Proposal: Identity management

[sthulb]

We should allow for the generation and regeneration of x509 keys for existing and new servers.

---

Users

We should allow owners of machines to generate new identities to allow third parties to control Docker. The certificates would be based of the same CA root.

The third party user would be informed of a way of collecting the new client certificates securely.

Regeneration

We should allow users to regenerate x509 certificates on their machines.

Generation

We should allow for generation of x509 certificates for hosts that weren't provisioned with Machine, effectively allowing for users to add a machine to their collection.

Implementation

The UI would be a set of commands under with certificates or identity.

Certificate collection would be easier with a client/server model for machine, allowing users to use OTPs to collect certs from a shared machine server.

[sthulb]

More to come when I have time.

[nathanleclaire]

Oh interesting - I was just thinking about this problem recently - how to grant access to remote Docker on a client that is different than the one where the machine was created.

[sthulb]

I had the idea a month ago, I talked about it in the IRC channel, I've just got around to proposing it :)

[sthulb]

This would have more benefit with a client/server model for machine though.

[frapposelli]

Great idea, much better than keeping certs on dropbox :smile:

Client/Server could be very interesting, maybe a passphrase to give access to a common shared machine?

Alice: docker-machine create, sets passphrase, share passphrase w/ Bob Bob: docker-machine attach, use Alice passphrase to gain access

[sthulb]

@frapposelli I'd expect new certs to be generated for every user. A token/passphrase would only be needed for collection. We could revoke "Alice's" certs at any time.

Disclosure: Docker doesn't support cert revocations yet.

[frapposelli]

@sthulb of course, passphrase as a way to grant access to cert generation on the shared machine, ideally the passphrase should be OTP.

[sthulb]

Yep!

[ehazlett]

+1 I think this will be a must for machine server.

[docteurklein]

What is the current solution (even hacky) to share 1 machine configuration? I saw https://github.com/docker/machine/pull/1476 and it seems great, once landed.

But currently what are the minimum set of files to move and what parts of config.json should I copy and change in order to have a working access to a docker created with machine ?

Thanks :)

[docteurklein]

Aside that, it would be awesome to enlight me on the differences and roles of each folder in ~/.docker/machine.

What is certs/*, compared to machines/*/* ?

[nathanleclaire]

What is the current solution (even hacky) to share 1 machine configuration?

Hacky would probably be to pass around the machine folder from ~/.docker/machine/machines but do a search-and-replace on the path strings in each machine's config.json to replace, say, /Users/nathanleclaire/.docker with /home/docteurklein/.docker or whatever the location of your target Machine store is. Be advised this implies moving secrets such as API keys around, and I don't think it will work for local providers (e.g. Virtualbox).

What is certs/, compared to machines//* ?

certs is the "global" machine certificate folder containing everything that is relevant to connecting to Docker remotely using TLS, including things such as the CA's private key. When a machine is created, the :

• client certificate
• client key
• CA certificate
• server key
• server certificate

are copied to the local machine directory, and the server cert, server key, and CA cert are copied to the remote computer. The corresponding settings are applied to the server daemon as well.

Does that help a little?

[docteurklein]

@nathanleclaire thanks for the very clear explanations :) It helps a lot.

Ok, so it means I don't have to pass the certs folder, since its content is copied into the folder of each machine, right?

[ghost]

Would love this feature, is there currently any way to force docker-machine to use a new server.crt? How can i revoke access to a machine when a other guy has the machine folder?