nextcloud / app_api

Nextcloud AppAPI
https://apps.nextcloud.com/apps/app_api
GNU Affero General Public License v3.0

ssl docker daemon connection #308

Open vandman opened 5 months ago

vandman commented 5 months ago

Describe why it is important and where it will be useful

Describe your proposed solution

Add options to be able to load certificates from the file system. To be clear, you could use the same keys as in daemon.json in /etc/docker/: "tlscacert", "tlscert", "tlskey".

Describe alternatives you've considered, if relevant

No response

Additional context

No response

bigcat88 commented 5 months ago

Please use occ security:certificates:import for that.

vandman commented 5 months ago

Hi, thanks for your answer, but unfortunately it does not solve the problem. If you secure your Docker daemon with a self-signed certificate, it means that app_api will be the client. So the client needs a private key to encrypt data. In order to trust this key, you also need to provide the root CA public key. The private key cannot be loaded by occ security:certificates:import; moreover, how do you select the proper client certificate to start communicating over SSL?

You need to specify the certificate files.

Look at the Docker documentation

Regards
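The client/server material the comment above describes, as an added example that is not part of this thread or of the AppAPI project: a constructed demo CA signs one certificate for the daemon and one for the connecting client, the three daemon.json keys named in the feature request are written out, and each leaf is checked to chain to the CA and to be usable only for its own role. The directory, hostname, common names and listen address are placeholders; a real daemon.json would reference paths under /etc/docker.

```shell
#!/bin/sh
# Constructed mutual-TLS demo for a TLS-protected Docker daemon (not AppAPI project code).
# Server side: daemon.json gets tlscacert/tlscert/tlskey (the keys named in the request).
# Client side (the role AppAPI plays): ca.pem to trust the daemon, cert.pem + key.pem to
# authenticate itself. Paths, CNs and the listen address below are placeholders.
set -e

make_pki() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # Demo CA: self-signed, one-day validity, unencrypted key (demo only).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
  # Daemon certificate: the SAN must match the name the client connects to.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/server.ext"
  openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server-cert.pem" 2>/dev/null
  # Client certificate: what the connecting service presents; clientAuth only.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
    -keyout "$dir/key.pem" -out "$dir/client.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -extfile "$dir/client.ext" -out "$dir/cert.pem" 2>/dev/null
  # daemon.json fragment; tlsverify makes the daemon demand a CA-signed client certificate.
  cat > "$dir/daemon.json" <<EOF
{
  "hosts": ["tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "$dir/ca.pem",
  "tlscert": "$dir/server-cert.pem",
  "tlskey": "$dir/server-key.pem"
}
EOF
}

# Check each leaf chains to the demo CA and is accepted only for its intended role.
verify_pki() {
  dir="$1"
  openssl verify -CAfile "$dir/ca.pem" -purpose sslserver "$dir/server-cert.pem" 2>/dev/null | grep -q ': OK$' || return 1
  openssl verify -CAfile "$dir/ca.pem" -purpose sslclient "$dir/cert.pem" 2>/dev/null | grep -q ': OK$' || return 1
  # The client certificate must not pass as a server certificate (role separation).
  if openssl verify -CAfile "$dir/ca.pem" -purpose sslserver "$dir/cert.pem" 2>/dev/null | grep -q ': OK$'; then
    return 1
  fi
}

make_pki /tmp/demo-docker-tls demo-docker-host
verify_pki /tmp/demo-docker-tls && echo "PKI ok: daemon.json written to /tmp/demo-docker-tls"
```

The client needs all three of ca.pem, cert.pem and key.pem to reach a daemon started with this daemon.json, which is why importing a CA certificate alone is not sufficient on the client side.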

bigcat88 commented 5 months ago

https://github.com/cloud-py-api/app_api/blob/5b06f215c74fc416c4c98d2250ea8b05841625a6/.github/workflows/tests-deploy.yml#L310-L345

Is this test wrong?

vandman commented 5 months ago

Hi, I am not sure, but it might be wrong because the container has access to the Docker socket. Try the same thing without the -v /var/run/docker.sock:/var/run/docker.sock parameter.

There is a difference between my setup and the test: my Docker server has a private/public key, and each of my services that needs to communicate with the daemon has its own private/public key. The services/containers that need to communicate with the Docker daemon are not launched with --net host; I set up specific authorisation to allow traffic from the container to the host. Regards, Pierre

bigcat88 commented 5 months ago

I am not sure, but it might be wrong because the container has access to the Docker socket.

docker-socket-proxy must have access to "/var/run/docker.sock"; its goal is to allow AppAPI to access the Docker socket via network requests.

vandman commented 5 months ago

Hi, by docker-socket-proxy, do you mean this repository: https://github.com/Tecnativa/docker-socket-proxy? If yes, that means that I need to install docker-socket-proxy too to make AppAPI work, am I right?

andrey18106 commented 5 months ago

Hi, by docker-socket-proxy, do you mean this repository: https://github.com/Tecnativa/docker-socket-proxy?

Hi!

By docker-socket-proxy we mean our implementation, which is based on haproxy alpine; the configuration is originally like the all-in-one config, with a few security adjustments for remote installs.

If yes, that means that I need to install docker-socket-proxy too to make AppAPI work, am I right?

As was said above, yes, AppAPI requires the Docker daemon to be configured to work with it via network requests. Please follow our instructions in docker-socket-proxy to set up an HTTPS Docker socket proxy connection.

If you have any further questions, do not hesitate to ask them here.