Hello,
I have recently worked on accessing the Docker daemon of a Fedora Atomic host from a local machine, fully automated by an Ansible playbook. Keeping security in mind, TLS server and client certs are generated. The idea is to use the Docker daemon of the Atomic host remotely. Kindly let me know if you like the idea :-). I would like to publish a post on the same. I am open to ideas.
Thanks, Trishna
On Fri, Jan 06, 2017 at 12:57:58PM -0000, Trishna Guha wrote:
> I have recently worked on accessing the Docker daemon of a Fedora Atomic host from a local machine, fully automated by an Ansible playbook. Keeping security in mind, TLS server and client certs are generated. The idea is to use the Docker daemon of the Atomic host remotely. Kindly let me know if you like the idea :-). I would like to publish a post on the same. I am open to ideas.
+1 sounds great
On 01/06/2017 08:46 AM, Matthew Miller wrote:
> On Fri, Jan 06, 2017 at 12:57:58PM -0000, Trishna Guha wrote:
>> I have recently worked on accessing the Docker daemon of a Fedora Atomic host from a local machine, fully automated by an Ansible playbook. Keeping security in mind, TLS server and client certs are generated. The idea is to use the Docker daemon of the Atomic host remotely. Kindly let me know if you like the idea :-). I would like to publish a post on the same. I am open to ideas.
> +1 sounds great
Make sure that you point out that ANY process on the client that can access the TLS certs now has FULL root on the server and can do anything it wants on it.
On Fri, Jan 6, 2017 at 7:47 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Make sure that you point out that ANY process on the client that can access the TLS certs now has FULL root on the server and can do anything it wants on it.
Sure, I will mention it. Thanks. Another point that would be useful to add is that we will want to give access to the server's Docker daemon only to a specific client host that can be trusted.
On 01/06/2017 09:43 AM, Trishna Guha wrote:
> On Fri, Jan 6, 2017 at 7:47 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> Make sure that you point out that ANY process on the client that can access the TLS certs now has FULL root on the server and can do anything it wants on it.
> Sure, I will mention it. Thanks. Another point that would be useful to add is that we will want to give access to the server's Docker daemon only to a specific client host that can be trusted.
Yes. BTW, docker never accepted higher-level authorization so that we could do better access controls. They believe this should be handled at the orchestration level: Kubernetes/OpenShift handle role-based access control, without having to expose docker remote socket access.
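The thread makes three configuration-level points: the daemon must verify client certificates rather than merely encrypt (Trishna's TLS setup), anything that can read the client key is root on the host (Dan's warning), and the listener should be reachable only from the trusted client host (Trishna's follow-up). Since docker itself offers no finer-grained authorization, as Dan notes, those settings and file permissions are what a defender can check. The script below is an added example, not code from this thread, from the Ansible playbook being described, or from Docker; the two daemon.json documents are constructed samples, the `192.0.2.10` address is a placeholder, and `~/.docker/key.pem` is assumed to be the client's default key location.

```python
"""Audit a Docker daemon's remote-access settings for the risks raised in the
thread: a tcp:// listener without client-certificate verification, a listener
bound to every interface, and TLS key material readable by more than its owner.

Added example; not part of the thread, the Ansible playbook it describes, or
Docker. The daemon.json samples and addresses below are constructed.
"""
import json
import os
import stat
from typing import List

# Constructed sample: a first attempt. "tls" alone only encrypts the
# connection; the daemon still accepts any client that can reach the port.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": True,
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed sample: hardened form. "tlsverify" makes the daemon demand a
# client certificate signed by tlscacert, and binding to one address (placeholder
# 192.0.2.10) keeps the listener off interfaces the trusted client never uses.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://192.0.2.10:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(daemon_json: str) -> List[str]:
    """Return findings for one daemon.json document; an empty list means clean."""
    cfg = json.loads(daemon_json)
    findings: List[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # no remote listener, so nothing to assess here
    if not cfg.get("tlsverify"):
        findings.append("tcp listener without tlsverify: clients are not "
                        "authenticated, so anyone who reaches the port has "
                        "root on the host")
    elif not cfg.get("tlscacert"):
        findings.append("tlsverify set but no tlscacert: client certificates "
                        "cannot be checked against a CA")
    for h in tcp_hosts:
        addr = h[len("tcp://"):].rsplit(":", 1)[0]
        if addr in ("", "0.0.0.0", "[::]"):
            findings.append(f"{h} listens on every interface; bind to the "
                            "address the trusted client host reaches and "
                            "firewall the port to that host")
    return findings


def audit_key_mode(path: str, mode: int, owner_uid: int, expected_uid: int) -> List[str]:
    """Flag a TLS key that more than its owner can read.

    `mode` holds the permission bits (stat.S_IMODE of st_mode). Any process
    able to read a client key holds root on the daemon host, so nothing beyond
    the owning user should be able to read it; 0400 is the target.
    """
    findings: List[str] = []
    readable_by_others = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH
    if mode & readable_by_others:
        findings.append(f"{path}: mode {mode:04o} is readable by group/others; use 0400")
    if owner_uid != expected_uid:
        findings.append(f"{path}: owned by uid {owner_uid}, expected uid {expected_uid}")
    return findings


def audit_key_file(path: str, expected_uid: int) -> List[str]:
    """Stat a real key file and run the permission check on it."""
    st = os.stat(path)
    return audit_key_mode(path, stat.S_IMODE(st.st_mode), st.st_uid, expected_uid)


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"{label}: {audit_daemon_config(doc) or ['no findings']}")
    # Client side: the key the docker CLI presents by default (assumed path).
    client_key = os.path.expanduser("~/.docker/key.pem")
    if os.path.exists(client_key):
        print(audit_key_file(client_key, os.getuid()) or ["client key permissions ok"])
```

Run it on the Atomic host against `/etc/docker/daemon.json` (or the equivalent `dockerd` flags the playbook writes out) and on the client against whatever `DOCKER_CERT_PATH` points at; the daemon checks are pure functions over the JSON, so they can also run inside the playbook's own tests before anything is deployed.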
magazine@lists.fedoraproject.org