Continental Innovates with Rancher and Kubernetes
ros tls generate is used to generate both the client and server TLS certificates for Docker.
ros tls generate
Remember, all ros commands need to be used with sudo or as a root user.
To have docker secured by TLS you need to set rancher.docker.tls to true, and generate a set of server and client keys and certificates:
$ sudo ros config set rancher.docker.tls true
$ sudo ros tls gen --server -H localhost -H <hostname1> -H <hostname2> ... -H <hostnameN>
$ sudo system-docker restart docker
Here, <hostname*>s are the hostnames that you will be able to use as your docker host names. A <hostname*> can be a wildcard pattern, e.g. “*.*.*.*.*”. It is recommended to have localhost as one of the hostnames, so that you can test docker TLS connectivity locally.
When you’ve done that, all the necessary server certificate and key files have been saved to /etc/docker/tls directory, and the docker service has been started with --tlsverify option.
You also need client cert and key to access Docker via a TCP socket now:
$ sudo ros tls gen
INFO Out directory (-d, --dir) not specified, using default: /home/rancher/.docker
All the docker client TLS files are in ~/.docker dir now.
Now you can use your client cert to check if you can access Docker via TCP:
$ docker --tlsverify version
Because all the necessary files are in the ~/.docker dir, you don’t need to specify them using --tlscacert --tlscert and --tlskey options. You also don’t need -H to access Docker on localhost.
Copy the files from /home/rancher/.docker to $HOME/.docker on your client machine if you need to access Docker on your RancherOS host from there.
On your client machine, set the Docker host and test out if Docker commands work.
$ export DOCKER_HOST=tcp://<hostname>:2376 DOCKER_TLS_VERIFY=1
$ docker ps