09 décembre 2014

About Docker authentication

On my previous blog post I was experimenting with Docker machine, this one require to run a custom build for docker client with "identity-auth". I was wondering what this is about.

This is actually implementation for a development topic introduced at DockerCon.SF in june



The authorization issue when using Docker is that client is talking to daemon on a TCP connection, so open to all possible abuses, and let you run arbitrary container or do crazy things on target host. Docker 1.3.0 introduced TLS authorization with a client and server certificate, so only well identified clients can connect to daemon. That's fine, but won't scale. In such a setup, all clients need to get certificate signed by authority as well as daemon, and revocation for such a client certificate is a complex process.

SSH based authentication with authorized_keys on server is a common practice to manage enterprise infrastructures. The proposed change is to adopt this exact same practice for docker.

Each docker instance (daemon or client) will get a unique identity, set first time it is ran and saved in .docker/. Surprisingly, JSON files are used to store keys - not openssl PEM files. This is actually JSON Web Keys, I never heard about this recent standard (admittedly not a topic I'm actively following). It's a bit surprising such a fresh new standard has been chosen, vs long terms established PEM format. Proposal says both format are actually supported, so third party client library will have to support both. Having looked at Java deplorable support for PEM files I wonder just adopting this fresh new format would make things simpler...

First time you establish connection with a Docker daemon, you'll have to confirm remote identity, confirming the remote key fingerprints - just like you use to do with SSH. On Daemon side, authorized client keys are stored under some authorized_keys.d directory.

As a resume, this proposed Authorization system is more or less just adopting SSH successful model. This makes me wonder why they not just use SSH directly, just like Git does as a transport layer they build docker on, and just require a secure communication channel with daemon.


The detailed proposal is discussed on #7667