09 décembre 2014

About Docker authentication

On my previous blog post I was experimenting with Docker machine, this one require to run a custom build for docker client with "identity-auth". I was wondering what this is about.

This is actually implementation for a development topic introduced at DockerCon.SF in june

The authorization issue when using Docker is that client is talking to daemon on a TCP connection, so open to all possible abuses, and let you run arbitrary container or do crazy things on target host. Docker 1.3.0 introduced TLS authorization with a client and server certificate, so only well identified clients can connect to daemon. That's fine, but won't scale. In such a setup, all clients need to get certificate signed by authority as well as daemon, and revocation for such a client certificate is a complex process.

SSH based authentication with authorized_keys on server is a common practice to manage enterprise infrastructures. The proposed change is to adopt this exact same practice for docker.

Each docker instance (daemon or client) will get a unique identity, set first time it is ran and saved in .docker/. Surprisingly, JSON files are used to store keys - not openssl PEM files. This is actually JSON Web Keys, I never heard about this recent standard (admittedly not a topic I'm actively following). It's a bit surprising such a fresh new standard has been chosen, vs long terms established PEM format. Proposal says both format are actually supported, so third party client library will have to support both. Having looked at Java deplorable support for PEM files I wonder just adopting this fresh new format would make things simpler...

First time you establish connection with a Docker daemon, you'll have to confirm remote identity, confirming the remote key fingerprints - just like you use to do with SSH. On Daemon side, authorized client keys are stored under some authorized_keys.d directory.

As a resume, this proposed Authorization system is more or less just adopting SSH successful model. This makes me wonder why they not just use SSH directly, just like Git does as a transport layer they build docker on, and just require a secure communication channel with daemon.

The detailed proposal is discussed on #7667

1 commentaires:

Anonyme a dit…

Investopedia does not include all presents available within the marketplace. Now, think of your self walking into a on line casino with the sensation that you’re going to beat those odds because of|as a outcome of} luck is on your aspect. If you 카지노 had a slew of bad arms, the likelihood of that turning into a profitable streak simply doesn’t exist. In 2018, industrial on line casino gaming income amounted to about $41.7 billion; a method to think about|to consider} all those income is that they're {the outcome of|the results of} the accrual of the entire losses from on line casino patrons annually. Slot machine odds are variety of the} worst, ranging from a one-in-5,000 to one-in-about-34-million likelihood of profitable the highest prize when utilizing the maximum coin play.