function docker_api : Using protected socket #754

Open
arnaudschaeffer opened this issue Feb 11, 2021 · 1 comment
@arnaudschaeffer

Hello,

I configured docker to protect the docker daemon socket and make it available through HTTPS. I followed the Docker documentation to do this (Protect the Docker daemon socket).

I use the official nginx image for the reverse proxy and jwilder/docker-gen, which requires access to the docker daemon socket.

By setting the following environment variables, the image jwilder/docker-gen works without mounting the docker daemon socket.

DOCKER_OPTS=--key /home/.docker/key.pem --cacert /home/.docker/ca.pem --cert /home/.docker/cert.pem
# in my case 172.18.0.1 is the Gateway IP
DOCKER_HOST=tcp://172.18.0.1:2376

Is there a way to do this with this image?

I managed to make it work by editing the docker_api in functions.sh. The modifications I made are not generic, so I can't do a PR. But I might give it a shot if it's something missing.

@buchdag buchdag self-assigned this Feb 19, 2021
arnaudschaeffer added a commit to arnaudschaeffer/docker-letsencrypt-nginx-proxy-companion that referenced this issue Mar 15, 2021
@arnaudschaeffer

Hi there,

I did some modifications to use this image with a protected docker daemon socket and without running the image as root.

The code I pushed is working for what I want to accomplish, but it's not good enough for a pull request.

In order to access the socket with https, you should add the following in your environment variables:

# Url of the docker socket
DOCKER_HOST=tcp://172.18.0.1:2376
# path where key.pem, ca.pem and cert.pem are located
DOCKER_CERT_PATH=/home/ubuntu/.docker

I had a lot of trouble when I wanted not to run this image as root. I ended up installing acme.sh with the user starting the docker container, mounting this volume, and commenting out some lines in the check_writable_directory function. Then, I set the acme path to an environment variable:

ACMESH_PATH=/home/user/.acme.sh

So this might be used as a starting point for this issue. If someone wants to give me pointers to fix the problem, I would be glad to try to do something better!

@buchdag buchdag added the kind/feature-request Issue requesting a new feature label Jun 15, 2021
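
A generic form of the change discussed in this issue, as an added example that is not the project's docker_api nor the code from the referenced commits: a POSIX shell wrapper that picks the transport from DOCKER_HOST and, for tcp:// hosts, presents the client certificate found in DOCKER_CERT_PATH (both variable names are taken from the comments above). Refusing a tcp:// host when no certificates are configured is a choice made for this example.

```shell
# Added example: select the Docker API transport from DOCKER_HOST and attach
# the TLS client certificate from DOCKER_CERT_PATH (ca.pem, cert.pem, key.pem).
docker_api() {
    api_path=$1                     # e.g. /containers/json
    api_method=${2:-GET}
    api_host=${DOCKER_HOST:-unix:///var/run/docker.sock}

    # Positional parameters serve as a POSIX-safe argument array for curl.
    set -- -sS --fail -X "$api_method"

    case $api_host in
        unix://*)
            set -- "$@" --unix-socket "${api_host#unix://}" \
                "http://localhost${api_path}"
            ;;
        tcp://*)
            # Fail closed: a TCP daemon socket without mutual TLS gives
            # root-equivalent access to anyone who can reach the port.
            if [ -z "${DOCKER_CERT_PATH:-}" ]; then
                echo "docker_api: DOCKER_CERT_PATH must be set for ${api_host}" >&2
                return 1
            fi
            for api_pem in ca.pem cert.pem key.pem; do
                if [ ! -r "${DOCKER_CERT_PATH}/${api_pem}" ]; then
                    echo "docker_api: cannot read ${DOCKER_CERT_PATH}/${api_pem}" >&2
                    return 1
                fi
            done
            # No -k/--insecure: the daemon certificate is verified against ca.pem.
            set -- "$@" \
                --cacert "${DOCKER_CERT_PATH}/ca.pem" \
                --cert "${DOCKER_CERT_PATH}/cert.pem" \
                --key "${DOCKER_CERT_PATH}/key.pem" \
                "https://${api_host#tcp://}${api_path}"
            ;;
        *)
            echo "docker_api: unsupported DOCKER_HOST scheme: ${api_host}" >&2
            return 1
            ;;
    esac

    curl "$@"
}
```

With the values from the issue, `docker_api /containers/json` requests `https://172.18.0.1:2376/containers/json` using the three PEM files, so the container no longer needs the daemon socket mounted.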