Add TLS support for discovery backend

This leverages recent additions to libkv enabling client
authentication via TLS so the discovery back-end can be locked
down with mutual TLS.  Example usage:

    docker daemon [other args] \
        --cluster-advertise 192.168.122.168:2376 \
        --cluster-store etcd://192.168.122.168:2379 \
        --cluster-store-opt kv.cacertfile=/path/to/ca.pem \
        --cluster-store-opt kv.certfile=/path/to/cert.pem \
        --cluster-store-opt kv.keyfile=/path/to/key.pem

Signed-off-by: Daniel Hiltgen <daniel.hiltgen@docker.com>
Daniel Hiltgen 2015-09-28 16:22:57 -07:00 committed by Tibor Vass
parent 7beb4061e1
commit 323fb21864
1 changed files with 15 additions and 0 deletions
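An added example, not part of this commit and not docker's or libkv's code, showing what the three `kv.*` options amount to on the wire. It mints a throwaway cluster CA, an etcd-style server certificate and a daemon client certificate in memory, stands up a `net/http/httptest` TLS listener as a stand-in for the store, configured to require a client certificate signed by that CA (which is what "mutual" buys), and then connects once with CA + cert + key and once with the CA alone. The certificate names, the request path `/v2/keys/docker/nodes` and the `ok` reply are constructed for the demo; the client-side loading shows how PEM material of this kind is turned into a Go `tls.Config` (CA into `RootCAs`, cert and key into `Certificates`), not libkv's own implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

type pair struct { // a certificate and its key; the PEM forms stand in for kv.cacertfile / kv.certfile / kv.keyfile
	cert            *x509.Certificate
	key             ed25519.PrivateKey
	certPEM, keyPEM []byte
}

// issue mints a throwaway certificate for cn signed by parent; a nil parent yields a self-signed CA.
func issue(cn string, parent *pair) *pair {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest serves on loopback
	}
	if parent == nil {
		parent = &pair{cert: tmpl, key: key} // self-signed: sign the template with its own key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, pub, parent.key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	must(err)
	return &pair{cert: cert, key: key,
		certPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		keyPEM:  pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})}
}

// clientTLSConfig is the daemon's side of the handshake: the CA pins the store, the optional cert+key identify the daemon.
func clientTLSConfig(caPEM, certPEM, keyPEM []byte) *tls.Config {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		panic("kv.cacertfile holds no CA certificate")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if certPEM != nil { // with only kv.cacertfile the daemon authenticates the store but not itself
		kp, err := tls.X509KeyPair(certPEM, keyPEM)
		must(err)
		cfg.Certificates = []tls.Certificate{kp}
	}
	return cfg
}

// Demo runs a store stand-in that demands a cluster-CA client certificate and reports which daemons get through.
func Demo() (withCert, noCert bool) {
	ca := issue("cluster-ca", nil)
	store, daemon := issue("etcd", ca), issue("docker-daemon", ca)
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(ca.cert)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{store.cert.Raw}, PrivateKey: store.key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" part: anonymous clients are refused
		ClientCAs:    clientCAs,
	}
	srv.StartTLS()
	defer srv.Close()
	probe := func(cfg *tls.Config) bool { // true only if the handshake and a request both succeed
		resp, err := (&http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL + "/v2/keys/docker/nodes")
		if err == nil {
			resp.Body.Close()
		}
		return err == nil
	}
	return probe(clientTLSConfig(ca.certPEM, daemon.certPEM, daemon.keyPEM)), probe(clientTLSConfig(ca.certPEM, nil, nil))
}
func main() {
	fmt.Println(Demo()) // true false
}
```

Run it and the first value is true, the second false: a daemon that supplies only `kv.cacertfile` can verify the store but is turned away by a store that insists on client certificates. The lock-down the commit message describes therefore depends on the store side demanding client certificates as well; the daemon flags alone only decide what the daemon presents and which CA it trusts.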

@ -24,6 +24,7 @@ weight = -1
--default-gateway-v6="" Container default gateway IPv6 address --default-gateway-v6="" Container default gateway IPv6 address
--cluster-store="" URL of the distributed storage backend --cluster-store="" URL of the distributed storage backend
--cluster-advertise="" Address of the daemon instance to advertise --cluster-advertise="" Address of the daemon instance to advertise
--cluster-store-opt=map[] Set cluster options
--dns=[] DNS server to use --dns=[] DNS server to use
--dns-opt=[] DNS options to use --dns-opt=[] DNS options to use
--dns-search=[] DNS search domains to use --dns-search=[] DNS search domains to use
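Review bot: the new `--cluster-store-opt=map[] Set cluster options` entry says nothing about what the map holds, while the neighbouring entries spell out their value (`--cluster-store="" URL of the distributed storage backend`), so a reader scanning this table will not connect it to the TLS options documented further down. Suggest `--cluster-store-opt=map[] Set cluster store options (e.g. kv.cacertfile, kv.certfile, kv.keyfile)`, and placing it directly after `--cluster-store` rather than after `--cluster-advertise`, so the flag sits beside the option it modifies.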
@ -537,6 +538,20 @@ please check the [run](run.md) reference.
daemon instance should use when advertising itself to the cluster. The daemon daemon instance should use when advertising itself to the cluster. The daemon
should be reachable by remote hosts on this 'host:port' combination. should be reachable by remote hosts on this 'host:port' combination.
The daemon uses [libkv](https://github.com/docker/libkv/) to advertise
the node within the cluster. Some Key/Value backends support mutual
TLS, and the client TLS settings used by the daemon can be configured
using the `--cluster-store-opt` flag, specifying the paths to PEM encoded
files. For example:
```bash
--cluster-advertise 192.168.1.2:2376 \
--cluster-store etcd://192.168.1.2:2379 \
--cluster-store-opt kv.cacertfile=/path/to/ca.pem \
--cluster-store-opt kv.certfile=/path/to/cert.pem \
--cluster-store-opt kv.keyfile=/path/to/key.pem
```
## Miscellaneous options ## Miscellaneous options
IP masquerading uses address translation to allow containers without a public IP masquerading uses address translation to allow containers without a public
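Review bot: the added paragraph leaves the three options undefined and the scope of the lock-down unstated. "Some Key/Value backends support mutual TLS" should name them (the example only shows etcd), and each key needs a one-line meaning next to the example: `kv.cacertfile` is the CA the daemon uses to verify the store's certificate, `kv.certfile`/`kv.keyfile` are the client certificate and key the daemon presents. Say explicitly whether `kv.cacertfile` on its own is accepted (server authentication only), and that these settings configure the daemon side only: the store must itself be configured to require client certificates, otherwise nothing is "mutual" even with all three files supplied. A sentence noting that `kv.keyfile` holds a private key and should be readable only by the daemon's user would fit here too. Minor: the fenced example starts at `--cluster-advertise`; prefixing `docker daemon \` as the commit message does makes it copy-pasteable.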