rebased/mergable copy of "Add https cert and key options to docker"#2996
discordianfish wants to merge 3 commits into moby:master
|
something is not merge-able with this code ;) |
|
@crosbymichael: Ha, this thing moves so fast. Rebased again! |
|
LGTM |
docs/sources/examples/https.rst
This is kind of misleading. We may want to change the line above to:
sudo docker -d -sslkey=privkey.pem -sslcert=cacert.pem -H=tcp://0.0.0.0 -H unix:///var/run/docker.sock
So that the client still works while the API is being served over https at the same time.
|
@crosbymichael Good catch, I've changed it |
The prior example wasn't working for me.
|
@discordianfish After more testing the client does not work with the unix socket because we are still serving https over the unix socket and the client gets malformed responses. I think we should update the client to work with https also no matter the protocol. |
|
@crosbymichael I'm working in another branch on https client which fixes this problem as well. Maybe it's easier to just close this "https server" PR and I'll open a new PR with both client and server changes. Guess this PR here alone doesn't make much sense anyway. |
|
As discussed in IRC: Will close this in favor of a new PR including https support for client and server. |
|
@discordianfish and/or @crosbymichael... so just to level-set on what i believe to be true right now --> there is no way to use the docker CLI to push images to a private registry which is using SSL correct? what i have is a private docker registry being fronted by nginx. nginx is in turn setup to use self-signed certificates for SSL. i cannot get a my cert does in fact contain valid SAN IP and DNS -- i double checked by dumping it to text with IMHO it seems like the docker CLI should support:
i was hoping i could use unix sockets with socat to hack around this issue short term, but it appears a docker push does not use the -H option (i.e. client CLI example here: http://jpetazzo.github.io/2013/10/20/secure-connection-docker-api/) thanks |
This is a mergeable copy of #2186