Skip to main content

Secure nested LCOW: Part 3

Part 3: Getting all together

After the configuration of the Docker daemon on the Nested Hyper-V VM (part 2), it's now finally time to configure the Docker client that will connect to it.

Once again, I will be using WSL as the main shell. However, if you choose to go with Powershell, it's OK too (simply I won't explain it here :).

Setup: Window 10 Docker Client

first of all, the docker client needs to be installed in the WSL environment.
And this will be as easy as one command line, thanks to the Docker install script:
client:~$ curl -sSL https://get.docker.com/ | sudo sh

As the end of the log suggests, add your user to the docker group. This will require you to logoff in order to apply the change.
You can either close the WSL console window and open a new one (logoff / login), or a small trick is to "login again" using the "su" command:
client:~$ sudo usermod -aG docker $LOGNAME

client:~$ sudo su - $LOGNAME

Generate Docker client certification

As the Docker daemon is configured to only accept TLS connections from clients, the next step is to configure our client with the SSL certificates.
Before I start, I would point out there's two different paths:

  • Generate the client certificate on the server
    OR
  • Copy all the needed files (root CA, CAKey) to the client and generate it there

Even if the CAkey as a password, I'm really not fond of copying it to the client (even if it's my own computer).
So, in my case, I will generate the client certificate on the Server VM, and then copy the files back to my client (source).
Open your Hyper-V manager and connect to your Server VM:
PS> ubuntu.exe

server:~$ cd /mnt/c/Program\ Files/docker/certs

server:certs$ openssl genrsa -out key.pem 4096

server:certs$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr

server:certs$ echo extendedKeyUsage = clientAuth >> client-extfile.cnf

server:certs$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile client-extfile.cnf

Configure Docker client

Finally, the only remaining point is to copy the needed files to the client.
Once again, there is plenty options out there, and one more time I choose the WSL way (yeah, at this stage I can be considered maniac I guess).

Note: the following steps will require that you have SSH installed on WSL inside your Server VM. Please follow this guide to so.

Get back to your WSL console on the Windows 10 client:
client:~$ mkdir .docker && cd .docker

client:.docker$ scp <server name>:"/mnt/c/Program\ Files/docker/certs/{ca,cert,key}.pem" .

client:.docker$ ls -l

client:.docker$ cd

client:~$ export DOCKER_HOST=tcp://<server name>:2376

client:~$ export DOCKER_TLS_VERIFY=1

client:~$ export DOCKER_CERT_PATH=$HOME/.docker

client:~$ env | grep DOCKER

Testing LCOW

Finally, after all the Hyper-V, Server VM and Docker (server & client) configurations, it's now time to see your efforts be rewarded.

You can follow (once again) Stefan's guide and witness by yourself how a single Docker daemon can run two different "platform based" containers:


I truly hope this guide could have helped you in some way, and once again, if you read these lines I do THANK YOU!


>>> Nunix Out <<<

Comments

Post a Comment

Popular posts from this blog

Docker + WSL: Get 2 daemon for the price of 1

Introduction almost two years ago, Docker announced the capability of switching between the Linux and Windows containers "mode" (far from the right click that we have today). At that time, I wrote a blog post on how to run both daemons at the same time ( http://darthnunix.blogspot.ch/2016/10/docker-for-windows-2-daemons-enter-in.html ) Fast forward to 2018, and while we were blogging on how to get the TLS connection from WSL docker client with  Rory McCune  ( https://raesene.github.io/blog/2018/03/29/WSL-And-Docker/ ), another blog post, by Stefan Stranger drew my attention (read: blew my mind) as I was trying to reproduce the same: how could I "bind" the docker socket in WSL with the Docker for Windows Linux mode socket ( https://blogs.technet.microsoft.com/stefan_stranger/2018/04/02/access-my-docker-for-windows-kubernetes-cluster-from-debian-wsl/ ) From 1 to 2 daemon: DemonHunter mode achieved Now that we have all the required setup resources, let's b...
4 comments
Read more

WSL: One Home to host them all

Introduction This blog post will explain how a single home mount can be shared accross all  the WSL instances. It was quite fun to find the idea and then make it happen. It will use all the tools currently available from WSL, so please don't expect a "Linux only" as Interopability will be heavily used. And before I start, here is my point of view about WSL: It's not only  Linux! It's different, just like GNU is different from Unix (yes I said it). We have finally the strength of both worlds combined. And while I do understand the "dev" aspect is meant to be reproducible in a Linux prod environment, the "ops" side is meant to take advantages of everything that can make the full environment feeling Home. Setup requirements In order to really enjoy this solution, I do recommend having 2 or more WSL distros installed or, if you fell like a real WSLCorsair, try @bketelsen crazy setup (I love it)! While the distros are downlo...
3 comments
Read more

VSCode + WSL: the SSH way

The initial idea early 2017, Rich Turner made a demo where Visual Studio was used to develop C++ code, however the debugging environment targeted was WSL! With some magic, he showed something that he had forbidden from the initial release of WSL: writting directly to the WSL filesystem (still a big no-no actually). Of course, this triggered a lot of curiosity and the WSL Corsair had to loot from it too! SSH to save the day the biggest challenge was to find a way that not only could be easy to setup on both ends, and also would be approved  by the WSL team.  TLDR: if you use the Windows Path, You Die! #ThereBeDragons Another way, more Linux-oriented, needed to be used and hopefully a solution already existed and was simply waiting on being used: SSH🔐 The setup the setup is done in 2 distinct parts: Setup the SSH server on WSL Setup the SSH client on VSCode  While the SSH server is a standard procedure in Linux, finding the right  plugin for VSCode w...
Post a Comment
Read more