When building images for a Raspberry Pi, it is sometimes useful to leverage infrastructure on a remote VM. For instance, you can cross-build a Go executable for ARM32v7 on the VM and transfer it to the remote Pi to build an image there (this was used for the Tiller Docker image).
In this Kubernetes cluster, the master runs on master-pi, with IP address 192.168.1.95.
As root:
mkdir -p $HOME/dockercerts
cd $HOME/dockercerts/
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
openssl genrsa -out server-key.pem 4096
export HOST=master-pi
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
echo subjectAltName = DNS:$HOST,IP:192.168.1.95,IP:127.0.0.1 >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
rm -v client.csr server.csr
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem
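The rm and chmod steps above, and the client copy further down, expect client.csr, key.pem and cert.pem, which none of the commands on this page create. The following is an added example, not part of the original page, that issues that client certificate from the same CA, restricted to client authentication. The function names, the extfile-client.cnf file name and the default CN "client" are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): issue the client key pair
# (key.pem / cert.pem) that the docker CLI presents to dockerd --tlsverify.

# make_client_cert CA_DIR [CN]
#   CA_DIR must already contain ca.pem and ca-key.pem from the steps above.
#   CN defaults to "client" (an assumed name).
make_client_cert() {
    ca_dir=$1
    cn=${2:-client}
    (
        cd "$ca_dir" || exit 1
        if [ -e key.pem ]; then
            echo "key.pem already exists in $ca_dir, not overwriting" >&2
            exit 1
        fi
        umask 077    # the private key is never group- or world-readable
        openssl genrsa -out key.pem 4096 || exit 1
        openssl req -subj "/CN=$cn" -new -key key.pem -out client.csr || exit 1
        # Own extension file, written with ">" so a rerun cannot stack entries;
        # it limits the certificate to TLS client authentication.
        echo "extendedKeyUsage = clientAuth" > extfile-client.cnf
        # Prompts for the CA passphrase when ca-key.pem is encrypted.
        openssl x509 -req -days 365 -sha256 -in client.csr \
            -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
            -out cert.pem -extfile extfile-client.cnf || exit 1
        rm -f client.csr extfile-client.cnf
        chmod 0400 key.pem && chmod 0444 cert.pem
    )
}

# verify_client_cert CA_DIR
#   Succeeds only if cert.pem chains to ca.pem, is valid for TLS client
#   use, and carries the public key that belongs to key.pem.
verify_client_cert() {
    ca_dir=$1
    openssl verify -purpose sslclient -CAfile "$ca_dir/ca.pem" \
        "$ca_dir/cert.pem" >/dev/null || return 1
    cert_pub=$(openssl x509 -in "$ca_dir/cert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$ca_dir/key.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage on master-pi, as root:
#   make_client_cert "$HOME/dockercerts" && verify_client_cert "$HOME/dockercerts"
```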
cp $HOME/dockercerts/ca.pem /etc/docker
cp $HOME/dockercerts/server-cert.pem /etc/docker/
cp $HOME/dockercerts/server-key.pem /etc/docker/
mkdir -p /etc/systemd/system/docker.service.d
vi /etc/systemd/system/docker.service.d/10-tls-verify.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://192.168.1.95:2376 --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem
Environment="DOCKER_OPTS=--tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem"
Restart the service
systemctl daemon-reload
systemctl restart docker.service
The client user does not have to be root.
cp /root/dockercerts/ca.pem $HOME/.docker
cp /root/dockercerts/key.pem $HOME/.docker/
cp /root/dockercerts/cert.pem $HOME/.docker/
docker --tlsverify -H tcp://192.168.1.95:2376 --tlscacert=$HOME/.docker/ca.pem --tlscert=$HOME/.docker/cert.pem --tlskey=$HOME/.docker/key.pem images
Transfer the key from the master-pi to the local Ubuntu VM
mkdir -p $HOME/.docker/master-pi
cd $HOME/.docker/master-pi/
scp rpiuser@192.168.1.95:/home/rpiuser/.docker/master-pi/* .
Verify that the VM can access the remote PI
docker --tlsverify -H tcp://192.168.1.95:2376 --tlscacert=$HOME/.docker/master-pi/ca.pem --tlscert=$HOME/.docker/master-pi/cert.pem --tlskey=$HOME/.docker/master-pi/key.pem version
Use environment variables to simplify the command line
export DOCKER_CERT_PATH=~/.docker/master-pi
export DOCKER_HOST=tcp://192.168.1.95:2376
export DOCKER_TLS_VERIFY=1
docker ps
docker image list