Enable docker Remote API

In order to build image for Raspberry PI, it is sometimes usefull to be able to leverate infrastruture from a remote VM. For instance you can cross-build golang executable for ARM32v7 and transfer it to build an image on the remote PI. (used for Tiller docker image)

Generating the server certs

In the case this Kubernetes cluster, the master is running on master-pi with IP address 192.168.1.95

as root

mkdir -p $HOME/dockercerts
cd $HOME/dockercerts/

openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
openssl genrsa -out server-key.pem 4096

export HOST=master-pi
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

echo subjectAltName = DNS:$HOST,IP:192.168.1.95,IP:127.0.0.1 >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.

rm -v client.csr server.csr
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem

Installing certs and configuring dockerd service

cp $HOME/dockercerts/ca.pem /etc/docker
cp $HOME/dockercerts/server-cert.pem /etc/docker/
cp $HOME/dockercerts/server-key.pem /etc/docker/
mkdir -p /etc/systemd/system/docker.service.d
vi /etc/systemd/system/docker.service.d/10-tls-verify.conf

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://192.168.1.95:2376 --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem
Environment="DOCKER_OPTS=--tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem"

Restart the service

systemctl daemon-reload
systemctl restart docker.service

Installing client side on the PI

does not have to be root.

cp /root/dockercerts/ca.pem $HOME/.docker
cp /root/dockercerts/key.pem $HOME/.docker/
cp /root/dockercerts/cert.pem $HOME/.docker/
docker --tlsverify -H tcp://192.168.1.95:2376 --tlscacert=$HOME/.docker/ca.pem --tlscert=$HOME/.docker/cert.pem --tlskey=$HOME/.docker/key.pem images

Installing client side on the remove VM

Transfer the key from the master-pi to the local Ubuntu VM

mkdir -p $HOME/.docker/master-pi
cd $HOME/.docker/master-pi/
scp rpiuser@192.168.1.95:/home/rpiuser/.docker/master-pi/* .

Verify that the VM can access the remote PI

docker --tlsverify -H tcp://192.168.1.95:2376 --tlscacert=$HOME/.docker/master-pi/ca.pem --tlscert=$HOME/.docker/master-pi/cert.pem --tlskey=$HOME/.docker/master-pi/key.pem version

Use environment variable to simplify the command line

export DOCKER_CERT_PATH=~/.docker/master-pi
export DOCKER_HOST=tcp://192.168.1.95:2376
export DOCKER_TLS_VERIFY=1

docker ps
docker image list