- First verify that your Workstation has openssl and keytool available (both commands should print their usage):
$ openssl help
$ keytool
- Download the following bash script to a new directory at your workstation: loadcoder-docker-certs.sh
- Create the file hosts.txt next to the downloaded bash script in the new directory, containing one line per host whose Docker API you want to secure:
my-master-host.com
worker1.com
worker2.com
- Create the file password.txt in the new directory, containing a password. Compose a strong password with lower- and upper-case letters, numbers and special characters, at least 8 characters long. Do not use whitespace in the password, because it will not work. This password protects the generated client keystores and is needed when the Controller accesses the Docker API, so store it somewhere secure; you will need it later on. Note also that when the script is executed in the next step, the password file is removed for security reasons.
- Make the script executable for the owner only and then run it. The script has to be executed from within the directory it lies in:
$ chmod 500 loadcoder-docker-certs.sh
$ ./loadcoder-docker-certs.sh
- Verify that password.txt has been removed and that a directory called certs has been created:
$ ls -la
certs
hosts.txt
loadcoder-docker-certs.sh
- The created certs/hosts directory contains one subdirectory per hostname listed in hosts.txt. Copy the files of each host directory to the corresponding machine, into the directory /root/.docker, and make the private key files (*-key.pem, key.pem) readable by root only. Note that the daemon itself only needs ca.pem, server-cert.pem and server-key.pem (see the ExecStart line below), and the local docker CLI needs ca.pem, cert.pem and key.pem; ca-key.pem is the CA's private key and can sign new client certificates, so it does not need to leave the Workstation:
$ ls -lt /root/.docker/
ca-key.pem
ca.pem
... (all the other certificate files)
- At each machine, configure the Docker daemon to start with mTLS enabled: --tlsverify makes dockerd refuse any client whose certificate does not chain to ca.pem. Editing /lib/systemd/system/docker.service directly works but a package upgrade may overwrite that file and silently bring back an unauthenticated listener; a drop-in created with systemctl edit docker (an empty ExecStart= line followed by the new one) survives upgrades. Either way, the ExecStart must be the following (note that with only a TCP -H the daemon no longer listens on the unix socket, which is why DOCKER_HOST is set below):
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/root/.docker/ca.pem --tlscert=/root/.docker/server-cert.pem --tlskey=/root/.docker/server-key.pem -H=0.0.0.0:2375
- Restart the Docker daemon
$ systemctl daemon-reload
$ service docker stop
$ service docker start
- From this point on, docker commands against the daemon will be refused unless the client presents a certificate signed by the CA. To do this conveniently, set two environment variables by adding the following line at the end of /root/.bashrc. With DOCKER_TLS_VERIFY=1 the docker CLI looks for ca.pem, cert.pem and key.pem in ~/.docker, which for root is exactly where the files were copied; any other user would need DOCKER_CERT_PATH pointing at a directory holding those three files:
export DOCKER_HOST=tcp://127.0.0.1:2375 DOCKER_TLS_VERIFY=1
- After re-opening the shell (or running source /root/.bashrc), the docker command uses the copied certificate files to authenticate to the daemon. Use docker as before:
$ docker ps
- Now go back to the Workstation, to the directory where loadcoder-docker-certs.sh is located. The directory certs/clientcerts contains the client certificate JKS files for all the hosts listed in hosts.txt. Copy these files to your load test project's resource directory (src/main/resources).
- The cluster machines and your load test project are now set up to communicate with Docker over mTLS. The last thing to do is to specify the password used during certificate generation (the content of the removed password.txt). The recommended way is to pass it as a JVM argument when running the Controller, replacing changeit with your password:
-Ddocker.mtls.password=changeit
It is also possible to set it in the configuration file, but this is less secure, since the password is then stored as part of the load test project and probably also version controlled:
docker.mtls.password=changeit
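The steps above hide what loadcoder-docker-certs.sh actually produces and give no way to check the result before exposing port 2375. The following script is an added example, not Loadcoder's script, the project's code or anything the page shows: it generates the same file set for one host with plain openssl, checks offline what dockerd and the docker CLI will check at handshake time, writes the systemd drop-in equivalent of the ExecStart line above, and probes a running daemon with and without a client certificate. Hostnames, paths, the 365-day lifetime and the certificate subjects are illustrative assumptions; the JKS conversion with keytool that the real script performs is not reproduced.

```shell
# Added example (not loadcoder-docker-certs.sh). Assumes openssl on PATH and,
# for check_daemon only, curl and a reachable dockerd. All names are illustrative.
set -eu

# Create a CA, a server cert for HOST and a client cert under DIR, using the
# file names dockerd (--tlscacert/--tlscert/--tlskey) and the docker CLI
# (~/.docker/ca.pem, cert.pem, key.pem) expect.
gen_certs() {
  dir=$1; host=$2
  mkdir -p "$dir"
  # CA key: stays on the Workstation, only ca.pem goes to the hosts.
  openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -sha256 -key "$dir/ca-key.pem" \
    -subj "/CN=loadcoder-docker-ca" -out "$dir/ca.pem"
  # Server cert: the SAN must carry the name the Controller dials, or the
  # client side fails hostname verification even though the chain is valid.
  openssl genrsa -out "$dir/server-key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/server-key.pem" -subj "/CN=$host" -out "$dir/server.csr"
  printf 'subjectAltName=DNS:%s,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$dir/server-ext.cnf"
  openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/server-ext.cnf" \
    -out "$dir/server-cert.pem" 2>/dev/null
  # Client cert: --tlsverify accepts only callers whose cert chains to ca.pem.
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/key.pem" -subj "/CN=loadcoder-controller" -out "$dir/client.csr"
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client-ext.cnf"
  openssl x509 -req -days 365 -sha256 -in "$dir/client.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/client-ext.cnf" \
    -out "$dir/cert.pem" 2>/dev/null
  rm -f "$dir"/*.csr "$dir"/*-ext.cnf "$dir/ca.srl"
  chmod 0400 "$dir/ca-key.pem" "$dir/server-key.pem" "$dir/key.pem"
}

# Offline version of the handshake checks: both certs chain to ca.pem and the
# server cert names HOST. Returns non-zero on the first failure.
verify_chain() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1 || return 1
  case "$(openssl x509 -in "$dir/server-cert.pem" -noout -text)" in
    *"DNS:$host"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Would client cert $2 get past --tlsverify on a daemon that trusts CA $1?
client_accepted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Write a systemd drop-in (OUTDIR/override.conf, normally
# /etc/systemd/system/docker.service.d/) instead of editing docker.service.
# The empty ExecStart= resets the unit's command before the new one is set.
write_dropin() {
  outdir=$1; certdir=$2; port=$3
  mkdir -p "$outdir"
  cat > "$outdir/override.conf" <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=$certdir/ca.pem --tlscert=$certdir/server-cert.pem --tlskey=$certdir/server-key.pem -H=0.0.0.0:$port
EOF
}

# Live probe of a restarted daemon: anonymous access must fail, the client
# cert must succeed. GET /version is unauthenticated beyond TLS, so it is a
# clean test of the mTLS layer itself.
check_daemon() {
  dir=$1; host=$2; port=$3
  if curl -s --cacert "$dir/ca.pem" "https://$host:$port/version" >/dev/null 2>&1; then
    echo "FAIL: $host:$port answered without a client certificate"; return 1
  fi
  curl -s --cacert "$dir/ca.pem" --cert "$dir/cert.pem" --key "$dir/key.pem" \
    "https://$host:$port/version" | grep -q '"ApiVersion"'
}

# Usage: sh mtls-check.sh worker1.com   (generates ./certs-demo/worker1.com)
if [ $# -ge 1 ]; then
  gen_certs "certs-demo/$1" "$1"
  if verify_chain "certs-demo/$1" "$1"; then echo "certs for $1 verify OK"; else echo "FAIL"; exit 1; fi
  write_dropin "certs-demo/$1/docker.service.d" /root/.docker 2375
fi
```

The generated names match the listing under /root/.docker above, so the same verify_chain call can be run on a host after copying. The real script additionally packs cert.pem and key.pem into the JKS files found under certs/clientcerts; the usual route for that is openssl pkcs12 -export followed by keytool -importkeystore, and the export password is the one from password.txt, which is an assumption about the script, not something the page states.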