Never run Docker on a TCP socket without TLS

Kevan Ahlquist
2 min read · Nov 2, 2014


If your Docker daemon listens on a TCP socket, you need TLS. This matters most for boot2docker users, because boot2docker uses default addresses that are easy to predict, but it applies to any setup that reaches the Docker daemon over TCP. After the Docker 1.3 release, several workarounds for disabling or sidestepping TLS with tools like socat were posted. Here is why you shouldn’t use them.

Even if the Docker daemon sits inside a firewalled network it is still vulnerable, because the attack arrives through a web browser on a machine that is already inside your network. All it takes is a little JavaScript delivered by a compromised website or a malicious ad; the victim’s browser, not the attacker’s machine, makes the request to the daemon:

// Malicious page script: jQuery's JSONP mode injects a <script> tag, which the
// browser's same-origin policy does not block, so the request reaches the
// daemon even though the page was served from an external site.
$.ajax({
  url: 'http://docker_server_address/_ping',
  dataType: 'jsonp'
});

Once they have found the daemon, attackers can call anything in the remote API, and the daemon runs as root, so they can do whatever they like with your Docker infrastructure, such as pull images and build containerized botnets. They probably won’t know which address Docker is listening on unless you use boot2docker, but given enough time they can probe your network from the browser and find out. Security through obscurity as your only defense mechanism is a bad idea.

Setting up TLS can be daunting if you’re not familiar with it, but Docker has a step-by-step guide to walk you through it. It adds some extra work, but the alternative is leaving your Docker daemon open to the entire world. Are you willing to take that risk? Don’t let your ship get pirated.
