Protect the Docker daemon socket

Protect the Docker daemon socket By default, Docker runs via a non-networked Unix socket. It can also optionally communicate using an HTTP socket. If you need Docker to be reachable via the network in a safe manner, you can enable TLS by specifying the tlsverify flag and pointing Docker’s tlscacert flag to a trusted CA certificate. In the daemon mode, it will only allow connections from clients authenticated by a certificate signed by that CA. In the client mode, it will only connect to servers

PowerShell DSC Usage

Using PowerShell DSC Windows PowerShell Desired State Configuration (DSC) is a configuration management tool that extends the existing functionality of Windows PowerShell. DSC uses a declarative syntax to define the state in which a target should be configured. More information about PowerShell DSC can be found at http://technet.microsoft.com/en-us/library/dn249912.aspx. Requirements To use this guide you’ll need a Windows host with PowerShell v4.0 or newer. The included DSC configuration scrip

Plugins API

Docker Plugin API Docker plugins are out-of-process extensions which add capabilities to the Docker Engine. This page is intended for people who want to develop their own Docker plugin. If you just want to learn about or use Docker plugins, look here. What plugins are A plugin is a process running on the same or a different host as the docker daemon, which registers itself by placing a file on the same docker host in one of the plugin directories described in Plugin discovery. Plugins have huma

Plan for Swarm in production

Plan for Swarm in production This article provides guidance to help you plan, deploy, and manage Docker Swarm clusters in business-critical production environments. The following high-level topics are covered: Security High Availability Performance Cluster ownership Security There are many aspects to securing a Docker Swarm cluster. This section covers: Authentication using TLS Network access control These topics are not exhaustive. They form part of a wider security architecture that inclu

Play in a content trust sandbox

Play in a content trust sandbox This page explains how to set up and use a sandbox for experimenting with trust. The sandbox allows you to configure and try trust operations locally without impacting your production images. Before working through this sandbox, you should have read through the trust overview. Prerequisites These instructions assume you are running in Linux or Mac OS X. You can run this sandbox on a local machine or on a virtual machine. You will need to have sudo privileges on y

Overview of Docker Compose

Overview of Docker Compose Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a Compose file to configure your application’s services. Then, using a single command, you create and start all the services from your configuration. To learn more about all the features of Compose see the list of features. Compose is great for development, testing, and staging environments, as well as CI workflows. You can learn more about each case in Common Use Cas

Overview Docker Swarm with TLS

Overview Swarm with TLS All nodes in a Swarm cluster must bind their Docker daemons to a network port. This has obvious security implications. These implications are compounded when the network in question is untrusted, such as the internet. To mitigate these risks, Docker Swarm and the Docker Engine daemon support Transport Layer Security (TLS). Note: TLS is the successor to SSL (Secure Sockets Layer), and the two terms are often used interchangeably. Docker uses TLS; this term is used througho

OverlayFS storage in practice

Docker and OverlayFS in practice OverlayFS is a modern union filesystem that is similar to AUFS. In comparison to AUFS, OverlayFS: has a simpler design has been in the mainline Linux kernel since version 3.18 is potentially faster As a result, OverlayFS is rapidly gaining popularity in the Docker community and is seen by many as a natural successor to AUFS. As promising as OverlayFS is, it is still relatively young. Therefore caution should be taken before using it in production Docker enviro

OpenStack

OpenStack Create machines on OpenStack Mandatory: --openstack-auth-url: Keystone service base URL. --openstack-flavor-id or --openstack-flavor-name: Identify the flavor that will be used for the machine. --openstack-image-id or --openstack-image-name: Identify the image that will be used for the machine. $ docker-machine create --driver openstack vm Options: --openstack-active-timeout: The timeout in seconds until the OpenStack instance must be active. --openstack-availability-zone: The

Oracle VirtualBox

Oracle VirtualBox Create machines locally using VirtualBox. This driver requires VirtualBox 5+ to be installed on your host. Using VirtualBox 4.3+ should work but will give you a warning. Older versions will refuse to work. $ docker-machine create --driver=virtualbox vbox-test You can create an entirely new machine or you can convert a Boot2Docker VM into a machine by importing the VM. To convert a Boot2Docker VM, you’d use the following command: $ docker-machine create -d virtualbox --virtual