11.3.2.2 Daemon Auth Requirements
A focused guide to Daemon Auth Requirements, connecting core concepts with practical Docker and container operations.
Daemon auth requirements specify exactly what is needed to establish that a client connecting to the Docker daemon is actually authorized. For remote access this centres on TLS client certificate verification; for direct, host-level daemon interaction it rests on appropriate local access control.
Requirements for Remote Daemon Authentication
A remotely accessible daemon should require client certificate verification, ensuring only clients presenting a certificate signed by a trusted certificate authority are accepted.
dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376
Without --tlsverify, a daemon that only enables TLS still encrypts the connection but accepts any client that connects: encryption without actual authentication. Both pieces are necessary for genuine security.
Requirements for Local Daemon Access Control
For a daemon accessed only locally, authentication is effectively handled through host-level user and group permissions, specifically membership in the docker group (or equivalent).
groups someuser
Confirming exactly which users have this group membership, and therefore effective daemon access, is the local equivalent of reviewing remote daemon authentication.
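The two requirements above (client-certificate verification for any network listener, and a reviewed docker group for local access) can be checked mechanically. The following is an added example, not Docker's own code: it parses a dockerd command line such as the one shown above and /etc/group content, both embedded here as constructed samples rather than read from a live host.

```python
import shlex

TLS_KEYS = ("tlscacert", "tlscert", "tlskey")
LOCAL_SCHEMES = ("unix://", "fd://", "npipe://")  # listeners that are not network-reachable

# Constructed sample inputs standing in for a host's dockerd process line and /etc/group.
GOOD_CMDLINE = "dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376"
WEAK_CMDLINE = "dockerd --tls --tlscert=server-cert.pem --tlskey=server-key.pem -H 0.0.0.0:2376 -H fd://"
SAMPLE_GROUP = "root:x:0:\ndocker:x:999:alice,ci-runner\nsudo:x:27:alice\n"


def settings_from_cmdline(cmdline):
    """Collect listen addresses and TLS settings from a dockerd command line."""
    args = shlex.split(cmdline)
    s = {"hosts": [], "tlsverify": False, **{k: None for k in TLS_KEYS}}
    i = 1  # skip the program name
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host"):  # normalise "-H addr" to "-H=addr"
            i += 1
            a = "-H=" + args[i]
        key, _, val = a.partition("=")
        if key == "--tlsverify":
            s["tlsverify"] = val != "false"
        elif key in ("-H", "--host"):
            s["hosts"].append(val)
        elif key.lstrip("-") in TLS_KEYS:
            s[key.lstrip("-")] = val
        i += 1
    return s


def remote_auth_findings(s):
    """Findings against the remote requirement; an empty list means it is met."""
    remote = [h for h in s["hosts"] if not h.startswith(LOCAL_SCHEMES)]
    if not remote:
        return []  # local-only daemon: review docker_group_members() instead
    findings = ["missing --" + k for k in TLS_KEYS if not s[k]]
    if not s["tlsverify"]:
        findings.insert(0, "remote listener without --tlsverify: encryption at most, no client authentication")
    return findings


def docker_group_members(group_text, group="docker"):
    """Supplementary members of the docker group from /etc/group content (primary-GID members live in /etc/passwd)."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == group:
            return [m for m in fields[3].split(",") if m]
    return []
```

On a real host the command line would come from the process table (or the equivalent keys in daemon.json) and the group file from /etc/group; every name that comes back from docker_group_members is a user with full daemon access.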
Why Authentication Alone Isn't the Same as Authorization
Confirming a client's identity (authentication) is a necessary but not sufficient step. Some daemon configurations or wrapping tools also support more granular authorization, restricting which specific actions an authenticated client is permitted to perform.
docker run -d -v /var/run/docker.sock:/var/run/docker.sock -e CONTAINERS=1 tecnativa/docker-socket-proxy
A proxy like this adds an authorization layer beyond simple authentication, restricting an otherwise authenticated client to only specific, permitted daemon operations.
Periodically Reviewing Who Actually Has Authenticated Access
Reviewing the current set of authorized certificates or group memberships ensures access remains appropriately scoped as personnel and systems change over time.
ls /etc/docker/certs.d/
Why Daemon Auth Requirements Matter
Properly establishing both authentication (confirming identity) and, where appropriate, authorization (restricting permitted actions) for daemon access is essential given the severity of what unauthenticated or overly broad daemon access would otherwise allow.