Same issue for me with Docker Desktop (installed months ago and updated till latest) + WSL 2 on Win10. No luck with #3546 and with same issues described before (docker proxy listening on 2375 port). I've finnally try to uninstall Docker Desktop, reboot Win and re-install Docker Desktop from fresh new installer and it seems works now. If all is working as it should, you should be able to see that wslhost is bound to the local loopback on port 2375, and that envoy.exe is bound to “IPv4 unspecified” on 2375 as well: Now I was finally able to use a computer with some significant hardware as my Docker host. To do this, click on the Endpoints tab and then (in the top pane - Figure E), type a name for the new endpoint and add the IP Address of the new Docker server (with port 2375). Click Add endpoint.
This article Source: Wizard Cloud co-founder: Liao Yu ( http://www.ghostcloud.cn/ )
Docker Open Port 2375
Author: Liao Yu, University of Electronic Science and Technology Computer and finance double Master, responsible for Ghostcloud of product operations. Former architect of the southwest of EMC. China's top Docker technical experts, Docker open source project contributors. Has a wealth of virtualization, cloud computing and enterprise-class software experience.
Today there are small partners found that docker exposed 2375 port, causing a security hole. I now tell you the whole story of the ins and outs, and tell the little partners, how to fix this loophole.
In order to achieve cluster management, Docker provides a remote management interface. The Docker Daemon acts as a daemon and runs in the background to execute the Docker commands sent to the management interface. It is because of the wrong use of the Docker remote interface, causing security vulnerabilities.
When you start the Docker Daemon, add -H 0.0.0.0:2375, and the Docker Daemon can receive commands from the remote Docker Client. Note that Docker is 2375 port as a non-encrypted port exposed, generally used in the test environment. At this point, there is no encryption and authentication process, as long as the Docker host to know the IP, anyone can manage the container on the host and mirror.
What is the loophole
The domestic cattle people developed a set of Niubi search engine – Zhong Kui's eyes, you can scan out the exposed port on the host. Enter the keyword docker port: 2375 on ZoomEye.org and immediately scan all Docker hosts that have exposed the 2375 port. Because there is no encryption, know the host IP later, the hacker can do whatever they want.
At present there are 717 machines around the world exposed 2375 port! It was terrible!
These hosts are located in various countries around the world, of which the United States hosts the most. This is because Docker is the highest rate of use in the United States, the domestic will be in a year or two large-scale use of Docker. All small partners must solve the security problem.
Hackers in the query to the host IP, you can manage the containers on these hosts.
Docker-h IP: 2375 info
Containers: 8 Running: 8 Paused: 0 Stopped: 0 Images: 62 Server Version: 1.11.0
Through this vulnerability, you can even get host information. The attacker could do whatever he wanted.
Docker -H IP: 2375 run –rm -v /: / root alpine cat / root / etc / hostname
Docker-node-5
How to find loopholes <br /> small partners, quickly check whether your Docker exposed 2375 port.
1. Check the docker daemon process to see if the port 2375 is enabled.
Ps -ef | grep docker
/ Usr / bin / docker daemon -H = tcp: //0.0.0.0: 2375
2. Send commands to the Docker host via remote administration.
Docker-h 192.168.0.10:2375 info
Containers: 41 Running: 16 Paused: 0 Stopped: 25 Images: 821 Server Version: 1.10.3
How to fix the vulnerability <br /> If you want to securely manage the remote Docker host, what should I do? In fact, Docker itself provides an encrypted remote management port 2376, with the CA certificate, you can provide a TLS connection.
First, prepare five certificates and secret key files, namely ca.pem, server-cert.pem, server-key.pem, client-cert.pem and client-key.pem. Where server-cert.pem restricts the list of clients that can access the Docker host.
When starting Docker Deamon, you need to set -H, -tls, -tlscacert = ca.pem, -tlscert = server-cert.pem and -tlskey = server-key.pem. At this point, only the host in the client list can access the Docker host.
The specific configuration is more complex, I now introduce these steps in detail.
1. Generate the CA private key ca-key.pem, which uses the private key to sign the CA certificate.
Ca-key.pem is a temporary file, and finally can be deleted.
Openssl genrsa -out ~ / docker / ca-key.pem 4096
2. Use the CA private key to generate a self-signed CA certificate ca.pem. When generating a certificate, set the validity period of the certificate with -days 365. The unit is days, by default for 30 days.
Openssl req -x509 -sha256 -batch -subj '/ C = CN / ST = Sichuan / L = Chengdu / O = Ghostcloud Co., Ltd / OU = Laboratory / CN = www.gho stcloud.cn' -new -days 365 -key ~ / docker / ca-key.pem -out ~ / docker / ca.pem
When generating a CA certificate, you need to provide some company information.
C is the country, China is CN.
ST represents province, such as Sichuan.
L represents the city, such as Chengdu.
O means company, such as Ghostcloud Co., Ltd.
OU indicates the department name, such as Laboratory.
CN said the company domain name, such as www.ghostcloud.cn .
Docker Windows Port 2375
3. Generate the server private key server-key.pem and CSR (Certificate Signing Request) server-csr.pem. CN is DockerDaemon.
Server-csr.pem is a temporary file, generated server-cert.pem later, you can delete.
Openssl genrsa -out ~ / docker / server-key.pem 4096
Openssl req -subj '/ CN = DockerDaemon' -sha256 -new -key ~ / docker / server-key.pem -out ~ / docker / server-csr.pem
4. Use the CA certificate to generate the server certificate server-cert.pem. TLS connection, you need to limit the client's IP list or domain name list. Only clients in the list can access the Docker Daemon through a client certificate. In this case, only 127.0.0.1 and 192.168.1.100 client access is allowed. If you add 0.0.0.0, all clients can access the Docker Daemon through a certificate.
Allow.list is a temporary file that generates server-cert.pem later and can be deleted.
Echo subjectAltName = IP: 127.0.0.1, IP: 192.168.1.100> ~ / docker / allow.list
Openssl x509 -req -days 365 -sha256 -in ~ / docker / server-csr.pem -CA ~ / docker / ca.pem -CAkey ~ / docker / ca-key.pem -CAcreat eserial -out ~ / docker / server -cert.pem -extfile ~ / docker / allow.list
5. Generate the client private key client-key.pem and CSRclient-csr.pem. CN is DockerClient.
Client-csr.pem is a temporary file, generate client-cert.pem later, you can delete.
Openssl genrsa -out ~ / docker / client-key.pem 4096
Openssl req -subj '/ CN = DockerClient' -new -key ~ / docker / client-key.pem -out ~ / docker / client-csr.pem
6. Use the CA certificate to generate the client certificate client-cert.pem. You need to add the extendedKeyUsage option.
Echo extendedKeyUsage = clientAuth> ~ / docker / options.list
Openssl x509 -req -days 365 -sha256 -in ~ / docker / client-csr.pem -CA ~ / docker / ca.pem -CAkey ~ / docker / ca-key.pem -CAcreat eserial -out ~ / docker / client -cert.pem -extfile ~ / docker / options.list
7. Successfully generated the required certificate and secret key, you can delete the temporary file.
Rm -f ~ / docker / server-csr.pem ~ / docker / client-csr.pem ~ / docker / allow.list ~ / docker / options.list
8. In order to ensure the security of the certificate and private key, you need to modify the file access.
Chmod 0444 ~ / docker / ca.pem ~ / docker / server-cert.pem ~ / docker / client-cert.pem
Chmod 0400 ~ / docker / ca-key.pem ~ / docker / server-key.pem ~ / docker / client-key.pem
9. Restart Docker Daemon, add ca.pem, server-cert.pem and server-key.pem. -H = 0.0.0.0: 2376 indicates that the Docker Daemon is listening on port 2376. Docker daemon -tlsverify -tlscacert = ~ / docker / ca.pem -tlscert = ~ / docker / server-cert.pem -tlskey = ~ / docker / server-key.pem -H = 0.0.0.0: 2376
10. On the client, when running the docker command, add ca.pem, client-cert.pem, and client-key.pem. In this case, only 127.0.0.1 and 192.168.1.100 clients can access the Docker Daemon.
Docker –tlsverify –tlscacert = ~ / docker / ca.pem –tlscert = ~ / docker / client-cert.pem –tlskey = ~ / docker / client-key.pem -H = tcp: // 127.0. 0.1: 2376 info
Containers: 41 Running: 16 Paused: 0 Stopped: 25 Images: 821 Server Version: 1.10.3
Now little partners can safely control the Docker host remotely.
Wizard Cloud Docker Remote Management Solution
The process of generating a CA certificate is complicated and cumbersome, with a slight error, and you can not start a secure connection. Wizard Cloud provides users with a TLS-based Docker remote management solution that allows users to securely manage their own Docker hosts through the wizard cloud management platform.
1. The user is registered on the sprite cloud management platform.
2. Enter the console, through the navigation bar -> cluster -> my host, choose to access the new host. The host added to the wizard cloud management platform.
3. The console provides a graphical user interface and a complete Docker operation, the user can easily create, clone, snapshot, delete the container. At the same time the wizard cloud management platform also provides a mirror warehouse services, to provide you with a rich container image. Wizard Cloud Mirror Warehouse uses OSS object storage, using a security certificate to ensure that your mirror will not leak.