Enabling an Authentication Mechanism for Docker Remote API

Abstract

Docker is an operating system level virtualization mechanism on Linux which allows deploy and run applications inside software containers. Software containers provides lightweight and faster delivery of applications by separating applications from the infrastructure. Furthermore it helps to provide better hardware utilization than virtual machines. Docker has now became one of the fast growing industry practices in the field of software virtualization. Docker architecture allows users to interact with the Docker daemon and other Docker components via three different types of mechanisms, which allows developers and system administrators manage dockerized resources effective and efficient way. One approach is making the Docker daemon listening on a TCP port and allows users to make requests through an API. This API is known as Docker Remote API. One of the major drawbacks of above mentioned mechanism is Docker hasn’t implement a flexible request authentication mechanism for the requests which are pointed to Remote API which makes it problematic in accessing Docker via the Remote API. This project has focused on introducing and implementing a token based request authentication mechanism to the Docker Remote API when the Docker daemon listening on a TCP port. The new implementation makes Docker Remote API accessible only via a proxy server. The proxy server act as a reverse proxy for the user requests which are directed to Docker Remote API. An authentication server also been in place with the new implementation to issue and validate the access tokens, which are required to access the Docker Remote API via the proxy server. With the new implementation, users and applications which are eligible to perform Docker operations via Remote API should have proper secret credentials. The access tokens can be obtained by submitting those credentials to the authentication server. Every request which is made to the Docker Remote API should have a valid access token. The proxy server validates the access token of the request with the authentication server and pass the request to the Docker Remote API or reject the request. The final evaluation shows that, though the new implementation has introduced some latency to the request-response routing, it has achieved the aspects of request authentication without deviating the responses.