Using TLS

Both the main DockerClient and low-level APIClient can connect to the Docker daemon with TLS.

This is all configured automatically for you if you’re using from_env(), but if you need some extra control it is possible to configure it manually by using a TLSConfig object.

Examples

For example, to check the server against a specific CA certificate:

import docker

tls_config = docker.tls.TLSConfig(ca_cert='/path/to/ca.pem', verify=True)
client = docker.DockerClient(base_url='<https_url>', tls=tls_config)

This is the equivalent of docker --tlsverify --tlscacert /path/to/ca.pem ....

To authenticate with client certs:

import docker

tls_config = docker.tls.TLSConfig(
  client_cert=('/path/to/client-cert.pem', '/path/to/client-key.pem')
)
client = docker.DockerClient(base_url='<https_url>', tls=tls_config)

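This is the equivalent of docker --tls --tlscert /path/to/client-cert.pem --tlskey /path/to/client-key.pem .... Because verify is not set here, the client presents its certificate but does not verify the server's certificate (see verify in the Reference below).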
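
The two examples above combined into mutual TLS (server verified against a CA, client authenticated with a certificate), as an added example that is not part of the original documentation. It assumes the Docker CLI's file layout (ca.pem, cert.pem, key.pem in one directory); mutual_tls_kwargs and connect are hypothetical helper names.

```python
import os
import stat


def mutual_tls_kwargs(cert_dir):
    """Return TLSConfig keyword arguments for mutual TLS, or raise ValueError.

    Assumption: cert_dir uses the Docker CLI layout (ca.pem, cert.pem, key.pem).
    """
    paths = {name: os.path.join(cert_dir, name)
             for name in ("ca.pem", "cert.pem", "key.pem")}
    missing = sorted(n for n, p in paths.items() if not os.path.isfile(p))
    if missing:
        # Fail closed: without ca.pem the server could not be verified, and
        # without cert.pem/key.pem the client could not authenticate.
        raise ValueError("missing TLS material: " + ", ".join(missing))

    # The private key should be accessible to its owner only.
    mode = stat.S_IMODE(os.stat(paths["key.pem"]).st_mode)
    if mode & 0o077:
        raise ValueError("key.pem is accessible to group/other (mode %o)" % mode)

    return {
        "client_cert": (paths["cert.pem"], paths["key.pem"]),
        "ca_cert": paths["ca.pem"],
        "verify": True,  # never rely on the unverified default
    }


def connect(base_url, cert_dir):
    """Build a DockerClient that verifies the daemon and presents a client cert."""
    import docker  # imported here so the checks above run without the SDK

    tls_config = docker.tls.TLSConfig(**mutual_tls_kwargs(cert_dir))
    return docker.DockerClient(base_url=base_url, tls=tls_config)
```

Call connect('<https_url>', '/path/to/certs') in place of the manual TLSConfig construction; it raises ValueError before any connection is attempted if the material is incomplete or the key is too widely readable.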

Reference

class TLSConfig

TLS configuration.

Parameters:
  • client_cert (tuple of str) – Path to client cert, path to client key.

  • ca_cert (str) – Path to CA cert file.

  • verify (bool or str) – This can be a bool or a path to a CA cert file to verify against. If True, verify using ca_cert; if False or not specified, do not verify.