溫馨提示×
您好,登錄后才能下訂單哦!
點擊 登錄注冊 即表示同意《億速云用戶服務條款》
您好,登錄后才能下訂單哦!
前言
之前開啟了docker的2375 Remote API,接到公司安全部門的要求,需要啟用授權,翻了下官方文檔
Protect the Docker daemon socket
啟用TLS
在docker服務器,生成CA私有和公共密鑰
$ openssl genrsa -aes256 -out ca-key.pem 4096 Generating RSA private key, 4096 bit long modulus ............................................................................................................................................................................................++ ........++ e is 65537 (0x10001) Enter pass phrase for ca-key.pem: Verifying - Enter pass phrase for ca-key.pem: $ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem Enter pass phrase for ca-key.pem: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]:Queensland Locality Name (eg, city) []:Brisbane Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc Organizational Unit Name (eg, section) []:Sales Common Name (e.g. server FQDN or YOUR name) []:$HOST Email Address []:Sven@home.org.au
有了CA后,可以創建一個服務器密鑰和證書簽名請求(CSR)
$HOST 是你的服務器ip
$ openssl genrsa -out server-key.pem 4096 Generating RSA private key, 4096 bit long modulus .....................................................................++ .................................................................................................++ e is 65537 (0x10001) $ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
接著,用CA來簽署公共密鑰:
$ echo subjectAltName = DNS:$HOST,IP:$HOST:127.0.0.1 >> extfile.cnf $ echo extendedKeyUsage = serverAuth >> extfile.cnf
生成key:
$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \ -CAcreateserial -out server-cert.pem -extfile extfile.cnf Signature ok subject=/CN=your.host.com Getting CA Private Key Enter pass phrase for ca-key.pem:
創建客戶端密鑰和證書簽名請求:
$ openssl genrsa -out key.pem 4096 Generating RSA private key, 4096 bit long modulus .........................................................++ ................++ e is 65537 (0x10001) $ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
修改extfile.cnf:
echo extendedKeyUsage = clientAuth > extfile-client.cnf
生成簽名私鑰:
$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \ -CAcreateserial -out cert.pem -extfile extfile-client.cnf Signature ok subject=/CN=client Getting CA Private Key Enter pass phrase for ca-key.pem:
將Docker服務停止,然后修改docker服務文件
[Unit] Description=Docker Application Container Engine Documentation=http://docs.docker.io [Service] Environment="PATH=/opt/kube/bin:/bin:/sbin:/usr/bin:/usr/sbin" ExecStart=/opt/kube/bin/dockerd --tlsverify --tlscacert=/root/docker/ca.pem --tlscert=/root/docker/server-cert.pem --tlskey=/root/docker/server-key.pem -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT ExecReload=/bin/kill -s HUP $MAINPID Restart=on-failure RestartSec=5 LimitNOFILE=infinity LimitNPROC=infinity LimitCORE=infinity Delegate=yes KillMode=process [Install] WantedBy=multi-user.target
然后重啟服務
systemctl daemon-reload systemctl restart docker.service
重啟后查看服務狀態:
systemctl status docker.service ● docker.service - Docker Application Container Engine Loaded: loaded (/etc/systemd/system/docker.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2019-08-08 19:22:26 CST; 1 min ago
已經生效。
使用證書連接:
復制ca.pem,cert.pem,key.pem三個文件到客戶端
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2375 version連接即可
docker-java 啟用TLS
項目里使用docker的java客戶端docker-java調用docker,為了支持TLS,在創建客戶端時,需要增加TLS設置。
首先將ca.pem cert.pem key.pem這三個文件拷貝到本地,例如E:\\docker\\",
然后DefaultDockerClientConfig里withDockerTlsVerify設為true,并設置certpath為剛拷貝的目錄。
DefaultDockerClientConfig.Builder builder =
DefaultDockerClientConfig.createDefaultConfigBuilder()
.withDockerHost("tcp://" + server + ":2375")
.withApiVersion("1.30");
if (containerConfiguration.getDockerTlsVerify()) {
builder = builder.withDockerTlsVerify(true)
.withDockerCertPath("E:\\docker\\");
}
return DockerClientBuilder.getInstance(builder.build()).build()
大工搞定。
總結
以上就是這篇文章的全部內容了,希望本文的內容對大家的學習或者工作具有一定的參考學習價值,謝謝大家對億速云的支持。
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。
