项目中,我们docker常常需要使用java来调用,这是就需要使用http请求了,但是这样就增加了不安全因素,那就是所有人都可以通过http来访问你的docker。这时,我们可以配置TLS。
创建证书
使用openssl来创建CA,并签署秘钥/证书。
首先创建一个certs目录,并内置三个子目录 ca、client、server。
$ mkdir -p ~/certs/{ca,client,server}
复制代码运行openssl创建CA秘钥和证书,并将CA证书保存在~/certs/ca 目录下。
$ openssl genrsa -out ~/certs/ca/ca-key.pem 2048
$ openssl req -x509 -new -nodes -key ~/certs/ca/ca-key.pem \
-days 10000 -out ~/certs/ca/ca.pem -subj '/CN=docker-CA'
复制代码创建一个用于client的openssl配置文件~/certs/client/openssl.cnf
cd ~/certs/client/
vim openssl.cnf
复制代码[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
复制代码再创建一个用于server的openssl配置文件~/certs/server/openssl.cnf
alt_names中的ip为Docker Server的ip,即client需要访问的ip,若有多个docker服务,此处填写多个,否则client将无法访问Docker Server。
cd ~/certs/server/
vim openssl.cnf
复制代码[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = docker.local
IP.1 = 你自己服务器的IP
IP.2 = 你自己服务器的IP2
复制代码为客户端创建并签署证书
$ openssl genrsa -out ~/certs/client/key.pem 2048
$ openssl req -new -key ~/certs/client/key.pem -out ~/certs/client/cert.csr \
-subj '/CN=docker-client' -config ~/certs/client/openssl.cnf
$ openssl x509 -req -in ~/certs/client/cert.csr -CA ~/certs/ca/ca.pem \
-CAkey ~/certs/ca/ca-key.pem -CAcreateserial \
-out ~/certs/client/cert.pem -days 365 -extensions v3_req \
-extfile ~/certs/client/openssl.cnf
复制代码为服务端创建并签署证书
$ openssl genrsa -out ~/certs/server/key.pem 2048
$ openssl req -new -key ~/certs/server/key.pem \
-out ~/certs/server/cert.csr \
-subj '/CN=docker-server' -config ~/certs/server/openssl.cnf
$ openssl x509 -req -in ~/certs/server/cert.csr -CA ~/certs/ca/ca.pem \
-CAkey ~/certs/ca/ca-key.pem -CAcreateserial \
-out ~/certs/server/cert.pem -days 365 -extensions v3_req \
-extfile ~/certs/server/openssl.cnf
复制代码此时,所有证书已经创建完毕,目录结构如下:
.
├── ca
│ ├── ca-key.pem
│ ├── ca.pem
│ └── ca.srl
├── client
│ ├── cert.csr
│ ├── cert.pem
│ ├── key.pem
│ └── openssl.cnf
└── server
├── cert.csr
├── cert.pem
├── key.pem
└── openssl.cnf
在Docker中配置TLS证书
查看配置文件位置
$ systemctl show --property=FragmentPath docker
FragmentPath=/lib/systemd/system/docker.service
$ vim /lib/systemd/system/docker.service
复制代码
在配置文件中开启TLS,并配置服务端证书,将上一步生成好的server证书和ca.pem拷贝至/etc/docker/ssl。
ExecStart=/usr/bin/dockerd-current -H tcp://192.168.0.1:2375 -H unix:///var/run/docker.sock –tlsverify –tlscacert=/etc/docker/ssl/ca.pem –tlscert=/etc/docker/ssl/cert.pem –tlskey=/etc/docker/ssl/key.pem
重新加载systemd和Docker服务
$ sudo systemctl daemon-reload
$ sudo systemctl restart docker
复制代码此时,Docker Server端的TLS配置已经完成。
在客户端中使用TLS证书
未使用TLS证书访问Docker Server
$ docker -H tcp://192.168.0.1:2375 version
Client:
Version: 17.03.0-ce
API version: 1.26
Go version: go1.7.5
Git commit: 3a232c8
Built: Tue Feb 28 08:10:07 2017
OS/Arch: linux/amd64
Get http://101.37.164.86:3257/v1.26/version: malformed HTTP response "\x15\x03\x01\x00\x02\x02".
* Are you trying to connect to a TLS-enabled daemon without TLS?
复制代码使用TLS证书访问DockerServer
此处的为客户端的密钥。和你配置的IP地址
$ docker --tlsverify --tlscacert=/ca.pem --tlscert=/cert.pem --tlskey=/key.pem -H tcp://192.168.0.1 version
Client:
Version: 17.03.0-ce
API version: 1.26
Go version: go1.7.5
Git commit: 3a232c8
Built: Tue Feb 28 08:10:07 2017
OS/Arch: linux/amd64
Server:
Version: 17.03.1-ce
API version: 1.27 (minimum version 1.12)
Go version: go1.7.5
Git commit: c6d412e
Built: Mon Mar 27 17:14:09 2017
OS/Arch: linux/amd64
Experimental: false
复制代码
![[桜井宁宁]COS和泉纱雾超可爱写真福利集-一一网](https://www.proyy.com/skycj/data/images/2020-12-13/4d3cf227a85d7e79f5d6b4efb6bde3e8.jpg)
![[桜井宁宁] 爆乳奶牛少女cos写真-一一网](https://www.proyy.com/skycj/data/images/2020-12-13/d40483e126fcf567894e89c65eaca655.jpg)
