• 企业400电话
  • 微网小程序
  • AI电话机器人
  • 电商代运营
  • 全 部 栏 目

    企业400电话 网络优化推广 AI电话机器人 呼叫中心 网站建设 商标✡知产 微网小程序 电商运营 彩铃•短信 增值拓展业务
    Docker启用TLS实现安全配置的步骤

    前言

    之前开启了docker的2375 Remote API,接到公司安全部门的要求,需要启用授权,翻了下官方文档

    Protect the Docker daemon socket

    启用TLS

    在docker服务器,生成CA私有和公共密钥

    $ openssl genrsa -aes256 -out ca-key.pem 4096
    Generating RSA private key, 4096 bit long modulus
    ............................................................................................................................................................................................++
    ........++
    e is 65537 (0x10001)
    Enter pass phrase for ca-key.pem:
    Verifying - Enter pass phrase for ca-key.pem:
    
    $ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
    Enter pass phrase for ca-key.pem:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:Queensland
    Locality Name (eg, city) []:Brisbane
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc
    Organizational Unit Name (eg, section) []:Sales
    Common Name (e.g. server FQDN or YOUR name) []:$HOST
    Email Address []:Sven@home.org.au

    有了CA后,可以创建一个服务器密钥和证书签名请求(CSR)

    $HOST 是你的服务器ip

    $ openssl genrsa -out server-key.pem 4096
    Generating RSA private key, 4096 bit long modulus
    .....................................................................++
    .................................................................................................++
    e is 65537 (0x10001)
    
    $ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

    接着,用CA来签署公共密钥:

    $ echo subjectAltName = DNS:$HOST,IP:$HOST:127.0.0.1 >> extfile.cnf
    
     $ echo extendedKeyUsage = serverAuth >> extfile.cnf

    生成key:

    $ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
    
     -CAcreateserial -out server-cert.pem -extfile extfile.cnf
    Signature ok
    subject=/CN=your.host.com
    Getting CA Private Key
    Enter pass phrase for ca-key.pem:

    创建客户端密钥和证书签名请求:

    $ openssl genrsa -out key.pem 4096
    Generating RSA private key, 4096 bit long modulus
    .........................................................++
    ................++
    e is 65537 (0x10001)
    
    $ openssl req -subj '/CN=client' -new -key key.pem -out client.csr

    修改extfile.cnf:

    echo extendedKeyUsage = clientAuth > extfile-client.cnf

    生成签名私钥:

    $ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
    
     -CAcreateserial -out cert.pem -extfile extfile-client.cnf
    Signature ok
    subject=/CN=client
    Getting CA Private Key
    Enter pass phrase for ca-key.pem:

    将Docker服务停止,然后修改docker服务文件

    [Unit]
    Description=Docker Application Container Engine
    Documentation=http://docs.docker.io
    
    [Service]
    Environment="PATH=/opt/kube/bin:/bin:/sbin:/usr/bin:/usr/sbin"
    ExecStart=/opt/kube/bin/dockerd --tlsverify --tlscacert=/root/docker/ca.pem --tlscert=/root/docker/server-cert.pem --tlskey=/root/docker/server-key.pem -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375
    ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
    ExecReload=/bin/kill -s HUP $MAINPID
    Restart=on-failure
    RestartSec=5
    LimitNOFILE=infinity
    LimitNPROC=infinity
    LimitCORE=infinity
    Delegate=yes
    KillMode=process
    
    [Install]
    WantedBy=multi-user.target

    然后重启服务

    systemctl daemon-reload
    systemctl restart docker.service 

    重启后查看服务状态:

    systemctl status docker.service
    ● docker.service - Docker Application Container Engine
      Loaded: loaded (/etc/systemd/system/docker.service; enabled; vendor preset: enabled)
      Active: active (running) since Thu 2019-08-08 19:22:26 CST; 1 min ago

    已经生效。

    使用证书连接:

    复制ca.pem,cert.pem,key.pem三个文件到客户端

    docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2375 version连接即可

    docker-java 启用TLS

    项目里使用docker的java客户端docker-java调用docker,为了支持TLS,在创建客户端时,需要增加TLS设置。

    首先将ca.pem cert.pem key.pem这三个文件拷贝到本地,例如E:\\docker\\",

    然后DefaultDockerClientConfig里withDockerTlsVerify设为true,并设置certpath为刚拷贝的目录。 

    DefaultDockerClientConfig.Builder builder =
            DefaultDockerClientConfig.createDefaultConfigBuilder()
              .withDockerHost("tcp://" + server + ":2375")
              .withApiVersion("1.30");
          if (containerConfiguration.getDockerTlsVerify()) {
            builder = builder.withDockerTlsVerify(true)
              .withDockerCertPath("E:\\docker\\");
          }
      return DockerClientBuilder.getInstance(builder.build()).build()

    大工搞定。

    总结

    以上就是这篇文章的全部内容了,希望本文的内容对大家的学习或者工作具有一定的参考学习价值,谢谢大家对脚本之家的支持。

    上一篇:centos7 docker 修改Nginx文件过程详解
    下一篇:Linux中jar包启动和jar包后台运行的实现方式
  • 相关文章
  • 

    © 2016-2020 巨人网络通讯 版权所有

    《增值电信业务经营许可证》 苏ICP备15040257号-8

    Docker启用TLS实现安全配置的步骤 Docker,启用,TLS,实现,安全,