版权声明:原创文章转载请注明出处,谢谢。 https://blog.csdn.net/hexiaohua95/article/details/89634500
本文出自我老大的博客,稍加整理,更易懂。原文:https://safami.co/2019/04/26/docker-install-on-centos-7-and-connect-by-intellij-idea/
基本安装:
# Helper tools for managing yum repos plus the storage packages docker-ce depends on.
yum install -y yum-utils device-mapper-persistent-data lvm2
# Register Docker's official CentOS repository (fetched over HTTPS). On first install
# yum normally asks you to accept the repo's GPG key — compare the fingerprint with
# the one published in Docker's docs before confirming.
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# No -y here, so yum prompts before installing the engine, CLI and containerd.
yum install docker-ce docker-ce-cli containerd.io
# Start the daemon now and have systemd start it at boot.
systemctl start docker
systemctl enable docker
# Smoke test: pulls the hello-world image from Docker Hub and runs it.
docker run hello-world
server端ssl认证:此处以及本文后面部分的$HOST全部替换为你服务器的DNS地址,查看DNS命令:cat /etc/resolv.conf。$HOST 必须与客户端连接时 -H / DOCKER_HOST 中填写的地址完全一致,否则证书校验会失败。$PUBLIC-IP替换为你的IP地址,查看命令:ip addr。在生成SSL证书时,若输错了请使用ctrl+w删除输入内容,此处delete或退格无法使用。
# Keep the CA and server key material together in a root-owned directory.
mkdir -p /etc/docker/tls
cd /etc/docker/tls
# CA private key, passphrase-protected (-aes256). Every client certificate the
# daemon will trust is signed with this key, so it is the most sensitive file
# here: keep it on the server (or offline) and never copy it to clients.
openssl genrsa -aes256 -out ca-key.pem 4096
#Note: the password is required and remember it.
# Self-signed CA certificate, valid 365 days — re-issue before it expires.
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
# Server key has no passphrase because dockerd must load it unattended.
openssl genrsa -out server-key.pem 4096
# $HOST must be exactly the name clients will later put in -H / DOCKER_HOST,
# otherwise their certificate verification fails.
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
# Extension file for the server cert: SAN entries for the DNS name, the public IP
# and loopback, plus the serverAuth EKU. NOTE: "$PUBLIC-IP" is a placeholder to
# replace by hand; as a shell expansion it would read as $PUBLIC followed by "-IP".
# ">>" appends, so delete extfile.cnf before re-running these two lines.
echo subjectAltName = DNS:$HOST,IP:$PUBLIC-IP,IP:127.0.0.1 >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
# Sign the server CSR with the CA (prompts for the CA passphrase);
# -CAcreateserial creates ca.srl on first use.
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
cli端ssl认证:
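# Client identity. Anyone holding cert.pem + key.pem signed by this CA gets full
# (root-equivalent) control of the daemon, so treat the pair like a root password.
# umask in a subshell so key.pem is never world-readable, even before the chmod
# below (older openssl creates the file with the default umask).
( umask 077 && openssl genrsa -out key.pem 4096 )
# Double quotes so $HOST expands exactly as it does for the server CSR; the
# original single quotes left the literal string "$HOST" in the CN. Docker's
# tlsverify only checks the CA signature, not the client CN, so any value works,
# but keep it consistent with the server side.
openssl req -subj "/CN=$HOST" -new -key key.pem -out client.csr
# clientAuth EKU only; ">" (not ">>") so re-running does not duplicate the line.
printf '%s\n' 'extendedKeyUsage = clientAuth' > extfile-client.cnf
# Sign with the CA (prompts for the CA passphrase); reuses ca.srl if present.
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf
# Drop the CSRs and extension files; only keys and certificates remain.
rm -v client.csr server.csr extfile.cnf extfile-client.cnf
# Private keys: owner read-only. Certificates: world-readable is fine.
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem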
停止并禁用 systemd 管理的 docker 服务:
# Stop the packaged service and remove it from boot so the systemd-managed daemon
# does not run alongside the dockerd started by hand below.
systemctl stop docker
systemctl disable docker
使用TLS验证Docker:
# Run the daemon in the foreground with mutual TLS: --tlsverify rejects any client
# whose certificate is not signed by ca.pem. Paths are relative, so run this from
# /etc/docker/tls where the files were created.
# -H=0.0.0.0:2376 listens on every interface; the client certificate is the only
# access control, so also restrict TCP/2376 in the firewall to known client IPs.
dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376
# From a second shell: the client presents cert.pem/key.pem and verifies the server
# against ca.pem; "version" should print both a Client and a Server section.
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2376 version
#Ctrl+C stop dockerd server
Docker使用daemon.json配置远程访问:
# Directory that becomes Docker's data directory via "data-root" in daemon.json.
mkdir -pv /z-eyes/data/docker-data
cd /etc/docker/
# Create /etc/docker/daemon.json with the block below. NOTE(review): the docker-ce
# systemd unit passes its own -H on the dockerd command line, and dockerd refuses
# to start when "hosts" is given both as a flag and in daemon.json — if you later
# re-enable the unit, expect to override its ExecStart with a drop-in; confirm
# against the unit file on your system.
vim daemon.json
#add this text block
{
"data-root":"/z-eyes/data/docker-data",
"hosts":["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
"tls":true,
"tlsverify":true,
"tlscacert":"/etc/docker/tls/ca.pem",
"tlscert":"/etc/docker/tls/server-cert.pem",
"tlskey":"/etc/docker/tls/server-key.pem"
}
使用TLS配置Docker客户端:
# The Docker CLI looks for ca.pem, cert.pem and key.pem in ~/.docker by default.
mkdir -pv ~/.docker
cd /etc/docker/tls/
# Copy only the CA certificate and the client pair — never ca-key.pem or server-key.pem.
cp -v {ca,cert,key}.pem ~/.docker
# Add the export line below to the login profile so every new shell uses the TLS endpoint.
vim ~/.bash_profile
#set DOCKER_HOST
# DOCKER_TLS_VERIFY=1 makes the CLI verify the server against ~/.docker/ca.pem and
# present the client certificate; $HOST must match the CN/SAN in server-cert.pem.
export DOCKER_HOST=tcp://$HOST:2376 DOCKER_TLS_VERIFY=1
# 127.0.0.1 works locally because IP:127.0.0.1 was included in the server cert's SAN.
#for local:export DOCKER_HOST=tcp://127.0.0.1:2376 DOCKER_TLS_VERIFY=1
# Reload the profile in the current shell so the variables take effect now.
source ~/.bash_profile
用TLS验证Docker:
# Both should now succeed without any --tls flags, showing the env vars are in effect.
# A TLS "bad certificate" error here typically means the client cert was not signed by ca.pem.
docker version
docker ps
用 IDEA 远程连接 Docker 所需的客户端证书:
# lrzsz provides sz (ZMODEM transfer over the terminal) to pull files to the workstation.
yum install -y lrzsz
# Download the CA cert and the client pair for IDEA's Docker connection settings.
# key.pem is a credential with full daemon access: keep it with restrictive
# permissions on the workstation and never commit it to a repository.
# Do NOT transfer ca-key.pem.
sz ~/.docker/{ca,cert,key}.pem