Before turning the docker's 2375 Remote API, the company received the required security departments need to enable authorization, turned down an official document
Protect the Docker daemon socket
Enable TLS
In docker server, CA to generate private and public keys
$ openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................................................++
........++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:Queensland
Locality Name (eg, city) []:Brisbane
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc
Organizational Unit Name (eg, section) []:Sales
Common Name (e.g. server FQDN or YOUR name) []:$HOST
Email Address []:[email protected]
With the CA, you can create a server key and certificate signing request (CSR)
$ HOST is your server ip
$ openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.....................................................................++
.................................................................................................++
e is 65537 (0x10001)
$ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
Next, CA to sign the public key:
$ echo subjectAltName = DNS:$HOST,IP:$HOST:127.0.0.1 >> extfile.cnf
$ echo extendedKeyUsage = serverAuth >> extfile.cnf
Generate key:
$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=your.host.com
Getting CA Private Key
Enter pass phrase for ca-key.pem:
Create a client key and certificate signing request:
$ openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................................++
................++
e is 65537 (0x10001)
$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
Modify extfile.cnf
:
echo extendedKeyUsage = clientAuth > extfile-client.cnf
The private key to generate a signature:
$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out cert.pem -extfile extfile-client.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:
Docker service will stop, and then modify the file docker Service
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io
[Service]
Environment="PATH=/opt/kube/bin:/bin:/sbin:/usr/bin:/usr/sbin"
ExecStart=/opt/kube/bin/dockerd --tlsverify --tlscacert=/root/docker/ca.pem --tlscert=/root/docker/server-cert.pem --tlskey=/root/docker/server-key.pem -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375
ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
RestartSec=5
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
Then restart the service
systemctl daemon-reload
systemctl restart docker.service
重启后查看服务状态:
systemctl status docker.service
● docker.service - Docker Application Container Engine
Loaded: loaded (/etc/systemd/system/docker.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-08-08 19:22:26 CST; 1 min ago
Already in force.
Use Certificate connection:
Copy ca.pem
, cert.pem
, key.pem
three files to the client
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2375 version
Connection to
docker-java enabled TLS
Use docker project in the java client docker-java
calls the docker, in order to support TLS, when creating a client, you need to increase TLS settings.
First ca.pem cert.pem key.pem
copy these three files to a local, e.g. E:\\docker\\"
,
Then DefaultDockerClientConfig
in the withDockerTlsVerify
set to true, and set certpath
to just copy the directory.
DefaultDockerClientConfig.Builder builder =
DefaultDockerClientConfig.createDefaultConfigBuilder()
.withDockerHost("tcp://" + server + ":2375")
.withApiVersion("1.30");
if (containerConfiguration.getDockerTlsVerify()) {
builder = builder.withDockerTlsVerify(true)
.withDockerCertPath("E:\\docker\\");
}
return DockerClientBuilder.getInstance(builder.build()).build()
Great work done.
Author: Jadepeng
Source: jqpeng technical notepad - http://www.cnblogs.com/xiaoqi
Your support is the greatest encouragement blogger, thank you for your read.
This article belongs to the author of all, welcome to reprint, but without the author's consent declared by this section must be retained, and given the original connection in the apparent position of the article page, otherwise the right to pursue legal responsibilities.