Docker 开启远程访问端口时，防止非法访问
- 配置证书认证
- 配置防火墙或安全策略
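#!/bin/bash
# docker.tls.sh
# Environment: CentOS 7, run as root.
# Create Docker TLS certificates.
#
# Creates a private CA plus a server and a client certificate for the Docker
# daemon, installs them under $HOME/.docker, and appends TLS flags to the
# dockerd ExecStart line so the daemon listens on a TCP port and only accepts
# clients that present a certificate signed by that CA (--tlsverify).
#
# Usage (as root): ./docker.tls.sh
# Optional environment overrides:
#   CA_PASSWORD  passphrase for the CA private key; random when unset (the CA
#                key is deleted at the end of the run, see cleanup()).
#   PORT         daemon TLS port (default 2376).
#   BIND_ADDR    address dockerd listens on (default 0.0.0.0, i.e. every
#                interface; restrict with a firewall or a specific address).
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

########## configuration
(( EUID == 0 )) || die "this script must run as root"
for tool in openssl ip hostname systemctl; do
  command -v "$tool" >/dev/null || die "required command not found: $tool"
done

Port="${PORT:-2376}"
BindAddr="${BIND_ADDR:-0.0.0.0}"
Node=$(hostname)
# First IPv4 address on an ens*/eth* interface; used as the server CN and SAN.
# head -n1 keeps a single line when several interfaces match.
IP=$(ip add | sed -nr 's#^.*inet (.*)/[1-9].*(ens|eth).*$#\1#gp' | head -n 1)
[[ -n "$IP" ]] || die "could not detect the host IP (no inet address on an ens*/eth* interface)"
# Passphrase protecting the CA key for the lifetime of this run. Handed to
# openssl as env:CA_PASSWORD instead of pass:... so it never shows up in ps.
CA_PASSWORD="${CA_PASSWORD:-$(openssl rand -base64 24)}"
export CA_PASSWORD
COUNTRY="CN"
STATE="Shanghai"
CITY="Shanghai"
ORGANIZATION="Elven"
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
EMAIL="228@elven.vip"
readonly Port BindAddr Node IP COUNTRY STATE CITY ORGANIZATION ORGANIZATIONAL_UNIT COMMON_NAME EMAIL

#######################################
# Remove the intermediate files this run created in the working directory,
# including the CA key: only the installed copies survive. Runs on any exit
# so a failed run does not leave key material behind. Deletes by name rather
# than "*.pem" so unrelated files in the directory are untouched.
# Note: with the CA key gone, no further client certificates can be issued
# from this CA; keep a copy elsewhere first if you need that.
# Globals: Node (read)
#######################################
cleanup() {
  rm -f -- "ca-key_$Node.pem" "ca_$Node.pem" "ca_$Node.srl" \
    "server-key_$Node.pem" "server-cert_$Node.pem" server.csr extfile-server.cnf \
    "client-key_$Node.pem" "client-cert_$Node.pem" client.csr extfile-client.cnf
}
trap cleanup EXIT

########## generate certificates

#######################################
# Generate the CA: an AES-256 encrypted 4096-bit key and a self-signed
# certificate valid for 730 days.
# Globals: Node, CA_PASSWORD (read by openssl from the environment),
#          subject fields (read)
#######################################
make_ca() {
  openssl genrsa -aes256 -passout env:CA_PASSWORD \
    -out "ca-key_$Node.pem" 4096 &>/dev/null || die "CA key generation failed"
  openssl req -new -x509 -days 730 -sha256 \
    -key "ca-key_$Node.pem" -passin env:CA_PASSWORD \
    -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL" \
    -out "ca_$Node.pem" &>/dev/null || die "CA certificate generation failed"
}

#######################################
# Generate the daemon's key, CSR and CA-signed certificate (730 days).
# The extension file is written fresh (not appended) and holds only the
# server extensions; the SAN must list every address clients will dial,
# 127.0.0.1 included so local --tlsverify use works.
# Globals: Node, IP, COMMON_NAME (read)
#######################################
make_server_cert() {
  echo "#Server"
  openssl genrsa -out "server-key_$Node.pem" 4096 &>/dev/null || die "server key generation failed"
  openssl req -subj "/CN=$COMMON_NAME" -sha256 -new \
    -key "server-key_$Node.pem" -out server.csr
  printf '%s\n' "subjectAltName = IP:$IP,IP:127.0.0.1" \
    "extendedKeyUsage = serverAuth" > extfile-server.cnf
  openssl x509 -req -days 730 -sha256 -in server.csr \
    -CA "ca_$Node.pem" -CAkey "ca-key_$Node.pem" -passin env:CA_PASSWORD -CAcreateserial \
    -extfile extfile-server.cnf -out "server-cert_$Node.pem"
}

#######################################
# Generate the client key, CSR and CA-signed certificate (730 days).
# Uses its own extension file so the client cert carries clientAuth only and
# does not inherit the server's subjectAltName / serverAuth entries.
# Globals: Node (read)
#######################################
make_client_cert() {
  echo "#Client"
  openssl genrsa -out "client-key_$Node.pem" 4096 &>/dev/null || die "client key generation failed"
  openssl req -subj '/CN=client' -new -key "client-key_$Node.pem" -out client.csr
  printf '%s\n' "extendedKeyUsage = clientAuth" > extfile-client.cnf
  openssl x509 -req -days 730 -sha256 -in client.csr \
    -CA "ca_$Node.pem" -CAkey "ca-key_$Node.pem" -passin env:CA_PASSWORD -CAcreateserial \
    -extfile extfile-client.cnf -out "client-cert_$Node.pem"
}

########## docker configuration

#######################################
# Lock down file modes, copy everything into $HOME/.docker and bundle the
# client material (CA cert, client cert, client key) as a tarball.
# Globals: Node, HOME (read)
# Outputs: lists the tarball on stdout.
#######################################
install_certs() {
  local dest="$HOME/.docker"
  local bundle="docker-tls-client_$Node.tar.gz"
  chmod 0400 "client-key_$Node.pem" "server-key_$Node.pem"
  chmod 0444 "ca_$Node.pem" "server-cert_$Node.pem" "client-cert_$Node.pem"
  echo
  echo "#拷贝证书"
  mkdir -p "$dest"
  chmod 0700 "$dest"
  # server certificates
  cp -avf "ca_$Node.pem" "server-cert_$Node.pem" "server-key_$Node.pem" "$dest"
  # client certificate files
  cp -avf "client-cert_$Node.pem" "client-key_$Node.pem" "$dest/"
  # bundle client certificates; the bundle contains the client private key,
  # so hand it over a trusted channel only
  tar -zcf "$bundle" "ca_$Node.pem" "client-cert_$Node.pem" "client-key_$Node.pem"
  cp -af "$bundle" "$dest/"
  ls -hl "$PWD/$bundle"
}

#######################################
# Append the TLS flags to the dockerd ExecStart line and reload systemd.
# --tlsverify (not just --tls) makes the daemon reject any client without a
# certificate signed by our CA; with --tls alone the port is reachable by
# anyone who can connect to it.
# Idempotent: skips the edit when the unit already carries --tlscacert, so a
# re-run does not stack duplicate flags.
# Globals: Node, HOME, BindAddr, Port (read)
#######################################
configure_dockerd() {
  local unit=/lib/systemd/system/docker.service
  local opts=" --tlsverify --tlscacert=$HOME/.docker/ca_${Node}.pem --tlscert=$HOME/.docker/server-cert_${Node}.pem --tlskey=$HOME/.docker/server-key_${Node}.pem -H ${BindAddr}:${Port} "
  echo
  echo "#修改docker启动项 $unit"
  [[ -f "$unit" ]] || die "$unit not found"
  if grep -q -- '--tlscacert=' "$unit"; then
    printf 'warn: %s already has TLS options; ExecStart left unchanged\n' "$unit" >&2
  else
    # Edits the packaged unit in place (as before); a drop-in under
    # /etc/systemd/system/docker.service.d/ would survive package upgrades.
    # NOTE(review): if /etc/docker/daemon.json also sets "hosts", dockerd
    # refuses to start with a conflicting -H flag — confirm before restarting.
    sed -i "s#^ExecStart=.*#& $opts #" "$unit"
  fi
  grep '^ExecStart' "$unit"
  systemctl daemon-reload
}

#######################################
# Print example client commands (docker CLI and curl) for the new TLS port.
# Globals: IP, Port, Node (read)
#######################################
print_client_usage() {
  echo
  echo "#客户端远程连接"
  echo "docker -H $IP:${Port} --tlsverify --tlscacert ~/.docker/ca_$Node.pem --tlscert ~/.docker/client-cert_$Node.pem --tlskey ~/.docker/client-key_$Node.pem ps -a"
  echo "#客户端使用curl连接"
  echo "curl --cacert ~/.docker/ca_$Node.pem --cert ~/.docker/client-cert_$Node.pem --key ~/.docker/client-key_$Node.pem https://$IP:${Port}/containers/json"
}

#######################################
# Entry point: CA -> server cert -> client cert -> install -> dockerd flags.
# The working-directory copies are removed by the EXIT trap (cleanup).
#######################################
main() {
  make_ca
  make_server_cert
  make_client_cert
  install_certs
  configure_dockerd
  print_client_usage
  echo
  printf '\033[1;32m#重启docker生效 systemctl restart docker \033[0m\n'
}
main "$@"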