• Changing the Docker client's connection to docker_host on CentOS from the default to TLS


    1. Install Docker; refer to the official documentation (Installing Docker on CentOS).

    2. Once installation is complete, the various docker commands should be able to connect to the docker host. The docker host runs on the local machine, but it is not the same thing as localhost. Under the default settings the docker host (the docker daemon) listens on docker.sock; a docker.sock file should exist on the machine, and it is what lets the docker commands run instructions on the docker host or fetch information from it. The following describes how to change the default connection method to TLS.

    3. Generate certificates with openssl:

        Changing the connection between the docker client and the docker daemon to TLS requires already-generated certificates as a prerequisite. The certificates can be generated with openssl. It is recommended to create a new folder to hold the certificates that will be generated; cd into that directory.

        a. Generate the key and the CA certificate (the passphrase entered when generating the key will be asked for several more times when certificates are generated later; replace $HOST below with the DNS name of the docker daemon host):

    $ openssl genrsa -aes256 -out ca-key.pem 4096
    Generating RSA private key, 4096 bit long modulus
    ............................................................................................................................................................................................++
    ........++
    e is 65537 (0x10001)
    Enter pass phrase for ca-key.pem:
    Verifying - Enter pass phrase for ca-key.pem:
    $ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
    Enter pass phrase for ca-key.pem:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:SH
    State or Province Name (full name) [Some-State]:ShangHai
    Locality Name (eg, city) []:ShangHai
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company Name
    Organizational Unit Name (eg, section) []:Sales
    Common Name (e.g. server FQDN or YOUR name) []:$HOST
    Email Address []:example@xxx.com
    

        b. Generate the server key and the CSR file (replace $HOST below with the DNS name of the docker daemon host)

    $ openssl genrsa -out server-key.pem 4096
    Generating RSA private key, 4096 bit long modulus
    .....................................................................++
    .................................................................................................++
    e is 65537 (0x10001)
    $ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

        c. To let your TLS connection work by IP address as well, bind the local IP (replace $LOCALIP below with the local IP)

    $ echo subjectAltName = IP:$LOCALIP,IP:127.0.0.1 > extfile.cnf
    
    $ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
    Signature ok
    subject=/CN=your.host.com
    Getting CA Private Key
    Enter pass phrase for ca-key.pem:

        d. Generate the key, certificate and related files the client needs in order to connect

    $ openssl genrsa -out key.pem 4096
    Generating RSA private key, 4096 bit long modulus
    .........................................................++
    ................++
    e is 65537 (0x10001)
    $ openssl req -subj '/CN=client' -new -key key.pem -out client.csr

        e. Generate the client certificate extension file

    $ echo extendedKeyUsage = clientAuth > extfile.cnf

        f. Sign the client CSR with the CA to produce the client certificate

    $ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
    Signature ok
    subject=/CN=client
    Getting CA Private Key
    Enter pass phrase for ca-key.pem:
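    The certificate steps a to f above, collected into one non-interactive script with a verification pass at the end. This is an added example, not code from the original post: it assumes openssl on PATH, takes the CA passphrase from a CA_PASS variable (constructed default "changeme"), and, going one step beyond the post, puts DNS:$HOST into the server SAN alongside the two IP entries so the daemon can be verified by name as well as by address. The verify_client_bundle function checks exactly the three files (ca.pem, cert.pem, key.pem) that the client later uses from ~/.docker.

```shell
#!/bin/sh
# Added example, not code from the original post: the openssl steps above as a
# non-interactive script plus a verification pass. Assumes openssl on PATH and
# takes the CA passphrase from CA_PASS (constructed default, replace it).
CA_PASS="${CA_PASS:-changeme}"

# gen_docker_certs DIR HOST IP
# Writes ca.pem, server-cert.pem, server-key.pem, cert.pem and key.pem into DIR
# (the post's file names). Runs in a subshell so the cd stays local; a failing
# openssl call breaks the && chain and the function returns non-zero.
gen_docker_certs() (
    dir=$1; host=$2; ip=$3
    mkdir -p "$dir" && cd "$dir" &&
    # CA: passphrase-protected key (as in step a) and self-signed certificate
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca-key.pem 4096 2>/dev/null &&
    openssl req -new -x509 -days 365 -sha256 -subj "/CN=docker-ca" \
        -key ca-key.pem -passin "pass:$CA_PASS" -out ca.pem &&
    # server: key, CSR, SAN (DNS name added to the post's two IPs) + serverAuth
    openssl genrsa -out server-key.pem 4096 2>/dev/null &&
    openssl req -subj "/CN=$host" -sha256 -new -key server-key.pem -out server.csr &&
    printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
        "$host" "$ip" > server-ext.cnf &&
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
        -passin "pass:$CA_PASS" -CAcreateserial -out server-cert.pem \
        -extfile server-ext.cnf 2>/dev/null &&
    # client: key, CSR, clientAuth extension, CA-signed certificate
    openssl genrsa -out key.pem 4096 2>/dev/null &&
    openssl req -subj '/CN=client' -new -key key.pem -out client.csr &&
    printf 'extendedKeyUsage = clientAuth\n' > client-ext.cnf &&
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
        -passin "pass:$CA_PASS" -CAcreateserial -out cert.pem \
        -extfile client-ext.cnf 2>/dev/null &&
    # keys readable only by their owner, certificates world-readable
    chmod 0400 ca-key.pem server-key.pem key.pem &&
    chmod 0444 ca.pem server-cert.pem cert.pem &&
    rm -f server.csr client.csr server-ext.cnf client-ext.cnf
)

# cert_text FILE: decoded certificate, for grepping its extensions
cert_text() { openssl x509 -in "$1" -noout -text; }

# key_matches CERT KEY: 0 if CERT's public key belongs to the RSA key in KEY
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = \
      "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# verify_server_cert DIR HOST IP: chains to ca.pem, carries the DNS name and
# both IPs in its SAN, is marked for server use, and matches server-key.pem
verify_server_cert() (
    cd "$1" && host=$2 && ip=$3 &&
    openssl verify -CAfile ca.pem server-cert.pem >/dev/null &&
    cert_text server-cert.pem | grep -qF "DNS:$host" &&
    cert_text server-cert.pem | grep -qF "IP Address:$ip" &&
    cert_text server-cert.pem | grep -qF "IP Address:127.0.0.1" &&
    cert_text server-cert.pem | grep -qF "TLS Web Server Authentication" &&
    key_matches server-cert.pem server-key.pem
)

# verify_client_bundle DIR: the three files the docker client needs (ca.pem,
# cert.pem, key.pem): cert chains to the CA, is marked for client use, matches
# key.pem, and key.pem is readable by its owner only
verify_client_bundle() (
    cd "$1" &&
    openssl verify -CAfile ca.pem cert.pem >/dev/null &&
    cert_text cert.pem | grep -qF "TLS Web Client Authentication" &&
    key_matches cert.pem key.pem &&
    [ "$(ls -l key.pem | cut -c1-10)" = "-r--------" ]
)

# Usage: sh docker-tls-certs.sh DIR HOST IP
if [ "$#" -ge 3 ]; then
    gen_docker_certs "$1" "$2" "$3" &&
    verify_server_cert "$1" "$2" "$3" &&
    verify_client_bundle "$1" &&
    echo "certificates written to $1 and verified"
fi
```

    Run it as `sh docker-tls-certs.sh /root/docker-certs $HOST $LOCALIP`; the same verify_client_bundle check can be pointed at ~/.docker after the client files have been copied there, and verify_server_cert fails if the IP you pass is not in the certificate, which is the mistake that otherwise only shows up as a TLS handshake error later.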

    4. Add the generated certificates to Docker's configuration file. On CentOS the Docker configuration file is /etc/sysconfig/docker; edit it:

    vi /etc/sysconfig/docker

    5. Change the OPTIONS setting in the configuration file (replace the certificate paths below with the locations of the certificates you generated)

    OPTIONS='--selinux-enabled --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/var/docker/server-cert.pem --tlskey=/var/docker/server-key.pem -H tcp://0.0.0.0:2376'
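    Before restarting with a TCP listener it is worth checking the OPTIONS line mechanically, because a daemon reachable over TCP without --tlsverify is root access to the host for anyone who can reach the port. The following is an added example, not the post's own code and not part of Docker: it reads the OPTIONS value from a file in the /etc/sysconfig/docker format and rejects a TCP listener without --tlsverify, or --tlsverify without the --tlscacert, --tlscert and --tlskey flags it needs.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks the OPTIONS line of
# /etc/sysconfig/docker before the daemon is restarted. Assumes the file uses
# the OPTIONS='...' form shown in step 5 (double quotes are accepted as well).

# docker_options FILE: print the value of the last OPTIONS= line, quotes stripped
docker_options() {
    sed -n 's/^OPTIONS=//p' "$1" | tail -n 1 | sed "s/^['\"]//; s/['\"]\$//"
}

# check_docker_options FILE: 0 when the listener configuration is acceptable,
# 1 (with the reason on stderr) when it is not
check_docker_options() {
    opts=$(docker_options "$1")
    tcp=0; tls=0
    # a TCP listener: -H tcp://..., -H=tcp://..., --host tcp://..., --host=tcp://...
    if printf '%s\n' "$opts" | grep -Eq -- '(^| )(-H|--host)[= ]tcp://'; then tcp=1; fi
    # --tlsverify or --tlsverify=true; --tlsverify=false counts as off
    if printf '%s\n' "$opts" | grep -Eq -- '(^| )--tlsverify(=true)?( |$)'; then tls=1; fi
    if [ "$tcp" = 1 ] && [ "$tls" = 0 ]; then
        echo "$1: UNSAFE, TCP listener without --tlsverify" >&2
        return 1
    fi
    if [ "$tls" = 1 ]; then
        # --tlsverify is meaningless without the CA, certificate and key flags
        for flag in --tlscacert --tlscert --tlskey; do
            case " $opts " in
                *" $flag="*|*" $flag "*) ;;
                *) echo "$1: INCOMPLETE, --tlsverify without $flag" >&2; return 1 ;;
            esac
        done
    fi
    return 0
}

# Usage: sh check-docker-options.sh /etc/sysconfig/docker
if [ "$#" -ge 1 ]; then
    check_docker_options "$1" && echo "$1: OPTIONS line ok"
fi
```

    The check only parses the flags; it does not confirm that the certificate files exist or are readable by the daemon, so a wrong path in the OPTIONS line still shows up at restart time.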

    6. Save and exit, restart the docker service, then run docker images to list the images

    docker images
    Get http://10.32.173.215:2376/v1.20/images/json: malformed HTTP response "x15x03x01x00x02x02".
    * Are you trying to connect to a TLS-enabled daemon without TLS?
    * Is your docker daemon up and running?

        The output shows that the client cannot connect to the docker daemon host. The docker daemon has been configured and restarted, but that amounts to a configuration change on the server side only, so the client's configuration for connecting to the docker daemon host has to be changed as well.

    7. Change the docker client's connection configuration

        a. Create the .docker directory under root's home directory

    mkdir ~/.docker

        b. Copy the client certificate files into the .docker directory

    cp -v {ca,cert,key}.pem ~/.docker/

        c. Add the DOCKER_HOST and DOCKER_TLS_VERIFY environment variables

    vi /etc/profile

        d. Append the new environment variables at the end of the opened file (replace $YOURIP with the IP of the docker daemon host, i.e. this machine's IP)

    export DOCKER_HOST=tcp://$YOURIP:2376
    export DOCKER_TLS_VERIFY=1

    8. Configuration is complete: run docker images and it connects to the docker daemon host and lists the images. The connection to the docker daemon host now uses TLS. The certificates needed when calling the remote API are the ones in the ~/.docker folder.

  • Original article: https://www.cnblogs.com/onlyworld/p/5105849.html