• Accessing a Docker environment from Java


    1. Configure the environment

    Change the ExecStart line to ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock (the unix socket URI takes three slashes: unix:///var/run/docker.sock). Note that -H tcp://0.0.0.0:2375 exposes the daemon API on every interface with no authentication, so anyone who can reach that port has root-equivalent control of the host; it is only a starting point here, and step 3 below generates TLS certificates for client authentication.

    root@ros-OptiPlex-3050:~# nano /lib/systemd/system/docker.service
    root@ros-OptiPlex-3050:~# cat  /lib/systemd/system/docker.service
    [Unit]
    Description=Docker Application Container Engine
    Documentation=https://docs.docker.com
    After=network-online.target docker.socket firewalld.service
    Wants=network-online.target
    Requires=docker.socket

    [Service]
    Type=notify
    # the default is not to use systemd for cgroups because the delegate issues still
    # exists and systemd currently does not support the cgroup feature set required
    # for containers run by docker
    ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
    ExecReload=/bin/kill -s HUP $MAINPID
    LimitNOFILE=1048576
    # Having non-zero Limit*s causes performance problems due to accounting overhead
    # in the kernel. We recommend using cgroups to do container-local accounting.
    LimitNPROC=infinity
    LimitCORE=infinity
    # Uncomment TasksMax if your systemd version supports it.
    # Only systemd 226 and above support this version.
    TasksMax=infinity
    TimeoutStartSec=0
    # set delegate yes so that systemd does not reset the cgroups of docker containers
    Delegate=yes
    # kill only the docker process, not all processes in the cgroup
    KillMode=process
    # restart the docker process if it exits prematurely
    Restart=on-failure
    StartLimitBurst=3
    StartLimitInterval=60s

    [Install]
    WantedBy=multi-user.target
    Restart Docker

    root@ros-OptiPlex-3050:~# service docker reload
    Warning: docker.service changed on disk. Run 'systemctl daemon-reload' to reload units.
    root@ros-OptiPlex-3050:~# systemctl daemon-reload
    root@ros-OptiPlex-3050:~# systemctl docker restart
    Unknown operation docker.
    root@ros-OptiPlex-3050:~# service docker restart
    Check that the configured port is listening

    root@ros-OptiPlex-3050:~# netstat -antp | grep 2375
    tcp6       0      0 :::2375                 :::*                    LISTEN      19143/dockerd  

    2. Java client

    Add the docker-java dependency (Maven):

    <!-- https://mvnrepository.com/artifact/com.github.docker-java/docker-java -->
    <dependency>
        <groupId>com.github.docker-java</groupId>
        <artifactId>docker-java</artifactId>
        <version>3.0.14</version>
    </dependency>


    Initialise the client. With no argument the builder reads DOCKER_HOST (falling back to the local unix socket); pass the daemon URI, e.g. DockerClientBuilder.getInstance("tcp://192.168.30.240:2375"), to reach the host configured above.
    DockerClient dockerClient = DockerClientBuilder.getInstance().build();
    3. Configure certificate authentication
    Create a directory for the certificates and work inside it
    Generate the CA private key; you will be asked to set a passphrase
    root@ros-OptiPlex-3050:/home/hett/certs#  openssl genrsa -aes256 -out ca-key.pem 4096
    Generating RSA private key, 4096 bit long modulus
    ........................................................................................................................................++
    ...........................................................................................................................................................................................................................................................................................................................................................................................++
    e is 65537 (0x10001)
    Enter pass phrase for ca-key.pem:
    Verifying - Enter pass phrase for ca-key.pem:
    root@ros-OptiPlex-3050:/home/hett/certs# openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
    Enter pass phrase for ca-key.pem:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:china
    string is too long, it needs to be less than  2 bytes long
    Country Name (2 letter code) [AU]:ch
    State or Province Name (full name) [Some-State]:hett
    Locality Name (eg, city) []:hefei
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:hrg
    Organizational Unit Name (eg, section) []:ai
    Common Name (e.g. server FQDN or YOUR name) []:192.168.30.240
    Email Address []:1771084007@qq.com

    For Common Name the prompt says "server FQDN or YOUR name", which suggests anything will do, but I strongly recommend entering the IP of the server where Docker runs; this matters. The IP is used again later; mine is 192.168.99.101. In production, replace the Common Name below with the DNS name of your Docker host, e.g. api.google.com.
    Generate the server private key
    root@ros-OptiPlex-3050:/home/hett/certs# openssl genrsa -out server-key.pem 4096
    Generating RSA private key, 4096 bit long modulus
    ................++
    ..........................++
    e is 65537 (0x10001)
    Generate the server certificate signing request (CSR)
    root@ros-OptiPlex-3050:/home/hett/certs# openssl req -subj "/CN=192.168.30.240" -sha256 -new -key server-key.pem -out server.csr

    Now we can sign the certificate with the CA. Here we list the IP addresses or DNS names at which the daemon may be reached; for example, to allow clients to connect using 10.10.10.20 and 127.0.0.1:

    $ echo subjectAltName = IP:10.10.10.20, IP:127.0.0.1 > extfile.cnf

    The extension file acts like a filter: any address missing from subjectAltName cannot be used to reach the remote API, so list every address you will use. My command was:

    $ echo subjectAltName = DNS:192.168.99.101, IP:192.168.99.101, IP:192.168.1.101, IP:0.0.0.0, IP:127.0.0.1 > extfile.cnf

    Then sign the server CSR with the CA, applying the extension file:

    $ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf

    Next, the client private key:

    $ openssl genrsa -out key.pem 4096

    Then generate the client certificate signing request:

    $ openssl req -subj '/CN=client' -new -key key.pem -out client.csr

    Sign the client certificate with the CA (Docker's own documentation uses a separate extension file with extendedKeyUsage = clientAuth here instead of the server SAN file):

    $ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf

    At this point you also need to enter your CA key passphrase; my passphrase is
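The client from step 2 wired to the ca.pem / cert.pem / key.pem produced in step 3, as an added example that is not part of the original post. It assumes the daemon has been restarted with TLS verification enabled (the daemon flags are not shown on the page) and listens on 192.168.30.240:2376, the conventional TLS port rather than the plaintext 2375 used above, and that the client files were copied to /home/hett/certs on the machine running the code.

```java
import com.github.dockerjava.api.DockerClient;
import com.github.dockerjava.api.model.Container;
import com.github.dockerjava.core.DefaultDockerClientConfig;
import com.github.dockerjava.core.DockerClientBuilder;

import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

// Added example for docker-java 3.0.14; host, port and cert directory are assumptions, see lead-in.
public class TlsDockerClientExample {
    // docker-java looks for exactly these three file names inside the cert path.
    private static final String[] REQUIRED = {"ca.pem", "cert.pem", "key.pem"};

    static DockerClient buildClient(String host, String certDir) {
        for (String name : REQUIRED) {
            Path p = Paths.get(certDir, name);
            if (!Files.isReadable(p)) {
                throw new IllegalStateException("missing client TLS material: " + p);
            }
        }
        DefaultDockerClientConfig config = DefaultDockerClientConfig.createDefaultConfigBuilder()
                .withDockerHost(host)        // tcp:// URI of the TLS listener, not the plain 2375 port
                .withDockerTlsVerify(true)   // require the server certificate to chain to ca.pem
                .withDockerCertPath(certDir) // directory holding ca.pem, cert.pem and key.pem
                .build();
        return DockerClientBuilder.getInstance(config).build();
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "tcp://192.168.30.240:2376";
        String certDir = args.length > 1 ? args[1] : "/home/hett/certs";
        try (DockerClient docker = buildClient(host, certDir)) {
            // Handshake fails here if the server cert's CN/SAN does not cover the host
            // we dialled, or if either side's certificate is not signed by ca.pem.
            docker.pingCmd().exec();
            List<Container> running = docker.listContainersCmd().exec();
            System.out.println("daemon reachable over mutual TLS, running containers: " + running.size());
            for (Container c : running) {
                System.out.println(c.getId().substring(0, 12) + "  " + c.getImage() + "  " + c.getStatus());
            }
        }
    }
}
```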



  • Original source: https://www.cnblogs.com/youran-he/p/9577363.html
Copyright © 2020-2023  润新知