This post explains how to set up a TLS-encrypted connection to the docker daemon's HTTP socket. The steps are simple and practical.
By default the docker daemon listens for client connections on a non-network unix socket. If clients need to connect to the docker daemon securely over the network, TLS should be configured so that the connection is made over HTTP(S) with mutual certificate verification.
CA certificate:
[root@srv00 ~]# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................................................................................................................................................++
........................++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
[root@srv00 ~]# openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:docker
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:srv00
Email Address []:h@xxx.com
With the CA certificate issued, we can now create certificate signing requests (CSRs). Note that the common name must be the server's hostname.
Server certificate:
[root@srv00 ~]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................++
..................................................................++
e is 65537 (0x10001)
[root@srv00 ~]# openssl req -subj "/CN=srv00" -sha256 -new -key server-key.pem -out server.csr
[root@srv00 ~]# echo subjectAltName = IP:192.168.1.80,IP:127.0.0.1 > extfile.cnf
[root@srv00 ~]# openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=srv00
Getting CA Private Key
Enter pass phrase for ca-key.pem:
Client certificate:
[root@srv00 ~]# openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
............................................................++
..............................................................................................................................................................++
e is 65537 (0x10001)
[root@srv00 ~]# openssl req -subj '/CN=client' -new -key key.pem -out client.csr
[root@srv00 ~]# echo extendedKeyUsage = clientAuth > extfile.cnf
[root@srv00 ~]# openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:
The CSRs are no longer needed and can be deleted:
[root@srv00 ~]# rm -rfv client.csr server.csr
removed ‘client.csr’
removed ‘server.csr’
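The certificate steps above collected into a script that runs without prompts, followed by the checks worth running before copying anything to the daemon or a client (added example, not the original post's commands). DAEMON_IP, SERVER_CN and the CA passphrase placeholder are assumptions, and the server certificate additionally gets extendedKeyUsage = serverAuth, which the post does not set.

```shell
#!/bin/sh
# Added example, not part of the original post: a non-interactive version of the
# CA / server / client steps above plus the checks to run before deploying the
# files. DAEMON_IP, SERVER_CN and CA_PASS are placeholders (assumptions); the CA
# key is still passphrase-protected, the passphrase is just passed via -passin.
set -eu

DAEMON_IP="${DAEMON_IP:-192.168.1.80}"   # every address clients dial must be a SAN
SERVER_CN="${SERVER_CN:-srv00}"
CA_PASS="${CA_PASS:-pass:CHANGE-ME-placeholder}"  # placeholder, not a real passphrase

gen_docker_certs() {        # $1 = output directory, created if missing
    mkdir -p "$1"
    ( cd "$1"
      # 1. CA: passphrase-protected key, self-signed certificate
      openssl genrsa -aes256 -passout "$CA_PASS" -out ca-key.pem 4096 2>/dev/null
      openssl req -new -x509 -days 365 -sha256 -subj "/CN=docker-ca" \
          -key ca-key.pem -passin "$CA_PASS" -out ca.pem
      # 2. Server: CN = hostname, SAN = hostname plus every IP clients connect to.
      #    extendedKeyUsage = serverAuth goes beyond the page (Docker's docs set it).
      openssl genrsa -out server-key.pem 4096 2>/dev/null
      openssl req -subj "/CN=$SERVER_CN" -sha256 -new -key server-key.pem -out server.csr
      printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
          "$SERVER_CN" "$DAEMON_IP" > server-ext.cnf
      openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
          -passin "$CA_PASS" -CAcreateserial -out server-cert.pem -extfile server-ext.cnf 2>/dev/null
      # 3. Client: its own extfile, so the cert is only valid for client authentication
      openssl genrsa -out key.pem 4096 2>/dev/null
      openssl req -subj '/CN=client' -sha256 -new -key key.pem -out client.csr
      printf 'extendedKeyUsage = clientAuth\n' > client-ext.cnf
      openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
          -passin "$CA_PASS" -CAcreateserial -out cert.pem -extfile client-ext.cnf 2>/dev/null
      rm -f client.csr server.csr          # CSRs are not needed once signed
      chmod 0400 ./*.pem                   # keys and certs: owner read-only
    )
}

# Checks to run before copying anything to /etc/docker or ~/.docker.
check_chain()      { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }   # $1 CA, $2 cert
check_server_san() { openssl x509 -in "$1" -noout -text | grep -q "IP Address:$DAEMON_IP"; }
check_client_eku() { openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'; }
```

A certificate issued by a different CA must fail check_chain; that is exactly what --tlsverify relies on to reject unknown clients.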
[root@srv00 ~]# chmod 400 *.pem <== tighten permissions
[root@srv00 ~]# mkdir /etc/docker/cert.d
[root@srv00 ~]# cp ca.pem server-key.pem server-cert.pem /etc/docker/cert.d/
[root@srv00 ~]# vi /etc/systemd/system/docker.service.d/daemon.conf
[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon -H fd:// \
    --storage-driver=devicemapper --storage-opt=dm.thinpooldev=/dev/mapper/vgdocker-thinpool --storage-opt dm.use_deferred_removal=true \
    --tlsverify --tlscacert=/etc/docker/cert.d/ca.pem --tlscert=/etc/docker/cert.d/server-cert.pem --tlskey=/etc/docker/cert.d/server-key.pem \
    -H=0.0.0.0:2376
[root@srv00 ~]# systemctl daemon-reload
[root@srv00 ~]# systemctl restart docker
[root@srv00 ~]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=192.168.1.80:2376 version
Client:
 Version:      1.11.1
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   5604cbe
 Built:        Wed Apr 27 00:34:42 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.11.1
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   5604cbe
 Built:        Wed Apr 27 00:34:42 2016
 OS/Arch:      linux/amd64
Move the client certificates to another machine to test:
[root@srv00 ~]# scp ca.pem key.pem cert.pem hippo@192.168.1.81:/home/hippo
hippo@192.168.1.81's password:
ca.pem                                        100% 2069     2.0KB/s   00:00
key.pem                                       100% 3243     3.2KB/s   00:00
cert.pem                                      100% 1846     1.8KB/s   00:00
Configuration on the ubuntu machine:
hippo@ubuntu:~$ mkdir .docker
hippo@ubuntu:~$ mv ca.pem cert.pem key.pem .docker/
hippo@ubuntu:~$ export DOCKER_HOST=tcp://192.168.1.80:2376
hippo@ubuntu:~$ export DOCKER_TLS_VERIFY=1
hippo@ubuntu:~$ docker version
Client:
 Version:      1.10.3
 API version:  1.22
 Go version:   go1.6.1
 Git commit:   20f81dd
 Built:        Wed, 20 Apr 2016 14:19:16 -0700
 OS/Arch:      linux/amd64
An error occurred trying to connect: Get https://192.168.1.80:2376/v1.22/version: dial tcp 192.168.1.80:2376: getsockopt: no route to host
Setting the environment variables instead of passing the parameters on the command line also works.
The error is probably the server-side firewall; opening port 2376 fixes it:
[root@srv00 ~]# firewall-cmd --state
running
[root@srv00 ~]# firewall-cmd --add-port=2376/tcp --permanent
[root@srv00 ~]# firewall-cmd --reload
[root@srv00 ~]# firewall-cmd --list-port
Try again on ubuntu:
hippo@ubuntu:~$ docker version
Client:
 Version:      1.10.3
 API version:  1.22
 Go version:   go1.6.1
 Git commit:   20f81dd
 Built:        Wed, 20 Apr 2016 14:19:16 -0700
 OS/Arch:      linux/amd64

Server:
 Version:      1.11.1
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   5604cbe
 Built:        Wed Apr 27 00:34:42 2016
 OS/Arch:      linux/amd64
hippo@ubuntu:~$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
centos              latest              8596123a638e        9 days ago          196.7 MB
ubuntu              latest              c5f1cf30c96b        3 weeks ago         120.7 MB
The test succeeded.
If the client certificates are placed in the user's .docker directory, the --tlscacert, --tlscert and --tlskey parameters do not need to be specified. On the daemon's own host, the -H parameter does not need to be specified either.