Steps to Enable TLS on Docker for a Secure Configuration
Introduction
I had previously opened Docker's Remote API on port 2375. The company's security department then asked that authorization be enabled, so I looked through the official documentation:
Protect the Docker daemon socket
Enabling TLS
On the Docker server, generate the CA private and public keys:
$ openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................................................++
........++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:Queensland
Locality Name (eg, city) []:Brisbane
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc
Organizational Unit Name (eg, section) []:Sales
Common Name (e.g. server FQDN or YOUR name) []:$HOST
Email Address []:Sven@home.org.au
With the CA in place, create a server key and a certificate signing request (CSR).
$HOST is your server's IP address.
$ openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.....................................................................++
.................................................................................................++
e is 65537 (0x10001)
$ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
Next, sign the public key with the CA. Because clients may connect by IP address as well as by DNS name, the server's addresses must be listed in the certificate's subjectAltName, and the extendedKeyUsage restricts the certificate to server use:
# each address is its own IP: entry (IP:$HOST:127.0.0.1 is not valid syntax)
$ echo subjectAltName=DNS:$HOST,IP:$HOST,IP:127.0.0.1 >> extfile.cnf
$ echo extendedKeyUsage=serverAuth >> extfile.cnf
Generate the signed server certificate:
$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=your.host.com
Getting CA Private Key
Enter pass phrase for ca-key.pem:
Create the client key and certificate signing request:
$ openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................................++
................++
e is 65537 (0x10001)
$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
Write the client extension file, which restricts the certificate to client authentication:
$ echo extendedKeyUsage=clientAuth > extfile-client.cnf
Generate the signed client certificate:
$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -extfile extfile-client.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:
Stop the Docker service, then edit the docker service unit file so that dockerd is started with --tlsverify and the CA, server certificate and server key:
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io

[Service]
Environment="PATH=/opt/kube/bin:/bin:/sbin:/usr/bin:/usr/sbin"
ExecStart=/opt/kube/bin/dockerd --tlsverify --tlscacert=/root/docker/ca.pem --tlscert=/root/docker/server-cert.pem --tlskey=/root/docker/server-key.pem -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375
ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
RestartSec=5
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
Delegate=yes
KillMode=process

[Install]
WantedBy=multi-user.target
Then reload systemd and restart the service:
systemctl daemon-reload
systemctl restart docker.service
After the restart, check the service status:
systemctl status docker.service
● docker.service - Docker Application Container Engine
   Loaded: loaded (/etc/systemd/system/docker.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-08-08 19:22:26 CST; 1min ago
The change has taken effect.
Connecting with the certificates:
Copy the three files ca.pem, cert.pem and key.pem to the client, then connect with:
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2375 version
That is all it takes to connect.
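The certificate steps above, as an added example that is not part of the article: a non-interactive script that produces the same CA, server and client files, plus offline checks of what dockerd --tlsverify and the docker CLI will enforce at connect time. It assumes openssl is on PATH; the IP 10.10.10.20, the name docker-host.example and the CA passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the article's own commands: the same openssl steps as above,
# non-interactive, followed by offline checks of what they produced.
# Assumptions: openssl is on PATH; IP, DNS name and passphrase are placeholders.
set -eu
# gen_docker_tls DIR IP NAME [CA_PASS]: CA, server cert and client cert in DIR.
gen_docker_tls() {
  dir=$1; ip=$2; name=$3; ca_pass=${4:-changeit}
  mkdir -p "$dir"
  ( cd "$dir"
    # CA: passphrase-protected key (like the article's -aes256), self-signed cert.
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out ca-key.pem 4096 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key ca-key.pem -passin "pass:$ca_pass" \
      -subj "/CN=docker-ca" -out ca.pem
    # Server: the SAN lists the DNS name and every IP clients will dial; note the
    # form is "IP:a,IP:b" (the article's "IP:$HOST:127.0.0.1" is a typo).
    openssl genrsa -out server-key.pem 4096 2>/dev/null
    openssl req -subj "/CN=$ip" -sha256 -new -key server-key.pem -out server.csr
    printf 'subjectAltName=DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' \
      "$name" "$ip" > extfile.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
      -passin "pass:$ca_pass" -CAcreateserial -out server-cert.pem -extfile extfile.cnf
    # Client: EKU clientAuth only, so this cert can never pose as the daemon.
    openssl genrsa -out key.pem 4096 2>/dev/null
    openssl req -subj '/CN=client' -new -key key.pem -out client.csr
    echo 'extendedKeyUsage=clientAuth' > extfile-client.cnf
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
      -passin "pass:$ca_pass" -CAcreateserial -out cert.pem -extfile extfile-client.cnf
  )
}

# check_docker_tls DIR IP NAME: the checks dockerd --tlsverify and the docker CLI
# make at connect time, run offline. Prints "ok" or the first failing check.
check_docker_tls() {
  dir=$1; ip=$2; name=$3; ca="$dir/ca.pem"
  # server cert chains to the CA and is allowed to act as a TLS server
  openssl verify -purpose sslserver -CAfile "$ca" "$dir/server-cert.pem" >/dev/null 2>&1 \
    || { echo server-chain; return 1; }
  # ...and its SAN matches the IP and the DNS name the client connects to
  openssl verify -purpose sslserver -verify_ip "$ip" -verify_hostname "$name" \
    -CAfile "$ca" "$dir/server-cert.pem" >/dev/null 2>&1 || { echo server-san; return 1; }
  # client cert chains to the CA for client authentication...
  openssl verify -purpose sslclient -CAfile "$ca" "$dir/cert.pem" >/dev/null 2>&1 \
    || { echo client-chain; return 1; }
  # ...but is rejected as a server cert, because its EKU is clientAuth only
  if openssl verify -purpose sslserver -CAfile "$ca" "$dir/cert.pem" >/dev/null 2>&1; then
    echo client-eku; return 1
  fi
  echo ok
}
```

Run it as `gen_docker_tls ./certs 10.10.10.20 docker-host.example mypass && check_docker_tls ./certs 10.10.10.20 docker-host.example`; the resulting ca.pem, cert.pem and key.pem are what the docker command above and the docker-java client expect.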
Enabling TLS in docker-java
Our project calls Docker through its Java client, docker-java. To support TLS, the TLS settings must be added when the client is created.
First copy the three files ca.pem, cert.pem and key.pem to the local machine, for example into E:\docker\.
Then, in DefaultDockerClientConfig, set withDockerTlsVerify to true and set the cert path to the directory you just copied the files into.
// plain TCP endpoint of the daemon; TLS is switched on below when configured
DefaultDockerClientConfig.Builder builder = DefaultDockerClientConfig.createDefaultConfigBuilder()
        .withDockerHost("tcp://" + server + ":2375")
        .withApiVersion("1.30");
if (containerConfiguration.getDockerTlsVerify()) {
    // verify the daemon against ca.pem and present cert.pem/key.pem from this directory
    builder = builder.withDockerTlsVerify(true)
            .withDockerCertPath("E:\\docker\\");
}
return DockerClientBuilder.getInstance(builder.build()).build();
All done.
Summary
That is all for this article. I hope its content is of some reference value for your study or work. Thank you for your support of 毛票票.