Docker启用TLS实现安全配置的步骤
发布时间:2024-03-12 点击:121
服务器
前言
之前开启了docker的2375 remote api,接到公司安全部门的要求,需要启用授权,翻了下官方文档
protect the docker daemon socket
启用tls
在docker服务器,生成ca私有和公共密钥
$ openssl genrsa -aes256 -out ca-key.pem 4096generating rsa private key, 4096 bit long modulus............................................................................................................................................................................................ ........ e is 65537 (0x10001)enter pass phrase for ca-key.pem:verifying - enter pass phrase for ca-key.pem:$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pementer pass phrase for ca-key.pem:you are about to be asked to enter information that will be incorporatedinto your certificate request.what you are about to enter is what is called a distinguished name or a dn.there are quite a few fields but you can leave some blankfor some fields there will be a default value,if you enter \\\'.\\\', the field will be left blank.-----country name (2 letter code) [au]:state or province name (full name) [some-state]:queenslandlocality name (eg, city) []:brisbaneorganization name (eg, company) [internet widgits pty ltd]:docker incorganizational unit name (eg, section) []:salescommon name (e.g. server fqdn or your name) []:$hostemail address []:sven@home.org.au有了ca后,可以创建一个服务器密钥和证书签名请求(csr)
$host 是你的服务器ip
$ openssl genrsa -out server-key.pem 4096generating rsa private key, 4096 bit long modulus..................................................................... ................................................................................................. e is 65537 (0x10001)$ openssl req -subj /cn=$host -sha256 -new -key server-key.pem -out server.csr接着,用ca来签署公共密钥:
$ echo subjectaltname = dns:$host,ip:$host:127.0.0.1 >> extfile.cnf $ echo extendedkeyusage = serverauth >> extfile.cnf生成key:
$ openssl x509 -req -days 365 -sha256 -in server.csr -ca ca.pem -cakey ca-key.pem \\\\ -cacreateserial -out server-cert.pem -extfile extfile.cnfsignature oksubject=/cn=your.host.comgetting ca private keyenter pass phrase for ca-key.pem:创建客户端密钥和证书签名请求:
$ openssl genrsa -out key.pem 4096generating rsa private key, 4096 bit long modulus......................................................... ................ e is 65537 (0x10001)$ openssl req -subj \\\'/cn=client\\\' -new -key key.pem -out client.csr修改extfile.cnf:
echo extendedkeyusage = clientauth > extfile-client.cnf生成签名私钥:
$ openssl x509 -req -days 365 -sha256 -in client.csr -ca ca.pem -cakey ca-key.pem \\\\ -cacreateserial -out cert.pem -extfile extfile-client.cnfsignature oksubject=/cn=clientgetting ca private keyenter pass phrase for ca-key.pem:将docker服务停止,然后修改docker服务文件
[unit]description=docker application container enginedocumentation=http://docs.docker.io[service]environment=path=/opt/kube/bin:/bin:/sbin:/usr/bin:/usr/sbinexecstart=/opt/kube/bin/dockerd --tlsverify --tlscacert=/root/docker/ca.pem --tlscert=/root/docker/server-cert.pem --tlskey=/root/docker/server-key.pem -h unix:///var/run/docker.sock -h tcp://0.0.0.0:2375execstartpost=/sbin/iptables -i forward -s 0.0.0.0/0 -j acceptexecreload=/bin/kill -s hup $mainpidrestart=on-failurerestartsec=5limitnofile=infinitylimitnproc=infinitylimitcore=infinitydelegate=yeskillmode=process[install]wantedby=multi-user.target然后重启服务
systemctl daemon-reloadsystemctl restart docker.service 重启后查看服务状态:
systemctl status docker.service● docker.service - docker application container engine loaded: loaded (/etc/systemd/system/docker.service; enabled; vendor preset: enabled) active: active (running) since thu 2019-08-08 19:22:26 cst; 1 min ago已经生效。
使用证书连接:
复制ca.pem,cert.pem,key.pem三个文件到客户端
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -h=$host:2375 version连接即可docker-java 启用tls
项目里使用docker的java客户端docker-java调用docker,为了支持tls,在创建客户端时,需要增加tls设置。
首先将ca.pem cert.pem key.pem这三个文件拷贝到本地,例如e:\\\\\\\\docker\\\\\\\\,
然后defaultdockerclientconfig里wi
如何让网站的图片快速加载?
云服务器秒杀活动必看
拥有30万粉丝的“网红狗”,被科学家克隆49次,刷新世界纪录
以太网帧格式是什么?
上海ecs云服务器安装虚拟机
做SEO优化一定要坚持做高质量内容
整机和云服务器有什么区别
43891云服务器实惠
前言
之前开启了docker的2375 remote api,接到公司安全部门的要求,需要启用授权,翻了下官方文档
protect the docker daemon socket
启用tls
在docker服务器,生成ca私有和公共密钥
$ openssl genrsa -aes256 -out ca-key.pem 4096generating rsa private key, 4096 bit long modulus............................................................................................................................................................................................ ........ e is 65537 (0x10001)enter pass phrase for ca-key.pem:verifying - enter pass phrase for ca-key.pem:$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pementer pass phrase for ca-key.pem:you are about to be asked to enter information that will be incorporatedinto your certificate request.what you are about to enter is what is called a distinguished name or a dn.there are quite a few fields but you can leave some blankfor some fields there will be a default value,if you enter \\\'.\\\', the field will be left blank.-----country name (2 letter code) [au]:state or province name (full name) [some-state]:queenslandlocality name (eg, city) []:brisbaneorganization name (eg, company) [internet widgits pty ltd]:docker incorganizational unit name (eg, section) []:salescommon name (e.g. server fqdn or your name) []:$hostemail address []:sven@home.org.au有了ca后,可以创建一个服务器密钥和证书签名请求(csr)
$host 是你的服务器ip
$ openssl genrsa -out server-key.pem 4096generating rsa private key, 4096 bit long modulus..................................................................... ................................................................................................. e is 65537 (0x10001)$ openssl req -subj /cn=$host -sha256 -new -key server-key.pem -out server.csr接着,用ca来签署公共密钥:
$ echo subjectaltname = dns:$host,ip:$host:127.0.0.1 >> extfile.cnf $ echo extendedkeyusage = serverauth >> extfile.cnf生成key:
$ openssl x509 -req -days 365 -sha256 -in server.csr -ca ca.pem -cakey ca-key.pem \\\\ -cacreateserial -out server-cert.pem -extfile extfile.cnfsignature oksubject=/cn=your.host.comgetting ca private keyenter pass phrase for ca-key.pem:创建客户端密钥和证书签名请求:
$ openssl genrsa -out key.pem 4096generating rsa private key, 4096 bit long modulus......................................................... ................ e is 65537 (0x10001)$ openssl req -subj \\\'/cn=client\\\' -new -key key.pem -out client.csr修改extfile.cnf:
echo extendedkeyusage = clientauth > extfile-client.cnf生成签名私钥:
$ openssl x509 -req -days 365 -sha256 -in client.csr -ca ca.pem -cakey ca-key.pem \\\\ -cacreateserial -out cert.pem -extfile extfile-client.cnfsignature oksubject=/cn=clientgetting ca private keyenter pass phrase for ca-key.pem:将docker服务停止,然后修改docker服务文件
[unit]description=docker application container enginedocumentation=http://docs.docker.io[service]environment=path=/opt/kube/bin:/bin:/sbin:/usr/bin:/usr/sbinexecstart=/opt/kube/bin/dockerd --tlsverify --tlscacert=/root/docker/ca.pem --tlscert=/root/docker/server-cert.pem --tlskey=/root/docker/server-key.pem -h unix:///var/run/docker.sock -h tcp://0.0.0.0:2375execstartpost=/sbin/iptables -i forward -s 0.0.0.0/0 -j acceptexecreload=/bin/kill -s hup $mainpidrestart=on-failurerestartsec=5limitnofile=infinitylimitnproc=infinitylimitcore=infinitydelegate=yeskillmode=process[install]wantedby=multi-user.target然后重启服务
systemctl daemon-reloadsystemctl restart docker.service 重启后查看服务状态:
systemctl status docker.service● docker.service - docker application container engine loaded: loaded (/etc/systemd/system/docker.service; enabled; vendor preset: enabled) active: active (running) since thu 2019-08-08 19:22:26 cst; 1 min ago已经生效。
使用证书连接:
复制ca.pem,cert.pem,key.pem三个文件到客户端
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -h=$host:2375 version连接即可docker-java 启用tls
项目里使用docker的java客户端docker-java调用docker,为了支持tls,在创建客户端时,需要增加tls设置。
首先将ca.pem cert.pem key.pem这三个文件拷贝到本地,例如e:\\\\\\\\docker\\\\\\\\,
然后defaultdockerclientconfig里wi
如何让网站的图片快速加载?
云服务器秒杀活动必看
拥有30万粉丝的“网红狗”,被科学家克隆49次,刷新世界纪录
以太网帧格式是什么?
上海ecs云服务器安装虚拟机
做SEO优化一定要坚持做高质量内容
整机和云服务器有什么区别
43891云服务器实惠
下一篇:怎么购买多个腾讯云服务器