docker_TLS

2024-04-03 17:36:58

服务器上的操作

hostnamectl set-hostname master
su

vim /etc/hosts
127.0.0.1   master

mkdir /tls
cd /tls/

#创建ca密钥
openssl genrsa -aes256 -out ca-key.pem 4096 
//输入123456

#创建ca证书
openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
//输入123456

#创建服务器私钥
openssl genrsa -out server-key.pem 4096 

#签名私钥
openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr

#使用ca证书与私钥证书签名
openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
//输入123456

#生成客户端密钥
openssl genrsa -out key.pem 4096

#签名客户端
openssl req -subj "/CN=client" -new -key key.pem -out client.csr

#创建配置文件
echo extendedKeyUsage=clientAuth > extfile.cnf

#签名证书,需要(签名客户端,ca证书,ca密钥)
openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
//输入123456

#删除多余文件
rm -rf ca.srl client.csr extfile.cnf server.csr

#配置docker
vim /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/tls/ca.pem --tlscert=/tls/server-cert.pem --tlskey=/tls/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock

#重启进程
systemctl daemon-reload

#重启docker服务
systemctl restart docker

客户端的操作

hostnamectl set-hostname client
su

vim /etc/hosts
192.168.17.10 master

#将 /tls/ca.pem /tls/cert.pem /tls/key.pem 三个文件复制到另一台主机
scp ca.pem root@192.168.17.20:/etc/docker/
scp cert.pem root@192.168.17.20:/etc/docker/
scp key.pem root@192.168.17.20:/etc/docker/

验证

#服务器验证
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2376 version

Client: Docker Engine - Community
 Version:           20.10.5
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        55c4c88
 Built:             Tue Mar  2 20:33:55 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.5
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       363e9a8
  Built:            Tue Mar  2 20:32:17 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.4
  GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc:
  Version:          1.0.0-rc93
  GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0


#在客户端验证
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2376 version

Client: Docker Engine - Community
 Version:           20.10.5
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        55c4c88
 Built:             Tue Mar  2 20:33:55 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.5
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       363e9a8
  Built:            Tue Mar  2 20:32:17 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.4
  GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc:
  Version:          1.0.0-rc93
  GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
上一篇:微信支付商户证书cert.zip中确实rootca.pem文件解决方法


下一篇:K8s简单了解