普通的HTTP模式(非常不安全):
服务端(CentOS 7,IP地址192.168.9.7):
# Plain-TCP daemon socket: prepend "-H 0.0.0.0:1699" to OPTIONS so dockerd
# also listens on every interface. Nothing authenticates callers on that
# socket (the page itself labels this mode very insecure): whoever can reach
# port 1699 controls the daemon. Keep it unreachable or use the TLS setup
# described further down.
sed -i 's/\(OPTIONS="\)/\1-H 0.0.0.0:1699 /' /etc/sysconfig/docker
# i.e. the -H 0.0.0.0:1699 argument is added
## Restart docker.
## Client configuration:
echo 'export DOCKER_HOST="tcp://192.168.9.7:1699"' >> ~/.bashrc
source ~/.bashrc
## Test:
docker version
### 生成脚本
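#!/bin/bash
# Non-interactive server TLS key generator for the Docker daemon.
# Usage: ./docker-server-tlskey.sh IP1 IP2 PW
# The result is reported as one JSON line on the caller's stdout; everything
# else the commands print goes to <script>.stdout / <script>.stderr next to
# the script.
#
# Re-root into the script's own directory so the relative paths used below
# (ca.pem, ca-key.pem, server-key.pem) resolve; abort if that is impossible.
current_dir=$(readlink -f -- "$(dirname -- "$0")") || exit 1
cd "$current_dir" || exit 1
export current_dir
# Log files are addressed absolutely so they land next to the script even
# when $0 was given relative to a different working directory.
log_base="${current_dir}/${0##*/}"
# fd 6 keeps a copy of the real stdout for the final JSON report; the
# redirections below capture all other output in the log files.
exec 6>&1
exec > "${log_base}.stdout"
exec 2> "${log_base}.stderr"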
# Restore the saved real stdout (fd 6), report a usage error as JSON and
# exit with status 1. Assumes fd 6 was set up by the script preamble.
_usage() {
  exec 1>&6 6>&-
  printf '%s\n' '{ "Action": "GenerateDockerTLSKey", "RetCode": 1, "Message": "Usage: ./docker-server-tlskey.sh IP1 IP2 PW" }'
  exit 1
}
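IP1="$1" IP2="$2" PW="$3"
# All three arguments are mandatory: the two addresses that go into the
# certificate's SAN and the passphrase of ca-key.pem.
if [ "x$IP1" == "x" ] || [ "x$IP2" == "x" ] || [ "x$PW" == "x" ]; then
  _usage
fi

# Print the JSON result $2 on the saved real stdout (fd 6) and exit with $1.
_report() {
  local code=$1 json=$2
  exec 1>&6 6>&-
  printf '%s\n' "$json"
  exit "$code"
}

# Is $1 exactly one of the addresses configured on this host's interfaces?
# Fixed-string, whole-line match: the address is not interpreted as a regex
# and 192.168.9.7 does not match 192.168.9.70.
_has_local_ip() {
  /sbin/ip -o addr show | awk '{ sub(/\/.*$/, "", $4); print $4 }' | grep -qxF -- "$1"
}

if ! _has_local_ip "$IP1" && ! _has_local_ip "$IP2"; then
  _report 2 '{ "Action": "GenerateDockerTLSKey", "RetCode": 2, "Message": "Error: IP1 or IP2 not fount" }'
fi
if [ ! -f ./ca.pem ] || [ ! -f ./ca-key.pem ]; then
  _report 3 '{ "Action": "GenerateDockerTLSKey", "RetCode": 3, "Message": "ca.pem or ca-key.pem not fount" }'
fi

# Nothing to do when the deployed certificate already carries both IPs.
if [ -f /etc/docker/cert.pem ]; then
  ips=$(openssl x509 \
    -certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux \
    -noout -text -in /etc/docker/cert.pem)
  i=0
  # -w -F: literal whole-word match, so an IP is neither a regex nor a
  # prefix of a longer address in the SAN list.
  printf '%s\n' "$ips" | grep -qwF -- "$IP1" && i=$((i + 1))
  printf '%s\n' "$ips" | grep -qwF -- "$IP2" && i=$((i + 1))
  if [ "$i" -eq 2 ]; then
    _report 0 '{ "Action": "GenerateDockerTLSKey", "RetCode": 0, "Message": "NotChange" }'
  fi
fi

[ -d /etc/docker ] || mkdir -pv /etc/docker
# Generate the server key, have the CA sign a CSR whose SAN lists both IPs
# plus loopback, and install the result. Any failure short-circuits the
# chain and is reported as "openssl error" below. The private key is made
# owner-readable only, both the working copy and the installed one; the CA
# passphrase reaches openssl through its environment (-passin env:) rather
# than its argv.
openssl genrsa -out server-key.pem 4096 \
  && chmod 0400 server-key.pem \
  && openssl req -subj "/CN=${IP1}" -sha256 -new -key server-key.pem -out ./server.csr \
  && printf 'subjectAltName = IP:%s,IP:%s,IP:127.0.0.1\n' "$IP1" "$IP2" > ./extfile.cnf \
  && DOCKER_CA_PW="$PW" openssl x509 -req -days 3650 -sha256 -passin env:DOCKER_CA_PW \
       -in ./server.csr -CA ./ca.pem -CAkey ./ca-key.pem \
       -CAcreateserial -extfile ./extfile.cnf \
       -out /etc/docker/cert.pem \
  && chmod 0444 /etc/docker/cert.pem \
  && rm -f server.csr extfile.cnf ca.srl \
  && cp ca.pem /etc/docker/ca.pem \
  && cp server-key.pem /etc/docker/key.pem \
  && chmod 0400 /etc/docker/key.pem \
  && systemctl enable docker
retvar=$?
# The daemon is (re)started regardless so a partially failed run does not
# leave docker down; the exit status still reflects the openssl chain.
systemctl start docker
if [ "$retvar" -eq 0 ]; then
  _report 0 '{ "Action": "GenerateDockerTLSKey", "RetCode": 0 }'
else
  _report 1 '{ "Action": "GenerateDockerTLSKey", "RetCode": 1, "Message": "openssl error" }'
fi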
### 手动生成脚本
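#!/bin/bash
# Interactive server TLS key generator for the Docker daemon.
# Usage: ./<script> IP1 IP2
# Renews /etc/docker/cert.pem for IP1/IP2 from the server-key.pem and the
# CA material (ca.pem, ca-key.pem) stored next to this script; progress and
# errors are printed on stdout.
#
# Re-root into the script's own directory so the relative paths resolve;
# abort if that is impossible.
current_dir=$(readlink -f -- "$(dirname -- "$0")") || exit 1
cd "$current_dir" || exit 1
export current_dir
IP1="$1" IP2="$2"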
# Print the usage line on stdout and abort with status 127.
_usage() {
  printf 'Usage: %s IP1 IP2\n' "$0"
  exit 127
}
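# Both addresses are mandatory.
if [ "x$IP1" == "x" ] || [ "x$IP2" == "x" ]; then
  _usage
fi

# Is $1 exactly one of the addresses configured on this host's interfaces?
# Fixed-string, whole-line match: the address is not interpreted as a regex
# and 192.168.9.7 does not match 192.168.9.70.
_has_local_ip() {
  /sbin/ip -o addr show | awk '{ sub(/\/.*$/, "", $4); print $4 }' | grep -qxF -- "$1"
}

if ! _has_local_ip "$IP1" && ! _has_local_ip "$IP2"; then
  echo "ERROR: ${IP1} or ${IP2} not fount"
  exit 126
fi
# The server key and the CA material must already exist next to the script;
# without this check the openssl calls below fail one by one and the copies
# at the end would still run.
for f in server-key.pem ca.pem ca-key.pem; do
  if [ ! -f "./$f" ]; then
    echo "ERROR: ./$f not found"
    exit 125
  fi
done

# Nothing to do when the deployed certificate already lists both IPs.
if [ -f /etc/docker/cert.pem ]; then
  ips=$(openssl x509 \
    -certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux \
    -noout -text -in /etc/docker/cert.pem)
  i=0
  # -w -F: literal whole-word match, so an IP is neither a regex nor a
  # prefix of a longer address in the SAN list.
  printf '%s\n' "$ips" | grep -qwF -- "$IP1" && i=$((i + 1))
  printf '%s\n' "$ips" | grep -qwF -- "$IP2" && i=$((i + 1))
  if [ "$i" -eq 2 ]; then
    echo "not change, skip"
    exit 0
  else
    echo "ip change"
  fi
fi

[ -d /etc/docker ] || mkdir -p /etc/docker
# CSR for IP1 with both IPs plus loopback in the SAN, signed by the CA.
# Expect a passphrase prompt here if ca-key.pem is encrypted (the CA section
# of these notes creates it with -aes256). Stop on the first failure instead
# of installing a certificate that was never written.
openssl req -subj "/CN=${IP1}" -sha256 -new -key server-key.pem -out ./server.csr || exit 1
printf 'subjectAltName = IP:%s,IP:%s,IP:127.0.0.1\n' "$IP1" "$IP2" > ./extfile.cnf
if ! openssl x509 -req -days 3650 -sha256 \
    -in ./server.csr -CA ./ca.pem -CAkey ./ca-key.pem \
    -CAcreateserial -extfile ./extfile.cnf \
    -out /etc/docker/cert.pem; then
  echo "ERROR: signing server.csr failed"
  exit 1
fi
echo "OK"
chmod 0444 /etc/docker/cert.pem
rm -f server.csr extfile.cnf ca.srl
cp ca.pem /etc/docker/ca.pem
cp server-key.pem /etc/docker/key.pem
# The installed private key must not be world-readable.
chmod 0400 /etc/docker/key.pem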
# Enable HTTPS (TLS) mode:
## Docs: https://docs.docker.com/engine/articles/https/
## CA certificate
### CA private key (AES-256 passphrase-protected; the original note records
### the passphrase inline, which is exactly where a CA passphrase should not
### be kept). This key signs every server and client certificate below.
openssl genrsa -aes256 -out ca-key.pem 4096
chmod 0400 ca-key.pem
### Self-signed (-x509) CA certificate, valid 10 years:
openssl req -new -x509 -days 3650 \
-subj "/C=CN/ST=GD/L=GZ/O=baoyugame/OU=baoyugame/CN=*.baoyugame.com" \
-sha256 -key ca-key.pem -out ca.pem
chmod 0444 ca.pem
## Server certificate:
### Private key (unencrypted, since dockerd must load it unattended; hence 0400):
openssl genrsa -out server-key.pem 4096
chmod 0400 server-key.pem
### Certificate request (set HOST to another IP to issue certificates for other hosts):
HOST=192.168.9.7
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server-$HOST.csr
### The server's interface IP must be allowed, i.e. listed as a SAN entry:
echo subjectAltName = IP:$HOST,IP:127.0.0.1 > extfile.cnf
### Sign the CSR. (The original note's "(without the -extfile extfile.cnf
### argument)" is struck through; the command does pass -extfile, which is
### what carries the SAN above into the certificate.)
openssl x509 -req -days 3650 -sha256 \
-in server-$HOST.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -extfile extfile.cnf \
-out server-cert-$HOST.pem
chmod 0444 server-cert-$HOST.pem
删除请求证书:
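rm -- "server-$HOST.csr"
### Deploy the certificate (copy each file to the host it belongs to):
#echo 'DOCKER_CERT_PATH=/etc/docker' | sudo tee -a /etc/sysconfig/docker
#sed -i 's/\(OPTIONS="\)/\1 --tlsverify ' /etc/sysconfig/docker
# "cat<" on the original page is a rendering artefact: the "<<EOF >" was
# stripped as markup. Restored as a here-document, written through sudo tee
# like the commented alternative above because /etc/sysconfig/docker is
# root-owned. Note that this REPLACES the file. --tlsverify makes the TCP
# listener require a client certificate signed by the CA in
# DOCKER_CERT_PATH/ca.pem, which is what makes the -H 0.0.0.0:1699 listener
# acceptable.
cat <<'EOF' | sudo tee /etc/sysconfig/docker >/dev/null
DOCKER_CERT_PATH=/etc/docker
OPTIONS="-g /home/docker --tlsverify --ip=172.17.42.1 --userland-proxy=false -H 0.0.0.0:1699 -H unix:///var/run/docker.sock "
EOF
sudo mkdir -p /etc/docker
sudo cp ca.pem /etc/docker/ca.pem
sudo cp server-key.pem /etc/docker/key.pem
sudo cp "server-cert-$HOST.pem" /etc/docker/cert.pem
# The installed private key must stay owner-readable only.
sudo chmod 0400 /etc/docker/key.pem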
开启:
# Start the daemon with the TLS options now set in /etc/sysconfig/docker.
sudo systemctl start docker
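## Client certificate:
### Separate directory (abort if it cannot be created/entered, otherwise the
### key material below would be written into the CA directory):
mkdir client && cd client || exit 1
### Private key:
openssl genrsa -out key.pem 4096
chmod 0400 key.pem
### Certificate request:
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
### Extension: mark the certificate for client authentication only.
echo extendedKeyUsage = clientAuth > extfile.cnf
### Sign with the CA:
openssl x509 -req -days 3650 -sha256 -in client.csr -CA ../ca.pem -CAkey ../ca-key.pem \
-CAcreateserial -extfile extfile.cnf \
-out cert.pem
chmod 0444 cert.pem
cp ../ca.pem .
### Remove the request and scratch files. -CAcreateserial names the serial
### file after the CA certificate, so it is ../ca.srl, not ./.srl.
rm client.csr extfile.cnf ../ca.srl
### Deploy the certificate. The files produced above are key.pem and
### cert.pem (there is no client-key.pem / client-cert.pem); ~/.docker is
### the location the docker client reads by default.
mkdir -p ~/.docker
cp ca.pem ~/.docker/
cp key.pem ~/.docker/key.pem
cp cert.pem ~/.docker/cert.pem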
客户端配置(默认启用TLS):
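# "cat<>" on the original page is a rendering artefact ("<<EOF >" stripped
# as markup); restored as an appending here-document with a quoted
# delimiter so the lines are taken literally. DOCKER_TLS_VERIFY=1 makes the
# client verify the daemon against ca.pem and present cert.pem/key.pem;
# DOCKER_CERT_PATH must hold those three files (the client section above
# produces them) and only needs setting when they are not in ~/.docker.
cat <<'EOF' >> ~/.bashrc
export DOCKER_HOST="tcp://192.168.9.7:1699"
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH=/path/to/dir/tls-key/client
EOF
source ~/.bashrc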
测试:
# Round-trip check: with DOCKER_TLS_VERIFY=1 this only succeeds if the
# daemon's certificate chains to ca.pem and the daemon accepts our client
# certificate.
docker version