Installing Docker in a Linux environment
1. Preparing for the Docker installation
1.1 Linux version: CentOS 7
1.2 Preparation
CentOS 7 must have Internet access
yum -y install gcc
yum -y install gcc-c++
1.3 Installation
1.3.1 Install the dependency packages
yum install -y yum-utils device-mapper-persistent-data lvm2
1.3.2 Set up the stable repository
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
or
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
If you use the mirror, prefer the https:// form of its URL: the .repo file names the GPG key that later package signatures are checked against, so fetching it over plain HTTP lets anyone on the path substitute both the repository and the key.
1.3.3 Refresh the yum package index
yum makecache fast
2. Installing Docker
1. Install a specific version:
yum list docker-ce.x86_64 --showduplicates | sort -r   # list the available docker-ce versions, highest first
For example, to install a specific version (docker-ce-20.10.9):
yum install docker-ce-<VERSION_STRING> docker-ce-cli-<VERSION_STRING> containerd.io
e.g.:
yum install docker-ce-20.10.9 docker-ce-cli-20.10.9 containerd.io
Or install the latest version:
yum -y install docker-ce
Start docker
Run the following command to start docker:
systemctl start docker
Generate the certificates
Save the following as create-ca.sh. It builds a private CA, a server certificate bound to the daemon's IP and a client certificate, and packs the client side into a tarball:
#!/bin/bash
# -------------------------------------------------------------
# Automatically create Docker TLS certificates (create-ca.sh)
# -------------------------------------------------------------
# config
# --[BEGIN]------------------------------
# Arbitrary tag; not used by the commands below
CODE="xxx"
# Public IP of the server (first argument)
IP="$1"
# Passphrase protecting the CA private key (change this before use)
PASSWORD="password"
# Country
COUNTRY="CN"
# State / province
STATE="guangdong"
# City
CITY="shengzhen"
# Organization
ORGANIZATION="xx"
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
# E-mail address
EMAIL="xxx@xx.com"
# --[END]--

# Stop at the first failing command so a half-built set of files is never left behind
set -e

# Directory that holds the script and the generated files
mkdir -p /etc/docker/docker-ca
cd /etc/docker/docker-ca

if [ -z "$IP" ]; then
    echo "The server's public IP must be supplied as the first argument"
    exit 1
fi

# Generate CA key
openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "ca-key.pem" 4096
# Generate CA
openssl req -new -x509 -days 365 -key "ca-key.pem" -sha256 -out "ca.pem" -passin "pass:$PASSWORD" \
    -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"
# Generate Server key
openssl genrsa -out "server-key.pem" 4096
# Generate Server Certs.
openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key.pem" -out server.csr
# Overwrite (not append) so a stale extfile.cnf from an earlier run cannot leak into this certificate
echo "subjectAltName = IP:$IP,IP:127.0.0.1" > extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -passin "pass:$PASSWORD" -CA "ca.pem" -CAkey "ca-key.pem" -CAcreateserial -out "server-cert.pem" -extfile extfile.cnf
# Generate Client Certs.
rm -f extfile.cnf
openssl genrsa -out "key.pem" 4096
openssl req -subj '/CN=client' -new -key "key.pem" -out client.csr
echo "extendedKeyUsage = clientAuth" >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -passin "pass:$PASSWORD" -CA "ca.pem" -CAkey "ca-key.pem" -CAcreateserial -out "cert.pem" -extfile extfile.cnf
rm -vf client.csr server.csr
chmod -v 0400 "ca-key.pem" "key.pem" "server-key.pem"
chmod -v 0444 "ca.pem" "server-cert.pem" "cert.pem"
# Pack the client certificates into a tar.gz
mkdir -p "tls-client-certs"
cp -f "ca.pem" "cert.pem" "key.pem" "tls-client-certs/"
cd "tls-client-certs"
tar zcf "tls-client-certs.tar.gz" *
mv "tls-client-certs.tar.gz" ../
cd ..
rm -rf "tls-client-certs"
# The tarball contains the client private key, so it gets the same permissions as the keys
chmod 0400 "tls-client-certs.tar.gz"
# Copy the server certificates into the docker directory (only needed if dockerd is not pointed at /etc/docker/docker-ca directly)
#mkdir -p /etc/docker
#cp "ca.pem" "server-cert.pem" "server-key.pem" /etc/docker
Run create-ca.sh
I keep it under /etc/docker/docker-ca:
cd /etc/docker/docker-ca
chmod +x create-ca.sh
./create-ca.sh <server public IP>
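Before pointing dockerd at the files, it is worth checking offline that they fit together: that both leaf certificates chain to ca.pem, that the server certificate carries the daemon's IP in subjectAltName and the serverAuth usage, that the client certificate carries clientAuth, that each key matches its certificate, that nothing is about to expire, and that the private keys are owner-read-only. The following is an added example written for this page, not part of create-ca.sh; it assumes the file names the script uses and an openssl binary in PATH, and the IP in the usage comment is a placeholder.

```bash
#!/bin/bash
# Added example for this guide (not part of create-ca.sh): offline checks on the files
# create-ca.sh leaves in its directory, run before the daemon is pointed at them.
# Assumes the file names used by the script (ca.pem, server-cert.pem, server-key.pem,
# cert.pem, key.pem, ca-key.pem) and an openssl CLI in PATH.
# Usage: check_docker_tls_dir /etc/docker/docker-ca <server public IP>

fail() { echo "FAIL: $*" >&2; }

# Private key must match its certificate (the script generates RSA keys, so compare the modulus).
key_matches_cert() {   # $1 = certificate, $2 = private key
    [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# Only the owner may read a private key: mode must be exactly 0400, which is what the script sets.
is_owner_read_only() {
    case "$(ls -l "$1")" in
        -r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

check_docker_tls_dir() {   # $1 = directory written by create-ca.sh, $2 = server IP
    dir="$1"; ip="$2"; rc=0
    [ -n "$ip" ] || { fail "usage: check_docker_tls_dir DIR IP"; return 1; }
    command -v openssl >/dev/null 2>&1 || { fail "openssl not found"; return 1; }
    for f in ca.pem server-cert.pem server-key.pem cert.pem key.pem ca-key.pem; do
        [ -f "$dir/$f" ] || { fail "missing $dir/$f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # 1. Both leaf certificates must chain to ca.pem; dockerd and the client trust nothing else.
    for crt in server-cert.pem cert.pem; do
        openssl verify -CAfile "$dir/ca.pem" "$dir/$crt" >/dev/null 2>&1 \
            || { fail "$crt does not verify against ca.pem"; rc=1; }
    done

    # 2. The server certificate must list the daemon's IP in subjectAltName (the client connects
    #    by IP, and a CN-only certificate is rejected) and carry serverAuth from extfile.cnf.
    server_txt=$(openssl x509 -noout -text -in "$dir/server-cert.pem")
    printf '%s\n' "$server_txt" | grep -Eq "IP Address:$ip([, ]|\$)" \
        || { fail "server-cert.pem has no subjectAltName entry for IP $ip"; rc=1; }
    printf '%s\n' "$server_txt" | grep -q "TLS Web Server Authentication" \
        || { fail "server-cert.pem lacks extendedKeyUsage serverAuth"; rc=1; }

    # 3. The client certificate must be marked for client authentication.
    openssl x509 -noout -text -in "$dir/cert.pem" | grep -q "TLS Web Client Authentication" \
        || { fail "cert.pem lacks extendedKeyUsage clientAuth"; rc=1; }

    # 4. Keys and certificates must pair up; a mixed-up copy otherwise fails only at connect time.
    key_matches_cert "$dir/server-cert.pem" "$dir/server-key.pem" \
        || { fail "server-key.pem does not match server-cert.pem"; rc=1; }
    key_matches_cert "$dir/cert.pem" "$dir/key.pem" \
        || { fail "key.pem does not match cert.pem"; rc=1; }

    # 5. Nothing expires within 30 days (the script issues 365-day certificates, so a fresh set passes).
    for crt in ca.pem server-cert.pem cert.pem; do
        openssl x509 -noout -checkend 2592000 -in "$dir/$crt" >/dev/null \
            || { fail "$crt expires within 30 days"; rc=1; }
    done

    # 6. Private keys, including the passphrase-protected CA key, must be owner-read-only.
    for key in ca-key.pem server-key.pem key.pem; do
        is_owner_read_only "$dir/$key" || { fail "$key is not mode 0400"; rc=1; }
    done

    [ "$rc" -eq 0 ] && echo "OK: $dir is consistent for server IP $ip"
    return "$rc"
}

# Example invocation on the host (203.0.113.10 is a placeholder):
#   check_docker_tls_dir /etc/docker/docker-ca 203.0.113.10
```

Run it once right after create-ca.sh and again after every renewal; a non-zero exit means one of the numbered checks printed a FAIL line explaining which file is wrong.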
Edit the unit file: vim /usr/lib/systemd/system/docker.service
Change the ExecStart line to:
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375 --tlsverify --tlscacert=/etc/docker/docker-ca/ca.pem --tlscert=/etc/docker/docker-ca/server-cert.pem --tlskey=/etc/docker/docker-ca/server-key.pem
With --tlsverify, dockerd accepts a connection on the TCP listener only from a client presenting a certificate signed by ca.pem, so a plain docker -H tcp://... call from anywhere else is refused. Three caveats: 2376 is the conventional port for the TLS API and 2375 for the plaintext one, and while --tlsverify works on either, clients and scanners assume the convention; 0.0.0.0 binds every interface, so the port should still be restricted in the firewall to the hosts that hold the client certificate; and /usr/lib/systemd/system/docker.service belongs to the docker-ce package and is overwritten on upgrade, whereas a drop-in under /etc/systemd/system/docker.service.d/ (an empty ExecStart= line followed by the new one) survives upgrades.
vim /etc/docker/daemon.json
{
  "registry-mirrors": [
    "https://registry.docker-cn.com",
    "https://docker.mirrors.ustc.edu.cn"
  ],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "50m",
    "max-file": "1"
  }
}
These two hosts are pull-through mirrors of Docker Hub, so they belong under "registry-mirrors", given as URLs and fetched over HTTPS with the mirror's certificate verified. Do not list them under "insecure-registries": that key tells the daemon to accept plain HTTP or an unverifiable certificate from the named hosts, which a mirror does not need and which lets anyone on the path serve tampered images. Do not add a "hosts" key here either: the listener is already set with -H in the unit file, and dockerd refuses to start when the same option is given in both places.
Restart docker
The unit file changed, so systemd has to reload it before the daemon (already running since step 2) is restarted; without daemon-reload the old ExecStart stays in effect and the TCP listener never comes up:
systemctl daemon-reload
systemctl restart docker
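The same configuration can be applied without editing the packaged unit file, and the result checked from the outside. The following is an added example written for this page, not part of the original guide: it renders a systemd drop-in and the daemon.json above from a few parameters, installs them, and then probes the daemon three ways (with the client certificate, without it, and over plaintext) to confirm that only the first succeeds. It assumes the certificate directory and file names from create-ca.sh, uses port 2376 rather than the 2375 above, and the IP 203.0.113.10 and mirror URL in the usage comments are placeholders.

```bash
#!/bin/bash
# Added example for this guide (not part of the original page): applies the TLS listener via a
# systemd drop-in instead of editing the packaged unit, writes daemon.json with the mirrors under
# registry-mirrors, and smoke-tests that the daemon really enforces client-certificate TLS.
# Assumptions: the certificate directory and file names from create-ca.sh; port 2376 (the
# conventional TLS API port; the guide above uses 2375); curl on the testing machine.

# Drop-in body. The empty "ExecStart=" line is required: for services that are not Type=oneshot,
# systemd allows only one ExecStart=, so the packaged value must be cleared before the new one is set.
render_docker_override() {   # $1 = certificate dir, $2 = TLS port
    cat <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:$2 --tlsverify --tlscacert=$1/ca.pem --tlscert=$1/server-cert.pem --tlskey=$1/server-key.pem
EOF
}

# daemon.json body. Mirrors go under registry-mirrors (HTTPS, certificate verified); listing them under
# insecure-registries would instead allow plain HTTP or unverified TLS for those hosts. No "hosts" key:
# it would clash with -H on the command line and dockerd would refuse to start.
render_daemon_json() {       # $@ = mirror URLs
    printf '{\n  "registry-mirrors": ['
    sep=""
    for m in "$@"; do printf '%s\n    "%s"' "$sep" "$m"; sep=","; done
    printf '\n  ],\n  "log-driver": "json-file",\n  "log-opts": { "max-size": "50m", "max-file": "1" }\n}\n'
}

# Write both files and restart the daemon; run as root on the Docker host.
apply_docker_tls_config() {  # $1 = certificate dir, $2 = TLS port, $3.. = mirror URLs
    dir="$1"; port="$2"; shift 2
    install -d -m 0755 /etc/systemd/system/docker.service.d
    render_docker_override "$dir" "$port" > /etc/systemd/system/docker.service.d/tls.conf
    render_daemon_json "$@" > /etc/docker/daemon.json
    systemctl daemon-reload    # the unit changed; without this the old ExecStart stays in effect
    systemctl restart docker
}

# Positive and negative checks against the running daemon (needs curl and network access).
smoke_test_docker_tls() {    # $1 = host, $2 = TLS port, $3 = dir holding ca.pem, cert.pem, key.pem
    host="$1"; port="$2"; c="$3"
    # With the client certificate the version endpoint must answer.
    curl -sS --cacert "$c/ca.pem" --cert "$c/cert.pem" --key "$c/key.pem" "https://$host:$port/version" \
        | grep -q '"Version"' || { echo "FAIL: request with client certificate was rejected" >&2; return 1; }
    # Without a client certificate --tlsverify must refuse the handshake.
    if curl -s --cacert "$c/ca.pem" "https://$host:$port/version" 2>/dev/null | grep -q '"Version"'; then
        echo "FAIL: daemon answered without a client certificate" >&2; return 1
    fi
    # Plaintext HTTP on the TLS port must not reach the API.
    if curl -s "http://$host:$port/version" 2>/dev/null | grep -q '"Version"'; then
        echo "FAIL: daemon answered over plaintext HTTP" >&2; return 1
    fi
    echo "OK: $host:$port requires a client certificate signed by ca.pem"
}

# Example run on the host, then from the machine that unpacked tls-client-certs.tar.gz into ~/.docker
# (203.0.113.10 and the mirror URL are placeholders):
#   apply_docker_tls_config /etc/docker/docker-ca 2376 https://docker.mirrors.ustc.edu.cn
#   smoke_test_docker_tls 203.0.113.10 2376 ~/.docker
```

The render functions are kept separate from the apply step so the generated files can be reviewed (or diffed against the current ones) before anything is restarted; the smoke test is the part to keep in a post-deploy check, since a daemon that answers the second or third probe has silently fallen back to an unauthenticated API.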