创建证书目录
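# Directory that will hold the CA key, the daemon's key and the issued
# certificates. Every later path is relative, so abort if the cd fails
# instead of scattering private keys into the caller's cwd. Keep the
# directory root-only regardless of umask: unencrypted keys land here.
mkdir -p /etc/docker/cert/ || exit 1
chmod 700 /etc/docker/cert/
cd /etc/docker/cert/ || exit 1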
生成 ca 密钥
# CA private key: RSA-4096, encrypted with AES-256 under a passphrase.
# NOTE(review): `pass:123456` puts the passphrase on the command line, where
# it shows up in `ps`, shell history and `set -x` traces, and the value is a
# weak default. `-passout env:VAR` or `-passout file:/path` with a strong
# passphrase is the usual alternative; the same applies to every `-passin`
# further down.
# Option reference: `openssl genrsa -help`
openssl genrsa -out ca-key.pem -aes256 -passout pass:123456 4096
生成 ca 证书
# Write an RNG seed file for root. Presumably a workaround for OpenSSL
# builds that complain about a missing ~/.rnd when running `req`;
# hard-coded to root's home, so this assumes the script runs as root.
openssl rand -writerand /root/.rnd
# Self-signed CA certificate: 1000 days, SHA-256 signature. CN=* is only a
# label here; clients trust this CA by its key, not by its name.
# NOTE(review): CA passphrase on argv again (see the genrsa step above).
openssl req -x509 -new \
  -key ca-key.pem -passin pass:123456 \
  -days 1000 -sha256 -subj "/CN=*" \
  -out ca.pem
生成服务端私钥
# Daemon (server) private key, RSA-4096, stored unencrypted so dockerd can
# load it without a passphrase — this is why the directory must stay
# root-only (the file itself should be mode 0600; verify after generation).
openssl genrsa -out server-key.pem 4096
生成服务端证书请求
# Certificate signing request for the daemon. The subject is a placeholder;
# the names the daemon is actually reachable by go into subjectAltName at
# signing time (extfile.cnf below).
openssl req -new -key server-key.pem -subj "/CN=*" -sha256 -out server.csr
生成服务端证书
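# Extensions for the daemon certificate.
# Original note (translated): "set the client IPs allowed to connect;
# 0.0.0.0 allows any IP, or restrict to specific IPs".
# NOTE(review): subjectAltName lists the identities the DAEMON presents —
# a client running with --tlsverify compares the address it dialled against
# this list. It does not restrict which client IPs may connect; that is done
# by the client certificate (tlsverify in daemon.json) and the firewall.
# `DNS:*` / `IP:0.0.0.0` are therefore just very permissive; for real
# verification the daemon's actual hostname or IP (the one used in the
# `docker -H ...` test below) has to be listed here.
# Fixes vs. the original: the value is quoted (an unquoted `*` is a shell
# glob), and the first line uses `>` so re-running does not append a second
# subjectAltName — a duplicate extension makes the certificate invalid for
# strict parsers.
printf '%s\n' 'subjectAltName = DNS:*,IP:0.0.0.0,IP:127.0.0.1' > extfile.cnf
printf '%s\n' 'extendedKeyUsage = serverAuth' >> extfile.cnf
# Sign the CSR with the CA; -CAcreateserial creates ca.srl on first use.
# NOTE(review): CA passphrase on argv (see the genrsa step above).
openssl x509 -req -days 1000 -sha256 \
  -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -passin pass:123456 \
  -extfile extfile.cnf -out server-cert.pem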
生成客户端私钥
# Client private key, RSA-4096, unencrypted. Together with client.pem this
# is the credential that lets a host drive the daemon — copy it to the
# client over a secure channel and keep it mode 0600 there.
openssl genrsa -out client-key.pem 4096
生成客户端证书请求
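# Certificate signing request for the client. `-sha256` added for parity
# with the server CSR; the issued certificate's digest is fixed by the
# signing step regardless, so this only affects the CSR itself.
openssl req -new -sha256 -key client-key.pem -subj '/CN=client' -out client.csr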
生成客户端证书
# Client certificate: extendedKeyUsage=clientAuth only. No subjectAltName
# is needed — the daemon accepts the client because the certificate chains
# to ca.pem, not because of its name. `>` truncates, so re-running is safe.
printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
# NOTE(review): CA passphrase on argv (see the genrsa step above).
openssl x509 -req -days 1000 -sha256 \
  -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -passin pass:123456 \
  -extfile extfile-client.cnf -out client.pem
修改 /etc/docker/daemon.json
# Interactive step: add the keys shown below to the daemon config.
# "tlsverify": true makes dockerd require a client certificate signed by
# the CA in "tlscacert" on every TLS connection, not just encryption.
vim /etc/docker/daemon.json
增加如下内容
{
#...
# 增加如下内容
"tls": true,
"tlscacert": "/etc/docker/cert/ca.pem",
"tlscert": "/etc/docker/cert/server-cert.pem",
"tlskey": "/etc/docker/cert/server-key.pem",
"tlsverify": true
}
开放docker tcp端口
# Interactive step: edit the unit so dockerd also listens on TCP.
# (A drop-in under /etc/systemd/system/docker.service.d/ would survive
# package upgrades; the tutorial edits the packaged unit in place.)
vim /lib/systemd/system/docker.service
# Expose the TCP listener next to the local socket. Binding 0.0.0.0 makes
# the API reachable on every interface; with tls/tlsverify set in
# daemon.json each connection must present a client certificate signed by
# ca.pem. Restrict the port at the firewall as well.
# NOTE(review): 2376 is the conventional port for the TLS-protected API
# (2375 conventionally means plaintext); using 2375 works but is unexpected.
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375
重启docker服务
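# Apply the unit change: systemd must re-read the unit before the restart,
# otherwise the previous ExecStart is used. Stop on failure so a broken
# restart is not masked by the test that follows.
systemctl daemon-reload || exit 1
systemctl restart docker || exit 1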
测试
# Smoke test from a client host; ca.pem, client.pem and client-key.pem are
# the client-side copies (here under /home/hnidc/jzx/).
# NOTE(review): as far as I can tell the Docker CLI only checks the daemon's
# certificate under --tlsverify; with --tls alone the connection is
# encrypted and the client authenticates itself, but the daemon's identity
# is not verified and --tlscacert is effectively unused for that purpose.
# Switching to --tlsverify requires the daemon's real address/hostname in
# the server certificate's subjectAltName.
docker --tls \
  --tlscacert /home/hnidc/jzx/ca.pem \
  --tlscert /home/hnidc/jzx/client.pem \
  --tlskey /home/hnidc/jzx/client-key.pem \
  -H 10.17.201.18:2375 \
  ps