I. Official references
- dockerd command-line reference: https://docs.docker.com/engine/reference/commandline/dockerd/
- Certificate creation steps, "Protect the Docker daemon socket": https://docs.docker.com/engine/security/https/
II. Creating the certificates
Certificates produced:
ca-key.pem
ca.pem
cert.pem
key.pem
server-cert.pem
server-key.pem
Used by the server:
ca.pem
server-cert.pem
server-key.pem
Used by the client:
cert.pem
ca.pem
key.pem
Steps to generate the certificates
1. Root certificate
ca-key.pem (the root CA private key):
openssl genrsa -out ca-key.pem 4096
ca.pem (the root certificate):
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
-days 365 sets the validity period of the certificate in days; a longer period can be chosen.
Enter the certificate details when prompted:
[root@localhost docker_ssl]# openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:docker166
Email Address []:
2. Server certificate
server-key.pem:
$ openssl genrsa -out server-key.pem 4096
server.csr
Generate server.csr first; it is needed to generate server-cert.pem. /CN is normally your DNS name, here docker166 (so $HOST=docker166):
$ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
server-cert.pem
This step needs the ca-key.pem pass phrase and a subjectAltName listing every DNS name and IP address the daemon will be reached at:
echo subjectAltName = DNS:docker166,IP:192.168.72.166,IP:127.0.0.1 >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
openssl x509 -req -days 36500 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf
Example:
[root@localhost docker_ssl]# echo subjectAltName = DNS:docker166,IP:192.168.72.166,IP:127.0.0.1 >> extfile.cnf
[root@localhost docker_ssl]# echo extendedKeyUsage = serverAuth >> extfile.cnf
[root@localhost docker_ssl]# cat extfile.cnf
subjectAltName = DNS:docker166,IP:192.168.72.166,IP:127.0.0.1
extendedKeyUsage = serverAuth
[root@localhost docker_ssl]# openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
> -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=ffcs-ark
Getting CA Private Key
Enter pass phrase for ca-key.pem:
If the address used for the connection is not listed in subjectAltName, the client refuses the server certificate, for example:
[root@localhost .docker]# curl https://192.168.72.110:2376/images/json --cert ~/.docker/cert.pem --key ~/.docker/key.pem --cacert ~/.docker/ca.pem
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server’s certificate.
3. Client certificate
key.pem:
openssl genrsa -out key.pem 4096
cert.pem
To set a 100-year validity, change -days 365 to -days 36500:
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out cert.pem -extfile extfile-client.cnf
Example, setting the validity period to 10 years (36500 days is in fact 100 years):
openssl x509 -req -days 36500 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out cert.pem -extfile extfile-client.cnf
III. Docker TLS server-side configuration
Method 1: start the daemon from the command line
dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem \
-H=0.0.0.0:2376
With the certificates in the default directory ~/.docker/, the client needs no certificate flags. Note that the client's default host name localhost is not in the subjectAltName, so -H=127.0.0.1 (which is) must be given:
[root@localhost docker_ssl]# docker --tlsverify ps
error during connect: Get https://localhost:2376/v1.26/containers/json: x509: certificate is valid for docker166, not localhost
[root@localhost docker_ssl]# docker --tlsverify -H=127.0.0.1 ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
Method 2: configuration file
For docker 1.13 the options are set in /etc/sysconfig/docker-network. When configuring docker over HTTPS, both ports 2375 and 2376 must be listened on; for HTTP a single port is enough.
Edit the network options with vi /etc/sysconfig/docker-network:
[root@localhost docker_ssl]# vi /etc/sysconfig/docker-network
# /etc/sysconfig/docker-network
DOCKER_NETWORK_OPTIONS="--tlsverify --tlscacert=/root/.docker/ca.pem --tlscert=/root/.docker/server-cert.pem --tlskey=/root/.docker/server-key.pem -H=0.0.0.0:2376 -H=0.0.0.0:2375"
Restart the daemon:
systemctl daemon-reload && systemctl restart docker
The docker unit file is at /usr/lib/systemd/system/docker.service (cat /usr/lib/systemd/system/docker.service).
IV. Client request tests
Testing TLS with docker on the daemon host itself:
The test succeeds because the certificates are already present in /root/.docker.
docker --tls version is equivalent to:
docker --tls --tlscacert /root/.docker/ca.pem --tlscert /root/.docker/cert.pem --tlskey /root/.docker/key.pem version
[root@localhost .docker]# docker --tls version
Client:
Version: 1.13.1
API version: 1.26
Package version: docker-1.13.1-88.git07f3374.el7.centos.x86_64
Go version: go1.9.4
Git commit: 07f3374/1.13.1
Built: Fri Dec 7 16:13:51 2018
OS/Arch: linux/amd64
Server:
Version: 1.13.1
API version: 1.26 (minimum version 1.12)
Package version: docker-1.13.1-88.git07f3374.el7.centos.x86_64
Go version: go1.9.4
Git commit: 07f3374/1.13.1
Built: Fri Dec 7 16:13:51 2018
OS/Arch: linux/amd64
Experimental: false
Related options:
Options:
--config string Location of client config files (default "/root/.docker")
--tls Use TLS; implied by --tlsverify
--tlscacert string Trust certs signed only by this CA (default "/root/.docker/ca.pem")
--tlscert string Path to TLS certificate file (default "/root/.docker/cert.pem")
--tlskey string Path to TLS key file (default "/root/.docker/key.pem")
--tlsverify Use TLS and verify the remote
Remote request with docker -H:
docker --tls -H 192.168.72.166 version
[root@docker110 ~]# docker --tls -H 192.168.72.166 version
Client:
Version: 1.13.1
API version: 1.26
Package version: docker-1.13.1-88.git07f3374.el7.centos.x86_64
Go version: go1.10.3
Git commit: b2f74b2/1.13.1
Built: Tue Mar 12 10:27:24 2019
OS/Arch: linux/amd64
Server:
Version: 1.13.1
API version: 1.26 (minimum version 1.12)
Package version: docker-1.13.1-88.git07f3374.el7.centos.x86_64
Go version: go1.9.4
Git commit: 07f3374/1.13.1
Built: Fri Dec 7 16:13:51 2018
OS/Arch: linux/amd64
Experimental: false
DOCKER_CERT_PATH
The default certificate directory can be set as follows:
$ export DOCKER_CERT_PATH=~/.docker/zone1/
$ docker --tlsverify ps
Using curl:
$ curl ${HOST} --cert ~/.docker/cert.pem --key ~/.docker/key.pem --cacert ~/.docker/ca.pem
Example 1:
curl https://192.168.72.166:2376/images/json --cert ~/.docker/cert.pem --key ~/.docker/key.pem --cacert ~/.docker/ca.pem
[root@docker110 ~]# curl https://192.168.72.166:2376/images/json --cert ~/.docker/cert.pem --key ~/.docker/key.pem --cacert ~/.docker/ca.pem
[]
Example 2, multi-line command:
[root@localhost docker_ssl]# curl https://192.168.72.166:2376/images/json \
> --cert ~/.docker/cert.pem \
> --key ~/.docker/key.pem \
> --cacert ~/.docker/ca.pem
[]
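The whole procedure end to end, as an added example that is not from the original post or from Docker: the three certificates of section II (root CA; server certificate carrying the subjectAltName and extendedKeyUsage = serverAuth from extfile.cnf; client certificate) are built with Go's crypto/x509 instead of openssl, and then the checks behind sections III and IV are exercised against an in-process stand-in for dockerd --tlsverify: the subjectAltName check that produced the "not localhost" and curl (51) errors above, a mutual-TLS request that succeeds like the curl call that returned [], and a request without cert.pem/key.pem that the daemon refuses. Assumptions of this example: ECDSA P-256 keys rather than RSA 4096 (speed only); extendedKeyUsage = clientAuth as the content of the extfile-client.cnf the page names but does not show (that is what the linked Docker documentation uses); and the names Bundle, issue, Generate, VerifyServerName, IsHostnameMismatch, StartDaemonLike and Get, which are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Bundle stands in for the page's files ca.pem, server-cert.pem/server-key.pem and cert.pem/key.pem.
// Keys are ECDSA P-256 instead of the page's RSA 4096, purely so the example runs fast (assumption).
type Bundle struct {
	CA             *x509.Certificate
	Server, Client tls.Certificate
}

func must(err error) { if err != nil { panic(err) } }

// issue makes a key and certificate for tmpl. parent == nil gives the self-signed root of step 1
// (openssl req -new -x509); otherwise the CA key signs it, as openssl x509 -req -CA ca.pem does in steps 2 and 3.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(365*24*time.Hour) // -days 365
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, _ := x509.ParseCertificate(der) // DER produced one line above always parses
	return cert, key
}

// Generate runs the page's three steps. The server template is the page's extfile.cnf verbatim (subjectAltName =
// DNS:docker166,IP:192.168.72.166,IP:127.0.0.1 and extendedKeyUsage = serverAuth); the client template uses
// extendedKeyUsage = clientAuth, assumed to be what the extfile-client.cnf not shown on the page contains.
func Generate() *Bundle {
	ca, caKey := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "docker166"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	srv, srvKey := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "docker166"}, // /CN=$HOST
		DNSNames:    []string{"docker166"},
		IPAddresses: []net.IP{net.ParseIP("192.168.72.166"), net.ParseIP("127.0.0.1")},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	cli, cliKey := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "client"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	return &Bundle{CA: ca,
		Server: tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		Client: tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}
}

func (b *Bundle) pool() *x509.CertPool { p := x509.NewCertPool(); p.AddCert(b.CA); return p }

// VerifyServerName is the check docker --tlsverify and curl apply to server-cert.pem: the name or IP used in -H
// must appear in subjectAltName, otherwise the page's "certificate is valid for docker166, not localhost" results.
func (b *Bundle) VerifyServerName(name string) error {
	leaf, _ := x509.ParseCertificate(b.Server.Certificate[0])
	_, err := leaf.Verify(x509.VerifyOptions{Roots: b.pool(), DNSName: name})
	return err
}

// IsHostnameMismatch tells that subjectAltName mismatch apart from any other verification failure.
func IsHostnameMismatch(err error) bool { var he x509.HostnameError; return errors.As(err, &he) }

// StartDaemonLike answers /images/json as dockerd --tlsverify does: it presents server-cert.pem and
// completes the handshake only for clients whose certificate chains to ca.pem.
func (b *Bundle) StartDaemonLike() *httptest.Server {
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "[]") }))
	s.TLS = &tls.Config{Certificates: []tls.Certificate{b.Server}, ClientCAs: b.pool(),
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
	s.StartTLS()
	return s
}

// Get is the client side of docker --tlsverify or the page's curl --cert/--key/--cacert call. Pass b.Client
// for a caller holding cert.pem/key.pem; pass nothing for a caller that trusts ca.pem but has no client cert.
func (b *Bundle) Get(url string, clientCerts ...tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: b.pool(), Certificates: clientCerts, MinVersion: tls.VersionTLS12}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	b := Generate()
	s := b.StartDaemonLike() // listens on 127.0.0.1 only, which is in the subjectAltName
	defer s.Close()
	fmt.Println(b.VerifyServerName("docker166"), "/", b.VerifyServerName("localhost")) // <nil> / x509: certificate is valid for docker166, not localhost
	fmt.Println(b.Get(s.URL+"/images/json", b.Client)) // [] <nil>
	fmt.Println(b.Get(s.URL + "/images/json"))         // "" and a handshake error: the daemon requires a client cert signed by ca.pem
}
```

Run it with go run; nothing listens outside the loopback interface. The two failing cases are the ones worth internalizing: a name or IP missing from subjectAltName fails before any request is sent, which is exactly why the page's extfile.cnf lists every address the daemon is reached at, and --tlsverify on the daemon means the handshake itself is refused for a client that cannot present a certificate chained to ca.pem, so ca-key.pem (which can mint such certificates) and the client key files deserve the same protection as the daemon socket they unlock.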
Other references
- Fully automatic TLS certificate generation for the Docker service (Chinese): https://segmentfault.com/a/1190000012510820
- Creating an HTTPS registry for docker with self-issued OpenSSL certificates (Chinese): https://www.jianshu.com/p/bfdf41a5d8fc