centos7 docker使用证书

环境

docker:1.13.1+
centos7

1.生成ca证书

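#!/usr/bin/env bash
# -------------------------------------------------------------
# Generate a Docker TLS certificate set (CA, server, client).
# -------------------------------------------------------------
# author: lanwp
# date:   2019/4/17
#
# Files produced:
#   used by the daemon : ca.pem, server-cert.pem, server-key.pem
#   used by the client : ca.pem, cert.pem, key.pem
#
# subjectAltName (SAN) of the server certificate:
#   - not set: only the CN is available for host-name matching. The cert is
#     then usable against any address only as long as clients skip server
#     certificate verification (docker --tls, curl -k); recent Go-based
#     clients ignore the CN for host matching, so --tlsverify cannot succeed
#     without a SAN.
#   - set: list every name/address clients will connect to, e.g.
#       SAN="DNS:docker166,IP:192.168.72.166,IP:127.0.0.1"

# Passphrase protecting ca-key.pem. Can be supplied via CA_KEY_PASSWORD in the
# environment; the default below is a placeholder and must be changed.
# NOTE(review): the CA key signs every client certificate the daemon will
# trust, so a weak or shared passphrase here undermines the whole setup.
PASSWORD="${CA_KEY_PASSWORD:-123456}"
# Validity of the CA and server certificates in days. 36500 is ~100 years,
# i.e. no expiry-driven rotation; shorten it if renewal should be enforced.
DAYS=36500
# Optional subjectAltName for the server certificate (see header). Empty = none.
SAN="${SAN:-}"

# Subject fields of the CA certificate (values in quotes are placeholders).
COUNTRY="CN"
STATE="省"                  # province, optional
CITY="市"                   # city, optional
ORGANIZATION="公司名称"      # organisation, optional
ORGANIZATIONAL_UNIT="Dev"   # organisational unit, optional
COMMON_NAME="test"          # host name or IP clients connect to; also the server cert's CN. Required.
EMAIL="test@163.com"        # optional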
    
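#######################################
# Generate the CA, server and client key pairs in the current directory.
# Globals (read): PASSWORD, DAYS, COUNTRY, STATE, CITY, ORGANIZATION,
#                 ORGANIZATIONAL_UNIT, COMMON_NAME, EMAIL, SAN (optional)
# Outputs:        ca-key.pem ca.pem server-key.pem server-cert.pem
#                 key.pem cert.pem (and ca.srl from -CAcreateserial)
# Returns:        non-zero as soon as an openssl step fails. The body runs in
#                 a subshell with set -e so a half-built set of files is not
#                 chmod'ed and later used as if it were complete.
#######################################
noCode() (
  set -euo pipefail

  # The CA key passphrase is handed to openssl through the environment
  # (env:) rather than on the command line (pass:) so it does not show up
  # in `ps` output or shell history.
  export CA_KEY_PASS="${PASSWORD}"

  #---
  # CA key (AES-256 encrypted) and self-signed CA certificate.
  openssl genrsa -aes256 -passout env:CA_KEY_PASS -out ca-key.pem 4096
  openssl req -new -x509 -days "${DAYS}" -key ca-key.pem -sha256 -out ca.pem \
    -passin env:CA_KEY_PASS \
    -subj "/C=${COUNTRY}/ST=${STATE}/L=${CITY}/O=${ORGANIZATION}/OU=${ORGANIZATIONAL_UNIT}/CN=${COMMON_NAME}/emailAddress=${EMAIL}"

  #---
  # Server key and CSR. The CN is the name/IP clients will connect to.
  openssl genrsa -out server-key.pem 4096
  openssl req -subj "/CN=${COMMON_NAME}" -sha256 -new -key server-key.pem -out server.csr

  # Server cert extensions. Written with '>' (not '>>') so leftovers from an
  # aborted earlier run cannot leak into this certificate.
  # subjectAltName is optional, e.g. SAN="DNS:docker166,IP:192.168.72.166,IP:127.0.0.1".
  # Without it only the CN is available for host matching; recent Go-based
  # clients ignore the CN, so server-cert verification needs a SAN.
  printf 'extendedKeyUsage = serverAuth\n' > extfile.cnf
  if [ -n "${SAN:-}" ]; then
    printf 'subjectAltName = %s\n' "${SAN}" >> extfile.cnf
  fi
  openssl x509 -req -days "${DAYS}" -sha256 -in server.csr \
    -CA ca.pem -CAkey ca-key.pem -CAcreateserial -passin env:CA_KEY_PASS \
    -extfile extfile.cnf -out server-cert.pem

  #---
  # Client key and certificate, restricted to clientAuth so the client cert
  # cannot be presented as a server certificate.
  openssl genrsa -out key.pem 4096
  openssl req -subj '/CN=client' -new -key key.pem -out client.csr
  printf 'extendedKeyUsage = clientAuth\n' > extfile.cnf
  # The client certificate is kept short-lived (365 days) compared with DAYS.
  openssl x509 -req -days 365 -sha256 -in client.csr \
    -CA ca.pem -CAkey ca-key.pem -CAcreateserial -passin env:CA_KEY_PASS \
    -extfile extfile.cnf -out cert.pem

  rm -vf client.csr server.csr extfile.cnf

  # Private keys readable by the owner only; certificates world-readable.
  chmod -v 0400 ca-key.pem key.pem server-key.pem
  chmod -v 0444 ca.pem server-cert.pem cert.pem
)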
    
# 保存目录
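#######################################
# Ensure an ssl/ directory exists under the current directory and cd into it
# so the generated certificate files land there.
# (Currently unused: the call below is commented out and the certificates are
# generated in /root/.docker instead.)
# Side effects: creates ./ssl (and /root/.docker) if missing; changes cwd.
# Returns:      non-zero if ./ssl cannot be created or entered.
#######################################
setSaveCaDir() {
  # Bug fix: the original `local BASE_PATH = $PWD` is parsed by bash as three
  # words and rejected with "local: `=': not a valid identifier".
  local base_path="$PWD"
  local ssl_dir="${base_path}/ssl"

  if [ -d "${ssl_dir}" ]; then
    echo "文件夹存在"
  else
    echo "文件夹不存在"
    mkdir -p -- "${ssl_dir}" || return 1
  fi
  # NOTE(review): this directory is not used by this function; presumably it
  # is pre-created for the daemon.json paths further down — confirm.
  mkdir -p /root/.docker/ || echo "warning: could not create /root/.docker" >&2
  cd -- "${ssl_dir}" || return 1
}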
    
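# setSaveCaDir
# Generate everything straight into /root/.docker: the daemon.json below
# points the daemon there, and it is the Docker CLI's default certificate
# directory for root (~/.docker, see the curl/docker checks further down).
# -p makes a re-run on an existing directory work; with the original
# `mkdir dir && cd dir` an existing directory made mkdir fail, skipped the cd
# and dumped the certificates into the caller's cwd. Abort if the directory
# cannot be entered so nothing is written elsewhere.
mkdir -p /root/.docker/ && cd /root/.docker/ || exit 1
noCode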

2.配置daemon.json

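# Write the daemon configuration. The certificate file names must match what
# the script above produces (ca.pem, server-cert.pem, server-key.pem); the
# original pointed tlscert at server.pem, which the script never creates, so
# dockerd would fail to start after the restart below.
# tlsverify=true makes the daemon require a client certificate signed by
# tlscacert. That is the only thing protecting the 0.0.0.0:2376 listener:
# unauthenticated access to the Docker API is root on the host.
# NOTE(review): the registry mirror is plain http://, so manifests and layers
# are fetched through it without TLS — prefer an https mirror.
# NOTE(review): if your docker.service ExecStart already passes -H (docker-ce
# units use -H fd://), dockerd refuses to start with hosts also set here;
# check `journalctl -u docker` if the restart fails.
# The here-doc delimiter is quoted so nothing in the JSON is shell-expanded.
cat <<'EOF' > /etc/docker/daemon.json
{
  "registry-mirrors": ["http://hub-mirror.c.163.com"],
  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
  "tlsverify": true,
  "tlscacert": "/root/.docker/ca.pem",
  "tlscert": "/root/.docker/server-cert.pem",
  "tlskey": "/root/.docker/server-key.pem"
}
EOF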

重启docker 让配置生效

# Restart the daemon so it picks up /etc/docker/daemon.json. If it does not
# come back, `journalctl -u docker -n 50` shows why (typically a certificate
# path that does not exist or a hosts/-H conflict).
systemctl restart docker.service

3. 验证

使用root 用户执行

方式一

# Method 1: query the daemon API with curl, presenting the client certificate.
# NOTE(review): -k turns off verification of the *server* certificate, so this
# only proves the daemon accepts our client cert (tlsverify); it does not prove
# the server cert chains to ca.pem. It is needed here because the server cert
# has CN=test and no subjectAltName, so it does not match 127.0.0.1. Once the
# server cert carries a SAN for the address you connect to, drop -k so that
# --cacert is actually enforced.
curl -k --cert "$HOME/.docker/cert.pem" --key "$HOME/.docker/key.pem" --cacert "$HOME/.docker/ca.pem" https://127.0.0.1:2376/images/json

# Same request, one option per line.
curl -k \
      --cert "$HOME/.docker/cert.pem" \
      --key "$HOME/.docker/key.pem" \
      --cacert "$HOME/.docker/ca.pem" \
      https://127.0.0.1:2376/images/json

方式二

命令

 docker -H 127.0.0.1 ps

例子

[root@localhost ~]# docker -H 127.0.0.1 ps
Get http://127.0.0.1:2375/v1.26/containers/json: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02".
* Are you trying to connect to a TLS-enabled daemon without TLS?

# 正常
[root@localhost ~]# docker --tls -H 127.0.0.1 ps 
CONTAINER ID        IMAGE                                           COMMAND                  CREATED             STATUS              PORTS                                                  NAMES
089aaa126aa8        kibana:6.8.2                                    "/usr/local/bin/ki..."   29 hours ago        Up 40 minutes       0.0.0.0:5601->5601/tcp                                 kibana
2047a90b277b        elasticsearch:6.8.2                             "/usr/local/bin/do..."   29 hours ago        Up 40 minutes       0.0.0.0:9200->9200/tcp, 0.0.0.0:9300->9300/tcp         elasticsearch
2baaae6c4d9f        dimmaryanto93/logstash-input-jdbc-mysql:6.6.0   "/usr/local/bin/do..."   2 days ago          Up 40 minutes       0.0.0.0:5044->5044/tcp, 0.0.0.0:9600->9600/tcp         logstash6-mysql
d9a998876509        redis:5.0.5                                     "docker-entrypoint..."   6 days ago          Up 40 minutes       0.0.0.0:6379->6379/tcp                                 some-redis
e4722d3396c6        zookeeper:3.5.5    