Preface
Normally we use Docker by pulling an image on the server and then creating containers from that image. For an application we develop ourselves, turning it into a Docker image usually means compiling and packaging the application, writing a Dockerfile, and building the image with the docker build command. Every version upgrade and feature iteration repeats these steps, so it is best to streamline and automate this workflow.
Docker can be configured so that a client can operate the Docker service remotely.
If you need to access the Docker daemon remotely, you need to enable the tcp Socket. Beware that the default setup provides un-encrypted and un-authenticated direct access to the Docker daemon - and should be secured either using the built in HTTPS encrypted socket, or by putting a secure web proxy in front of it. You can listen on port 2375 on all network interfaces with -H tcp://0.0.0.0:2375, or on a particular network interface using its IP address: -H tcp://192.168.59.103:2375. It is conventional to use port 2375 for un-encrypted, and port 2376 for encrypted communication with the daemon.
The simplest way is to expose the Docker daemon to the outside directly.
# vim /usr/lib/systemd/system/docker.service
... (line 13)
ExecStart=/usr/bin/dockerd -H fd:// \
    -H tcp://0.0.0.0:2375 \
    --containerd=/run/containerd/containerd.sock
...
# service docker restart
However, this approach has no protection at all and is very unsafe: Docker starts as the root user by default, so once an attacker goes after the server through the Docker service, it is easy to obtain root privileges on the server, with serious consequences. It is therefore best to protect the Docker service with TLS encryption, so that only clients holding the certificate can operate on the daemon.
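Before moving on to the fix, a quick way to find the insecure setup described above on a host. This is an added example, not code from the original post: it audits a dockerd command line (or the ExecStart= of docker.service) for a tcp:// listener that is not paired with --tlsverify. The sample command lines are constructed; the TLS file names in the second one are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a dockerd command line
# (the ExecStart= value of docker.service) for the plaintext TCP listener the post
# warns about, i.e. a "-H tcp://..." host that is not paired with --tlsverify.
# Hosts set in /etc/docker/daemon.json are not covered and need a separate check.

# Print every tcp:// host the daemon would bind to, one per line (empty if none).
dockerd_tcp_hosts() {
    printf '%s\n' "$1" | grep -oE 'tcp://[^[:space:]"]+' || true
}

# Return 0 when no unauthenticated TCP socket is exposed, 1 when the daemon
# binds tcp:// without --tlsverify (anyone who reaches the port controls root).
audit_dockerd_cmdline() {
    hosts=$(dockerd_tcp_hosts "$1")
    if [ -z "$hosts" ]; then
        echo "OK: no TCP listener, unix socket only"
        return 0
    fi
    if printf '%s\n' "$1" | grep -qE '(^|[[:space:]])--tlsverify([[:space:]=]|$)'; then
        echo "OK: TCP listener(s) require client certificates (--tlsverify):"
        echo "$hosts"
        return 0
    fi
    echo "INSECURE: plaintext, unauthenticated TCP listener(s):"
    echo "$hosts"
    return 1
}

# Audit a systemd unit file: join ExecStart= with its backslash-continued lines,
# as in the post's docker.service, then check the resulting command line.
audit_docker_unit() {
    unit=${1:-/usr/lib/systemd/system/docker.service}
    line=$(awk '/^ExecStart=/{p=1} p{c=($0 ~ /\\$/); sub(/\\$/,""); printf "%s ", $0; if(!c) exit}' "$unit")
    audit_dockerd_cmdline "${line#ExecStart=}"
}

# Constructed sample command lines: the exposed one from the post, and the same
# daemon moved to 2376 with TLS client verification (file names are assumptions).
INSECURE_LINE='/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock'
TLS_LINE='/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem'

for line in "$INSECURE_LINE" "$TLS_LINE"; do
    audit_dockerd_cmdline "$line" || :
done
```

Run `audit_docker_unit` with no argument on a Docker host to check the real unit file; a non-zero exit status means the daemon is reachable over plaintext TCP.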
Steps
- Create the TLS certificates
- Configure the Docker service to use TLS
- Specify the certificates when connecting from the client
Official documentation:
- https://docs.docker.com/engine/reference/commandline/dockerd/#:~:text=Examples-,Daemon%20socket%20option,-%F0%9F%94%97
- https://docs.docker.com/engine/security/protect-access/#:~:text=C%0AControlPersist%20%20%20%20yes-,Use%20TLS%20(HTTPS)%20to%20protect%20the%20Docker%20daemon%20socket,-%F0%9F%94%97
Generating the certificates
$ HOST=example.com
$ openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
..........++++
.........................................................................................................................................................................................++++
e is 65537 (0x010001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256