Docker remote API access control
- The Docker remote API has an unauthenticated-access vulnerability; at minimum, restrict access from external networks. Accessing the daemon through the Unix socket is recommended.
- Listen on an internal IP; the docker daemon is started as follows
By default, docker does not expose a port for external access
[root@localhost docker]# netstat -ntap | grep docker
[root@localhost docker]#
- Edit the service file to expose docker's port externally
vim /usr/lib/systemd/system/docker.service
Reload the service and check whether the port is open
[root@localhost docker]# systemctl daemon-reload
[root@localhost docker]# systemctl restart docker
[root@localhost docker]# netstat -ntap | grep 2375
tcp 0 0 192.168.179.174:2375 0.0.0.0:* LISTEN 6514/dockerd
Add a firewall rule; IP-based access control can be done with firewalld on the host.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.179.175" port protocol="tcp" port="2375" accept'
IP=192.168.179.175 is the client address
[root@localhost docker]# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.179.175" port protocol="tcp" port="2375" accept"
success
[root@localhost docker]# firewall-cmd --reload
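The page edits docker.service and adds the firewall rule but never shows what the daemon command line ends up looking like. The following is an added example, not code from the page: a small POSIX shell audit that takes a dockerd argument list (as it would appear in an ExecStart line) and reports whether any TCP endpoint is served in plaintext or bound to all interfaces, plus a helper that prints the firewalld rich rule with quoting that survives the shell unchanged. The helper names are hypothetical and the three sample argument lists are constructed; the same audit applies to the TLS section later on the page, where the daemon listens on 2376 with --tlsverify.

```shell
#!/bin/sh
# Added example (not from the original page): audit a dockerd command line
# for an exposed remote API, and build the firewalld rich rule with safe quoting.
# Helper names are hypothetical; the sample ExecStart argument lists are constructed.

# audit_dockerd_args "ARGS"
#   returns 0 if every TCP endpoint is bound to a specific address and the
#   daemon runs with --tlsverify, 1 if a TCP endpoint is served in plaintext,
#   2 if a TCP endpoint is bound to all interfaces (0.0.0.0, [::], or no address)
audit_dockerd_args() {
    args=$1
    tls=0
    case " $args " in
        *" --tlsverify "*|*" --tlsverify=true "*) tls=1 ;;
    esac
    status=0
    for tok in $args; do
        ep=${tok#-H=}          # accept -H=tcp://..., -H tcp://... and --host=tcp://...
        ep=${ep#--host=}
        case $ep in
            tcp://*)
                hostport=${ep#tcp://}
                case $hostport in
                    0.0.0.0:*|'[::]:'*|:*) return 2 ;;   # wildcard bind: reachable from every interface
                esac
                [ "$tls" -eq 1 ] || status=1             # TCP without TLS client verification
                ;;
        esac
    done
    return $status
}

# docker_api_rich_rule CLIENT_IP PORT
#   prints a firewalld rich rule admitting only CLIENT_IP to PORT/tcp.
#   Usage: firewall-cmd --permanent --add-rich-rule="$(docker_api_rich_rule 192.168.179.175 2375)"
docker_api_rich_rule() {
    printf 'rule family="ipv4" source address="%s" port protocol="tcp" port="%s" accept' "$1" "$2"
}

# Constructed sample argument lists, as they would follow "ExecStart=/usr/bin/dockerd"
plain_all='-H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375'
plain_lan='-H unix:///var/run/docker.sock -H tcp://192.168.179.174:2375'
tls_lan='--tlsverify --tlscacert=/tls/ca.pem --tlscert=/tls/server-cert.pem --tlskey=/tls/server-key.pem -H unix:///var/run/docker.sock -H tcp://192.168.179.174:2376'

for a in "$plain_all" "$plain_lan" "$tls_lan"; do
    rc=0
    audit_dockerd_args "$a" || rc=$?
    echo "rc=$rc for: $a"
done
```

Rather than editing /usr/lib/systemd/system/docker.service directly (a package upgrade can overwrite it), put the changed ExecStart in a drop-in such as /etc/systemd/system/docker.service.d/override.conf and run systemctl daemon-reload as the page does; the audit above can then be run over that file's ExecStart line before restarting the daemon.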
Check the images from another node after pulling one on the server
Pull an image on the server
[root@localhost docker]# docker pull nginx
[root@localhost docker]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 602e111c06b6 42 hours ago 127MB
The client lists its local images
[root@localhost docker]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@localhost docker]#
The client lists the server's images
[root@localhost docker]# docker -H=tcp://192.168.179.174:2375 images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 602e111c06b6 42 hours ago 127MB
Docker TLS encrypted communication
- To prevent link hijacking, session hijacking and similar problems from exposing Docker communication to a man-in-the-middle attack, the client and server should communicate over an encrypted channel
Change the hostnames of the two test hosts
[root@localhost docker]# hostnamectl set-hostname master
[root@localhost docker]# su
[root@master docker]#
[root@localhost docker]# hostnamectl set-hostname client
[root@localhost docker]# su
[root@client docker]#
Make the hostnames resolvable by editing the hosts file
Create the working directory (on the server)
[root@master docker]# mkdir /tls
[root@master docker]# cd /tls/
[root@master tls]# ls
[root@master tls]#
Create the CA key
[root@master tls]# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
....++
..................++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem: # choose a passphrase
Verifying - Enter pass phrase for ca-key.pem: # confirm the passphrase
[root@master tls]# ls
ca-key.pem
Create the CA certificate
[root@master tls]# openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
-days is the certificate validity period, -key specifies the key file, -sha256 the hash algorithm, -out the output certificate filename
Enter pass phrase for ca-key.pem: # enter the key passphrase
[root@master tls]# ls
ca-key.pem ca.pem
Create the server key
[root@master tls]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.....................................................................................................++
..........................................++
e is 65537 (0x10001)
[root@master tls]# ls
ca-key.pem ca.pem server-key.pem
Create the server certificate signing request (CSR)
[root@master tls]# openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
[root@master tls]# ls
ca-key.pem ca.pem server.csr server-key.pem
Sign the server certificate with the CA certificate and CA key
[root@master tls]# openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
Signature ok
subject=/CN=*
Getting CA Private Key
Enter pass phrase for ca-key.pem: # enter the key passphrase
Generate the client key
[root@master tls]# openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................................................................................................................................................................................++
......................................................................................++
e is 65537 (0x10001)
[root@master tls]# ls
ca-key.pem ca.pem ca.srl key.pem server-cert.pem server.csr server-key.pem
Create the client certificate signing request
[root@master tls]# ls
ca-key.pem ca.pem ca.srl client.csr key.pem server-cert.pem server.csr server-key.pem
Create an extension config file so the certificate is marked for client authentication
[root@master tls]# echo extendedKeyUsage=clientAuth > extfile.cnf
[root@master tls]# ls
ca-key.pem ca.pem ca.srl client.csr extfile.cnf key.pem server-cert.pem server.csr server-key.pem
Sign the certificate (enter 123123 as the passphrase); this needs the client CSR, the CA certificate and the CA key
[root@master tls]# openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:
[root@master tls]# ls
ca-key.pem ca.srl client.csr key.pem server.csr
ca.pem cert.pem extfile.cnf server-cert.pem server-key.pem
Remove the extra files
[root@master tls]# ls
ca-key.pem ca.pem cert.pem key.pem server-cert.pem server-key.pem
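The certificate steps above are typed in one at a time and the client CSR command is not shown. As an added example (not the page's own commands), the script below carries the whole procedure through non-interactively with openssl: a passphrase-protected CA, a server certificate, and a client certificate restricted to clientAuth as on the page. It differs from the page in two deliberate ways: the server certificate names the host by DNS name and IP in a subjectAltName instead of the wildcard subject "/CN=*" (Go-based Docker clients verify the SAN, not the CN), and it is restricted to serverAuth so the two certificates cannot be swapped. The verify function checks the results before anything is copied to the client. Helper names, the hostname master, the IP 192.168.179.174 and the passphrase are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the page's own commands): generate the Docker TLS material
# non-interactively, naming the server by hostname and IP in a subjectAltName
# instead of the wildcard "/CN=*", and check the result before deploying it.
# Helper names are hypothetical; the hostname, IP and passphrase are constructed.
set -u

# make_docker_tls_certs DIR HOST IP CA_PASSPHRASE
#   writes ca.pem, ca-key.pem, server-cert.pem, server-key.pem, cert.pem, key.pem into DIR
make_docker_tls_certs() (
    dir=$1; host=$2; ip=$3; capass=$4
    set -e
    mkdir -p "$dir"
    cd "$dir"

    # CA: passphrase-protected key (as on the page) and a self-signed certificate
    openssl genrsa -aes256 -passout "pass:$capass" -out ca-key.pem 4096 2>/dev/null
    openssl req -new -x509 -days 1000 -sha256 -key ca-key.pem -passin "pass:$capass" \
        -subj "/CN=docker-ca" -out ca.pem

    # Server: key, CSR, then a CA-signed cert limited to serverAuth with SANs
    openssl genrsa -out server-key.pem 4096 2>/dev/null
    openssl req -new -sha256 -subj "/CN=$host" -key server-key.pem -out server.csr
    printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
        "$host" "$ip" > server-ext.cnf
    openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
        -passin "pass:$capass" -CAcreateserial -out server-cert.pem -extfile server-ext.cnf

    # Client: key, CSR, then a CA-signed cert limited to clientAuth (as on the page)
    openssl genrsa -out key.pem 4096 2>/dev/null
    openssl req -new -sha256 -subj "/CN=client" -key key.pem -out client.csr
    printf 'extendedKeyUsage = clientAuth\n' > client-ext.cnf
    openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
        -passin "pass:$capass" -CAcreateserial -out cert.pem -extfile client-ext.cnf

    # Drop the intermediates and lock down the private keys
    rm -f server.csr client.csr server-ext.cnf client-ext.cnf ca.srl
    chmod 0400 ca-key.pem server-key.pem key.pem
    chmod 0444 ca.pem server-cert.pem cert.pem
)

# verify_docker_tls_certs DIR
#   0 if both certificates chain to the CA and carry the intended extensions, 1 otherwise
verify_docker_tls_certs() {
    d=$1
    openssl verify -CAfile "$d/ca.pem" "$d/server-cert.pem" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$d/ca.pem" "$d/cert.pem" >/dev/null 2>&1 || return 1
    srv=$(openssl x509 -in "$d/server-cert.pem" -noout -text)
    cli=$(openssl x509 -in "$d/cert.pem" -noout -text)
    # server cert must name the host (SAN) and be limited to serverAuth
    printf '%s\n' "$srv" | grep -q 'DNS:' || return 1
    printf '%s\n' "$srv" | grep -q 'TLS Web Server Authentication' || return 1
    # client cert must be limited to clientAuth so it cannot impersonate the daemon
    printf '%s\n' "$cli" | grep -q 'TLS Web Client Authentication' || return 1
    printf '%s\n' "$cli" | grep -q 'TLS Web Server Authentication' && return 1
    return 0
}

# Usage with constructed values (sh gen-docker-tls.sh run); afterwards copy
# ca.pem, cert.pem and key.pem to the client, e.g. with scp, and keep ca-key.pem off it.
if [ "${1:-}" = "run" ]; then
    make_docker_tls_certs /tmp/docker-tls master 192.168.179.174 'change-me'
    verify_docker_tls_certs /tmp/docker-tls && echo "certificates OK"
fi
```

The client-side command on the page stays the same; the only visible difference is that -H tcp://master:2376 must use a name or address that appears in the server certificate's subjectAltName.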
Edit the docker service file to require TLS certificate verification
Reload the docker service and push the certificates to the client
[root@master tls]# systemctl daemon-reload
[root@master tls]# systemctl restart docker
[root@master tls]# netstat -ntap | grep docker
tcp6 0 0 :::2376 :::* LISTEN 6709/dockerd
Copy the three files /tls/ca.pem, /tls/cert.pem and /tls/key.pem to the client host
[root@master tls]# scp ca.pem root@192.168.179.182:/etc/docker/
root@192.168.179.182's password:
ca.pem 100% 1765 2.1MB/s 00:00
[root@master tls]# scp cert.pem root@192.168.179.182:/etc/docker/
root@192.168.179.182's password:
cert.pem 100% 1696 1.4MB/s 00:00
[root@master tls]# scp key.pem root@192.168.179.182:/etc/docker/
root@192.168.179.182's password:
key.pem 100% 3243 3.6MB/s 00:00
Check the files on the client
[root@client docker]# ls
ca.pem cert.pem daemon.json key.json key.pem
Pull an image on the server and view it from the client
The server has no images yet
[root@master tls]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
The client lists its local images
[root@client docker]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@client docker]#
The server pulls an image
[root@master tls]# docker pull nginx
[root@master tls]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 602e111c06b6 2 days ago 127MB
[root@master tls]#
The client lists the server's images (turn off the firewall on both sides first)
[root@client docker]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2376 images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 602e111c06b6 2 days ago 127MB