创建TLS安全连接
- 创建证书脚本
[root@node-219 docker]# cat tlscert.sh
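#!/bin/bash
# @author: Bocloud
#
# Generate a private CA plus a server and a client certificate for a
# TLS-protected Docker daemon (--tlsverify on the daemon, --tlsverify /
# --cert/--key/--cacert on the client).
#
# Usage: tlscert.sh HOST_IP
#   HOST_IP  address the daemon will be reached at; it becomes the server
#            certificate's CN and is added to its subjectAltName.
#
# Outputs, all in the current directory (existing files are overwritten,
# so re-running the script replaces the CA and invalidates every
# certificate issued by the previous one):
#   ca-key.pem                           CA private key (encrypted, 0400)
#   ca.pem                               CA certificate
#   server/{ca,server-cert,server-key}.pem
#   client/{ca,cert,key}.pem
#
# Environment:
#   CA_KEY_PASSWORD  passphrase protecting ca-key.pem. A default is kept
#                    below for compatibility with the original script;
#                    set your own value for anything beyond a lab.
set -euo pipefail

if [[ $# -ne 1 ]]; then
  echo "USAGE: $0 [HOST_IP]" >&2
  exit 1
fi

#============================================#
# Certificate subject settings - edit these  #
#============================================#
# The passphrase is given to openssl through the environment
# (-passin/-passout env:NAME) instead of "pass:VALUE" on the command
# line, so it does not show up in `ps` output or shell history.
export CA_KEY_PASSWORD="${CA_KEY_PASSWORD:-Beyond#11}"
COUNTRY=CN
PROVINCE=jiangsu
CITY=suzhou
ORGANIZATION=Bocloud
GROUP=OEM
NAME=Bocloud
HOST=$1
SUBJ="/C=$COUNTRY/ST=$PROVINCE/L=$CITY/O=$ORGANIZATION/OU=$GROUP/CN=$HOST"
echo "your host is: $1"

# A literal IPv4 address must be listed as an IP: SAN entry; anything else
# (a hostname) only verifies as a DNS: entry. 127.0.0.1 is kept so the
# daemon can be reached locally over TLS as well.
if [[ "$HOST" =~ ^[0-9]+(\.[0-9]+){3}$ ]]; then
  SAN="IP:127.0.0.1,IP:$HOST"
else
  SAN="IP:127.0.0.1,DNS:$HOST"
fi

# 1. CA private key, AES-256 encrypted with CA_KEY_PASSWORD.
openssl genrsa -passout env:CA_KEY_PASSWORD -aes256 -out ca-key.pem 4096
chmod 0600 ca-key.pem
# 2. Self-signed CA certificate from that key.
openssl req -passin env:CA_KEY_PASSWORD -new -x509 -days 365 -key ca-key.pem \
  -sha256 -out ca.pem -subj "$SUBJ"

#============================================#
# Server certificate signed by the CA        #
#============================================#
# 3. Server private key (unencrypted: dockerd has to load it unattended).
openssl genrsa -out server-key.pem 4096
chmod 0600 server-key.pem
# 4. Server certificate signing request.
openssl req -new -sha256 -key server-key.pem -out server.csr -subj "/CN=$HOST"
# 5. Extensions: bind the certificate to the address(es) clients will use
#    and restrict it to server use.
printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$SAN" > extfile.cnf
# 6. Sign the server certificate with the CA.
openssl x509 -passin env:CA_KEY_PASSWORD -req -days 365 -sha256 -in server.csr \
  -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem \
  -extfile extfile.cnf

#============================================#
# Client certificate signed by the CA        #
#============================================#
# 7. Client private key.
openssl genrsa -out key.pem 4096
chmod 0600 key.pem
# 8. Client certificate signing request.
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
# 9. Extensions: client authentication only, so this certificate cannot
#    be presented as a server certificate.
printf 'extendedKeyUsage = clientAuth\n' > extfile.cnf
# 10. Sign the client certificate with the CA.
openssl x509 -passin env:CA_KEY_PASSWORD -req -days 365 -sha256 -in client.csr \
  -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem \
  -extfile extfile.cnf

#============================================#
# Cleanup                                    #
#============================================#
# Remove intermediate files (CSRs, serial file, extension config).
rm -f -- client.csr server.csr ca.srl extfile.cnf
# Sort the results into per-role directories; -p tolerates a re-run.
mkdir -p -- client server
cp -- {ca,cert,key}.pem client
cp -- {ca,server-cert,server-key}.pem server
rm -f -- {cert,key,server-cert,server-key}.pem
# Private keys are read-only for the owner and unreadable to everyone else.
chmod -f 0400 ca-key.pem server/server-key.pem client/key.pem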
- 执行脚本
生成TLS证书配置
[root@node-219 docker]# bash ./tlscert.sh 192.168.2.219
your host is: 192.168.2.219
Generating RSA private key, 4096 bit long modulus
.................................................++
.........++
e is 65537 (0x10001)
Generating RSA private key, 4096 bit long modulus
...............................++
..........++
e is 65537 (0x10001)
Signature ok
subject=/CN=192.168.2.219
Getting CA Private Key
Generating RSA private key, 4096 bit long modulus
..................................................................................................++
....................................................++
e is 65537 (0x10001)
Signature ok
subject=/CN=client
Getting CA Private Key
mkdir: cannot create directory ‘client’: File exists
mkdir: cannot create directory ‘server’: File exists
证书路径如下:
[root@node-219 docker]# ls
ca-key.pem ca.pem client server tlscert.sh
[root@node-219 docker]# pwd
/root/docker
- 配置服务端docker
将服务端证书复制到docker配置目录下。
[root@node-219 docker]# cp server/* /etc/docker
修改/usr/lib/systemd/system/docker.service文件,在 ExecStart=/usr/bin/dockerd -H fd://
后添加上证书配置。
ExecStart=/usr/bin/dockerd -H fd:// --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H=unix:///var/run/docker.sock -H=0.0.0.0:2375
重启docker使配置生效。
[root@node-219 docker]# systemctl daemon-reload
[root@node-219 docker]# systemctl restart docker
外部访问的方式
- 客户端加tls参数访问
[root@node-216 ~]# docker --tlsverify --tlscacert=client/ca.pem --tlscert=client/cert.pem --tlskey=client/key.pem -H tcp://192.168.2.219:2375 images
REPOSITORY TAG IMAGE ID CREATED SIZE
deploy.bocloud/paas/tomcat jdk8-corretto acfc903a890c 8 weeks ago 418MB
deploy.bocloud/paas/sonarqube 7.9.1 6b7ac1689533 2 months ago 480MB
deploy.bocloud/paas/jenkins 2.174 d6170c74e3ca 8 months ago 704MB
deploy.bocloud/paas/postgresql-photon v1.5.0 35c891dea9cf 19 months ago 221MB
deploy.bocloud/paas/clair v2.0.1 930044c045e0 2 years ago 387MB
- Docker API方式访问
[root@node-216 ~]# curl https://192.168.2.219:2375/images/json --cert client/cert.pem --key client/key.pem --cacert client/ca.pem
[{"Containers":-1,"Created":1571710621,"Id":"sha256:acfc903a890c280823c7672e3f775e8f15bd97259ed77a5873fd7a1cb53f2db3","Labels":null,"ParentId":"","RepoDigests":["deploy.bocloud/paas/tomcat@sha256:9a08962cc4e8d1ff850ab85048dbfdf5ef8bfd5706cd30df4345557f1eb35e7c"],"RepoTags":["deploy.bocloud/paas/tomcat:jdk8-corretto"],"SharedSize":-1,"Size":417867037,"VirtualSize":417867037},{"Containers":-1,"Created":1571474225,"Id":"sha256:6b7ac16895331e3867d06762bf773c87e6512a7ae60f4f4fd037800093b271d5","Labels":null,"ParentId":"","RepoDigests":["deploy.bocloud/paas/sonarqube@sha256:e4465c1a587a9f07def0f4ae99e88e3755eb2b016261a6fc5fbb46fb4e8cfd4e"],"RepoTags":["deploy.bocloud/paas/sonarqube:7.9.1"],"SharedSize":-1,"Size":479541766,"VirtualSize":479541766},{"Containers":-1,"Created":1555988207,"Id":"sha256:d6170c74e3ca7f4e133de55416bec9f110f96d41de2f757d288769500808737b","Labels":null,"ParentId":"","RepoDigests":["deploy.bocloud/paas/jenkins@sha256:484cdb6e7a7d3d49f3e26faa07e4c96dadf08ce82a40a7aef5546a48b0ec02a6"],"RepoTags":["deploy.bocloud/paas/jenkins:2.174"],"SharedSize":-1,"Size":703658287,"VirtualSize":703658287},{"Containers":-1,"Created":1525274683,"Id":"sha256:35c891dea9cfb0aa4afb3912736cba8a44af1b37897ccad2f9c134031420354e","Labels":null,"ParentId":"","RepoDigests":["deploy.bocloud/paas/postgresql-photon@sha256:f748660abdd45316fbcee918017591b367020b5129d4e79a718a6c40e7dea326"],"RepoTags":["deploy.bocloud/paas/postgresql-photon:v1.5.0"],"SharedSize":-1,"Size":221102591,"VirtualSize":221102591},{"Containers":-1,"Created":1497986555,"Id":"sha256:930044c045e082b0b2bdded18bb16ee1a115f12942a773ae0e163c9e0417e3ba","Labels":{},"ParentId":"","RepoDigests":["deploy.bocloud/paas/clair@sha256:9bf420f9e3af9377133a0e439b9aaf7f849dfdceaa0af0b9983166337e86bbbf"],"RepoTags":["deploy.bocloud/paas/clair:v2.0.1"],"SharedSize":-1,"Size":386887602,"VirtualSize":386887602}]