Environment
VM: ubuntu
Host: win10
Steps
Follow the steps one by one; the pitfalls are called out as they come up.
All of the following commands are run on the docker server (the Ubuntu VM).
1. Create a certs folder to hold the keys, enter it, and right-click -> Open in Terminal.
2. Run openssl genrsa -aes256 -out ca-key.pem 4096
jtc@ubuntu:~/certs$ openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................++
..............................................................................................................................................++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem: // enter a passphrase
Verifying - Enter pass phrase for ca-key.pem: // confirm it
You will be asked to enter and confirm a passphrase for the CA key. Remember it: it is required every time this key signs a certificate (steps 3, 8 and 12), and anyone holding ca-key.pem plus the passphrase can mint client certificates that the daemon will trust.
3. Run openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
jtc@ubuntu:~/certs$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:jtc
Locality Name (eg, city) [Default City]:hz
Organization Name (eg, company) [Default Company Ltd]:xx
Organizational Unit Name (eg, section) []:xx
Common Name (eg, your name or your server's hostname) []:192.168.184.128 // enter your own docker server's IP address
Enter your docker server's IP address on the last line; the other fields can follow mine, they do not matter. (The CA certificate's Common Name is never matched against the host you connect to, so a distinct name such as docker-ca is clearer and avoids confusing the CA with the server certificate; using the IP works too.)
4. Run openssl genrsa -out server-key.pem 4096
5. Run openssl req -subj "/CN=192.168.184.128" -sha256 -new -key server-key.pem -out server.csr
Change the IP here to your own; mine is 192.168.184.128.
6. Run echo subjectAltName = IP:192.168.184.128,IP:127.0.0.1 >> extfile.cnf
Change the IP here too. The client matches the address it connects to against the subjectAltName, so every IP you will connect through must be listed as IP:...; add a DNS:<hostname> entry only if you will connect by hostname (a DNS: entry holding an IP literal never matches anything), and 0.0.0.0 is never a connection target, so it does not belong here.
7. Run echo extendedKeyUsage = serverAuth >> extfile.cnf
8. Run openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
This asks for the CA key passphrase again.
9. Run openssl genrsa -out key.pem 4096
10. Run openssl req -subj '/CN=client' -new -key key.pem -out client.csr
11. Run echo extendedKeyUsage = clientAuth > extfile-client.cnf
Use a new file for the client extensions. Appending this line to extfile.cnf would leave one file with the server's subjectAltName and two extendedKeyUsage lines, and the client certificate would be issued with the server's subjectAltName as well.
12. Run openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf
This asks for the CA key passphrase again.
13. Run
rm -v client.csr server.csr // remove the temporary signing requests
chmod -v 0400 ca-key.pem key.pem server-key.pem // private keys: readable by the owner only
chmod -v 0444 ca.pem server-cert.pem cert.pem // certificates: readable by everyone, writable by nobody
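Steps 1 to 13 as a single non-interactive script, added here as an example; it is not taken from the original post. It produces the same files (ca.pem, server-cert.pem/server-key.pem, cert.pem/key.pem) but goes a little beyond the steps above: the CA gets its own name and explicit CA extensions from a minimal config so the result does not depend on the system openssl.cnf, the CA passphrase comes from the CA_PASS environment variable (env: rather than pass: so it never shows up in ps), the client extensions live in their own file, and verify_purpose, cert_eku and cert_san run the checks worth doing before touching the daemon: openssl verify -purpose confirms that each certificate chains to ca.pem and is usable only for its intended side of the connection. The directory, the IP, the passphrase default and the RSA_BITS override are assumptions; openssl 1.1.1 or newer must be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl 1.1.1+ on PATH.
set -eu

# gen_docker_pki DIR IP
# Creates in DIR: ca-key.pem, ca.pem, server-key.pem, server-cert.pem,
# key.pem, cert.pem (the names dockerd and docker-java expect).
gen_docker_pki() {
    dir="$1"; host_ip="$2"
    bits="${RSA_BITS:-4096}"                # RSA_BITS override exists only to shorten a test run
    : "${CA_PASS:=demo-only-change-me}"     # assumed default; set CA_PASS in the environment
    export CA_PASS
    mkdir -p "$dir"
    (
        cd "$dir"

        # CA: encrypted key, its own name, explicit CA extensions from a minimal config.
        openssl genrsa -aes256 -passout env:CA_PASS -out ca-key.pem "$bits" 2>/dev/null
        printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\n' > ca.cnf
        printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' >> ca.cnf
        openssl req -new -x509 -days 365 -sha256 -config ca.cnf -extensions v3_ca \
            -key ca-key.pem -passin env:CA_PASS -subj "/CN=docker-ca" -out ca.pem

        # Server: CN and SAN carry the daemon address; EKU limits the cert to serverAuth.
        openssl genrsa -out server-key.pem "$bits" 2>/dev/null
        openssl req -new -sha256 -key server-key.pem -subj "/CN=$host_ip" -out server.csr
        printf 'subjectAltName = IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' "$host_ip" > extfile.cnf
        openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
            -passin env:CA_PASS -CAcreateserial -out server-cert.pem -extfile extfile.cnf 2>/dev/null

        # Client: its own extension file, EKU clientAuth only, no SAN.
        openssl genrsa -out key.pem "$bits" 2>/dev/null
        openssl req -new -key key.pem -subj "/CN=client" -out client.csr
        printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
        openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
            -passin env:CA_PASS -CAcreateserial -out cert.pem -extfile extfile-client.cnf 2>/dev/null

        rm -f client.csr server.csr
        chmod 0400 ca-key.pem key.pem server-key.pem
        chmod 0444 ca.pem server-cert.pem cert.pem
    )
}

# verify_purpose DIR FILE PURPOSE   (PURPOSE is sslserver or sslclient)
# Succeeds only if FILE chains to DIR/ca.pem AND its EKU permits that role.
verify_purpose() {
    openssl verify -CAfile "$1/ca.pem" -purpose "$3" "$1/$2" >/dev/null 2>&1
}

# cert_eku DIR FILE : the Extended Key Usage text, e.g. "TLS Web Client Authentication"
cert_eku() {
    openssl x509 -in "$1/$2" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# cert_san DIR FILE : the Subject Alternative Name text (empty when the cert has none)
cert_san() {
    openssl x509 -in "$1/$2" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Example run on the daemon host:
#   CA_PASS='a long random passphrase' gen_docker_pki "$HOME/certs" 192.168.184.128
#   verify_purpose "$HOME/certs" server-cert.pem sslserver && echo "server cert OK"
#   verify_purpose "$HOME/certs" cert.pem sslclient       && echo "client cert OK"
#   verify_purpose "$HOME/certs" cert.pem sslserver       || echo "client cert cannot pose as the daemon"
```

The last usage line is the point of the extendedKeyUsage lines: a client certificate must not be accepted as a server certificate or the other way round, and openssl verify -purpose is the quickest way to prove that before the daemon is involved.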
14. The certs folder now holds the CA, server and client keys and certificates, ca.srl, and the extension files.
Copy ca.pem, cert.pem and key.pem to the machine that will run the Java program. ca-key.pem is not needed there: it is only used to sign certificates, and anyone who obtains it can issue their own trusted client certificates, so it stays on the CA host only. I used a USB stick, but because I was not running as administrator some files could not be accessed, so I first opened a command line, ran
su root
to get root, then ran nautilus
and did the copy and paste in that folder.
15. Pick a folder on the host machine for the files from step 14; I put mine in
Then, on the VM, open the service file with gedit /lib/systemd/system/docker.service
and find the ExecStart line.
If you followed the previous article you will remember that we appended
-H tcp://0.0.0.0:2375 -H unix://var/run/docker.sock
to ExecStart. Delete that (skip this if you never added it) and append the following instead:
-D --tlsverify=true --tlscert=/home/jtc/certs/server-cert.pem --tlskey=/home/jtc/certs/server-key.pem --tlscacert=/home/jtc/certs/ca.pem -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
Note: replace /home/jtc/certs
with the path of your own certs folder; the daemon has to read those three files (dockerd runs as root, so the 0400 permissions from step 13 are fine). The socket URL takes three slashes: unix:///var/run/docker.sock is an absolute path, whereas the two-slash form is resolved relative to the daemon's working directory and only works because systemd starts the service in /. -D turns on daemon debug logging (the debug=true in the output at the end comes from it); it is not part of the TLS setup and can be dropped once everything works. The conventional port for the TLS API is 2376, but this guide keeps 2375 so it matches the Java configuration further down. Be aware that editing /lib/systemd/system/docker.service directly is undone by the next package upgrade; a drop-in under /etc/systemd/system/docker.service.d/ (created with systemctl edit docker) that first clears ExecStart with an empty ExecStart= line and then sets the full new ExecStart= survives upgrades.
16. Restart the service:
systemctl daemon-reload
service docker restart
If docker does not come back up, journalctl -u docker shows why; a wrong certificate path is the usual cause.
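The same daemon change as a systemd drop-in, plus the handshake checks that show what the daemon now accepts, added here as an example and not part of the original post: write_dockerd_override renders an override unit (so the change survives package upgrades), and probe_docker_tls sends the three requests whose outcomes tell you whether --tlsverify is really in force. The drop-in file name tls.conf, the DOCKERD_EXTRA variable, and the /home/jtc/certs, 0.0.0.0 and 2375 values (copied from this guide) are assumptions; curl is needed on the probing machine.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a systemd-managed docker
# daemon, curl on the probing machine, and the certs produced in steps 1-13.
set -eu

# write_dockerd_override OUTFILE CERTS IP PORT
# Renders a systemd drop-in that starts dockerd with --tlsverify. A drop-in under
# /etc/systemd/system/docker.service.d/ survives package upgrades, unlike an edit
# to /lib/systemd/system/docker.service. The empty "ExecStart=" line is mandatory:
# ExecStart is a list and must be cleared before it can be set again. Put any other
# flags from your distribution's stock ExecStart (for example --containerd=...) into
# DOCKERD_EXTRA. -D (debug logging) is deliberately left out.
write_dockerd_override() {
    out="$1"; certs="$2"; ip="$3"; port="$4"
    extra="${DOCKERD_EXTRA:-}"
    mkdir -p "$(dirname "$out")"
    cat > "$out" <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd ${extra:+$extra }--tlsverify --tlscacert=$certs/ca.pem --tlscert=$certs/server-cert.pem --tlskey=$certs/server-key.pem -H tcp://$ip:$port -H unix:///var/run/docker.sock
EOF
}

# probe_docker_tls CLIENT_CERT_DIR IP PORT
# Three requests against /info. Once --tlsverify is active the expected results are:
#   plain HTTP               -> rejected (the listener only speaks TLS)
#   TLS without client cert  -> rejected (handshake fails: a cert signed by ca.pem is required)
#   TLS with cert.pem/key.pem -> HTTP 200 and the /info JSON
probe_docker_tls() {
    d="$1"; ip="$2"; port="$3"
    if curl -sf -o /dev/null --max-time 5 "http://$ip:$port/info"; then
        echo "plain http:           ACCEPTED  <- TLS is NOT active on this port"
    else
        echo "plain http:           rejected"
    fi
    if curl -sf -o /dev/null --max-time 5 --cacert "$d/ca.pem" "https://$ip:$port/info"; then
        echo "tls, no client cert:  ACCEPTED  <- client certificates are NOT being enforced"
    else
        echo "tls, no client cert:  rejected"
    fi
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 \
           --cacert "$d/ca.pem" --cert "$d/cert.pem" --key "$d/key.pem" \
           "https://$ip:$port/info" || true)
    echo "tls with client cert: HTTP ${code:-000}"
}

# On the daemon host (as root):
#   write_dockerd_override /etc/systemd/system/docker.service.d/tls.conf /home/jtc/certs 0.0.0.0 2375
#   systemctl daemon-reload && systemctl restart docker
# From the client machine that holds ca.pem, cert.pem and key.pem:
#   probe_docker_tls ./certs 192.168.184.128 2375
```

The two negative probes matter as much as the positive one: "ACCEPTED" on either of them means the daemon is still reachable without a client certificate, which on a 0.0.0.0 listener is root on the host for anyone who can reach the port.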
17. Opening 192.168.184.128:2375/info in a browser no longer works: the port now only speaks TLS, and the daemon completes the handshake only with a client that presents a certificate signed by ca.pem. That is what protects the API. Keep in mind that whoever holds cert.pem and key.pem has root-equivalent control of the docker host, so treat them like an SSH private key. Next we access the daemon from Java.
As in part one, a Maven project just adds the dependency; a non-Maven project downloads the jar from GitHub and imports it by hand.
Mine is a Maven project, and I wrote a test class to try it.
package com.service.impl;

import com.github.dockerjava.api.DockerClient;
import com.github.dockerjava.api.command.DockerCmdExecFactory;
import com.github.dockerjava.api.model.Info;
import com.github.dockerjava.core.DefaultDockerClientConfig;
import com.github.dockerjava.core.DockerClientBuilder;
import com.github.dockerjava.core.DockerClientConfig;
import com.github.dockerjava.jaxrs.JerseyDockerCmdExecFactory;
import com.service.DockerTestService;
import org.springframework.stereotype.Service;

/**
 * @author Tiecheng Jia
 * @date 2020/2/14 17:06
 */
@Service
public class DockerTestServiceImpl implements DockerTestService {
    @Override
    public void DockerTest() {
        // TLS client authentication. The cert directory must contain ca.pem,
        // cert.pem and key.pem from step 14: with tlsVerify=true docker-java
        // speaks HTTPS, checks the daemon's certificate against ca.pem and
        // presents cert.pem/key.pem as its client certificate.
        DockerClientConfig config = DefaultDockerClientConfig.createDefaultConfigBuilder()
                .withDockerTlsVerify(true)
                .withDockerCertPath("D:/docker-java/")
                .withDockerHost("tcp://192.168.184.128:2375")
                // dockerConfig is the docker client config directory (config.json),
                // used only for registry credentials; optional for this call
                .withDockerConfig("D:/docker-java/")
                .withApiVersion("1.40")
                .withRegistryUrl("https://index.docker.io/v1/")
                // registry username/password are only needed for pull/push against a
                // registry; infoCmd() does not use them, and real credentials must
                // never be hard-coded in source
                .build();
        DockerCmdExecFactory dockerCmdExecFactory = new JerseyDockerCmdExecFactory()
                .withReadTimeout(1000)
                .withConnectTimeout(1000)
                .withMaxTotalConnections(100)
                .withMaxPerRouteConnections(10);
        // connect and query the daemon; a TLS failure surfaces here as an exception
        DockerClient dockerClient = DockerClientBuilder.getInstance(config)
                .withDockerCmdExecFactory(dockerCmdExecFactory)
                .build();
        Info info = dockerClient.infoCmd().exec();
        System.out.println("--- docker output ---");
        System.out.println(info);
    }
}
Note the following settings; anything not mentioned keeps its default:
dockerHost: the docker server's IP address and port
dockerCertPath: the Windows directory holding ca.pem, cert.pem and key.pem (docker-java looks for exactly these three file names)
dockerConfig: the docker client configuration directory (the one containing config.json); it is only consulted for registry credentials, so pointing it at the certs directory is harmless
apiVersion: the daemon's API version, shown under Server -> API version by docker version on the docker server
Final output:
--- docker output ---
com.github.dockerjava.api.model.Info@6a4238ff[architecture=x86_64,containers=0,containersStopped=0,containersPaused=0,containersRunning=0,cpuCfsPeriod=true,cpuCfsQuota=true,cpuShares=true,cpuSet=true,debug=true,discoveryBackend=<null>,dockerRootDir=/var/lib/docker,driver=overlay2,driverStatuses=[[Backing Filesystem, extfs], [Supports d_type, true], [Native Overlay Diff, true]],systemStatus=<null>,plugins={Volume=[local], Network=[bridge, host, ipvlan, macvlan, null, overlay], Authorization=null, Log=[awslogs, fluentd, gcplogs, gelf, journald, json-file, local, logentries, splunk, syslog]},executionDriver=<null>,loggingDriver=json-file,experimentalBuild=false,httpProxy=,httpsProxy=,id=ZKNS:CDJA:GJ3G:6YJ3:YADZ:WVBU:SERB:FNBY:Z4DO:YOHK:G62G:VZ6V,ipv4Forwarding=true,bridgeNfIptables=true,bridgeNfIp6tables=true,images=4,indexServerAddress=https://index.docker.io/v1/,initPath=<null>,initSha1=<null>,kernelVersion=4.15.0-45-generic,labels={},memoryLimit=true,memTotal=4112039936,name=ubuntu,ncpu=4,nEventsListener=0,nfd=23,nGoroutines=36,noProxy=,oomKillDisable=true,osType=linux,oomScoreAdj=<null>,operatingSystem=Ubuntu 16.04.6 LTS,registryConfig=com.github.dockerjava.api.model.InfoRegistryConfig@26361572[indexConfigs={docker.io=com.github.dockerjava.api.model.InfoRegistryConfig$IndexConfig@5dc8448b[mirrors=[],name=docker.io,official=true,secure=true]},insecureRegistryCIDRs=[127.0.0.0/8],mirrors=[]],sockets=<null>,swapLimit=false,systemTime=2020-02-14T04:36:31.954387391-08:00,serverVersion=19.03.4,clusterStore=,clusterAdvertise=]
Success!
In the next part we will use the Docker API from Java and wrap it in a utility class for basic docker operations.