First, on the Docker daemon's host machine, generate the CA private and public keys:
$ openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................................................++
........++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:Queensland
Locality Name (eg, city) []:Brisbane
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc
Organizational Unit Name (eg, section) []:Sales
Common Name (e.g. server FQDN or YOUR name) []:cloudtop
Email Address []:Sven@home.org.au
Now that you have a CA, you can create a server key and certificate signing request (CSR). Make sure that the "Common Name" matches the hostname you use to connect to Docker:
Note: replace all instances of $HOST in the following examples with the DNS name of your Docker daemon's host.
$ openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.....................................................................++
.................................................................................................++
e is 65537 (0x10001)
$ openssl req -subj "/CN=cloudtop" -sha256 -new -key server-key.pem -out server.csr
Next, we're going to sign the public key with our CA:
Since TLS connections can be made through IP address as well as DNS name, the IP addresses need to be specified when creating the certificate. For example, to allow connections using 10.10.10.20 and 127.0.0.1:
$ echo "subjectAltName = DNS:cloudtop,IP:<current IP address of the daemon host>,IP:127.0.0.1" >> extfile.cnf
Set the Docker daemon key's extended usage attributes to be used only for server authentication:
$ echo extendedKeyUsage = serverAuth >> extfile.cnf
Now, generate the signed certificate:
$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=your.host.com
Getting CA Private Key
Enter pass phrase for ca-key.pem:
Authorization plugins offer more fine-grained control to supplement authentication from mutual TLS. In addition to the other information described in the document above, the authorization plugin running on a Docker daemon receives the certificate information for connecting Docker clients.
For client authentication, create a client key and certificate signing request:
Note: for simplicity of the next couple of steps, you may perform this step on the Docker daemon's host as well.
$ openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................................++
................++
e is 65537 (0x10001)
$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
To make the key suitable for client authentication, create a new extensions config file (a separate file from the server's extfile.cnf, so the client certificate does not pick up the server's subjectAltName):
$ echo extendedKeyUsage = clientAuth >> extfile-client.cnf
Now, generate the signed certificate:
$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out cert.pem -extfile extfile-client.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:
After generating cert.pem and server-cert.pem you can safely remove the two certificate signing requests:
$ rm -v client.csr server.csr
With a default umask of 022, your secret keys are world-readable and writable for you and your group.
To protect your keys from accidental damage, remove their write permissions. To make them only readable by you, change file modes as follows:
$ chmod -v 0400 ca-key.pem key.pem server-key.pem
Certificates can be world-readable, but you might want to remove write access to prevent accidental damage:
$ chmod -v 0444 ca.pem server-cert.pem cert.pem
Add a custom systemd drop-in for the Docker service, then reload systemd and restart the daemon:
$ sudo mkdir /etc/systemd/system/docker.service.d
$ sudo vim /etc/systemd/system/docker.service.d/http-proxy.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --tlsverify --tlscacert=/home/cloudtop/software/docker/ca.pem --tlscert=/home/cloudtop/software/docker/server-cert.pem --tlskey=/home/cloudtop/software/docker/server-key.pem -H=0.0.0.0:2376
$ sudo systemctl daemon-reload
$ sudo systemctl restart docker
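The certificate procedure above, collected into one non-interactive script with a check of the result, as an added example that is not part of the original post. It assumes openssl is in PATH, leaves the CA key unencrypted so it can run unattended (the post's -aes256 passphrase is the better choice for a real CA), and signs the CA certificate with an explicit extension file so it is a CA regardless of the local openssl.cnf; the function names and the separate extfile-client.cnf are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): generate the Docker TLS PKI
# (CA, server cert with SAN + serverAuth, client cert with clientAuth) into
# one directory and verify the properties the daemon relies on.
# Assumptions: openssl in PATH; CA key unencrypted for unattended use.
set -e

gen_docker_tls_pki() {            # usage: gen_docker_tls_pki DIR DNS_NAME IP
    mkdir -p "$1"
    (
    cd "$1"; host=$2; ip=$3
    # CA: key, CSR, self-signed certificate explicitly marked as a CA
    openssl genrsa -out ca-key.pem 4096 2>/dev/null
    openssl req -new -key ca-key.pem -subj "/CN=$host CA" -out ca.csr
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > extfile-ca.cnf
    openssl x509 -req -days 365 -sha256 -in ca.csr -signkey ca-key.pem \
        -extfile extfile-ca.cnf -out ca.pem 2>/dev/null
    # Server: CN and SAN must match the name/IPs clients connect to; serverAuth only
    openssl genrsa -out server-key.pem 4096 2>/dev/null
    openssl req -subj "/CN=$host" -sha256 -new -key server-key.pem -out server.csr
    printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
        "$host" "$ip" > extfile.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
        -CAcreateserial -out server-cert.pem -extfile extfile.cnf 2>/dev/null
    # Client: its own extension file, so it does not inherit the server's SAN
    openssl genrsa -out key.pem 4096 2>/dev/null
    openssl req -subj '/CN=client' -new -key key.pem -out client.csr
    printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
        -CAcreateserial -out cert.pem -extfile extfile-client.cnf 2>/dev/null
    rm -f ca.csr client.csr server.csr
    chmod 0400 ca-key.pem key.pem server-key.pem       # private keys: owner read-only
    chmod 0444 ca.pem server-cert.pem cert.pem         # certs: world-readable, no write
    )
}

# Returns 0 only if both leaf certs chain to the CA, the server cert is valid
# as a TLS server for its DNS name, and the client cert is valid as a TLS
# client but rejected as a server (a leaked client cert cannot pose as the daemon).
check_docker_tls_pki() {          # usage: check_docker_tls_pki DIR DNS_NAME
    ca="$1/ca.pem"
    openssl verify -CAfile "$ca" -purpose sslserver "$1/server-cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/server-cert.pem" -noout -text | grep -q "DNS:$2" || return 1
    openssl verify -CAfile "$ca" -purpose sslclient "$1/cert.pem" >/dev/null 2>&1 || return 1
    ! openssl verify -CAfile "$ca" -purpose sslserver "$1/cert.pem" >/dev/null 2>&1
}
```

Point the dockerd --tlscacert/--tlscert/--tlskey flags at the generated ca.pem, server-cert.pem and server-key.pem, and give clients ca.pem, cert.pem and key.pem.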