两台虚拟机都安装了 docker-ce。
server端-----192.168.175.148
client端------192.168.175.149
//关闭防火墙
[root@promote ~]# systemctl stop firewalld.service
[root@promote ~]# mkdir /root/tls
//创建ca密码
[root@promote tls]# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
........++
.....................................++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem: ///输入密码123123
Verifying - Enter pass phrase for ca-key.pem: 再次输入密码123123
///创建ca证书
[root@promote tls]# openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
Enter pass phrase for ca-key.pem: //输入密码123123
///创建服务器私钥
[root@promote tls]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
......................++
............................................++
e is 65537 (0x10001)
//创建私钥签名
[root@promote tls]# openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
///使用ca证书与私钥签名,创建server-cert.pem,生成ca.srl
[root@promote tls]# openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
ey ca-key.pem -CAcreateserial -out server-cert.pem
Signature ok
subject=/CN=*
Getting CA Private Key
Enter pass phrase for ca-key.pem: ///输入密码123123
//生成客户端密钥----key.pem
[root@promote tls]# openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
.................................................................................++
..............................................................................................................................................................................................................................++
e is 65537 (0x10001)
//生成客户端签名
[root@promote tls]# openssl req -subj "/CN=client" -new -key key.pem -out client.csr
//创建配置文件
[root@promote tls]# echo extendedKeyUsage=clientAuth > extfile.cnf
//创建签名证书
[root@promote tls]# openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem: ///输入密码
//修改docker的配置文件,并且重启服务
vim /usr/lib/systemd/system/docker.service
#ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/root/tls/ca.pem --tlscert=/root/tls/server-cert.pem --tlskey=/root/tls/server-key.pem -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
[root@promote tls]# systemctl daemon-reload
[root@promote tls]# systemctl restart docker
将(ca.pem)ca证书、(cert.pem)签名证书、(key.pem)客户端密钥复制到client的/etc/docker目录下,使client客户端可以通过证书来访问
[root@promote tls]# scp ca.pem root@192.168.175.149:/etc/docker/
[root@promote tls]# scp cert.pem root@192.168.175.149:/etc/docker/
[root@promote tls]# scp key.pem root@192.168.175.149:/etc/docker/
client端------192.168.175.149
部署基本环境,且验证TLS
[root@promote ~]# vim /etc/hosts
192.168.175.148 master
//查看server端的docker版本
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2375 version
Client: Docker Engine - Community
Version: 19.03.8
API version: 1.40
Go version: go1.12.17
Git commit: afacb8b
Built: Wed Mar 11 01:27:04 2020
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.8
API version: 1.40 (minimum version 1.12)
Go version: go1.12.17
Git commit: afacb8b
Built: Wed Mar 11 01:25:42 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.2.13
GitCommit: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683