一、TLS加密通讯的概述
- 用TLS加密通讯原因:
为了防止链路劫持、会话劫持等问题导致 Docker 通信时被中 间人攻击,c/s 两端应该通过加密方式通讯。 - 对称密钥,例如DES、3DES、AES,长度不同,长度越长安全越高,解密速度越慢。
- 非对称密钥,分为公钥和私钥,例如RSA 公钥:所有人可知(锁),私钥(钥匙)个人身份信息,不可抵赖。
- 封装在证书中:个人信息,密钥,有效期
二、TLS加密通讯的部署
2.1、搭建环境
节点 | 地址 | 安装软件 |
---|---|---|
master | 20.0.0.50 | docker-ce |
Client | 20.0.0.60 | docker-ce |
2.2 部署过程
- Server
[root@cgroup ~]# hostnamectl set-hostname master
[root@cgroup ~]# bash
[root@master ~]#systemctl stop firewalld
[root@master ~]# setenforce 0
[root@master ~]# mkdir /tls
[root@master ~]# cd /tls
[root@master tls]# vim /etc/hosts
127.0.0.1 master
#创建ca密钥,输入密码123123
[root@master tls]# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
......................................................................................................................................++
.........................++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
#创建ca证书,输入密码123123
[root@master tls]# openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
Enter pass phrase for ca-key.pem:
#创建服务器私钥
[root@master tls]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................++
......................................++
e is 65537 (0x10001)
#签名私钥
[root@master tls]# openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
#使用ca证书与私钥证书签名,输入密码123123
[root@master tls]# openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
Signature ok
subject=/CN=*
Getting CA Private Key
Enter pass phrase for ca-key.pem:
#生成客户端密钥
[root@master tls]# openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
........................................................................................................................................................................................................++
..++
e is 65537 (0x10001)
#签名客户端
[root@master tls]# openssl req -subj "/CN=client" -new -key key.pem -out client.csr
#创建配置文件
[root@master tls]# echo extendedKeyUsage=clientAuth > extfile.cnf
#签名证书,输入密码123123
[root@master tls]# openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:
#删除多余文件
[root@master tls]# rm -rf ca.srl client.csr extfile.cnf server.csr
#查看生成文件
[root@master tls]# ls
ca-key.pem ca.pem cert.pem key.pem server-cert.pem server-key.pem
-
配置docker
vim /lib/systemd/system/docker.service
-
重启进程
systemctl daemon-reload -
重启docker服务
systemctl restart docker -
将 /tls/ca.pem /tls/cert.pem /tls/key.pem 三个文件复制到另一台主机
[root@master tls]# scp ca.pem root@20.0.0.60:/etc/docker/
The authenticity of host '20.0.0.60 (20.0.0.60)' can't be established.
ECDSA key fingerprint is SHA256:N36uwPtXA/RHGdEsLwiaV6x0pMPitNj+MSO3APPZtC4.
ECDSA key fingerprint is MD5:14:cf:b4:13:36:a1:ea:c6:dc:01:f5:83:65:ca:b0:39.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '20.0.0.60' (ECDSA) to the list of known hosts.
root@20.0.0.60's password:
ca.pem 100% 1765 2.6MB/s 00:00
[root@master tls]# scp cert.pem root@20.0.0.60:/etc/docker/
root@20.0.0.60's password:
cert.pem 100% 1696 1.3MB/s 00:00
[root@master tls]# scp key.pem root@20.0.0.60:/etc/docker/
root@20.0.0.60's password:
key.pem 100% 3247 1.3MB/s 00:00
2.3 验证加密通讯
- Server上验证
[root@master tls]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2376 version
Client: Docker Engine - Community
Version: 19.03.13
API version: 1.40
Go version: go1.13.15
Git commit: 4484c46d9d
Built: Wed Sep 16 17:03:45 2020
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.13
API version: 1.40 (minimum version 1.12)
Go version: go1.13.15
Git commit: 4484c46d9d
Built: Wed Sep 16 17:02:21 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.3.7
GitCommit: 8fba4e9a7d01810a393d5d25a3621dc101981175
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683
- Client上验证
[root@client ~]# vim /etc/hosts
20.0.0.50 master
[root@client ~]# cd /etc/docker/
[root@client docker]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2376 version
Client: Docker Engine - Community
Version: 19.03.13
API version: 1.40
Go version: go1.13.15
Git commit: 4484c46d9d
Built: Wed Sep 16 17:03:45 2020
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.13
API version: 1.40 (minimum version 1.12)
Go version: go1.13.15
Git commit: 4484c46d9d
Built: Wed Sep 16 17:02:21 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.3.7
GitCommit: 8fba4e9a7d01810a393d5d25a3621dc101981175
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683