docker 配置tls加密的tcp远程连接
修改 docker 启动配置，在启动参数中加上下面这些：vi /lib/systemd/system/docker.service（该文件会在软件包升级时被覆盖，更稳妥的做法是写到 drop-in 文件 /etc/systemd/system/docker.service.d/override.conf 中）。注意：2375 习惯上是 Docker 的明文端口，TLS 端口的约定是 2376；端口可以自选，但下面客户端测试命令要同步修改。-H tcp://0.0.0.0 会在所有网卡上监听，开启 --tlsverify 后只有持有该 CA 签发的客户端证书的连接才会被接受；持有客户端证书即等同于宿主机 root 权限，务必妥善保管并按需用防火墙限制来源。
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
编写证书生成脚本（vi tls.sh），证书生成路径为 /etc/docker/ca/。脚本会写入 /etc/docker 并重启 docker 服务，需要以 root 身份执行；脚本中的 SERVER 必须改成本机 IP（或主机名），否则证书的 CN/SAN 只有 0.0.0.0，远程客户端无法通过校验。
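#!/bin/bash
# Create the TLS material for a Docker daemon exposed over TCP with
# --tlsverify: a passphrase-protected CA, a server cert/key for dockerd and a
# client cert/key for `docker --tlsverify`. Everything is generated under
# /etc/docker/ca; the server cert, server key and CA cert are then installed
# into /etc/docker and the daemon is restarted.
#
# Requirements: run as root (writes /etc/docker, restarts docker.service).
# Tunables (environment variables, all optional):
#   SERVER       IP address or DNS name of this host; goes into the server
#                cert CN and SAN. The 0.0.0.0 default only works for the local
#                `-H 0.0.0.0` smoke test; set it to the real address.
#   CA_PASSWORD  passphrase for ca-key.pem (PASSWORD is accepted for backward
#                compatibility); prompted for on a terminal when unset.
#   DAYS         validity of every certificate in days (default 3650).
# The tutorial runs this with `sh tls.sh`, so only POSIX sh features are used.
set -eu

SERVER="${SERVER:-0.0.0.0}"               # 需要修改为本机ip
COUNTRY="${COUNTRY:-CN}"
STATE="${STATE:-shanghai}"
CITY="${CITY:-shanghai}"
ORGANIZATION="${ORGANIZATION:-Dev}"
ORGANIZATIONAL_UNIT="${ORGANIZATIONAL_UNIT:-Dev}"
EMAIL="${EMAIL:-test@xxx.com}"
DAYS="${DAYS:-3650}"
# Working directory; it also keeps the CA key and the client cert/key.
TEMP_DIR='/etc/docker/ca'
INSTALL_DIR='/etc/docker'

# The CA passphrase is never put on the openssl command line (visible in `ps`
# to every local user); openssl reads it from the environment via env:.
CA_PASSWORD="${CA_PASSWORD:-${PASSWORD:-}}"
if [ -z "$CA_PASSWORD" ]; then
  if [ -t 0 ]; then
    printf 'Passphrase for ca-key.pem: ' >&2
    stty -echo
    read -r CA_PASSWORD
    stty echo
    printf '\n' >&2
  else
    echo "CA_PASSWORD is not set and stdin is not a terminal" >&2
    exit 1
  fi
fi
if [ -z "$CA_PASSWORD" ]; then
  echo "refusing an empty CA passphrase" >&2
  exit 1
fi
export CA_PASSWORD

if [ "$SERVER" = "0.0.0.0" ]; then
  echo "warning: SERVER is 0.0.0.0; the server cert will not match a real address" >&2
fi

# SAN entry type depends on whether SERVER is an IPv4 literal or a name
# (an IPv6 literal would be treated as a name here).
case "$SERVER" in
  *[!0-9.]*) SERVER_SAN="DNS:${SERVER}" ;;
  *)         SERVER_SAN="IP:${SERVER}" ;;
esac

mkdir -p "${TEMP_DIR}"
cd "${TEMP_DIR}"
# Private keys must not be world-readable even between creation and chmod.
umask 077

# CA private key, encrypted with the passphrase.
openssl genrsa -aes256 -passout env:CA_PASSWORD -out ca-key.pem 4096
echo "生成ca私钥完成"
# Self-signed CA certificate; subject built from the variables above.
openssl req -new -x509 -passin env:CA_PASSWORD -days "${DAYS}" -key ca-key.pem -sha256 -out ca.pem \
  -subj "/C=${COUNTRY}/ST=${STATE}/L=${CITY}/O=${ORGANIZATION}/OU=${ORGANIZATIONAL_UNIT}/emailAddress=${EMAIL}"
echo "填写配置信息完成"

# The server key is unencrypted: dockerd has to load it unattended at boot.
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=${SERVER}" -sha256 -new -key server-key.pem -out server.csr
# Server-only extensions; 127.0.0.1 and 0.0.0.0 are included so local tests work.
printf 'subjectAltName = %s,IP:127.0.0.1,IP:0.0.0.0\nextendedKeyUsage = serverAuth\n' "${SERVER_SAN}" > extfile.cnf
openssl x509 -req -days "${DAYS}" -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -passin env:CA_PASSWORD \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf
echo "生成自签证书完成"

# Client extensions live in their own file so the client cert does not inherit
# the server SAN or carry a second extendedKeyUsage line.
printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
openssl x509 -req -days "${DAYS}" -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -passin env:CA_PASSWORD \
  -CAcreateserial -out cert.pem -extfile extfile-client.cnf
echo "生成client自签证书完成"

rm -v -f client.csr server.csr
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem

echo "复制证书到指定目录"
# install(1) sets the mode explicitly; a plain cp would give a freshly created
# /etc/docker/server-key.pem the umask default (typically 0644).
install -m 0400 server-key.pem "${INSTALL_DIR}/server-key.pem"
install -m 0444 server-cert.pem "${INSTALL_DIR}/server-cert.pem"
install -m 0444 ca.pem "${INSTALL_DIR}/ca.pem"
systemctl daemon-reload
systemctl restart docker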
执行脚本
# Run as root: the script writes /etc/docker and restarts docker.service.
sh ./tls.sh
脚本末尾已经包含了下面两条重启命令，可以不再手动执行；如需单独重启 docker 服务：
# Reload the unit file edited above, then restart the daemon with the new flags.
systemctl daemon-reload; systemctl restart docker
通过 docker 命令行测试 TLS 端口是否正常（注：如果用 0.0.0.0 连接失败，换成本机 IP，即脚本中 SERVER 的值；从其他机器连接时必须使用该 IP/主机名，并把 ca.pem、cert.pem、key.pem 安全地拷贝到客户端，key.pem 保持 0400 权限）。
cd /etc/docker/ca/
# Same connection as the explicit --tls* flags: DOCKER_CERT_PATH must contain
# ca.pem, cert.pem and key.pem. Replace 0.0.0.0 with the SERVER value when
# testing from another host.
DOCKER_TLS_VERIFY=1 DOCKER_CERT_PATH=/etc/docker/ca DOCKER_HOST=tcp://0.0.0.0:2375 docker version
结果:
Client: Docker Engine - Community
Version: 20.10.17
API version: 1.41
Go version: go1.17.11
Git commit: 100c701
Built: Mon Jun 6 23:05:12 2022
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.17
API version: 1.41 (minimum version 1.12)
Go version: go1.17.11
Git commit: a89b842
Built: Mon Jun 6 23:03:33 2022
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.6
GitCommit: 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
runc:
Version: 1.1.2
GitCommit: v1.1.2-0-ga916309
docker-init:
Version: 0.19.0
GitCommit: de40ad0