I. Docker: enabling port 2376 with TLS
1.1 Generate the CA, server and client keys with OpenSSL
# change into the certificate directory
cd /etc/.docker/certs
# $HOST below stands for the server's IP address
$ openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................................................++
........++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
$ openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Henan
Locality Name (eg, city) []:Zhengzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Inspur
Organizational Unit Name (eg, section) []:Inspur
Common Name (e.g. server FQDN or YOUR name) []:$HOST
Email Address []:wjy@inspur.co
1.2 Generate the server key and certificate signing request
$ openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.....................................................................++
.................................................................................................++
e is 65537 (0x10001)
$ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
1.3 Specify the IP addresses and DNS names
echo subjectAltName = DNS:$HOST,IP:10.151.11.52,IP:127.0.0.1,IP:0.0.0.0 >> extfile.cnf
# restrict the Docker daemon key's extended key usage to server authentication only
echo extendedKeyUsage = serverAuth >> extfile.cnf
1.4 Generate the signed server certificate
$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=your.host.com
Getting CA Private Key
Enter pass phrase for ca-key.pem:
1.5 Generate the client key and certificate signing request
$ openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................................++
................++
e is 65537 (0x10001)
$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
$ echo extendedKeyUsage = clientAuth > extfile-client.cnf
# generate the signed client certificate
$ openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out cert.pem -extfile extfile-client.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:
# remove the certificate signing requests and the extension config files
$ rm -v client.csr server.csr extfile.cnf extfile-client.cnf
# remove write permission from the keys to protect them from accidental damage
$ chmod -v 0400 ca-key.pem key.pem server-key.pem
$ chmod -v 0444 ca.pem server-cert.pem cert.pem
# Resulting certificate files:
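The steps in 1.1 to 1.5 consolidated into one non-interactive script, as an added example that is not part of the original article or of the Docker documentation. It assumes OpenSSL in PATH, takes the output directory, the daemon's host name and its IP addresses as arguments (KEY_BITS, CA_DAYS and CERT_DAYS are this script's own knobs), writes the same file names the daemon and client flags in 1.6 and 1.7 expect, and finishes by checking that the chain validates and that each certificate carries only its intended extended key usage.

```shell
#!/bin/sh
# Non-interactive CA / server / client certificate generation for the Docker
# daemon. Added example, not from the article or the Docker docs.
# Usage: gen-docker-tls.sh OUTDIR HOSTNAME IP [IP ...]
#   e.g. sh gen-docker-tls.sh /etc/docker/certs docker01.example.internal 10.151.11.52
# Assumes: openssl in PATH. KEY_BITS (default 4096), CA_DAYS (3650) and
# CERT_DAYS (365) can be overridden from the environment.
set -eu

KEY_BITS="${KEY_BITS:-4096}"
CA_DAYS="${CA_DAYS:-3650}"
CERT_DAYS="${CERT_DAYS:-365}"

# Map a host argument to a subjectAltName entry: bare IPv4 addresses become
# IP: entries, everything else DNS:. Clients match the daemon address against
# these, so an IP listed under DNS: would not be accepted.
san_entry() {
    case "$1" in
        *[!0-9.]*) printf 'DNS:%s' "$1" ;;
        *)         printf 'IP:%s' "$1" ;;
    esac
}

# Comma-separated SAN list from all host arguments; 127.0.0.1 is always added
# so local clients can use the TLS port too (and is not duplicated).
san_list() {
    list=""
    for h in "$@"; do
        case "$h" in 127.0.0.1) continue ;; esac
        list="${list:+$list,}$(san_entry "$h")"
    done
    printf '%s,IP:127.0.0.1' "$list"
}

# Write ca.pem/ca-key.pem, server-cert.pem/server-key.pem and cert.pem/key.pem
# into OUTDIR with the permissions used in the walk-through above.
gen_docker_tls_certs() {
    outdir=$1; shift
    primary=$1
    san=$(san_list "$@")

    mkdir -p "$outdir"
    chmod 0700 "$outdir"
    cd "$outdir"
    umask 077   # everything is created owner-only; public files are relaxed at the end

    # 1. CA key and self-signed CA certificate (add -aes256 to this genrsa
    #    call to passphrase-protect the CA key as the interactive steps do).
    openssl genrsa -out ca-key.pem "$KEY_BITS" 2>/dev/null
    openssl req -new -x509 -days "$CA_DAYS" -key ca-key.pem -sha256 \
        -subj "/CN=docker-ca-$primary" -out ca.pem

    # 2. Server key + CSR, signed with the SAN list and serverAuth only.
    openssl genrsa -out server-key.pem "$KEY_BITS" 2>/dev/null
    openssl req -new -key server-key.pem -sha256 -subj "/CN=$primary" -out server.csr
    printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$san" > extfile.cnf
    openssl x509 -req -days "$CERT_DAYS" -sha256 -in server.csr \
        -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
        -out server-cert.pem -extfile extfile.cnf 2>/dev/null

    # 3. Client key + CSR, signed with clientAuth only, so a leaked client
    #    certificate cannot be presented as a daemon certificate.
    openssl genrsa -out key.pem "$KEY_BITS" 2>/dev/null
    openssl req -new -key key.pem -subj '/CN=client' -out client.csr
    printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
    openssl x509 -req -days "$CERT_DAYS" -sha256 -in client.csr \
        -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
        -out cert.pem -extfile extfile-client.cnf 2>/dev/null

    # 4. Drop the CSRs, extension files and serial file; lock down permissions.
    rm -f client.csr server.csr extfile.cnf extfile-client.cnf ca.srl
    chmod 0400 ca-key.pem key.pem server-key.pem
    chmod 0444 ca.pem server-cert.pem cert.pem
    cd - >/dev/null
}

# Sanity check: the chain verifies against the CA and each leaf has the
# extended key usage it is meant to have.
verify_docker_tls_certs() {
    d=$1
    openssl verify -CAfile "$d/ca.pem" "$d/server-cert.pem" "$d/cert.pem" >/dev/null &&
    openssl x509 -in "$d/server-cert.pem" -noout -text | grep -q 'TLS Web Server Authentication' &&
    openssl x509 -in "$d/cert.pem" -noout -text | grep -q 'TLS Web Client Authentication'
}

if [ $# -ge 3 ]; then
    gen_docker_tls_certs "$@"
    verify_docker_tls_certs "$1" && echo "certificates written to $1"
else
    echo "usage: $0 OUTDIR HOSTNAME IP [IP ...]" >&2
fi
```

Unlike the interactive walk-through, only real addresses go into subjectAltName; a client verifying the daemon compares the address it connected to against those entries, so an entry such as 0.0.0.0 adds nothing. Copy ca.pem, cert.pem and key.pem from OUTDIR to the client as described in 1.7; the three private keys stay 0400.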
1.6 Open Docker port 2376
# open the docker service file
vim /etc/systemd/system/docker.service
Append the following after ExecStart=/usr/bin/dockerd-current (the trailing backslash continues the line inside the unit file):
--tlsverify --tlscacert=/etc/.docker/certs/ca.pem --tlscert=/etc/.docker/certs/server-cert.pem \
  --tlskey=/etc/.docker/certs/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock
# restart docker
systemctl daemon-reload
systemctl restart docker
1.7 Configure the client
1. Create the certificate directory
mkdir -pv ~/.docker/certs/
cd ~/.docker/certs/
2. Copy the three files ca.pem, cert.pem and key.pem from /etc/.docker/certs on the server into the current directory (run on the client; $HOST is the server address as in 1.1)
scp "$HOST:/etc/.docker/certs/ca.pem" "$HOST:/etc/.docker/certs/cert.pem" "$HOST:/etc/.docker/certs/key.pem" ~/.docker/certs/
The files are ca.pem, cert.pem and key.pem; when connecting from IDEA, simply select the client certificate folder.
1.8 Connecting from IDEA (optional)
1. Open IDEA, go to File -> Settings, and type docker in the search box
2. In API URL, enter the port you enabled, 2375 or 2376
II. Docker: enabling port 2375
# open the docker service file
vim /etc/systemd/system/docker.service
Append -H tcp://0.0.0.0:2375 after ExecStart=/usr/bin/dockerd-current
# restart docker
systemctl daemon-reload
systemctl restart docker
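Section II opens port 2375 without TLS, so anyone who can reach that port can drive the daemon with no authentication at all. The following check, an added example that is not from the article or from Docker, reads the ExecStart= line of a systemd unit such as the one edited in 1.6 and in this section and reports every tcp listener that is not paired with --tlsverify. It assumes the unit layout shown above (one ExecStart= line, optionally continued with trailing backslashes); the unit it audits when run without arguments is constructed here.

```shell
#!/bin/sh
# Audit a dockerd systemd unit for a TCP listener that is not protected by
# --tlsverify. Added example, not from the article or the Docker docs.
# Usage: sh audit-dockerd.sh /etc/systemd/system/docker.service [more units...]
# Exit status 1 when any tcp listener lacks --tlsverify, 2 when no ExecStart= is found.

# Extract the dockerd command line from a unit file, joining "\" continuations.
docker_execstart() {
    awk '
        /^ExecStart=/ { sub(/^ExecStart=/, ""); collect = 1 }
        collect {
            line = $0
            cont = sub(/\\$/, "", line)          # 1 when the line ends in "\"
            out = out line " "
            if (!cont) { print out; printed = 1; exit }
        }
        END { if (collect && !printed) print out }   # ExecStart ended the file with a "\"
    ' "$1"
}

# Check one dockerd command line. Recognises -H tcp://..., -H=tcp://...,
# --host=tcp://... and bare host:port forms; prints one finding per listener
# and returns 1 if any tcp listener is reachable without --tlsverify.
audit_dockerd_cmdline() {
    printf '%s\n' "$1" | awk '
        {
            tls = 0; n = 0; exposed = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "--tlsverify" || $i == "--tlsverify=true") tls = 1
                t = $i
                sub(/^(-H=|--host=)/, "", t)
                if (t ~ /^tcp:\/\//)            { n++; tcp[n] = t }
                else if (t ~ /^[0-9.]+:[0-9]+$/) { n++; tcp[n] = "tcp://" t }   # bare host:port is tcp too
            }
            if (n == 0) print "  ok: no tcp listener, unix socket only"
            for (j = 1; j <= n; j++) {
                if (tls) print "  ok: " tcp[j] " requires a client certificate (--tlsverify)"
                else { print "  EXPOSED: " tcp[j] " accepts unauthenticated connections"; exposed = 1 }
            }
            exit exposed
        }'
}

# Audit a unit file: prints findings; returns 1 when an unauthenticated tcp
# listener is configured, 2 when the file has no ExecStart= line.
audit_docker_unit() {
    cmdline=$(docker_execstart "$1")
    if [ -z "$cmdline" ]; then
        echo "$1: no ExecStart= line found"
        return 2
    fi
    echo "$1:"
    audit_dockerd_cmdline "$cmdline"
}

if [ $# -gt 0 ]; then
    # Real use: audit the unit file(s) given on the command line.
    rc=0
    for unit in "$@"; do audit_docker_unit "$unit" || rc=1; done
    exit $rc
else
    # Demo on a constructed unit file carrying the ExecStart from section II.
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd-current -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
EOF
    audit_docker_unit "$tmp" ||
        echo "  fix: add --tlsverify --tlscacert ... --tlscert ... --tlskey ... (section 1.6) or remove the tcp listener"
    rm -f "$tmp"
fi
```

The unit from 1.6 passes (tcp://0.0.0.0:2376 together with --tlsverify) and the one from section II is reported as exposed; a non-zero exit status makes the check usable from a host-hardening job or CI.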
III. docker-java: using port 2375 or 2376
3.1 Add the Maven dependencies to pom.xml
<dependency>
    <groupId>com.github.docker-java</groupId>
    <artifactId>docker-java</artifactId>
    <version>3.2.5</version>
</dependency>
<dependency>
    <groupId>com.github.docker-java</groupId>
    <artifactId>docker-java-core</artifactId>
    <version>3.2.5</version>
</dependency>
<dependency>
    <groupId>com.github.docker-java</groupId>
    <artifactId>docker-java-transport-httpclient5</artifactId>
    <version>3.2.5</version>
</dependency>
3.2 Connecting to port 2376
import com.github.dockerjava.api.DockerClient;
import com.github.dockerjava.core.DefaultDockerClientConfig;
import com.github.dockerjava.core.DockerClientConfig;
import com.github.dockerjava.core.DockerClientImpl;
import com.github.dockerjava.httpclient5.ApacheDockerHttpClient;
import com.github.dockerjava.transport.DockerHttpClient;

// Java does not expand "~", so build the certificate path from user.home.
// The directory must contain ca.pem, cert.pem and key.pem (see 1.7).
String certPath = System.getProperty("user.home") + "/.docker/certs";

DockerClientConfig config = DefaultDockerClientConfig.createDefaultConfigBuilder()
        .withDockerHost("tcp://10.151.11.51:2376")
        .withDockerTlsVerify(true)
        .withDockerCertPath(certPath)
        // registry credentials are only used for push/pull against the private registry
        .withRegistryUsername("admin")
        .withRegistryPassword("123456a?")
        .withRegistryUrl("http://10.151.11.51:5000")
        .build();

DockerHttpClient httpClient = new ApacheDockerHttpClient.Builder()
        .dockerHost(config.getDockerHost())
        .sslConfig(config.getSSLConfig())   // client cert + CA from certPath
        .build();

DockerClient dockerClient = DockerClientImpl.getInstance(config, httpClient);
3.3 Connecting to port 2375
// same imports as in 3.2
DockerClientConfig config = DefaultDockerClientConfig.createDefaultConfigBuilder()
        .withDockerHost("tcp://10.151.11.51:2375")
        .withDockerTlsVerify(false)          // plain TCP: no certificates are used
        // .withDockerCertPath(...)          // not needed without TLS
        .withRegistryUsername("admin")
        .withRegistryPassword("123456a?")
        .withRegistryUrl("http://10.151.11.51:5000")
        .build();

DockerHttpClient httpClient = new ApacheDockerHttpClient.Builder()
        .dockerHost(config.getDockerHost())
        .sslConfig(config.getSSLConfig())    // null when TLS verification is off
        .build();

DockerClient dockerClient = DockerClientImpl.getInstance(config, httpClient);
Configuration is complete; docker-java can now operate on the images of the Docker host and on the images in the registry.
References:
https://docs.docker.com/engine/security/https/
https://github.com/docker-java/docker-java/blob/3.2.5/docs/getting_started.md