I. Official references

  1. dockerd reference
    https://docs.docker.com/engine/reference/commandline/dockerd/

  2. Certificate creation steps
    Official guide "Protect the Docker daemon socket": https://docs.docker.com/engine/security/https/

II. Creating the certificates

Files generated

ca-key.pem
ca.pem
cert.pem
key.pem
server-cert.pem
server-key.pem

Used by the server
    ca.pem
    server-cert.pem
    server-key.pem

Used by the client
    cert.pem
    ca.pem
    key.pem

Steps to generate the certificates

1. Root certificate

ca-key.pem

Root CA private key (the -aes256 option encrypts it with a pass phrase, which the signing steps below prompt for):

openssl genrsa -aes256 -out ca-key.pem 4096

ca.pem

Generate the root certificate:

openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

-days 365 sets the certificate validity period in days; a longer period can be given.

Enter the certificate details at the prompts:

[root@localhost docker_ssl]# openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:docker166
Email Address []:

2. Server certificate

server-key.pem

$ openssl genrsa -out server-key.pem 4096

server.csr

Generate server.csr; it is needed to produce server-cert.pem.
/CN is normally your server's DNS name, here HOST=docker166:

$ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

server-cert.pem

This step needs the ca-key.pem pass phrase and a subjectAltName that lists every DNS name and IP address clients will connect to:

echo subjectAltName = DNS:docker166,IP:192.168.72.166,IP:127.0.0.1 >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
openssl x509 -req -days 36500 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf

Example:

[root@localhost docker_ssl]# echo subjectAltName = DNS:docker166,IP:192.168.72.166,IP:127.0.0.1 >> extfile.cnf                
[root@localhost docker_ssl]# echo extendedKeyUsage = serverAuth >> extfile.cnf
[root@localhost docker_ssl]# cat extfile.cnf 
subjectAltName = DNS:docker166,IP:192.168.72.166,IP:127.0.0.1
extendedKeyUsage = serverAuth
[root@localhost docker_ssl]# openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
>   -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=ffcs-ark
Getting CA Private Key
Enter pass phrase for ca-key.pem:

If the address being connected to is not listed in subjectAltName (here 192.168.72.110 is not in the SAN above), the client rejects the certificate:
[root@localhost .docker]# curl https://192.168.72.110:2376/images/json --cert ~/.docker/cert.pem --key ~/.docker/key.pem --cacert ~/.docker/ca.pem
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server’s certificate.

3. Client certificate

key.pem

openssl genrsa -out key.pem 4096

cert.pem

To set the validity to 100 years, change -days 365 to -days 36500.

openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -extfile extfile-client.cnf

Example with the validity set to 36500 days:

openssl x509 -req -days 36500 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -extfile extfile-client.cnf
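As an added example (not code from the original post or from the Docker documentation), the three certificate steps above as one non-interactive shell function, including the client CSR and extfile-client.cnf steps the post relies on but does not show, plus a san_covers check for the subjectAltName mismatch behind the curl error above. The function and variable names (gen_docker_certs, san_covers, DIR/HOST/IP/PASS) and the docker-ca and client CNs are this example's own choices.

```shell
# Added example, not code from the original post: the CA / server / client
# procedure above as one non-interactive function, plus a SAN check.
# Assumed caller-supplied values: DIR (output dir), HOST (DNS name), IP, and
# PASS, the pass phrase protecting ca-key.pem (the interactive steps prompt for it).
gen_docker_certs() {
  ( set -e
    DIR=$1; HOST=$2; IP=$3; PASS=$4
    mkdir -p "$DIR" && cd "$DIR"
    # 1. Root CA: AES-encrypted key and self-signed certificate
    openssl genrsa -aes256 -passout "pass:$PASS" -out ca-key.pem 4096 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -subj "/CN=docker-ca" \
      -key ca-key.pem -passin "pass:$PASS" -out ca.pem
    # 2. Server: key, CSR with CN=$HOST, cert with SAN and serverAuth EKU
    openssl genrsa -out server-key.pem 4096 2>/dev/null
    openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
    printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
      "$HOST" "$IP" > extfile.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
      -passin "pass:$PASS" -CAcreateserial -out server-cert.pem -extfile extfile.cnf 2>/dev/null
    # 3. Client: key, CSR, cert limited to clientAuth (steps the post leaves implicit)
    openssl genrsa -out key.pem 4096 2>/dev/null
    openssl req -subj '/CN=client' -new -key key.pem -out client.csr
    echo 'extendedKeyUsage = clientAuth' > extfile-client.cnf
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
      -passin "pass:$PASS" -CAcreateserial -out cert.pem -extfile extfile-client.cnf 2>/dev/null
    # Both leaf certs must chain to ca.pem; the CSRs are not needed afterwards
    openssl verify -CAfile ca.pem server-cert.pem cert.pem >/dev/null
    rm -f server.csr client.csr
    # Private keys stay readable only by their owner
    chmod 0400 ca-key.pem server-key.pem key.pem
  )
}

# Returns 0 if ADDR (a DNS name or IP) appears in CERT's subjectAltName, 1 if
# not. A missing entry is what produces the "does not match the server's
# certificate" error shown above.
san_covers() {
  CERT=$1; ADDR=$2
  openssl x509 -in "$CERT" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qx -e "DNS:$ADDR" -e "IP Address:$ADDR"
}
```

Usage: source the file, then run gen_docker_certs ~/docker_ssl docker166 192.168.72.166 "$PASS" and check an address with san_covers ~/docker_ssl/server-cert.pem 192.168.72.166 before pointing docker -H at it.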

III. Docker TLS server configuration

Method 1: set the options on the dockerd command line

dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem \
  -H=0.0.0.0:2376

If the certificates are in the default directory ~/.docker/, the client does not need the certificate flags:

[root@localhost docker_ssl]# docker --tlsverify ps
error during connect: Get https://localhost:2376/v1.26/containers/json: x509: certificate is valid for docker166, not localhost
[root@localhost docker_ssl]# docker --tlsverify -H=127.0.0.1 ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

Method 2: configuration file

For docker 1.13, set the options in /etc/sysconfig/docker-network. When configuring docker for HTTPS, both port 2375 and port 2376 must be listened on; for HTTP one port is enough. Note that --tlsverify applies to every -H TCP listener, so both ports require a client certificate signed by ca.pem.

Edit /etc/sysconfig/docker-network to change the network options:

[root@localhost docker_ssl]# vi /etc/sysconfig/docker-network 
# /etc/sysconfig/docker-network
DOCKER_NETWORK_OPTIONS="--tlsverify --tlscacert=/root/.docker/ca.pem --tlscert=/root/.docker/server-cert.pem --tlskey=/root/.docker/server-key.pem -H=0.0.0.0:2376 -H=0.0.0.0:2375"

Restart the daemon:

systemctl daemon-reload  && systemctl restart docker

Location of the docker service unit: cat /usr/lib/systemd/system/docker.service

IV. Client request tests

Local docker TLS test:

The test succeeds because the certificates already exist under /root/.docker.
docker --tls version is equivalent to
docker --tls --tlscacert /root/.docker/ca.pem --tlscert /root/.docker/cert.pem --tlskey /root/.docker/key.pem version

[root@localhost .docker]#  docker --tls version
Client:
 Version:         1.13.1
 API version:     1.26
 Package version: docker-1.13.1-88.git07f3374.el7.centos.x86_64
 Go version:      go1.9.4
 Git commit:      07f3374/1.13.1
 Built:           Fri Dec  7 16:13:51 2018
 OS/Arch:         linux/amd64

Server:
 Version:         1.13.1
 API version:     1.26 (minimum version 1.12)
 Package version: docker-1.13.1-88.git07f3374.el7.centos.x86_64
 Go version:      go1.9.4
 Git commit:      07f3374/1.13.1
 Built:           Fri Dec  7 16:13:51 2018
 OS/Arch:         linux/amd64
 Experimental:    false

Related options:

Options:
      --config string      Location of client config files (default "/root/.docker")
      --tls                Use TLS; implied by --tlsverify
      --tlscacert string   Trust certs signed only by this CA (default "/root/.docker/ca.pem")
      --tlscert string     Path to TLS certificate file (default "/root/.docker/cert.pem")
      --tlskey string      Path to TLS key file (default "/root/.docker/key.pem")
      --tlsverify          Use TLS and verify the remote

Remote request with docker -H:

docker --tls -H 192.168.72.166 version

[root@docker110 ~]# docker --tls -H 192.168.72.166 version
Client:
 Version:         1.13.1
 API version:     1.26
 Package version: docker-1.13.1-88.git07f3374.el7.centos.x86_64
 Go version:      go1.10.3
 Git commit:      b2f74b2/1.13.1
 Built:           Tue Mar 12 10:27:24 2019
 OS/Arch:         linux/amd64

Server:
 Version:         1.13.1
 API version:     1.26 (minimum version 1.12)
 Package version: docker-1.13.1-88.git07f3374.el7.centos.x86_64
 Go version:      go1.9.4
 Git commit:      07f3374/1.13.1
 Built:           Fri Dec  7 16:13:51 2018
 OS/Arch:         linux/amd64
 Experimental:    false

DOCKER_CERT_PATH
Specify the default certificate directory as follows:

$ export DOCKER_CERT_PATH=~/.docker/zone1/
$ docker --tlsverify ps

With curl:

$ curl ${HOST} --cert ~/.docker/cert.pem --key ~/.docker/key.pem --cacert ~/.docker/ca.pem

Example 1:

curl https://192.168.72.166:2376/images/json --cert ~/.docker/cert.pem --key ~/.docker/key.pem --cacert ~/.docker/ca.pem  
[root@docker110 ~]#  curl https://192.168.72.166:2376/images/json --cert ~/.docker/cert.pem --key ~/.docker/key.pem --cacert ~/.docker/ca.pem  
[]

Example 2, multi-line command:

[root@localhost docker_ssl]# curl https://192.168.72.166:2376/images/json \
> --cert ~/.docker/cert.pem \
> --key ~/.docker/key.pem \
> --cacert ~/.docker/ca.pem
[]

Other references

  1. Fully automatic generation of Docker service TLS certificates: https://segmentfault.com/a/1190000012510820
  2. Creating an HTTPS registry for docker with OpenSSL self-issued certificates: https://www.jianshu.com/p/bfdf41a5d8fc