主頁 > 知識庫 > Docker啟用TLS實現(xiàn)安全配置的步驟

Docker啟用TLS實現(xiàn)安全配置的步驟
熱門標簽:承德地圖標注公司 靈圖uu電子寵物店地圖標注 山東企業(yè)外呼系統(tǒng)公司 濮陽好的聯(lián)通400電話申請 地圖標注如何改成微信號 百度地圖標注公司位置要多少錢 400電話號碼辦理多少錢 虛假地圖標注 地圖標注黃河的位置

前言

之前開啟了docker的2375 Remote API,接到公司安全部門的要求,需要啟用授權,翻了下官方文檔

Protect the Docker daemon socket

啟用TLS

在docker服務器,生成CA私有和公共密鑰

$ openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................................................++
........++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:

$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:Queensland
Locality Name (eg, city) []:Brisbane
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc
Organizational Unit Name (eg, section) []:Sales
Common Name (e.g. server FQDN or YOUR name) []:$HOST
Email Address []:Sven@home.org.au

有了CA后,可以創(chuàng)建一個服務器密鑰和證書簽名請求(CSR)

$HOST 是你的服務器ip

$ openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.....................................................................++
.................................................................................................++
e is 65537 (0x10001)

$ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

接著,用CA來簽署公共密鑰:

$ echo subjectAltName = DNS:$HOST,IP:$HOST:127.0.0.1 >> extfile.cnf

 $ echo extendedKeyUsage = serverAuth >> extfile.cnf

生成key:

$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \

 -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=your.host.com
Getting CA Private Key
Enter pass phrase for ca-key.pem:

創(chuàng)建客戶端密鑰和證書簽名請求:

$ openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................................++
................++
e is 65537 (0x10001)

$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr

修改extfile.cnf:

echo extendedKeyUsage = clientAuth > extfile-client.cnf

生成簽名私鑰:

$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \

 -CAcreateserial -out cert.pem -extfile extfile-client.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:

將Docker服務停止,然后修改docker服務文件

[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io

[Service]
Environment="PATH=/opt/kube/bin:/bin:/sbin:/usr/bin:/usr/sbin"
ExecStart=/opt/kube/bin/dockerd --tlsverify --tlscacert=/root/docker/ca.pem --tlscert=/root/docker/server-cert.pem --tlskey=/root/docker/server-key.pem -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375
ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
RestartSec=5
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
Delegate=yes
KillMode=process

[Install]
WantedBy=multi-user.target

然后重啟服務

systemctl daemon-reload
systemctl restart docker.service

重啟后查看服務狀態(tài):

systemctl status docker.service
● docker.service - Docker Application Container Engine
  Loaded: loaded (/etc/systemd/system/docker.service; enabled; vendor preset: enabled)
  Active: active (running) since Thu 2019-08-08 19:22:26 CST; 1 min ago

已經(jīng)生效。

使用證書連接:

復制ca.pem,cert.pem,key.pem三個文件到客戶端

docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2375 version連接即可

docker-java 啟用TLS

項目里使用docker的java客戶端docker-java調用docker,為了支持TLS,在創(chuàng)建客戶端時,需要增加TLS設置。

首先將ca.pem cert.pem key.pem這三個文件拷貝到本地,例如E:\\docker\\",

然后DefaultDockerClientConfig里withDockerTlsVerify設為true,并設置certpath為剛拷貝的目錄。 

DefaultDockerClientConfig.Builder builder =
        DefaultDockerClientConfig.createDefaultConfigBuilder()
          .withDockerHost("tcp://" + server + ":2375")
          .withApiVersion("1.30");
      if (containerConfiguration.getDockerTlsVerify()) {
        builder = builder.withDockerTlsVerify(true)
          .withDockerCertPath("E:\\docker\\");
      }
  return DockerClientBuilder.getInstance(builder.build()).build()

大工搞定。

總結

以上就是這篇文章的全部內容了,希望本文的內容對大家的學習或者工作具有一定的參考學習價值,謝謝大家對腳本之家的支持。

標簽:淮安 福州 上海 鷹潭 泰安 安康 德宏 樂山

巨人網(wǎng)絡通訊聲明:本文標題《Docker啟用TLS實現(xiàn)安全配置的步驟》,本文關鍵詞  Docker,啟用,TLS,實現(xiàn),安全,;如發(fā)現(xiàn)本文內容存在版權問題,煩請?zhí)峁┫嚓P信息告之我們,我們將及時溝通與處理。本站內容系統(tǒng)采集于網(wǎng)絡,涉及言論、版權與本站無關。
  • 相關文章
  • 下面列出與本文章《Docker啟用TLS實現(xiàn)安全配置的步驟》相關的同類信息!
  • 本頁收集關于Docker啟用TLS實現(xiàn)安全配置的步驟的相關信息資訊供網(wǎng)民參考!
    • 推薦文章