Docker 开启 TLS
TLS认证访问控制
配置主机名
[root@localhost~]# hostnamectl set-hostname master
[root@localhost~]# su
[root@master ~]# echo "127.0.0.1 master" >>/etc/hosts
创建tls目录存放相关文件
[root@master ~]# mkdir /tls
[root@master ~]# cd /tls
创建 CA 密钥和证书
- 创建 CA 密钥（-aes256 会给私钥加口令，后续每次用 CA 签发证书都需要输入）
[root@master tls]# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
....................................++
..........................................................................................................................++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem: ## 输入密码
Verifying - Enter pass phrase for ca-key.pem: ##再次输入密码
- 创建 CA 证书（示例中 -subj "/CN=*" 只是演示值，生产环境建议给 CA 一个明确的名称）
[root@master tls]# openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
Enter pass phrase for ca-key.pem: ##输入密码,创建证书
3 创建服务器私钥
[root@master tls]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
..........................++
............++
e is 65537 (0x10001)
4 生成服务器证书签名请求(CSR)（注意：示例的 -subj "/CN=*" 是通配 CN 且未设置 subjectAltName，较新的 Docker/Go 客户端校验主机名时可能只认 SAN，生产环境应把服务器主机名或 IP 写入 SAN）
[root@master tls]# openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
5 使用 CA 证书和 CA 私钥签发服务器证书
[root@master tls]# openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
Signature ok
subject=/CN=*
Getting CA Private Key
Enter pass phrase for ca-key.pem: ##输入认证密码
6 生成客户端密钥
[root@master tls]# openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
......................................................++
........................................++
e is 65537 (0x10001)
7 生成客户端证书签名请求(CSR)
[root@master tls]# openssl req -subj "/CN=client" -new -key key.pem -out client.csr
8 创建扩展配置文件（限定客户端证书只能用于 clientAuth，不能反过来冒充服务器）
[root@master tls]# echo extendedKeyUsage=clientAuth > extfile.cnf
9 使用 CA 签发客户端证书
[root@master tls]# openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem: ##输入密码
- 删除多余文件，以 .pem 结尾的是需要保留的文件
[root@master tls]# ls
ca-key.pem ca.pem ca.srl cert.pem client.csr extfile.cnf key.pem server-cert.pem server.csr server-key.pem
[root@master tls]# ls *.pem
ca-key.pem ca.pem cert.pem key.pem server-cert.pem server-key.pem
[root@master tls]# ls |egrep -v "*.pem" |xargs rm -rf ##删除无用文件（注意：这里的 "*.pem" 是 egrep 正则而不是文件通配，只是恰好排除了含 pem 的文件名；用 ls|xargs rm -rf 删文件也不安全，更稳妥的写法是 rm -f -- *.csr *.cnf *.srl）
[root@master tls]# ls
ca-key.pem ca.pem cert.pem key.pem server-cert.pem server-key.pem
放通端口。端口最好不要设置为 2376，设置成什么端口都可以；下面的示例仍使用 2376，无论选哪个端口，daemon 的 -H 与客户端的 -H 必须一致，并且只对可信网段放通。
[root@master tls]# vim /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/tls/ca.pem --tlscert=/tls/server-cert.pem --tlskey=/tls/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock
##修改启动项后重新加载 systemd 并重启 docker
[root@master tls]# systemctl daemon-reload
[root@master tls]# systemctl restart docker
将/tls/ca.pem /tls/cert.pem /tls/key.pem三个文件复制到另一台主机(客户端)
12. [root@master tls]# scp ca.pem cert.pem key.pem root@192.168.10.20:/etc/docker/
root@192.168.10.20's password:
ca.pem 100% 1765 891.6KB/s 00:00
cert.pem 100% 1696 2.1MB/s 00:00
key.pem 100% 3243 4.7MB/s 00:00
到客户端(192.168.10.20)访问控制测试（下面的 docker 命令在 /etc/docker 目录下执行，所以证书用的是相对路径）
[root@client ~]# ls /etc/docker/*.pem ##查看证书文件
/etc/docker/ca.pem /etc/docker/cert.pem /etc/docker/key.pem
[root@client ~]# echo "192.168.10.10 master" >>/etc/hosts
[root@client docker]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2376 images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest c39a868aad02 12 days ago 133MB