Docker: 对Docker Remote API进行认证

  • 建立证书授权中心
$ sudo mkdir /etc/docker
$ cd /etc/docker
$ echo 01 | sudo tee ca.csl
$ sudo openssl genrsa -des3 -out ca-key.pem
$ sudo openssl req -new -x509 -days 365 -key ca-key.pem -out ca.pem
  • 创建服务器的证书签名请求和密钥
$ sudo openssl genrsa -des3 -out server-key.pem
$ sudo openssl req -new -key server-key.pem -out server.csr
$ sudo openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem
$ sudo openssl rsa -in server-key.pem -out server-key.pem
$ sudo chmod 0600 /etc/docker/server-key.pem /etc/docker/server-cert.pem /etc/docker/ca-key.pem /etc/docker/ca.pem
  • 配置Docker守护进程 (/etc/docker/daemon.json on Linux systems, or C:\ProgramData\docker\config\daemon.json on Windows.)
{
  "debug": true,
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "hosts": ["tcp://<config of CN>:2376"]
}
  • 创建客户端证书和密钥
$ sudo openssl genrsa -des3 -out client-key.pem
$ sudo openssl req -new -key client-key.pem -out client.csr
$ echo extendedKeyUsage = clientAuth > extfile.config
$ sudo openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -out client-cert.pem -extfile extfile.cnf
$ sudo openssl rsa -in client-key.pem -out client-key.pem
  • 配置Docker客户端开启认证功能
$ mkdir -p ~/.docker
$ cp ca.pem ~/.docker/ca.pem
$ cp client-key.pem ~/.docker/key.pem
$ cp client-cert.pem ~/.docker/cert.pem
$ chmod 0600 ~/.docker/key.pem ~/.docker/cert.pem
  • 测试TLS认证过的连接
$ sudo docker -H=<config of CN>:2376 --tlsverify info
  • 可以添加环境变量(~/.bashrc)
export DOCKER_HOST=<config of CN>:2376
alias docker='docker --tlsverify'
 存储系统: 札记 Guide: gorilla/mux 

Comments

©2015-2021 Alimy All rights reserved.