本文主要介绍怎么开启docker的远程安全访问,以便本地开发的应用在远程docker机生成镜像。
开放远程访问的同时,我们也要兼顾安全性,因此需要生成证书,来验证客户端的连接。
使用OpenSSL创建CA证书、服务器和客户端的密钥
- 在docker服务器生成CA公钥和私钥
按照以下命令执行即可,注意记住设置的密码
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:Shenzhen
Organization Name (eg, company) [Default Company Ltd]:Triooo
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:lipandeng
Email Address []:li.pandeng@163.com
- 创建服务器密钥和证书签名请求 (CSR)
注意将以下/CN=12.78.18.15中的ip换成服务器的ip地址
[root@iZwz9i8zv8yq98qn70q4ewZ docker_ca]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
......................................................................................................................................................................................................++
...++
e is 65537 (0x10001)
[root@iZwz9i8zv8yq98qn70q4ewZ docker_ca]# openssl req -subj "/CN=12.78.18.15" -sha256 -new -key server-key.pem -out server.csr
- 用 CA 签署公钥,创建文件extfile.cnf
extfile.cnf内容(注意替换服务器ip):
subjectAltName = IP:0.0.0.0,IP:12.78.18.15,IP:127.0.0.1
extendedKeyUsage = serverAuth
- 生成签名证书
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
openssl x509 -req
- 创建客户端密钥和证书签名请求
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=12.78.182.15' -new -key key.pem -out client.csr
- 使密钥符合客户端身份验证,创建一个新的扩展配置文件(extfile-client.cnf)
内容如下
extendedKeyUsage = clientAuth
- 生成签名证书
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf
openssl x509 -req -days
- 删除两个证书签名请求和扩展配置文件
rm -v client.csr server.csr extfile.cnf extfile-client.cnf
rm -v
- 保护密钥,改其权限为所有者只读
chmod -v 0400 ca-key.pem key.pem server-key.pem
- 防止##### 公钥文件被更改,修改其权限为只读
chmod -v 0444 ca.pem server-cert.pem cert.pem
修改Docker配置,使Docker守护程序仅接受来自提供CA信任的证书的客户端的连接
- 配置文件 /usr/lib/systemd/system/docker.service,在ExecStart 添加内容
ExecStart=/usr/bin/dockerd \
--tlsverify \
--tlscacert=/home/data/docker_ca/ca.pem \
--tlscert=/home/data/docker_ca/server-cert.pem \
--tlskey=/home/data/docker_ca/server-key.pem \
-H tcp://0.0.0.0:2376 \
-H unix:///var/run/docker.sock
- 重启docker,以使配置生效
systemctl daemon-reload
systemctl restart docker
systemctl status docker.service
2376端口已启用
客户端验证
- 将 ca.pem、cert.pem、key.pem三个文件从docker服务器下载到客户端机器
- docker客户端测试
docker --tlsverify \
--tlscacert=/data/docker/ca/ca.pem \
--tlscert=/data/docker/ca/cert.pem \
--tlskey=/data/docker/ca/key.pem \
-H=12.78.18.15:2376 version
- curl测试Docker API
curl https://12.78.18.15:2376/images/json \
--cert /data/docker/ca/cert.pem \
--key /data/docker/ca/key.pem \
--cacert /data/docker/ca/ca.pem
docker test
参考官网文档:https://docs.docker.com/engine/security/protect-access/
