Shulou(Shulou.com)06/01 Report--

This article mainly explains "how to configure Docker API TLS authentication for CoreOS". The explanation in this article is simple and clear, easy to learn and understand. Please follow the ideas of Xiaobian and study and learn "how to configure Docker API TLS authentication for CoreOS" together.

We often use Portainer to manage docker environments, and we often use Jenkins to automatically build and deploy docker. Remote management uses Docker APIs. Usually we just open port 2375 (usually) without security protection. This is more dangerous and can lead to remote hijacking attacks. Then we need to configure port 2376 (normally) for TLS authentication.

Here's how we configure CoreOS:

First, use the system's own openssl to generate the corresponding server and client certificates

We use scripts to generate automatically, which is very convenient. The script (auto-tls-certs.sh) is as follows:

#!/ bin/bash#-------------------------------------------------------------The following is configuration information # --[BEGIN]---------------------CODE="dp"IP="docker server ip"PASSWORD="certificate password"COUNTRY="CN"STATE="BEIJING"CITY="BEIJING"ORGANIZATION="COMPANY" ORGANIZATION_UNIT="Dev"COMMON_NAME="$IP"EMAIL="Mailbox"# --[END]--# Generate CA keyopenssl genrsa -aes256 -passout "pass: $PASSWORD" -out "ca-key-$CODE.pem" 4096# Generate CAopenssl req -new -x509 -days 365 -key "ca-key-$CODE.pem" -sha256 -out "ca-$CODE.pem" -passin "pass: $PASSWORD" -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"# Generate Server keyopenssl genrsa -out "server-key-$CODE.pem" 4096# Generate Server Certs.openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key-$CODE.pem" -out server.csrecho "subjectAltName = IP:$IP,IP: 127.0.0.1" >> extfile.cnfecho "extendedKeyUsage = serverAuth" >> extfile.cnfopenssl x509 -req -days 365 -sha256 -in server.csr -passin "pass: $PASSWORD" -CA "ca-$CODE.pem" -CAkey "ca-key-$CODE.pem" -CAcreateserial -out "server-cert-$CODE.pem" -extfile extfile.cnf# Generate Client Certs.rm -f extfile.cnfopenssl genrsa -out "key-$CODE.pem" 4096openssl req -subj '/CN=client' -new -key "key-$CODE.pem" -out client.csrecho extendedKeyUsage = clientAuth >> extfile.cnfopenssl x509 -req -days 365 -sha256 -in client.csr -passin "pass: $PASSWORD" -CA "ca-$CODE.pem" -CAkey "ca-key-$CODE.pem" -CACreateserial -out "cert-$CODE.pem" -extfile extfile.cnfrm -vf client.csr server.csrchmod -v 0400 "ca-key-$CODE.pem""key-$CODE.pem" "server-key-$CODE.pem"chmod -v 0444 "ca-$CODE. pem " "server-cert-$CODE.pem" "cert-$CODE.pem"#package client certificate mkdir -p "tls-client-certs-$CODE"cp -f "ca-$CODE. pem"" cert-$CODE. pem""key-$CODE. pem"" tls-client-certs-$CODE/"cd "tls-client-certs-$CODE"tar zcf "tls-client-certs-$CODE.tar.gz" *mv "tls-client-certs-$CODE.tar.gz" ../ cd .. rm -rf "tls-client-certs-$CODE"#Copy server certificate mkdir -p /etc/docker/certs.dcp "ca-$CODE.pem" "server-cert-$CODE. pem" "server-key-$CODE.pem" /etc/docker/certs.d/

After modifying the variables in the script and running it, the tls certificate will be automatically created. The server certificate is located in/etc/docker/certs.d/directory:

The client's certificate is in the directory where the script runs, and a.tar.gz package is automatically typed, which is very convenient.

II. Configure Docker service (official description)

Note the modification of the certificate path.

Enable the secure remote API on a new socket

Create a file called /etc/systemd/system/docker-tls-tcp.socket to make Docker available on a secured TCP socket on port 2376.

[Unit]Description=Docker Secured Socket for the API[Socket]ListenStream=2376BindIPv6Only=bothService=docker.service[Install]WantedBy=sockets.target

Then enable this new socket:

systemctl enable docker-tls-tcp.socketsystemctl stop dockersystemctl start docker-tls-tcp.socketDrop-in configuration

Create /etc/systemd/system/docker.service.d/10-tls-verify.conf drop-in for systemd Docker service:

[Service]Environment="DOCKER_OPTS=--tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server.pem --tlskey=/etc/docker/server-key.pem"

Reload systemd config files and restart docker service:

sudo systemctl daemon-reload sudo systemctl restart docker.service III. Configure Portainer Remote TLS Connection

Certificate corresponding options:

ca.pem

cert.pem

key.pem

And that's it. Note: If unauthenticated port 2375 was previously opened, please close and disable it and restart docker service.

#Stop insecure port 2375 systemctl stop docker-tcp.socket#Disable this port systemctl disable docker-tcp.socket#Restart docker service systemctl restart docker.service Thank you for reading, the above is "CoreOS how to configure Docker API TLS authentication" content, after the study of this article, I believe everyone on CoreOS how to configure Docker API TLS authentication This problem has a deeper understanding, the specific use of the situation still needs to be verified by practice. Here is, Xiaobian will push more articles related to knowledge points for everyone, welcome to pay attention!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.