2025-04-08 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to configure TLS authentication for the Docker API on CoreOS. The steps are straightforward; follow them in order.
We often use Portainer to manage Docker environments and Jenkins to build and deploy Docker images automatically. Both manage the daemon remotely through the Docker API. Usually the API is simply exposed on port 2375 (the conventional plaintext port) with no protection at all. That is dangerous: anyone who can reach the port controls the daemon, and with it the host, so it can lead to remote hijacking attacks. Instead, the API should be exposed on port 2376 (the conventional TLS port) with TLS client-certificate authentication.
Here's how we configure CoreOS:
I. Use the system's own openssl to generate the server and client certificates
We use scripts to generate automatically, which is very convenient. The script (auto-tls-certs.sh) is as follows:
```bash
#!/bin/bash
set -e
# -------------------------------------------------------------
# The following is configuration information
# --[BEGIN]--
CODE="dp"
IP="docker server ip"
PASSWORD="certificate password"
COUNTRY="CN"
STATE="BEIJING"
CITY="BEIJING"
ORGANIZATION="COMPANY"
ORGANIZATION_UNIT="Dev"
COMMON_NAME="$IP"
EMAIL="Mailbox"
# --[END]--

# Generate CA key (passphrase-protected; it is the root of trust for the whole setup)
openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "ca-key-$CODE.pem" 4096
# Generate CA
openssl req -new -x509 -days 365 -key "ca-key-$CODE.pem" -sha256 -out "ca-$CODE.pem" -passin "pass:$PASSWORD" \
  -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATION_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"
# Generate Server key
openssl genrsa -out "server-key-$CODE.pem" 4096
# Generate Server Certs. (SAN must contain the IP that clients connect to, EKU = serverAuth)
openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key-$CODE.pem" -out server.csr
echo "subjectAltName = IP:$IP,IP:127.0.0.1" > extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -passin "pass:$PASSWORD" -CA "ca-$CODE.pem" -CAkey "ca-key-$CODE.pem" \
  -CAcreateserial -out "server-cert-$CODE.pem" -extfile extfile.cnf
# Generate Client Certs. (EKU = clientAuth, so the cert cannot be reused as a server cert)
rm -f extfile.cnf
openssl genrsa -out "key-$CODE.pem" 4096
openssl req -subj '/CN=client' -new -key "key-$CODE.pem" -out client.csr
echo "extendedKeyUsage = clientAuth" >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -passin "pass:$PASSWORD" -CA "ca-$CODE.pem" -CAkey "ca-key-$CODE.pem" \
  -CAcreateserial -out "cert-$CODE.pem" -extfile extfile.cnf
rm -vf client.csr server.csr extfile.cnf
chmod -v 0400 "ca-key-$CODE.pem" "key-$CODE.pem" "server-key-$CODE.pem"
chmod -v 0444 "ca-$CODE.pem" "server-cert-$CODE.pem" "cert-$CODE.pem"
# Package client certificate
mkdir -p "tls-client-certs-$CODE"
cp -f "ca-$CODE.pem" "cert-$CODE.pem" "key-$CODE.pem" "tls-client-certs-$CODE/"
cd "tls-client-certs-$CODE"
tar zcf "tls-client-certs-$CODE.tar.gz" *
mv "tls-client-certs-$CODE.tar.gz" ../
cd ..
rm -rf "tls-client-certs-$CODE"
# Copy server certificate
mkdir -p /etc/docker/certs.d
cp "ca-$CODE.pem" "server-cert-$CODE.pem" "server-key-$CODE.pem" /etc/docker/certs.d/
```
After modifying the variables in the script and running it, the TLS certificates are created automatically. The server certificate, key and CA certificate are copied to the /etc/docker/certs.d/ directory:
The client certificate stays in the directory where the script was run, and it is also packed into a .tar.gz archive, which is convenient for distributing it to the machines that run Portainer or Jenkins.
II. Configure Docker service (official description)
Note that the certificate paths must be adjusted: the official snippet below refers to /etc/docker/ca.pem, /etc/docker/server.pem and /etc/docker/server-key.pem, while the script above writes /etc/docker/certs.d/ca-dp.pem, /etc/docker/certs.d/server-cert-dp.pem and /etc/docker/certs.d/server-key-dp.pem (for CODE="dp").
Enable the secure remote API on a new socket
Create a file called /etc/systemd/system/docker-tls-tcp.socket to make Docker available on a secured TCP socket on port 2376.
```ini
[Unit]
Description=Docker Secured Socket for the API

[Socket]
ListenStream=2376
BindIPv6Only=both
Service=docker.service

[Install]
WantedBy=sockets.target
```
Then enable this new socket:
```bash
systemctl enable docker-tls-tcp.socket
systemctl stop docker
systemctl start docker-tls-tcp.socket
```
Drop-in configuration
Create /etc/systemd/system/docker.service.d/10-tls-verify.conf drop-in for systemd Docker service:
```ini
[Service]
Environment="DOCKER_OPTS=--tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server.pem --tlskey=/etc/docker/server-key.pem"
```
Reload systemd config files and restart docker service:
```bash
sudo systemctl daemon-reload
sudo systemctl restart docker.service
```
III. Configure Portainer Remote TLS Connection
When adding the endpoint in Portainer with TLS enabled, the three certificate options correspond to the files in the tls-client-certs-dp.tar.gz package produced by the script:
ca.pem: ca-dp.pem
cert.pem: cert-dp.pem
key.pem: key-dp.pem
And that's it. Note: If unauthenticated port 2375 was previously opened, please close and disable it and restart docker service.
```bash
# Stop insecure port 2375
systemctl stop docker-tcp.socket
# Disable this port
systemctl disable docker-tcp.socket
# Restart docker service
systemctl restart docker.service
```
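The client side of this setup, as an added example that is not part of the original article: it unpacks the tls-client-certs-&lt;CODE&gt;.tar.gz archive produced by the script above, renames the files to the ca.pem / cert.pem / key.pem names that the docker CLI, Portainer and Jenkins expect, locks down the private key, writes an env file for the docker CLI, and then checks that port 2376 answers only with the client certificate while the old plaintext port 2375 is closed. The archive layout and the CODE="dp" naming are taken from the article; the destination directory, env file name and server IP are assumptions.

```bash
#!/bin/sh
# Added example (not from the original article). Assumes the archive layout created by
# auto-tls-certs.sh: ca-<CODE>.pem, cert-<CODE>.pem, key-<CODE>.pem at the top level.
set -eu

# install_client_certs TARBALL CODE SERVER_IP DEST_DIR
install_client_certs() {
    tarball=$1; code=$2; server_ip=$3; dest=$4
    mkdir -p "$dest"
    chmod 0700 "$dest"                      # only the owner may list the cert directory
    tar xzf "$tarball" -C "$dest"
    # rename to the fixed names expected by DOCKER_CERT_PATH, Portainer and Jenkins
    mv "$dest/ca-$code.pem"   "$dest/ca.pem"
    mv "$dest/cert-$code.pem" "$dest/cert.pem"
    mv "$dest/key-$code.pem"  "$dest/key.pem"
    chmod 0444 "$dest/ca.pem" "$dest/cert.pem"
    chmod 0400 "$dest/key.pem"              # private key: owner read-only
    # `. $dest/docker-tls.env` makes `docker version` use mutual TLS on port 2376
    cat > "$dest/docker-tls.env" <<EOF
export DOCKER_HOST=tcp://$server_ip:2376
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH=$dest
EOF
}

# check_endpoint SERVER_IP CERT_DIR
# Verifies the hardening: the TLS API on 2376 must accept our client certificate,
# and the unauthenticated API on 2375 must no longer answer.
check_endpoint() {
    server_ip=$1; dir=$2
    curl -sf --max-time 5 --cacert "$dir/ca.pem" --cert "$dir/cert.pem" --key "$dir/key.pem" \
        "https://$server_ip:2376/version" >/dev/null \
        || { echo "FAIL: TLS API on $server_ip:2376 not reachable with client cert"; return 1; }
    if curl -sf --max-time 5 "http://$server_ip:2375/version" >/dev/null; then
        echo "FAIL: unauthenticated Docker API still open on $server_ip:2375"; return 1
    fi
    echo "OK: 2376 requires the client certificate, 2375 is closed"
}
```

Run `install_client_certs tls-client-certs-dp.tar.gz dp <server ip> ~/.docker-dp` on the Portainer or Jenkins host, then `check_endpoint <server ip> ~/.docker-dp` after disabling docker-tcp.socket on the server.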