2025-02-25 Update From: SLTechnology News&Howtos > Servers
Shulou (Shulou.com) 06/02 Report
Preface
Before opening Docker's Remote API on port 2375, I received a request from the company's security department to enable authorization for it, so I looked through the official documentation.
Protect the Docker daemon socket
Enable TLS
On the Docker server, generate the CA private and public keys:
$ openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
......++
....++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
$ openssl req -new -x509 -days 65537 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]: Queensland
Locality Name (eg, city) []: Brisbane
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Docker Inc
Organizational Unit Name (eg, section) []: Sales
Common Name (e.g. server FQDN or YOUR name) []: $HOST
Email Address []: Sven@home.org.au
With the CA in place, create the server key and a certificate signing request (CSR). $HOST is your server's IP address.
$ openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
......++
....++
e is 65537 (0x10001)
$ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
Next, sign the server's public key with the CA. First write the extension file: it lists the DNS name and IP addresses the daemon will be reached by, and restricts the certificate to server authentication:
$ echo subjectAltName = DNS:$HOST,IP:$HOST,IP:127.0.0.1 >> extfile.cnf
$ echo extendedKeyUsage = serverAuth >> extfile.cnf
Generate the signed server certificate:
$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=your.host.com
Getting CA Private Key
Enter pass phrase for ca-key.pem:
Create a client key and certificate signing request:
$ openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
...++
..++
e is 65537 (0x10001)
$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
Create a separate extension file for the client, extfile-client.cnf, restricting the certificate to client authentication:
$ echo extendedKeyUsage = clientAuth > extfile-client.cnf
Generate the signed client certificate:
$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out cert.pem -extfile extfile-client.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:
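A non-interactive version of the certificate steps above plus a verification pass, added here as an example (not code from the original article or from Docker's documentation). It assumes openssl is in PATH, uses 365-day validity throughout, and leaves the CA key unencrypted instead of the -aes256 passphrase used above so it can run unattended.

```shell
#!/bin/sh
# Added example, not from the original article: runs the openssl steps above
# unattended, writing subjectAltName as separate DNS:/IP: entries, then checks
# that the result is what the daemon and client expect. Assumes openssl in PATH.
set -eu

# gen_docker_tls DIR HOST_IP [HOST_DNS]: writes ca.pem, server-cert.pem,
# server-key.pem, cert.pem and key.pem into DIR. The body runs in a subshell
# so the cd does not leak into the caller.
gen_docker_tls() (
    dir=$1; ip=$2; dns=${3:-$2}
    mkdir -p "$dir" && cd "$dir"
    # CA key kept unencrypted here (the article uses -aes256) to avoid prompts
    openssl genrsa -out ca-key.pem 4096 2>/dev/null
    openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj '/CN=docker-ca' -out ca.pem
    # server certificate: the SAN must list the DNS name and every IP clients will
    # dial; serverAuth keeps it from being presented as a client certificate
    openssl genrsa -out server-key.pem 4096 2>/dev/null
    openssl req -subj "/CN=$dns" -sha256 -new -key server-key.pem -out server.csr
    printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
        "$dns" "$ip" > extfile.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
        -CAcreateserial -out server-cert.pem -extfile extfile.cnf 2>/dev/null
    # client certificate: clientAuth only
    openssl genrsa -out key.pem 4096 2>/dev/null
    openssl req -subj '/CN=client' -new -key key.pem -out client.csr
    echo 'extendedKeyUsage = clientAuth' > extfile-client.cnf
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
        -CAcreateserial -out cert.pem -extfile extfile-client.cnf 2>/dev/null
    rm -f server.csr client.csr
    chmod 0400 ca-key.pem server-key.pem key.pem   # private keys: owner-read only
)

# check_docker_tls DIR HOST_IP: succeeds only if both certificates chain to ca.pem,
# the server certificate names HOST_IP in its SAN and each carries the right EKU
check_docker_tls() {
    dir=$1; ip=$2
    openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" "$dir/cert.pem" >/dev/null || return 1
    srv=$(openssl x509 -in "$dir/server-cert.pem" -noout -text)
    cli=$(openssl x509 -in "$dir/cert.pem" -noout -text)
    printf '%s\n' "$srv" | grep -qF "IP Address:$ip" || return 1
    printf '%s\n' "$srv" | grep -q 'TLS Web Server Authentication' || return 1
    printf '%s\n' "$cli" | grep -q 'TLS Web Client Authentication' || return 1
    # a client certificate must never be usable for serverAuth
    ! printf '%s\n' "$cli" | grep -q 'TLS Web Server Authentication'
}
```

Run `gen_docker_tls /root/docker 10.10.10.20 your.host.com` on the daemon host and then `check_docker_tls /root/docker 10.10.10.20` before restarting Docker; the check fails if the SAN or extendedKeyUsage came out wrong, which is the usual cause of "certificate is valid for ... not ..." errors from the client.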
Stop the Docker service and modify the Docker systemd service file so that dockerd starts with --tlsverify and the CA, server certificate and server key generated above:
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io

[Service]
Environment="PATH=/opt/kube/bin:/bin:/sbin:/usr/bin:/usr/sbin"
ExecStart=/opt/kube/bin/dockerd \
  --tlsverify \
  --tlscacert=/root/docker/ca.pem \
  --tlscert=/root/docker/server-cert.pem \
  --tlskey=/root/docker/server-key.pem \
  -H unix:///var/run/docker.sock \
  -H tcp://0.0.0.0:2375
ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
RestartSec=5
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
Delegate=yes
KillMode=process

[Install]
WantedBy=multi-user.target
Then reload systemd and restart the service:
$ systemctl daemon-reload
$ systemctl restart docker.service
Check the service status after restarting:
$ systemctl status docker.service
● docker.service - Docker Application Container Engine
   Loaded: loaded (/etc/systemd/system/docker.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-08-08 19:22:26 CST; 1min ago
The TLS configuration is now in effect.
Connect using a certificate:
Copy the three files ca.pem, cert.pem and key.pem to the client, then connect with:
$ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2375 version
Enabling TLS in docker-java
The project uses docker-java, Docker's Java client, to call Docker. To support TLS, the TLS settings need to be added when the client is created.
First, copy the three files ca.pem, cert.pem and key.pem to a local directory, such as E:\docker\.
Then set withDockerTlsVerify to true on the DefaultDockerClientConfig builder and point withDockerCertPath at the directory you just copied the files to.
    DefaultDockerClientConfig.Builder builder = DefaultDockerClientConfig.createDefaultConfigBuilder()
            .withDockerHost("tcp://" + server + ":2375");
    // "2375" is the daemon's TCP port, not a Docker API version, so withApiVersion("2375")
    // is not set here and the library's default API version is used instead.
    if (containerConfiguration.getDockerTlsVerify()) {
        // the certificate directory must contain ca.pem, cert.pem and key.pem
        builder = builder.withDockerTlsVerify(true).withDockerCertPath("E:\\docker\\");
    }
    return DockerClientBuilder.getInstance(builder.build()).build();
That completes the setup.
Summary
That is the whole content of this article. I hope it is of some reference and learning value for your study or work. Thank you for your support.