
How to enable secure TLS remote connection access by Docker

2025-04-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains how to enable secure, TLS-authenticated remote access to the Docker daemon. Many people are unsure how to do this safely, so the steps below were collected from various sources and condensed into a simple, repeatable procedure: first the insecure way (and why it gets hosts compromised), then the certificate-based way.

1.1 Insecure remote access

1.1.1 Edit the docker.service file:

vi /usr/lib/systemd/system/docker.service

Find the [Service] section, modify the ExecStart line, and add -H tcp://0.0.0.0:2375:

ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375

This binds the Docker API to port 2375 on every interface with no authentication at all. You can pick a different port to suit your situation, but the exposure is the same.

1.1.2 Reload the systemd configuration and restart Docker:

systemctl daemon-reload
systemctl restart docker

Now test it from a browser: http://ip:2375/version should return the daemon's version information as JSON.

If you cannot reach it, open port 2375 in the host firewall:

firewall-cmd --zone=public --add-port=2375/tcp --permanent
firewall-cmd --reload

If it is still unreachable and the machine is a cloud VM (Aliyun, Tencent Cloud, etc.), check whether port 2375 is allowed in the instance's security group rules and add it if not.

After that, the Docker plugin in IntelliJ IDEA can connect to the host directly:

1.1.3 Warning!

Never use the above method in a production environment, or on any host reachable from the internet. It is the same mistake as exposing Redis on port 6379 to the public without setting a password.

The last time I did this, I was hacked.

Compromise is trivial: with port 2375 exposed on the public network, anyone can drive the Docker daemon on your host. An attacker creates an Ubuntu container with your Docker, mounts the host's /etc directory into it as a volume, and reads and writes the host's files through that mount.

That exposes the root password hash in your host's /etc/shadow (and a writable mount lets them change it outright). From there they use your Docker to run cryptominers on your machine with root privileges.
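A quick way to catch the mistake described above on your own hosts is to audit the systemd unit rather than waiting for a scanner to find the port. The following script is an added example, not code from the article; the three sample unit files it audits are constructed inline (their ExecStart lines mirror the insecure and the TLS-protected forms used in this article), and real units live under /usr/lib/systemd/system/ or /lib/systemd/system/.

```shell
#!/bin/sh
# Added example (not part of the article): audit a docker.service unit for the
# "open port 2375" mistake. The sample units below are constructed for the demo.

# audit_docker_unit FILE
# Returns 0 when the unit exposes no unauthenticated remote API, 1 when dockerd
# listens on a non-loopback tcp:// address without --tlsverify, 2 on bad input.
audit_docker_unit() {
    unit="$1"
    exec_line=$(grep -E '^ExecStart=' "$unit" | tail -n 1)
    if [ -z "$exec_line" ]; then
        echo "$unit: no ExecStart line found"
        return 2
    fi
    # Every listener given as -H tcp://HOST:PORT or --host=tcp://HOST:PORT.
    # IPv6 hosts are bracketed, so keep the brackets together; an empty host
    # (tcp://:2375) means "all interfaces", so normalise it to 0.0.0.0.
    tcp_hosts=$(echo "$exec_line" | grep -oE 'tcp://(\[[^]]*\]|[^]: ]*)' \
        | sed -e 's#^tcp://##' -e 's/^$/0.0.0.0/')
    if [ -z "$tcp_hosts" ]; then
        echo "$unit: OK, no tcp:// listener"
        return 0
    fi
    # --tls alone only encrypts; only --tlsverify demands a client certificate.
    if echo "$exec_line" | grep -q -- '--tlsverify'; then
        echo "$unit: OK, tcp listener requires client certificates (--tlsverify)"
        return 0
    fi
    for h in $tcp_hosts; do
        case "$h" in
            127.0.0.1|localhost|'[::1]') ;;   # loopback: not reachable from outside
            *)
                echo "$unit: UNSAFE, unauthenticated Docker API on tcp://$h (root on this host for anyone who can reach it)"
                return 1 ;;
        esac
    done
    echo "$unit: OK, tcp listener bound to loopback only"
    return 0
}

# Constructed sample units for the demo: the article's insecure ExecStart, the
# TLS-protected one, and a loopback-only variant.
make_sample_units() {
    d=$(mktemp -d)
    cat > "$d/insecure.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375
EOF
    cat > "$d/tls.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock
EOF
    cat > "$d/loopback.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375
EOF
    echo "$d"
}

SAMPLES=$(make_sample_units)
for f in "$SAMPLES"/*.service; do
    audit_docker_unit "$f" || true
done
```

Run it against /usr/lib/systemd/system/docker.service (or whichever drop-in actually carries ExecStart on your distribution) after every edit to the unit; a 1 exit status is the state this section warns about.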

2.1 Establish a secure connection with TLS certificates

1. Create the CA private key

First create a ca folder to hold the keys and certificates:

mkdir -p /usr/local/ca
cd /usr/local/ca

Then, on the Docker daemon host, generate the CA private key (the CA's public key is derived from it in the next step):

openssl genrsa -aes256 -out ca-key.pem 4096

The command asks for a passphrase to encrypt the key before it continues. Here I set it to: niceyoo

2. Fill in the CA certificate information

Run:

openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

You are prompted for the key passphrase, then the country, province, city, organization name, unit name, common name, e-mail address and so on. To save effort I used niceyoo for the organization, unit and name fields:

niceyoo cn beijing beijing niceyoo niceyoo niceyoo apkdream@163.com

The CA certificate now exists. With the CA in hand you can create the server key and certificate signing request (CSR); make sure the "common name", and more importantly the subjectAltName added in step 5, match the host name or IP you will use to connect to Docker.

3. Generate server-key.pem

openssl genrsa -out server-key.pem 4096

4. Create the server CSR

This step is where earlier tutorials go wrong, so read it before typing anything.

The CSR subject can carry either your host's IP or a domain name. I tried IP many times and always got an error; a domain name worked. The reason is that clients never match an IP address against the common name, only against the subjectAltName extension added in step 5, and current Go-based clients such as the Docker CLI ignore the common name entirely. Whatever you put in the CN, the same value must also appear in the SAN, and you must connect using exactly that value.

The domain name does not have to be registered to your host; you can make one up. What I wrote is:

openssl req -subj "/CN=docker-deamo" -sha256 -new -key server-key.pem -out server.csr

Then, taking the IP of my Tencent Cloud machine as 123.456.789 for example, the address I connect to from IDEA is https://docker-deamo:2375. (The conventional port for a TLS-protected daemon is 2376, but any port works as long as the daemon and the client agree.)

Since the name is made up, nothing can resolve it; you have to define it in the local hosts file. On Windows that is C:\Windows\System32\drivers\etc\hosts; on Linux it is /etc/hosts:

123.456.789 docker-deamo

Because a TLS connection can be made by IP address as well as by DNS name, put the IP address in the certificate if that is how you will connect. For example, to allow connections to 10.211.55.4:

openssl req -subj "/CN=10.211.55.4" -sha256 -new -key server-key.pem -out server.csr

If you use a URL (for example www.sscai.club), substitute it:

openssl req -subj "/CN=www.sscai.club" -sha256 -new -key server-key.pem -out server.csr

Note: the IP or domain name here is the address clients will use to reach the daemon from outside.

5. Subject alternative names

The subjectAltName extension lists every name and address the server certificate is valid for. I recommend listing a DNS name and connecting by that name, but IP: entries work too as long as you connect by exactly that IP.

echo subjectAltName = DNS:$HOST,IP:XX.XX.XX.XX,IP:XX.XX.XX.XX >> extfile.cnf

Replace $HOST with your domain name and the IP: entries with the addresses clients will use, depending on whether your exposed Docker endpoint is an IP or a URL; drop the entries you do not need.

For the docker-deamo server, reachable by that name and by the address 221.217.177.151:

echo subjectAltName = DNS:docker-deamo,IP:221.217.177.151 >> extfile.cnf

Note that this does not restrict which clients may connect; it only declares which server addresses the certificate is valid for. Who may connect is decided by the client certificates signed in steps 8 to 10.

6. Restrict the key usage

Set the extended key usage of the Docker daemon certificate to server authentication only:

echo extendedKeyUsage = serverAuth >> extfile.cnf

7. Generate the signed server certificate

openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf

You will be asked for the CA key passphrase set above.

8. Generate the client key.pem and CSR

openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr

9. Make the key suitable for client authentication

Create a separate extension file for the client. Do not append clientAuth to the server's extfile.cnf: the server and client certificates must carry different usages, otherwise a leaked client certificate could impersonate the daemon.

echo extendedKeyUsage = clientAuth > extfile-client.cnf

10. Generate the signed client certificate

openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -extfile extfile-client.cnf

To generate cert.pem you again enter the CA passphrase: niceyoo

11. Delete the files no longer needed

Once cert.pem and server-cert.pem exist, the two certificate signing requests and the extension files can safely be deleted:

rm -v client.csr server.csr extfile.cnf extfile-client.cnf

12. Restrict file permissions

To protect the private keys from accidental damage and from other users on the host, remove write permission and make them readable only by you:

chmod -v 0400 ca-key.pem key.pem server-key.pem

Certificates can stay readable by everyone; just remove write permission to prevent accidental damage:

chmod -v 0444 ca.pem server-cert.pem cert.pem

13. Install the server certificates

cp server-*.pem /etc/docker/
cp ca.pem /etc/docker/

14. Modify the Docker configuration

Make the Docker daemon accept only connections from clients that present a certificate signed by the CA:

vim /lib/systemd/system/docker.service

Replace the value of ExecStart:

ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/usr/local/ca/ca.pem --tlscert=/usr/local/ca/server-cert.pem --tlskey=/usr/local/ca/server-key.pem -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

The paths above point at /usr/local/ca; the copies placed in /etc/docker in step 13 work equally well, as long as the three paths match where the files actually are. Note that --tlsverify is what enforces client certificates; --tls on its own would only encrypt the connection and still let anyone in.

15. Reload the daemon and restart Docker

systemctl daemon-reload
systemctl restart docker

Now go back to the Docker module in IDEA and retry the earlier connection:

As expected, it is refused. We now need the certificates created on the Docker host and must connect with them:

Pull the certificate files the client needs (ca.pem, cert.pem and key.pem) into a local folder, which you then point IDEA at. The connection URL also has to change from tcp:// to https://, as shown in the figure below:
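To tie steps 1 to 12 and the SAN discussion of steps 4 and 5 together, here is the whole certificate procedure as one non-interactive script, followed by an offline check of the result. This is an added example, not the article's own commands: the server name docker-deamo, the server IP 10.211.55.4, the CA passphrase niceyoo and the temporary output directory are assumed values, and -passout/-passin stand in for the interactive passphrase prompts the article describes. The check does what the client does before trusting https://docker-deamo:2375, minus the network: it verifies both leaf certificates against ca.pem for their intended purpose, confirms the client certificate cannot be used as a server certificate, and confirms the SAN covers the name and the IP.

```shell
#!/bin/sh
# Added example (not the article's script): generate the Docker TLS material of
# steps 1-12 non-interactively, then verify it offline with openssl.
# Assumed values: host docker-deamo, IP 10.211.55.4, CA passphrase "niceyoo".

# gen_docker_tls DIR HOST IP CAPASS [BITS]
# Creates ca.pem, server-cert.pem/server-key.pem (serverAuth, SAN = HOST + IP)
# and cert.pem/key.pem (clientAuth) in DIR, then locks down permissions.
# Runs in a subshell so cd and set -e do not leak into the caller.
gen_docker_tls() (
    set -e
    dir="$1"; host="$2"; ip="$3"; capass="$4"; bits="${5:-4096}"
    mkdir -p "$dir" && cd "$dir" || exit 1

    # Steps 1-2: passphrase-protected CA key and self-signed CA certificate.
    openssl genrsa -aes256 -passout "pass:$capass" -out ca-key.pem "$bits" 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key ca-key.pem -passin "pass:$capass" \
        -subj "/C=CN/ST=beijing/L=beijing/O=niceyoo/CN=docker-ca" -out ca.pem

    # Steps 3-7: server key, CSR, SAN + serverAuth, signed by the CA.
    # Clients match the URL against the SAN (DNS: and IP: entries), not the CN.
    openssl genrsa -out server-key.pem "$bits" 2>/dev/null
    openssl req -new -sha256 -key server-key.pem -subj "/CN=$host" -out server.csr
    printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
        "$host" "$ip" > extfile.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
        -passin "pass:$capass" -CAcreateserial -out server-cert.pem -extfile extfile.cnf 2>/dev/null

    # Steps 8-10: client key and certificate, clientAuth only, separate extfile.
    openssl genrsa -out key.pem "$bits" 2>/dev/null
    openssl req -new -key key.pem -subj "/CN=client" -out client.csr
    printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
        -passin "pass:$capass" -CAcreateserial -out cert.pem -extfile extfile-client.cnf 2>/dev/null

    # Steps 11-12: drop CSRs and extfiles; keys owner-read-only, certs read-only.
    rm -f client.csr server.csr extfile.cnf extfile-client.cnf
    chmod 0400 ca-key.pem key.pem server-key.pem
    chmod 0444 ca.pem server-cert.pem cert.pem
)

# verify_chain DIR HOST IP
# 0 only if both leaf certs chain to DIR/ca.pem for the right purpose, the
# client cert is rejected in the server role, and the SAN covers HOST and IP.
verify_chain() {
    dir="$1"; host="$2"; ip="$3"
    openssl verify -CAfile "$dir/ca.pem" -purpose sslserver "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca.pem" -purpose sslclient "$dir/cert.pem" >/dev/null 2>&1 || return 1
    # extendedKeyUsage must keep the roles apart: a leaked client cert must not
    # pass as the daemon's certificate.
    if openssl verify -CAfile "$dir/ca.pem" -purpose sslserver "$dir/cert.pem" >/dev/null 2>&1; then
        return 1
    fi
    text=$(openssl x509 -in "$dir/server-cert.pem" -noout -text)
    echo "$text" | grep -qF "DNS:$host" || return 1
    echo "$text" | grep -qF "IP Address:$ip" || return 1
    return 0
}

DEMO_DIR=$(mktemp -d)
gen_docker_tls "$DEMO_DIR" docker-deamo 10.211.55.4 niceyoo
if verify_chain "$DEMO_DIR" docker-deamo 10.211.55.4; then
    echo "chain OK in $DEMO_DIR: dockerd gets ca.pem + server-*.pem, the client gets ca.pem, cert.pem, key.pem"
else
    echo "chain verification FAILED in $DEMO_DIR"
fi
```

Once the daemon is running with these files, the same three client files work from the command line as well as from IDEA: `docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=docker-deamo:2375 version`, or `curl --cacert ca.pem --cert cert.pem --key key.pem https://docker-deamo:2375/version`. Connecting by an address that is not in the SAN (or with no client certificate) must fail; if it does not, the daemon is not running with --tlsverify.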

That concludes the walkthrough of enabling secure TLS remote access to Docker. Combining the theory with practice is the best way to learn it, so go and try it yourself.
