How to use Docker remotely on an Atomic host

2025-01-21 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >


Shulou(Shulou.com)06/01 Report--

This article explains in detail how to use Docker remotely on an Atomic host. The editor considers it quite practical and shares it here for reference; I hope you gain something from reading it.

Atomic Host from Project Atomic is a lightweight, container-based operating system that runs Linux containers. It has been optimized for use as a container runtime system in cloud environments; for example, it can host the Docker daemon and its containers. Sometimes you need to run docker commands against that host and manage the server from somewhere else. This article describes how to remotely access the Docker daemon on a Fedora Atomic host (you can download it here). The whole process is automated with Ansible, a great tool when it comes to automating everything!

Security note

Since the connection goes over the network, we use TLS to protect the Docker daemon. This procedure requires both client and server certificates. The OpenSSL package is used to create the keys and certificates that establish the TLS connections. Here, the Atomic host runs the daemon, and our local Fedora Workstation acts as the client.

Before you follow these steps, note that any process with access to the TLS client certificate on the client machine has full root access on the server: the Docker daemon runs as root, and the client certificate grants complete access to its API. So the client can do whatever it wants on the server. Grant certificate access only to specific client hosts that can be trusted. You should copy the client certificate only to client hosts that are under your complete control. But even in this case, the security of the client machine is crucial.

This method is only one way to remotely access the daemon. Orchestration tools usually provide more secure control. The simple method below is suitable for personal experiments and may not be suitable for open networks.

Get Ansible Role

Chris Houseknecht wrote an Ansible role that creates all the required certificates, so you don't have to run openssl manually. It is available in the Ansible role repository. Clone it onto your current work host:

$ mkdir docker-remote-access
$ cd docker-remote-access
$ git clone https://github.com/ansible/role-secure-docker-daemon.git

Create the configuration files

Next, you must create an Ansible configuration file, an inventory, and a playbook to set up the client and the daemon. The playbook below creates the client and server certificates on the Atomic host, then fetches the client certificate to the local machine. Finally, it configures the daemon and the client so they can talk to each other.

Here is the directory structure you need. Create each of the files as shown below.

$ tree docker-remote-access/
docker-remote-access/
├── ansible.cfg
├── inventory
├── remote-access.yml
└── role-secure-docker-daemon

ansible.cfg:

$ vim ansible.cfg
[defaults]
inventory=inventory

Inventory file:

$ vim inventory
[daemonhost]
'IP_OF_ATOMIC_HOST' ansible_ssh_private_key_file='PRIVATE_KEY_FILE'

Replace IP_OF_ATOMIC_HOST in the inventory file with the IP address of the Atomic host. Replace PRIVATE_KEY_FILE with the location of the SSH private key file on the local system.

Playbook file (remote-access.yml):

$ vim remote-access.yml
---
- name: Docker Client Set up
  hosts: daemonhost
  gather_facts: no
  tasks:
    - name: Make ~/.docker directory for docker certs
      local_action: file path='~/.docker' state='directory'

    - name: Add Environment variables to ~/.bashrc
      local_action: lineinfile dest='~/.bashrc' line='export DOCKER_TLS_VERIFY=1\nexport DOCKER_CERT_PATH=~/.docker/\nexport DOCKER_HOST=tcp://{{ inventory_hostname }}:2376\n' state='present'

    # Only affects the shell Ansible spawns for this task; open a new terminal
    # (or source ~/.bashrc yourself) for the variables to take effect.
    - name: Source ~/.bashrc file
      local_action: shell source ~/.bashrc

- name: Docker Daemon Set up
  hosts: daemonhost
  gather_facts: no
  remote_user: fedora
  become: yes
  become_method: sudo
  become_user: root
  roles:
    - role: role-secure-docker-daemon
      dds_host: "{{ inventory_hostname }}"
      dds_server_cert_path: /etc/docker
      dds_restart_docker: no
  tasks:
    - name: fetch ca.pem from daemon host
      fetch:
        src: /root/.docker/ca.pem
        dest: ~/.docker/
        fail_on_missing: yes
        flat: yes

    - name: fetch cert.pem from daemon host
      fetch:
        src: /root/.docker/cert.pem
        dest: ~/.docker/
        fail_on_missing: yes
        flat: yes

    - name: fetch key.pem from daemon host
      fetch:
        src: /root/.docker/key.pem
        dest: ~/.docker/
        fail_on_missing: yes
        flat: yes

    - name: Remove Environment variable OPTIONS from /etc/sysconfig/docker
      lineinfile:
        dest: /etc/sysconfig/docker
        regexp: '^OPTIONS'
        state: absent

    # --tlsverify makes the daemon require a client certificate signed by ca.pem
    # on the TCP listener; the unix socket stays available for local root use.
    - name: Modify Environment variable OPTIONS in /etc/sysconfig/docker
      lineinfile:
        dest: /etc/sysconfig/docker
        line: "OPTIONS='--selinux-enabled --log-driver=journald --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H=0.0.0.0:2376 -H=unix:///var/run/docker.sock'"
        state: present

    # The client key pair must not stay on the daemon host once it has been fetched.
    - name: Remove client certs from daemon host
      file:
        path: /root/.docker
        state: absent

    - name: Reload Docker daemon
      command: systemctl daemon-reload

    - name: Restart Docker daemon
      command: systemctl restart docker.service

Access the Atomic host

Now run the Ansible playbook:

$ ansible-playbook remote-access.yml

Make sure TCP port 2376 is open on your Atomic host. If you are using OpenStack, add TCP port 2376 to your security rules. If you use AWS, add it to your security group.

Now, docker commands run as a regular user on your workstation communicate with the Atomic host's daemon and execute there. You don't need to ssh in manually or issue commands on the Atomic host. This lets you launch containerized applications remotely, easily and securely.

If you want to clone the Ansible playbook and configuration files, here is the git repository.

That concludes this article on how to use Docker remotely on an Atomic host. I hope the content above is of some help; if you found the article useful, please share it so more people can see it.
