How to realize the HTTP socket TLS encrypted connection of docker daemon

Source: SLTechnology News&Howtos, Shulou.com. Published 05/31, updated 2025-03-15.

This article explains how to give the Docker daemon a TLS-protected network endpoint: create a private CA, issue a server certificate for the daemon and a client certificate for each user, and lock down the resulting files. The procedure is short, and each step is shown as it was run.

By default the Docker daemon listens only on a local Unix socket, which is not reachable over the network. If clients must reach the daemon over the network, it has to listen on a TCP socket, and that socket must be protected with TLS in both directions: the client verifies the daemon's certificate, and the daemon accepts only clients presenting a certificate signed by a CA you control. An unauthenticated TCP endpoint is not an option, because anyone who can talk to the Docker API can start privileged containers and so owns the host. The traffic is then HTTPS (the Docker HTTP API over TLS).

Use openssl to create the CA key and the CA certificate. The CA key is encrypted with AES-256, so a passphrase is requested; it will be needed again every time a certificate is signed.

[root@srv00 ~]# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
........................++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
[root@srv00 ~]# openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:docker
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:srv00
Email Address []:h@xxx.com

With the CA in place, create a certificate signing request (CSR) for the daemon and sign it with the CA. Use the daemon host's name as the Common Name, and list every address clients will dial in subjectAltName: the Docker client checks the certificate against the address it connects to, so an address missing from the SAN fails the handshake. The SAN entries are comma-separated.

Server certificate:

[root@srv00 ~]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
..++
.++
e is 65537 (0x10001)
[root@srv00 ~]# openssl req -subj "/CN=srv00" -sha256 -new -key server-key.pem -out server.csr
[root@srv00 ~]# echo subjectAltName = IP:192.168.1.80,IP:127.0.0.1 > extfile.cnf
[root@srv00 ~]# openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=srv00
Getting CA Private Key
Enter pass phrase for ca-key.pem:

Client certificate. The extendedKeyUsage = clientAuth extension restricts this certificate to client authentication, so even though it is signed by the same CA it cannot be presented as the daemon's server certificate:

[root@srv00 ~]# openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
...++
...++
e is 65537 (0x10001)
[root@srv00 ~]# openssl req -subj '/CN=client' -new -key key.pem -out client.csr
[root@srv00 ~]# echo extendedKeyUsage = clientAuth > extfile.cnf
[root@srv00 ~]# openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:

The CSRs are no longer needed once the certificates have been signed and can be deleted.

[root@srv00 ~]# rm -rfv client.csr server.csr
removed 'client.csr'
removed 'server.csr'

Install the certificates and restrict their permissions. The private keys (ca-key.pem, server-key.pem, key.pem) must be readable only by their owner; the certificates themselves are public and may be left at 0444 if the daemon or the client runs under a different account. Keep ca-key.pem off the daemon host altogether if you can, since whoever holds it can mint client certificates the daemon will trust.

[root@srv00 ~]# chmod 400 *.pem
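The whole procedure above as one non-interactive script, followed by the checks a practitioner should run on the result and the daemon-side configuration that consumes the files. This is an added example, not the article's own commands. It goes slightly beyond the article: the server SAN also carries the DNS name and the server certificate gets a serverAuth EKU, and the private keys and certificates get different modes. Everything else is assumed rather than taken from the article: the output directory is the first argument, the CA passphrase comes from CA_PASS (the default is for demonstration only), the daemon address defaults to 192.168.1.80 as in the article, and the daemon listens on 2376, Docker's conventional TLS port.

```shell
#!/bin/sh
# Added example, not from the article: the CA / server / client procedure as a
# non-interactive script, a self-check of the result, and the daemon.json that
# makes dockerd require a CA-signed client certificate.
# Assumptions (not in the article): output dir is $1, CA passphrase in $CA_PASS
# (demo default only), daemon reachable at $DAEMON_IP on port 2376.
set -eu

HOST_CN=${HOST_CN:-srv00}
DAEMON_IP=${DAEMON_IP:-192.168.1.80}
CA_PASS=${CA_PASS:-change-me-before-use}
KEY_BITS=${KEY_BITS:-4096}

# Create ca.pem/ca-key.pem, server-cert.pem/server-key.pem and cert.pem/key.pem in $1.
make_certs() (
    mkdir -p "$1" && cd "$1"
    # CA key stays encrypted; the passphrase is supplied instead of prompted for.
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca-key.pem "$KEY_BITS" 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key ca-key.pem -passin "pass:$CA_PASS" \
        -subj "/C=CN/ST=Shanghai/L=Shanghai/O=docker/OU=IT/CN=$HOST_CN" -out ca.pem
    # Server certificate: CN is the host name, SAN lists every address a client may
    # dial (comma-separated), serverAuth pins the certificate to the server role.
    openssl genrsa -out server-key.pem "$KEY_BITS" 2>/dev/null
    openssl req -new -sha256 -subj "/CN=$HOST_CN" -key server-key.pem -out server.csr
    printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
        "$HOST_CN" "$DAEMON_IP" > server-ext.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
        -passin "pass:$CA_PASS" -CAcreateserial -extfile server-ext.cnf -out server-cert.pem 2>/dev/null
    # Client certificate: clientAuth only, so it can never be presented as a server.
    openssl genrsa -out key.pem "$KEY_BITS" 2>/dev/null
    openssl req -new -sha256 -subj '/CN=client' -key key.pem -out client.csr
    printf 'extendedKeyUsage = clientAuth\n' > client-ext.cnf
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
        -passin "pass:$CA_PASS" -CAcreateserial -extfile client-ext.cnf -out cert.pem 2>/dev/null
    # CSRs and extension files are scratch; keys are owner-only, certificates are public.
    rm -f server.csr client.csr server-ext.cnf client-ext.cnf
    chmod 0400 ca-key.pem server-key.pem key.pem
    chmod 0444 ca.pem server-cert.pem cert.pem
)

# Check what the daemon and client will rely on. Prints "ok"; exits non-zero otherwise.
verify_certs() (
    cd "$1" || exit 1
    # Both leaf certificates chain to our CA.
    openssl verify -CAfile ca.pem server-cert.pem cert.pem >/dev/null || exit 1
    # The server certificate carries the address the client dials.
    openssl x509 -in server-cert.pem -noout -text | grep -q "IP Address:$DAEMON_IP" || exit 1
    # The client certificate is usable for client authentication and for nothing else.
    openssl x509 -in cert.pem -noout -text | grep -q 'TLS Web Client Authentication' || exit 1
    if openssl x509 -in cert.pem -noout -text | grep -q 'TLS Web Server Authentication'; then
        echo "client certificate must not carry serverAuth" >&2
        exit 1
    fi
    echo ok
)

# /etc/docker/daemon.json for the daemon side. When "hosts" is set here, any -H in the
# systemd unit's ExecStart must be removed, otherwise dockerd refuses to start.
daemon_json() {
    printf '{\n  "tlsverify": true,\n  "tlscacert": "%s/ca.pem",\n  "tlscert": "%s/server-cert.pem",\n  "tlskey": "%s/server-key.pem",\n  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"]\n}\n' \
        "$1" "$1" "$1"
}

# Client-side command line. DOCKER_TLS_VERIFY=1, DOCKER_CERT_PATH and DOCKER_HOST are the
# equivalent environment variables.
client_cmd() {
    echo "docker --tlsverify --tlscacert=$1/ca.pem --tlscert=$1/cert.pem --tlskey=$1/key.pem -H tcp://$DAEMON_IP:2376 version"
}

main() {
    dir=${1:-$(mktemp -d)}
    make_certs "$dir"
    verify_certs "$dir"
    daemon_json "$dir"
    client_cmd "$dir"
}
main "$@"
```

Run it as sh docker-tls.sh /etc/docker/certs on the daemon host, then copy ca.pem, cert.pem and key.pem to each client and delete ca-key.pem from the daemon host once all client certificates have been issued. The verify_certs step is the one worth keeping around: a SAN that does not match the dialed address or a client certificate accidentally issued without clientAuth both surface there rather than as an opaque handshake failure from the docker client.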
