Docker启用TLS实现安全配置的步骤

前言

之前开启了docker的2375 Remote API，接到公司安全部门的要求，需要启用授权，翻了下官方文档

Protect the Docker daemon socket


启用TLS

在docker服务器，生成CA私有和公共密钥

$ openssl genrsa -aes256 -out ca-key.pem 4096

Generating RSA private key, 4096 bit long modulus

……………………………………………………………………………………………………………………………………………………………………..++

……..++

e is 65537 (0x10001)

Enter pass phrase for ca-key.pem:

Verifying – Enter pass phrase for ca-key.pem:

$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

Enter pass phrase for ca-key.pem:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [AU]:

State or Province Name (full name) [Some-State]:Queensland

Locality Name (eg, city) []:Brisbane

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc

Organizational Unit Name (eg, section) []:Sales

Common Name (e.g. server FQDN or YOUR name) []:$HOST

Email Address []:Sven@home.org.au有了CA后，可以创建一个服务器密钥和证书签名请求(CSR)

$HOST 是你的服务器ip

$ openssl genrsa -out server-key.pem 4096

Generating RSA private key, 4096 bit long modulus

……………………………………………………………++

…………………………………………………………………………………….++

e is 65537 (0x10001)

$ openssl req -subj “/CN=$HOST” -sha256 -new -key server-key.pem -out server.csr接着，用CA来签署公共密钥:

$ echo subjectAltName = DNS:$HOST,IP:$HOST:127.0.0.1 >> extfile.cnf

$ echo extendedKeyUsage = serverAuth >> extfile.cnf生成key：

$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \

-CAcreateserial -out server-cert.pem -extfile extfile.cnf

Signature ok

subject=/CN=your.host.com

Getting CA Private Key

Enter pass phrase for ca-key.pem:创建客户端密钥和证书签名请求:

$ openssl genrsa -out key.pem 4096

Generating RSA private key, 4096 bit long modulus

…………………………………………………++

…………….++

e is 65537 (0x10001)

$ openssl req -subj ‘/CN=client’ -new -key key.pem -out client.csr修改extfile.cnf：

echo extendedKeyUsage = clientAuth > extfile-client.cnf生成签名私钥：

$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \

-CAcreateserial -out cert.pem -extfile extfile-client.cnf

Signature ok

subject=/CN=client

Getting CA Private Key

Enter pass phrase for ca-key.pem:将Docker服务停止，然后修改docker服务文件

[Unit]

Description=Docker APPlication Container Engine

Documentation=http://docs.docker.io

[Service]

Environment=”PATH=/opt/kube/bin:/bin:/sbin:/usr/bin:/usr/sbin”

ExecStart=/opt/kube/bin/dockerd –tlsverify –tlscacert=/root/docker/ca.pem –tlscert=/root/docker/server-cert.pem –tlskey=/root/docker/server-key.pem -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375

ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT

ExecReload=/bin/kill -s HUP $MAINPID

Restart=on-failure

RestartSec=5

LimitNOFILE=infinity

LimitNPROC=infinity

LimitCORE=infinity

Delegate=yes

KillMode=process

[Install]

WantedBy=multi-user.target然后重启服务

systemctl daemon-reload

systemctl restart docker.service 重启后查看服务状态：

systemctl status docker.service

● docker.service – Docker Application Container Engine

  Loaded: loaded (/etc/systemd/system/docker.service; enabled; vendor preset: enabled)

  Active: active (running) since Thu 2022-08-08 19:22:26 CST; 1 min ago已经生效。

使用证书连接：

复制ca.pem,cert.pem,key.pem三个文件到客户端

docker –tlsverify –tlscacert=ca.pem –tlscert=cert.pem –tlskey=key.pem -H=$HOST:2375 version连接即可
docker-java 启用TLS

项目里使用docker的java客户端docker-java调用docker，为了支持TLS，在创建客户端时，需要增加TLS设置。

首先将ca.pem cert.pem key.pem这三个文件拷贝到本地，例如E:\\docker\\”,

然后DefaultDockerClientConfig里withDockerTlsVerify设为true，并设置certpath为刚拷贝的目录。

DefaultDockerClientConfig.Builder builder =

        DefaultDockerClientConfig.createDefaultConfigBuilder()

          .withDockerHost(“tcp://” + server + “:2375”)

          .withApiVersion(“1.30”);

      if (containerConfiguration.getDockerTlsVerify()) {

        builder = builder.withDockerTlsVerify(true)

          .withDockerCertPath(“E:\\docker\\”);

      }

  return DockerClientBuilder.getInstance(builder.build()).build()大工搞定。


总结

以上就是这篇文章的全部内容了，希望本文的内容对大家的学习或者工作具有一定的参考学习价值，谢谢大家对共生网络的支持。