一、docker 使用TLS开启2376
1.1 使用Openssl 生成CA、服务器和客户端密钥
#cd 到证书生成目录 cd /etc/.docker/certs $HOST为服务器ip $ openssl genrsa -aes256 -out ca-key.pem 4096 Generating RSA private key, 4096 bit long modulus ............................................................................................................................................................................................++ ........++ e is 65537 (0x10001) Enter pass phrase for ca-key.pem: Verifying - Enter pass phrase for ca-key.pem: $ openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca.pem Enter pass phrase for ca-key.pem: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:Henan Locality Name (eg, city) []:Zhengzhou Organization Name (eg, company) [Internet Widgits Pty Ltd]:Inspur Organizational Unit Name (eg, section) []:Inspur Common Name (e.g. server FQDN or YOUR name) []:$HOST Email Address []:wjy@inspur.com
1.2 生成服务器密钥和证书签名请求
$ openssl genrsa -out server-key.pem 4096 Generating RSA private key, 4096 bit long modulus .....................................................................++ .................................................................................................++ e is 65537 (0x10001) $ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
1.3 指定IP地址和DNS名称
echo subjectAltName = DNS:$HOST,IP:10.151.11.52,IP:127.0.0.1,IP:0.0.0.0 >> extfile.cnf #将docker守护进程密钥的扩展使用属性设置为仅使用于服务器的身份验证 echo extendedKeyUsage = serverAuth >> extfile.cnf
1.4 生成签名证书
$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \ -CAcreateserial -out server-cert.pem -extfile extfile.cnf Signature ok subject=/CN=your.host.com Getting CA Private Key Enter pass phrase for ca-key.pem:
1.5 生成客户端密钥和证书签名请求
$ openssl genrsa -out key.pem 4096 Generating RSA private key, 4096 bit long modulus .........................................................++ ................++ e is 65537 (0x10001) $ openssl req -subj '/CN=client' -new -key key.pem -out client.csr $ echo extendedKeyUsage = clientAuth > extfile-client.cnf #生成签名证书 $ openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \ -CAcreateserial -out cert.pem -extfile extfile-client.cnf Signature ok subject=/CN=client Getting CA Private Key Enter pass phrase for ca-key.pem: #删除证书签名请求和扩展配置文件 $ rm -v client.csr server.csr extfile.cnf extfile-client.cnf #删除密钥的写权限,保护密钥不受意外损坏 $ chmod -v 0400 ca-key.pem key.pem server-key.pem $ chmod -v 0444 ca.pem server-cert.pem cert.pem
#生成证书结果:
1.6 开启docker 2376端口
#打开docker service文件 vim /etc/systemd/system/docker.service 在ExecStart=/usr/bin/dockerd-current 后面增加 --tlsverify --tlscacert=/etc/.docker/certs/ca.pem --tlscert=/etc/.docker/certs/server-cert.pem \--tlskey=/etc/.docker/certs/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock #重启docker systemctl daemon-reload systemctl restart docker
1.7 配置客户端
1. 创建证书目录
mkdir -pv ~/.docker/certs/cd ~/.docker/certs/
2. 将服务端/etc/.docker/certs中ca.pem、cert.pem、key.pem这3个文件拷贝到当前目录
scp ca.pem cert.pem key.pem ~/.docker/certs
文件为ca.pem、cert.pem、key.pem,IDEA工具连接直接选择客户端证书文件夹就行
1.8 IDEA连接docker配置(可选)
1、打开IDEA,点击File->Settings, 在搜索栏输入docker
2、在API URL中端口可以输入自己开启的2375或者2376
二、docker 开启2375端口
#打开docker service文件
vim /etc/systemd/system/docker.service
在ExecStart=/usr/bin/dockerd-current 后面增加 -H tcp://0.0.0.0:2375
#重启docker
systemctl daemon-reload
systemctl restart docker
三、docker-java配置使用2375或者2376端口
3.1 pom.xml中引入依赖的maven包
<dependency> <groupId>com.github.docker-java</groupId> <artifactId>docker-java</artifactId> <version>3.2.5</version> </dependency> <dependency> <groupId>com.github.docker-java</groupId> <artifactId>docker-java-core</artifactId> <version>3.2.5</version> </dependency> <dependency> <groupId>com.github.docker-java</groupId> <artifactId>docker-java-transport-httpclient5</artifactId> <version>3.2.5</version> </dependency>
3.2连接2376端口
DockerClientConfig config = DefaultDockerClientConfig.createDefaultConfigBuilder() .withDockerHost("tcp://10.151.11.51:2376") .withDockerTlsVerify(true) .withDockerCertPath("~/.docker/certs") .withRegistryUsername("admin") .withRegistryPassword("123456a?") .withRegistryUrl("http://10.151.11.51:5000") .build(); DockerHttpClient httpClient = new ApacheDockerHttpClient.Builder() .dockerHost(config.getDockerHost()) .sslConfig(config.getSSLConfig()) .build(); DockerClient dockerClient = DockerClientImpl.getInstance(config, httpClient);
3.3 连接2375端口
DockerClientConfig config = DefaultDockerClientConfig.createDefaultConfigBuilder() .withDockerHost("tcp://10.151.11.51:2375") .withDockerTlsVerify(false) // .withDockerCertPath("~/.docker/certs") .withRegistryUsername("admin") .withRegistryPassword("123456a?") .withRegistryUrl("http://10.151.11.51:5000") .build(); DockerHttpClient httpClient = new ApacheDockerHttpClient.Builder() .dockerHost(config.getDockerHost()) .sslConfig(config.getSSLConfig()) .build(); DockerClient dockerClient = DockerClientImpl.getInstance(config, httpClient);
配置完成,可以使用docker-java对docker服务器的镜像和镜像仓库中的镜像进行操作。
参考链接:
https://docs.docker.com/engine/security/https/
https://github.com/docker-java/docker-java/blob/3.2.5/docs/getting_started.md