I. Enabling Docker port 2376 with TLS
1.1 Generate the CA, server and client keys with OpenSSL
# cd to the certificate directory; $HOST is the server IP
cd /etc/.docker/certs
$ openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................................................++
........++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
$ openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Henan
Locality Name (eg, city) []:Zhengzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Inspur
Organizational Unit Name (eg, section) []:Inspur
Common Name (e.g. server FQDN or YOUR name) []:$HOST
Email Address []:wjy@inspur.com
1.2 Generate the server key and certificate signing request
$ openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.....................................................................++
.................................................................................................++
e is 65537 (0x10001)
$ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
1.3 Specify the IP addresses and DNS names
echo subjectAltName = DNS:$HOST,IP:10.151.11.52,IP:127.0.0.1,IP:0.0.0.0 >> extfile.cnf
# Restrict the extended key usage of the Docker daemon's key to server authentication only
echo extendedKeyUsage = serverAuth >> extfile.cnf
1.4 Generate the signed server certificate
$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=your.host.com
Getting CA Private Key
Enter pass phrase for ca-key.pem:
1.5 Generate the client key and certificate signing request
$ openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................................++
................++
e is 65537 (0x10001)
$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
$ echo extendedKeyUsage = clientAuth > extfile-client.cnf
# Generate the signed client certificate
$ openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -extfile extfile-client.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:
# Remove the certificate signing requests and the extension config files
$ rm -v client.csr server.csr extfile.cnf extfile-client.cnf
# Remove write permission from the keys so they cannot be damaged by accident
$ chmod -v 0400 ca-key.pem key.pem server-key.pem
$ chmod -v 0444 ca.pem server-cert.pem cert.pem
# Resulting certificate files:
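Steps 1.1 to 1.5 as one script that runs without prompts. This is an added example, not part of the original post; it assumes openssl is on the PATH, reads the CA key passphrase from an environment variable named CA_PASS, and the directory, host name and IP in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1.1 to 1.5 as one script with
# no prompts. Assumes openssl is installed and CA_PASS holds the CA passphrase:
#   CA_PASS=secret sh gen-docker-certs.sh /etc/.docker/certs docker.example.com 10.151.11.52
set -eu
# Writes the server extfile. Arguments that look like IPv4 addresses become
# IP: SAN entries, anything else DNS:. extendedKeyUsage=serverAuth means the
# daemon's certificate cannot be presented as a client certificate.
server_extfile() {
    san=""
    for name in "$@"; do
        case "$name" in
            *[!0-9.]*) entry="DNS:$name" ;;
            *)         entry="IP:$name" ;;
        esac
        san="${san:+$san,}$entry"
    done
    printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$san"
}
gen_docker_certs() {
    dir=$1; shift; host=$1
    mkdir -p "$dir"; cd "$dir"
    umask 077                      # keys are never world-readable, not even briefly
    # CA: passphrase-protected key and a self-signed cert valid 10 years, as on the page
    openssl genrsa -aes256 -passout env:CA_PASS -out ca-key.pem 4096
    openssl req -new -x509 -days 3650 -sha256 -subj "/CN=$host" \
        -key ca-key.pem -passin env:CA_PASS -out ca.pem
    # Server: CN plus every name or IP a client may dial, signed for serverAuth only
    openssl genrsa -out server-key.pem 4096
    openssl req -new -sha256 -subj "/CN=$host" -key server-key.pem -out server.csr
    server_extfile "$@" 127.0.0.1 > extfile.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
        -passin env:CA_PASS -CAcreateserial -extfile extfile.cnf -out server-cert.pem
    # Client: clientAuth only, so a leaked client cert cannot impersonate the daemon
    openssl genrsa -out key.pem 4096
    openssl req -new -subj '/CN=client' -key key.pem -out client.csr
    echo 'extendedKeyUsage = clientAuth' > extfile-client.cnf
    openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
        -passin env:CA_PASS -CAcreateserial -extfile extfile-client.cnf -out cert.pem
    rm -f client.csr server.csr extfile.cnf extfile-client.cnf
    chmod 0400 ca-key.pem key.pem server-key.pem
    chmod 0444 ca.pem server-cert.pem cert.pem
    # Check: each leaf chains to the CA and carries the purpose it was issued for
    openssl verify -CAfile ca.pem -purpose sslserver server-cert.pem
    openssl verify -CAfile ca.pem -purpose sslclient cert.pem
}
# Run only when called with a directory and at least one name; otherwise just define functions
if [ $# -ge 2 ]; then gen_docker_certs "$@"; fi
```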
1.6 Open Docker port 2376
# Open the docker service file
vim /etc/systemd/system/docker.service
After ExecStart=/usr/bin/dockerd-current append:
--tlsverify --tlscacert=/etc/.docker/certs/ca.pem --tlscert=/etc/.docker/certs/server-cert.pem \
--tlskey=/etc/.docker/certs/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock
# Restart docker
systemctl daemon-reload
systemctl restart docker
1.7 Configure the client
1. Create the certificate directory
mkdir -pv ~/.docker/certs/
cd ~/.docker/certs/
2. Copy the three files ca.pem, cert.pem and key.pem from the server's /etc/.docker/certs into the current directory
# Run on the client; $HOST is the server
scp "$HOST:/etc/.docker/certs/ca.pem" "$HOST:/etc/.docker/certs/cert.pem" "$HOST:/etc/.docker/certs/key.pem" ~/.docker/certs/
The files are ca.pem, cert.pem and key.pem; when connecting from IDEA, simply select the client certificate folder.
1.8 Connecting to Docker from IDEA (optional)
1. Open IDEA, click File -> Settings and type docker in the search box
2. In the API URL, the port can be whichever one you enabled, 2375 or 2376
II. Enabling Docker port 2375
# Open the docker service file
vim /etc/systemd/system/docker.service
After ExecStart=/usr/bin/dockerd-current append -H tcp://0.0.0.0:2375
# Restart docker
systemctl daemon-reload
systemctl restart docker
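A check that tells the ExecStart line of 1.6 apart from the one in this section. This is an added example, not from the original post; the function names and the unit file path on the command line are assumptions, and it expects ExecStart on a single line as shown on this page.

```shell
#!/bin/sh
# Added example, not from the original post: audits the ExecStart line of
# docker.service. A tcp:// listener passes only when --tlsverify and the three
# --tls* file options from step 1.6 are all present; the bare -H tcp://0.0.0.0:2375
# of section II is flagged, since anyone who can reach that port gets root on the host.
set -eu

# True when the CA, server cert and server key options are all on the line.
# --tls alone (without verify) encrypts but still accepts any client, so it does not count.
has_tls_files() {
    case "$1" in *--tlscacert=*) ;; *) return 1 ;; esac
    case "$1" in *--tlscert=*)   ;; *) return 1 ;; esac
    case "$1" in *--tlskey=*)    ;; *) return 1 ;; esac
}

# Prints one finding per tcp listener; returns 1 if any of them is unprotected.
audit_execstart() {
    line=$1; rc=0
    case "$line" in *--tlsverify*) verify=1 ;; *) verify=0 ;; esac
    for word in $line; do
        case "$word" in
            tcp://*|-Htcp://*|--host=tcp://*)
                if [ "$verify" -eq 1 ] && has_tls_files "$line"; then
                    echo "ok: ${word#*tcp://} requires a client certificate signed by the CA"
                else
                    echo "INSECURE: ${word#*tcp://} accepts unauthenticated API calls"
                    rc=1
                fi ;;
        esac
    done
    return "$rc"
}

# Usage: sh audit-dockerd.sh /etc/systemd/system/docker.service
# Several ExecStart= lines (e.g. an empty reset line) are joined and audited together.
if [ $# -eq 1 ]; then
    audit_execstart "$(grep '^ExecStart=' "$1" | tr '\n' ' ')"
fi
```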
III. Using docker-java with port 2375 or 2376
3.1 Add the Maven dependencies to pom.xml
<dependency>
    <groupId>com.github.docker-java</groupId>
    <artifactId>docker-java</artifactId>
    <version>3.2.5</version>
</dependency>
<dependency>
    <groupId>com.github.docker-java</groupId>
    <artifactId>docker-java-core</artifactId>
    <version>3.2.5</version>
</dependency>
<dependency>
    <groupId>com.github.docker-java</groupId>
    <artifactId>docker-java-transport-httpclient5</artifactId>
    <version>3.2.5</version>
</dependency>
3.2 Connecting to port 2376
import com.github.dockerjava.api.DockerClient;
import com.github.dockerjava.core.DefaultDockerClientConfig;
import com.github.dockerjava.core.DockerClientConfig;
import com.github.dockerjava.core.DockerClientImpl;
import com.github.dockerjava.httpclient5.ApacheDockerHttpClient;
import com.github.dockerjava.transport.DockerHttpClient;

// Java does not expand "~", so the client certificate directory is built from user.home
DockerClientConfig config = DefaultDockerClientConfig.createDefaultConfigBuilder()
        .withDockerHost("tcp://10.151.11.51:2376")
        .withDockerTlsVerify(true)   // present cert.pem/key.pem and verify the server against ca.pem
        .withDockerCertPath(System.getProperty("user.home") + "/.docker/certs")
        .withRegistryUsername("admin")
        .withRegistryPassword("123456a?")
        .withRegistryUrl("http://10.151.11.51:5000")
        .build();
DockerHttpClient httpClient = new ApacheDockerHttpClient.Builder()
        .dockerHost(config.getDockerHost())
        .sslConfig(config.getSSLConfig())
        .build();
DockerClient dockerClient = DockerClientImpl.getInstance(config, httpClient);
3.3 Connecting to port 2375
// Imports as in 3.2
DockerClientConfig config = DefaultDockerClientConfig.createDefaultConfigBuilder()
        .withDockerHost("tcp://10.151.11.51:2375")
        .withDockerTlsVerify(false)  // plaintext; the daemon does not authenticate the client
        // .withDockerCertPath(...)  // not needed without TLS
        .withRegistryUsername("admin")
        .withRegistryPassword("123456a?")
        .withRegistryUrl("http://10.151.11.51:5000")
        .build();
DockerHttpClient httpClient = new ApacheDockerHttpClient.Builder()
        .dockerHost(config.getDockerHost())
        .sslConfig(config.getSSLConfig())  // null when TLS verify is off
        .build();
DockerClient dockerClient = DockerClientImpl.getInstance(config, httpClient);
With the configuration done, docker-java can be used to work with images on the Docker server and in the image registry.
References:
https://docs.docker.com/engine/security/https/
https://github.com/docker-java/docker-java/blob/3.2.5/docs/getting_started.md