docker添加TLS暴露2375
2024-05-10 13:28:59
创建TLS 安全连接
- 创建证书脚本
[root@node-219 docker]# cat tlscert.sh
#!/bin/bash
# @author: Bocloudif [ $# != 1 ] ; then
echo "USAGE: $0 [HOST_IP]"
exit 1;
fi #============================================#
# 下面为证书密钥及相关信息配置,注意修改 #
#============================================#
PASSWORD="Beyond#11"
COUNTRY=CN
PROVINCE=jiangsu
CITY=suzhou
ORGANIZATION=Bocloud
GROUP=OEM
NAME=Bocloud
HOST=$1
SUBJ="/C=$COUNTRY/ST=$PROVINCE/L=$CITY/O=$ORGANIZATION/OU=$GROUP/CN=$HOST"echo "your host is: $1"# 1.生成根证书RSA私钥,PASSWORD作为私钥文件的密码
openssl genrsa -passout pass:$PASSWORD -aes256 -out ca-key.pem 4096# 2.用根证书RSA私钥生成自签名的根证书
openssl req -passin pass:$PASSWORD -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem -subj $SUBJ#============================================#
# 用根证书签发server端证书 #
#============================================## 3.生成服务端私钥
openssl genrsa -out server-key.pem 4096# 4.生成服务端证书请求文件
openssl req -new -sha256 -key server-key.pem -out server.csr -subj "/CN=$HOST"# 5.使tls连接能通过ip地址方式,绑定IP
echo subjectAltName = IP:127.0.0.1,IP:$HOST > extfile.cnf# 6.使用根证书签发服务端证书
openssl x509 -passin pass:$PASSWORD -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf#============================================#
# 用根证书签发client端证书 #
#============================================## 7.生成客户端私钥
openssl genrsa -out key.pem 4096# 8.生成客户端证书请求文件
openssl req -subj '/CN=client' -new -key key.pem -out client.csr# 9.客户端证书配置文件
echo extendedKeyUsage = clientAuth > extfile.cnf# 10.使用根证书签发客户端证书
openssl x509 -passin pass:$PASSWORD -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf#============================================#
# 清理 #
#============================================#
# 删除中间文件
rm -f client.csr server.csr ca.srl extfile.cnf# 转移目录
mkdir client server
cp {ca,cert,key}.pem client
cp {ca,server-cert,server-key}.pem server
rm {cert,key,server-cert,server-key}.pem# 设置私钥权限为只读
chmod -f 0400 ca-key.pem server/server-key.pem client/key.pem
- 执行脚本
生成TLS证书配置
[root@node-219 docker]# bash ./tlscert.sh 192.168.2.219
your host is: 192.168.2.219
Generating RSA private key, 4096 bit long modulus
.................................................++
.........++
e is 65537 (0x10001)
Generating RSA private key, 4096 bit long modulus
...............................++
..........++
e is 65537 (0x10001)
Signature ok
subject=/CN=192.168.2.219
Getting CA Private Key
Generating RSA private key, 4096 bit long modulus
..................................................................................................++
....................................................++
e is 65537 (0x10001)
Signature ok
subject=/CN=client
Getting CA Private Key
mkdir: cannot create directory ‘client’: File exists
mkdir: cannot create directory ‘server’: File exists
证书路径如下:
[root@node-219 docker]# ls
ca-key.pem ca.pem client server tlscert.sh
[root@node-219 docker]# pwd
/root/docker
- 配置服务端docker
cp证书到docker下。
[root@node-219 docker]# cp server/* /etc/docker
修改/usr/lib/systemd/system/docker.service文件,在 ExecStart=/usr/bin/dockerd -H fd:// 后添加上证书配置。
ExecStart=/usr/bin/dockerd -H fd:// --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H=unix:///var/run/docker.sock -H=0.0.0.0:2375
重启docker使配置生效。
[root@node-219 docker]# systemctl daemon-reload
[root@node-219 docker]# systemctl restart docker
外部访问的方式
- 客户端加tls参数访问
[root@node-216 ~]# docker --tlsverify --tlscacert=client/ca.pem --tlscert=client/cert.pem --tlskey=client/key.pem -H tcp://192.168.2.219:2375 images
REPOSITORY TAG IMAGE ID CREATED SIZE
deploy.bocloud/paas/tomcat jdk8-corretto acfc903a890c 8 weeks ago 418MB
deploy.bocloud/paas/sonarqube 7.9.1 6b7ac1689533 2 months ago 480MB
deploy.bocloud/paas/jenkins 2.174 d6170c74e3ca 8 months ago 704MB
deploy.bocloud/paas/postgresql-photon v1.5.0 35c891dea9cf 19 months ago 221MB
deploy.bocloud/paas/clair v2.0.1 930044c045e0 2 years ago 387MB- Docker API方式访问
[root@node-216 ~]# curl https://192.168.2.219:2375/images/json --cert client/cert.pem --key client/key.pem --cacert client/ca.pem
[{"Containers":-1,"Created":1571710621,"Id":"sha256:acfc903a890c280823c7672e3f775e8f15bd97259ed77a5873fd7a1cb53f2db3","Labels":null,"ParentId":"","RepoDigests":["deploy.bocloud/paas/tomcat@sha256:9a08962cc4e8d1ff850ab85048dbfdf5ef8bfd5706cd30df4345557f1eb35e7c"],"RepoTags":["deploy.bocloud/paas/tomcat:jdk8-corretto"],"SharedSize":-1,"Size":417867037,"VirtualSize":417867037},{"Containers":-1,"Created":1571474225,"Id":"sha256:6b7ac16895331e3867d06762bf773c87e6512a7ae60f4f4fd037800093b271d5","Labels":null,"ParentId":"","RepoDigests":["deploy.bocloud/paas/sonarqube@sha256:e4465c1a587a9f07def0f4ae99e88e3755eb2b016261a6fc5fbb46fb4e8cfd4e"],"RepoTags":["deploy.bocloud/paas/sonarqube:7.9.1"],"SharedSize":-1,"Size":479541766,"VirtualSize":479541766},{"Containers":-1,"Created":1555988207,"Id":"sha256:d6170c74e3ca7f4e133de55416bec9f110f96d41de2f757d288769500808737b","Labels":null,"ParentId":"","RepoDigests":["deploy.bocloud/paas/jenkins@sha256:484cdb6e7a7d3d49f3e26faa07e4c96dadf08ce82a40a7aef5546a48b0ec02a6"],"RepoTags":["deploy.bocloud/paas/jenkins:2.174"],"SharedSize":-1,"Size":703658287,"VirtualSize":703658287},{"Containers":-1,"Created":1525274683,"Id":"sha256:35c891dea9cfb0aa4afb3912736cba8a44af1b37897ccad2f9c134031420354e","Labels":null,"ParentId":"","RepoDigests":["deploy.bocloud/paas/postgresql-photon@sha256:f748660abdd45316fbcee918017591b367020b5129d4e79a718a6c40e7dea326"],"RepoTags":["deploy.bocloud/paas/postgresql-photon:v1.5.0"],"SharedSize":-1,"Size":221102591,"VirtualSize":221102591},{"Containers":-1,"Created":1497986555,"Id":"sha256:930044c045e082b0b2bdded18bb16ee1a115f12942a773ae0e163c9e0417e3ba","Labels":{},"ParentId":"","RepoDigests":["deploy.bocloud/paas/clair@sha256:9bf420f9e3af9377133a0e439b9aaf7f849dfdceaa0af0b9983166337e86bbbf"],"RepoTags":["deploy.bocloud/paas/clair:v2.0.1"],"SharedSize":-1,"Size":386887602,"VirtualSize":386887602}]
参考文档
docker添加TLS暴露2375相关推荐
- Docker开启TLS和CA认证, 解决暴露2375端口引发的安全漏洞, 并使用idea连接并推送镜像
Docker AC认证教程 解决暴露2375端口引发的安全漏洞 创建证书生成脚本 cert.sh, 放置/script目录 "提示" /mydata/cert/docker这个目录 ...
- Docker暴露2375端口导致服务器被攻击解决方法!
相信了解过docker remote API的同学对2375端口都不陌生了,2375是docker远程操控的默认端口,通过这个端口可以直接对远程的docker daemon进行操作. 当$HOST主机 ...
- Docker开启TLS和CA认证
前言:Docker直接开启2375端口是不安全的,别人只要连上之后就可以任意操作,下面是开启Docker的TLS和CA认证方法,并使用Jenkins和Portainer连接. 一.生成证书 查看服务器 ...
- Docker添加或者更改容器的端口映射
QUESTION:Docker添加或者更改容器的端口映射? ANSWER: 初学Docker容器,按照教程的基本命令,拉取创建了几个容器,都是在一开始新建的时候 docker run -p 指定对应 ...
- docker在设置开放2375端口遇到的坑
安装后需要暴露2375 linux系统看过来,windows没有这个文件 第一步: vim /usr/lib/systemd/system/docker.service 第二步: 大部分网站都是说 E ...
- docker添加新的环境变量_Docker的安装及部署Spring Boot项目操作详解!
本文使用Docker部署Spring Boot项目.部署之前需要环境中已经安装Docker和Maven(用于打包),所以本文先进行安装Docker和Maven:接着搭建一个Spring Boot项目, ...
- 解决Docker添加Docker官方的GPG密钥报错gpg: can‘t open ‘–‘: No such file or directory
解决Docker添加Docker官方的GPG密钥报错gpg: can't open '–': No such file or directory ubuntu下载安装docker添加Docker官方的 ...
- ubuntu下docker添加国内镜像
ubuntu下docker添加国内镜像 第一步: 更换镜像地址 到etc/docker目录中设置daemon.json文件(值得注意的是,如果是首次安装,理论上是不会有 cd /etc/docker ...
- 【Docker】windows环境下的docker如何开放远程2375端口
前言 截止至文章发表时,DockerDesktop的最新版本为v4.11.1.本文以该版本为准. Docker在windows运行在Hyper-v的虚拟机中或者wsl windows子系统中. 原因说 ...
最新文章
- Pixhawk原生固件PX4之位姿控制算法解读
- android 多种特效TextView
- My FioriTest navigation from master page to detail page
- 2013年 833c语言程序 江南大学 (A卷)
- 从实践出发,腾讯云深入解读云端数据库技术
- 架构师之路(39)---IoC框架
- UVa 11383 少林决胜(二分图最佳完美匹配)
- android UI设计属性中英对照表(未修订)
- launchMode的几种模式
- 在rhel6 64位环境下部署LNMP环境
- 数据库性能优化面试题,全网最新
- 为啥E进制计算机的效率最高?
- Spring Boot + WebSocket实现网页在线实时聊天
- python用keras库做个股票分析小程序
- 当百度与重庆相遇,李彦宏的AI越过山丘?
- 分享几个我常用渗透网站
- python实例豆瓣代码_Python实例:通过selenium模拟登陆豆瓣
- 项目管理必看书籍,全部打包送给你
- 通过HttpURLConnection连接上传文件和参数并接收
- Android入门篇(四):自动拨打电话、手动拨打电话