您好,登錄后才能下訂單哦!
這篇文章主要介紹了Docker啟用TLS實(shí)現(xiàn)安全配置的方法的相關(guān)知識(shí),內(nèi)容詳細(xì)易懂,操作簡(jiǎn)單快捷,具有一定借鑒價(jià)值,相信大家閱讀完這篇Docker啟用TLS實(shí)現(xiàn)安全配置的方法文章都會(huì)有所收獲,下面我們一起來(lái)看看吧。
啟用tls
在docker服務(wù)器,生成ca私有和公共密鑰
$ openssl genrsa -aes256 -out ca-key.pem 4096 generating rsa private key, 4096 bit long modulus ............................................................................................................................................................................................++ ........++ e is 65537 (0x10001) enter pass phrase for ca-key.pem: verifying - enter pass phrase for ca-key.pem: $ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem enter pass phrase for ca-key.pem: you are about to be asked to enter information that will be incorporated into your certificate request. what you are about to enter is what is called a distinguished name or a dn. there are quite a few fields but you can leave some blank for some fields there will be a default value, if you enter '.', the field will be left blank. ----- country name (2 letter code) [au]: state or province name (full name) [some-state]:queensland locality name (eg, city) []:brisbane organization name (eg, company) [internet widgits pty ltd]:docker inc organizational unit name (eg, section) []:sales common name (e.g. server fqdn or your name) []:$host email address []:sven@home.org.au
有了ca后,可以創(chuàng)建一個(gè)服務(wù)器密鑰和證書簽名請(qǐng)求(csr)
$host 是你的服務(wù)器ip
$ openssl genrsa -out server-key.pem 4096 generating rsa private key, 4096 bit long modulus .....................................................................++ .................................................................................................++ e is 65537 (0x10001) $ openssl req -subj "/cn=$host" -sha256 -new -key server-key.pem -out server.csr
接著,用ca來(lái)簽署公共密鑰:
$ echo subjectaltname = dns:$host,ip:$host:127.0.0.1 >> extfile.cnf $ echo extendedkeyusage = serverauth >> extfile.cnf
生成key:
$ openssl x509 -req -days 365 -sha256 -in server.csr -ca ca.pem -cakey ca-key.pem \ -cacreateserial -out server-cert.pem -extfile extfile.cnf signature ok subject=/cn=your.host.com getting ca private key enter pass phrase for ca-key.pem:
創(chuàng)建客戶端密鑰和證書簽名請(qǐng)求:
$ openssl genrsa -out key.pem 4096 generating rsa private key, 4096 bit long modulus .........................................................++ ................++ e is 65537 (0x10001) $ openssl req -subj '/cn=client' -new -key key.pem -out client.csr
修改extfile.cnf:
echo extendedkeyusage = clientauth > extfile-client.cnf
生成簽名私鑰:
$ openssl x509 -req -days 365 -sha256 -in client.csr -ca ca.pem -cakey ca-key.pem \ -cacreateserial -out cert.pem -extfile extfile-client.cnf signature ok subject=/cn=client getting ca private key enter pass phrase for ca-key.pem:
將docker服務(wù)停止,然后修改docker服務(wù)文件
[unit] description=docker application container engine documentation=http://docs.docker.io [service] environment="path=/opt/kube/bin:/bin:/sbin:/usr/bin:/usr/sbin" execstart=/opt/kube/bin/dockerd --tlsverify --tlscacert=/root/docker/ca.pem --tlscert=/root/docker/server-cert.pem --tlskey=/root/docker/server-key.pem -h unix:///var/run/docker.sock -h tcp://0.0.0.0:2375 execstartpost=/sbin/iptables -i forward -s 0.0.0.0/0 -j accept execreload=/bin/kill -s hup $mainpid restart=on-failure restartsec=5 limitnofile=infinity limitnproc=infinity limitcore=infinity delegate=yes killmode=process [install] wantedby=multi-user.target
然后重啟服務(wù)
systemctl daemon-reload systemctl restart docker.service
重啟后查看服務(wù)狀態(tài):
systemctl status docker.service ● docker.service - docker application container engine loaded: loaded (/etc/systemd/system/docker.service; enabled; vendor preset: enabled) active: active (running) since thu 2019-08-08 19:22:26 cst; 1 min ago
已經(jīng)生效。
使用證書連接:
復(fù)制ca.pem,cert.pem,key.pem三個(gè)文件到客戶端
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -h=$host:2375 version連接即可
docker-java 啟用tls
項(xiàng)目里使用docker的java客戶端docker-java調(diào)用docker,為了支持tls,在創(chuàng)建客戶端時(shí),需要增加tls設(shè)置。
首先將ca.pem cert.pem key.pem這三個(gè)文件拷貝到本地,例如e:\\docker\\",
然后defaultdockerclientconfig里withdockertlsverify設(shè)為true,并設(shè)置certpath為剛拷貝的目錄。
defaultdockerclientconfig.builder builder = defaultdockerclientconfig.createdefaultconfigbuilder() .withdockerhost("tcp://" + server + ":2375") .withapiversion("1.30"); if (containerconfiguration.getdockertlsverify()) { builder = builder.withdockertlsverify(true) .withdockercertpath("e:\\docker\\"); } return dockerclientbuilder.getinstance(builder.build()).build()
關(guān)于“Docker啟用TLS實(shí)現(xiàn)安全配置的方法”這篇文章的內(nèi)容就介紹到這里,感謝各位的閱讀!相信大家對(duì)“Docker啟用TLS實(shí)現(xiàn)安全配置的方法”知識(shí)都有一定的了解,大家如果還想學(xué)習(xí)更多知識(shí),歡迎關(guān)注億速云行業(yè)資訊頻道。
免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng),如果涉及侵權(quán)請(qǐng)聯(lián)系站長(zhǎng)郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。