Docker---docker生产环境之TLS通讯加密
Docker---docker生产环境之TLS通讯加密
一: 在docker中搭建TLS加密
- 在公司的docker业务中,一般为了防止链路劫持、会话劫持等问题导致docker通信时被中间人***,c/s两端应该通过加密方式通讯。
- 流程: 秘钥key---> 身份前面csr---->(服务器/客户端) (结合ca.pem) 制作证书pem
#实验环境
| 角色 | IP地址 | 软件包 |
| ---------------------- | ------------------ | --------- |
| master(docker服务端) | 192.168.100.200/24 | docker-ce |
| client(docker客户端) | 192.168.100.190/24 | docker-ce |
通过在服务端上创建tls密钥证书,再下发给客户端,客户端通过私钥访问容器,这样就保证的docker通讯的安全性
CA证书只是一个官方认证的证书
接下来要创建server、client节点的证书
此时创建证书有三步
1.设置私钥 确保安全加密
2.私钥签名 确保身份真实不可抵赖
3.制作证书
csr是一个签名文件
#---------------------------------------master操作
1.环境部署
echo "127.0.0.1 master" >> /etc/hosts
ping master "要能ping通"
2.创建ca秘钥
mkdir /root/tls && cd /root/tls
openssl genrsa -aes256 -out ca-key.pem 4096 '//使用rsa非对称秘钥,位数256位,-out 输出密钥文件ca-key.pem'
ls
"包含ca-key.pem"
3.创建ca证书 '//输入CA秘钥密码123123'
openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
ls
"包含ca-key.pem ca.pem"
4.创建服务器server私钥
openssl genrsa -out server-key.pem 4096 '//创建服务器秘钥'
ls
"ca-key.pem ca.pem server-key.pem"
5.创建服务器server签名私钥
openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
ls
"ca-key.pem ca.pem server.csr server-key.pem"
6.使用ca证书和签名私钥,创建server-cert.pem证书 "输入123123密码"
openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
ls
"ca-key.pem ca.pem ca.srl server-cert.pem server.csr server-key.pem"
7.生成客户端client密钥
openssl genrsa -out key.pem 4096
ls
"ca-key.pem ca.pem ca.srl key.pem server-cert.pem server.csr server-key.pem"
8.生成客户端client签名
openssl req -subj "/CN=client" -new -key key.pem -out client.csr
ls
"ca-key.pem ca.pem ca.srl client.csr key.pem server-cert.pem server.csr server-key.pem"
9.创建配置文件
echo extendedKeyUsage=clientAuth > extfile.cnf
ls
"ca-key.pem ca.srl extfile.cnf server-cert.pem server-key.pem ca.pem client.csr key.pem server.csr"
10.创建签名证书,输入123123密码
openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf '//基于ca证书,ca秘钥生成签名证书'
ls
"ca-key.pem ca.srl client.csr key.pem server.csr ca.pem cert.pem extfile.cnf server-cert.pem server-key.pem"
11.删除多余文件(也可以不删)
rm -rf ca.srl client.csr extfile.cnf server.csr /tmp
ls
"ca-key.pem ca.pem cert.pem key.pem server-cert.pem server-key.pem"
12.修改docker的配置文件,并且重启服务
vi /usr/lib/systemd/system/docker.service
#ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock "注释"
添加ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/root/tls/ca.pem --tlscert=/root/tls/server-cert.pem --tlskey=/root/tls/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock
systemctl daemon-reload
systemctl restart docker
13.将(ca.pem)ca证书,(cert.pem)签名证书,(key.pem)客户端密钥复制到client的/etc/docker目录下
scp ca.pem [email protected]:/etc/docker/
scp cert.pem [email protected]:/etc/docker/
scp key.pem [email protected]:/etc/docker/
#--------------------------Client操作
1.在client上设置基本环境,且验证TLS
echo "192.168.100.200 master" >> /etc/hosts
ping master
ls /etc/docker/
"ca.pem cert.pem daemon.json key.json key.pem"
cd /etc/docker/ "在/etc/docker/执行以下命令"
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2376 version
2.测试
----master
docker pull nginx
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2376 images
"master能查看到自己本地的镜像"
----client
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2376 images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 7e4d58f0e5f3 2 weeks ago 133MB
"client也能查看到"
//报错内容
[root@master tls]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2375 images
Cannot connect to the Docker daemon at tcp://master:2375. Is the docker daemon running?
[root@master tls]# docker --tlsverify --tlscacert=ca.pem --tlskey=server-key.pem --tlscert=server-cert.pem -H tcp://server:2376 images
error during connect: Get https://server:2376/v1.40/images/json: dial tcp: lookup server on 114.114.114.114:53: no such host
//报错一般是端口错误或者证书错误