Docker开启远程访问
参考:
https://blog.csdn.net/alinyua/article/details/81086124
https://docs.docker.com/engine/security/https/
https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
https://docs.docker.com/config/daemon/
https://docs.docker.com/engine/reference/commandline/dockerd/
https://docs.docker.com/install/linux/linux-postinstall/
1.制作证书
- 服务端证书
mkdir cert
openssl genrsa -aes256 -out ca-key.pem 4096
# belle
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
# -days 365设置证书的有效期。单位为天,默认情况下为30天。
# 输入密码belle,设置信息
openssl genrsa -out server-key.pem 4096
# $HOST 域名
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
echo subjectAltName = DNS:belle.net.cn,IP:10.234.7.95,IP:10.234.7.94,IP:10.234.7.73,IP:10.234.7.131,IP:10.234.7.97, IP:10.240.18.9,IP:10.240.18.10,IP:10.240.18.11>> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf
- 客户端证书,继续当前目录下
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
mv extfile.cnf extfile.cnf.old
echo extendedKeyUsage = clientAuth >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out cert.pem -extfile extfile.cnf- 配置证书
rm -v client.csr server.csr
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem2.设置docker
- 配置
/etc/docker/daemon.json文件如下
{
"tlsverify": true,
"tlscacert": "/etc/epp/epp_data_center/cert/ca.pem",
"tlscert": "/etc/epp/epp_data_center/cert/server-cert.pem",
"tlskey": "/etc/epp/epp_data_center/cert/server-key.pem",
"hosts": ["tcp://0.0.0.0:2375","unix:///var/run/docker.sock"]
}- 重启docker
systemctl daemon-reload
systemctl restart docker3.验证远程控制
# 复制证书至其他机器上后,执行
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2375 version