1. Docker fully opens remote access
The Docker service is fully open to external access and the operations are as follows:
# 开启端口命令 (--permanent永久生效,没有此参数重启后失效)
firewall-cmd --zone=public --add-port=2375/tcp --permanent
# 重新载入
firewall-cmd --reload
# 使用 vim 编辑docker服务配置文件
vim /lib/systemd/system/docker.service
# 找到如下配置行
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
# 将其注释掉或者直接删除,替换成下面的配置行.然后保存退出
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
# 重新加载docker配置并重启服务
systemctl daemon-reload && systemctl restart docker
# 然后直接在命令行客户端输入如下命令,IP地址改为自己的
curl http://192.168.56.20:2375/version
# 或者在浏览器直接访问,IP地址改为自己的
http://192.168.56.20:2375/version
If the following information appears, it means that the remote access settings of the Docker service have been modified successfully.
Special points to note: Fully opening Docker's external access rights may be attacked by others. This is very unsafe. As long as others know your server address, they can connect to your Docker service at will without any authentication. Therefore, Fully open is only recommended for use on your own intranet, and is not recommended for full openness directly on the cloud server.
2. Docker opens remote access and enables authentication and communication encryption.
In order to solve the above security risks caused by Docker's fully open remote access, we need to perform communication authentication and encryption on the Docker service. The operation is as follows: First,
create a file directory to store certificates and private keys.
mkdir -p /data/certificate/linux-ca && cd /data/certificate/linux-ca
Then perform the following operations under the linux-ca folder:
- Generate a self-signed root certificate and private key:
Execute the following command to generate a root certificate private key file (for exampleca-key.pem
):
b. Execute the following command to generate a root certificate file (for exampleopenssl genrsa -aes256 -passout pass:123456 -out ca-key.pem 4096
ca.pem
) and sign it with the private key. When you generate a certificate, you assign it a validity period, usually a few years.# 直接指定证书的主题信息 openssl req -x509 -new -key ca-key.pem -sha256 -days 365 -passin pass:123456 -out ca.pem
- Generate a self-signed server certificate and private key:
a. Execute the following command to generate a private key file (for exampleserver-key.pem
):
b. Execute the following command to generate a certificate signing request file (for exampleopenssl genrsa -out server-key.pem 4096
server.csr
).
When generating a CSR file, you need to provide some information, such as organization name, organizational unit, country, etc.
c. Execute the following command to generate a self-signed server certificate (for example# 直接指定证书的主题信息 openssl req -new -key server-key.pem -out server.csr
server-cert.pem
) and sign it with the CSR file and private key.echo extendedKeyUsage = serverAuth >> extfile-server.cnf openssl x509 -req -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -days 365 -sha256 -passin pass:123456 -out server-cert.pem -extfile extfile-server.cnf
- Generate a self-signed client certificate and private key:
a. Execute the following command to generate a client private key file (for examplekey.pem
):
b. Execute the following command to generate a client certificate signing request file (for exampleopenssl genrsa -out key.pem 4096
client.csr
). When generating a CSR file, you need to provide some information, such as organization name, organizational unit, country, etc.
c. Execute the following command to generate a self-signed client certificate (for exampleopenssl req -new -key key.pem -out client.csr
cert.pem
) and sign it with the CSR file and private key. When you generate a certificate, you assign it a validity period, usually a few years.echo extendedKeyUsage = clientAuth > extfile-client.cnf openssl x509 -req -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -days 365 -sha256 -passin pass:123456 -out cert.pem -extfile extfile-client.cnf
Delete the four redundant request files:
rm -f server.csr client.csr extfile-server.cnf extfile-client.cnf
After completing the above steps, you will get the following files:
- Root certificate file:
ca.pem
- Root certificate private key file:
ca-key.pem
- Server-side certificate file:
server-cert.pem
- Server-side private key file:
server-key.pem
- Client certificate file:
cert.pem
- Client private key file:
key.pem
Special attention should be paid to the following four points:
4. The root certificate name must be ca.pem
5. The client certificate must be cert.pem
6. The client private key must be key.pem
7. The server must be added when entering the commonName information IP address, otherwise Docker may fail to start.
8. When the server and client create private keys, you cannot add an additional encryption password, otherwise the server and client will not be able to parse it.
Then configure the Docker daemon configuration file daemon.json. The specific operations are as follows:
# 先查看 /etc/docker/daemon.json 是否存在,如果不存在则创建,存在则直接修改
cat /etc/docker/daemon.json
mkdir -p /etc/docker
tee /etc/docker/daemon.json <<-'EOF'
{
"tls": true,
"tlsverify": true,
"tlscacert": "/data/certificate/linux-ca/ca.pem",
"tlscert": "/data/certificate/linux-ca/server-cert.pem",
"tlskey": "/data/certificate/linux-ca/server-key.pem",
"registry-mirrors": [
"http://hub-mirror.c.163.com",
"https://ung2thfc.mirror.aliyuncs.com",
"https://mirror.ccs.tencentyun.com",
"https://registry.docker-cn.com",
"https://docker.mirrors.ustc.edu.cn",
"https://mirror.baidubce.com"
]
}
EOF
systemctl daemon-reload && systemctl restart docker
In the above operation, we need to fill in the correct certificate and private key storage address. If you follow my steps above, there is no problem and you don’t need to change anything. If the storage address of your certificate and private key is a self-defined address, then you need to modify the address in daemon.json accordingly.
After completing the above content, we cannot obtain information when using https://192.168.56.10:2375/version in the browser, prompting that identity authentication is required.
3. Quickly complete Docker service activation authentication and communication encryption
In order to solve the problem of the cumbersome process in the second step, I wrote two automated configuration Shell scripts and uploaded them to the public network. They can help us complete all the processes in the second step very quickly. You can choose to use me directly
. The created script operates as follows:
# 证书脚本
curl -O https://backup-1305596318.cos.ap-guangzhou.myqcloud.com/shell/cert.sh
chmod +x cert.sh
source cert.sh
# Docker守护进程脚本
curl -O https://backup-1305596318.cos.ap-guangzhou.myqcloud.com/shell/daemon.sh
chmod +x daemon.sh
source daemon.sh
If you create it yourself and then use it, you can refer to the following steps. The specific operations are as follows:
3.1 First is the Shell script to create the certificate and private key
We only need to create a cert.sh script file with any name, and then fill in the following content:
#!/bin/bash
# 从控制台读取必要输入信息
read -p "please input the cert store path: " certDir
echo your cert store path is: "$certDir"
read -p "please input the ca-key's password: " password
echo your password is: "$password"
read -p "please input the IP of your server: " ip
echo your server IP is: "$ip"
# 检查输入的证书路径是否已经存在
# 如果不存在,则创建;如果存在则删除后创建
if [ ! -d "$certDir" ]; then
echo ""
echo "$certDir , not exist, it will be create"
echo ""
mkdir -p $certDir
else
echo ""
echo "$certDir , already exist , it will be delete then create"
echo ""
rm -rf $certDir
mkdir -p $certDir
fi
cd $certDir
# 定义服务端证书扩展配置
server_conf="[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = CN
stateOrProvinceName = JX
localityName = SR
organizationName = PY
organizationalUnitName = XS
commonName = $ip
emailAddress = [email protected]
[v3_req]
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 0.0.0.0"
# 将服务端证书的扩展配置写入extfile-server.cnf文件
echo "$server_conf" > extfile-server.cnf
# 定义客户端证书扩展配置
client_conf="[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = CN
stateOrProvinceName = JX
localityName = SR
organizationName = PY
organizationalUnitName = XS
commonName = $ip
emailAddress = [email protected]
[v3_req]
extendedKeyUsage = clientAuth"
# 将客户端证书的扩展配置写入extfile-client.cnf文件
echo "$client_conf" > extfile-client.cnf
# 创建根证书RSA私钥
openssl genrsa -aes256 -passout pass:$password -out ca-key.pem 4096
# 创建CA证书
openssl req -new -x509 -days 365 -key ca-key.pem -passin pass:$password -sha256 -out ca.pem -subj "/C=CN/CN=$ip"
# 创建服务端私钥
openssl genrsa -out server-key.pem 4096
# 创建服务端签名请求证书文件
openssl req -subj "/CN=$ip" -sha256 -new -key server-key.pem -out server.csr
# 创建签名生效的服务端证书文件
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:$password" -CAcreateserial -out server-cert.pem -extfile extfile-server.cnf
# 创建客户端私钥
openssl genrsa -out key.pem 4096
# 创建客户端签名请求证书文件
openssl req -subj "/CN=$ip" -new -key key.pem -out client.csr
# 创建签名生效的客户端证书文件
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:$password" -CAcreateserial -out cert.pem -extfile extfile-client.cnf
# 删除多余文件
# 使用了 -v 参数,rm 命令将会显示每个被删除的文件或目录的名称,以便您能够看到操作的进展和结果。
rm -f -v client.csr server.csr extfile-server.cnf extfile-client.cnf
# 为所有用户设置对这些文件的读取权限
chmod -v 444 ca-key.pem key.pem server-key.pem
chmod -v 444 ca.pem server-cert.pem cert.pem
This script only requires us to enter three parameters in the console: the storage address of the certificate and private key, the root private key password, and the server IP address . There is nothing else to do.
If you follow the above steps to create the cert.sh script file and fill in the script content, then we can execute the script through the following command
source /xxx/cert.sh
Use the source command followed by the absolute address or relative address of the script to execute the script.
3.2 Create Docker daemon configuration script
We create a daemon.sh script file with any name, and then fill in the following content:
#!/bin/bash
# 读取控制台输入,需要输入一个目录
read -p "please input the cert store path: " certDir
echo your cert store path is: "$certDir"
# 检查输入的证书路径是否已经存在
# 如果不存在,则直接退出
if [ ! -d "$certDir" ]; then
echo ""
echo "$certDir , not exist, please input a correct cert path"
exit
fi
json_content='{
"tls": true,
"tlsverify": true,
"tlscacert": "$certDir/ca.pem",
"tlscert": "$certDir/server-cert.pem",
"tlskey": "$certDir/server-key.pem",
"registry-mirrors": [
"http://hub-mirror.c.163.com",
"https://ung2thfc.mirror.aliyuncs.com",
"https://mirror.ccs.tencentyun.com",
"https://registry.docker-cn.com",
"https://docker.mirrors.ustc.edu.cn",
"https://mirror.baidubce.com"
]
}'
# 替换变量
json_content=$(echo "$json_content" | sed "s|\$certDir|$certDir|g")
daemonDir='/etc/docker'
# 如果docker配置目录不存在则创建;存在则删除后创建
if [ ! -d "$daemonDir" ]; then
echo ""
echo "$daemonDir not exist, it will be create"
mkdir -p "$daemonDir" && cd "$daemonDir"
# 将替换后的内容保存到新的 JSON 文件
echo "$json_content" > "$daemonDir/daemon.json"
else
echo ""
echo "$daemonDir already exist, it will be delete then create"
rm -rf "$daemonDir"
mkdir -p "$daemonDir" && cd "$daemonDir"
# 将替换后的内容保存到新的 JSON 文件
echo "$json_content" > "$daemonDir/daemon.json"
fi
systemctl daemon-reload && systemctl restart docker
Then we can execute the script through the source command followed by the absolute address or relative address of the script.
source /xxx/daemon.sh
This script mainly performs three settings: communication encryption, service authentication, and image acceleration configuration for the Docker service. The usage method is the same as the previous script. During the execution of the script, we will be prompted to enter the storage address of the previously created certificate and private key. We must fill in the correct address, otherwise the Docker service will not be able to read the certificate and private key.
4. IDEA connects to Docker service
Download the certificate folder to Windows locally.
You only need these three files: ca.pem, cert.pem, key.pem. Download them locally and load them into a folder. In the
specific IDEA configuration, you can follow the following Steps to set up:
- Open IDEA and enter Settings.
- Navigate to the Docker section (usually Docker under Build, Execution, Deployment).
- Find the TCP socket configuration options below Connect to Docker daemon with configuration
- Fill in the Docker service connection address in the Engine API URL, for example: https://192.168.56.10:2375
- Select the folder containing three certificate files in the Certificates folder to authenticate the client to the server.
- Save the settings and try to connect to the Docker service.
It should be noted that the specific setting steps may vary depending on the version of IDEA. Please make appropriate adjustments according to the version you are using.
5. Maven connects Docker service
Sometimes we need to configure our own project to configure the connection configuration of the Docker service to facilitate quick project packaging and deployment in Docker. Therefore, we need the following configuration:
<!-- 项目maven插件统一管理 -->
<pluginManagement>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>${maven-compiler.version}</version>
<configuration>
<source>${java.version}</source>
<target>${java.version}</target>
<encoding>${project.build.sourceEncoding}</encoding>
</configuration>
</plugin>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<version>${spring-boot.version}</version>
</plugin>
<!-- docker插件,用于制作镜像 -->
<plugin>
<groupId>com.spotify</groupId>
<artifactId>docker-maven-plugin</artifactId>
<version>${docker-maven.version}</version>
<!-- docker配置 -->
<configuration>
<!-- docker远程地址 -->
<dockerHost>${docker.host}</dockerHost>
<!-- docker打包镜像名称 -->
<imageName>${docker.image.prefix}/${project.artifactId}:${project.version}</imageName>
<!-- DockerFile的存放位置 -->
<dockerDirectory>${project.basedir}</dockerDirectory>
<!-- 由于docker服务使用加密通信,开启了认证,因此需要提供通信证书 -->
<dockerCertPath>C:\Users\23203\Desktop\linux-ca</dockerCertPath>
<!-- 配置制作镜像时需要依赖的资源,此处依赖项目jar包 -->
<resources>
<resource>
<targetPath>/</targetPath>
<directory>${project.build.directory}</directory>
<include>${project.build.finalName}.jar</include>
</resource>
</resources>
</configuration>
</plugin>
</plugins>
</pluginManagement>
Because the configuration is too long, I only selected the key parts to display. If you want to configure the full configuration, you can leave me a message or send me a private message.
If you think my blog is good, don’t forget to like and favorite it. It would be even better if you can also comment and communicate! ! !