Docker TLS certificate authentication for remote access (shell script)

When opening Docker's remote access port, prevent unauthorized access by:

  • Configuring certificate authentication
  • Configure the firewall or security policy

 

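#!/bin/bash
# docker.tls.sh
# Environment: CentOS 7, run as root.
# Creates the CA, server and client certificates for Docker TLS client
# authentication. The server certificate carries serverAuth only and the
# client certificate clientAuth only, so neither can be presented as the other.
set -euo pipefail
umask 077   # private keys must never be created world-readable, not even briefly

########## Configuration

Port=2376
Node=$(hostname)
# First IPv4 address found on an ens*/eth* interface; override with IP=<address>
# in the environment. Only the first match is used so the SAN stays a single address.
if [[ -z "${IP:-}" ]]; then
  read -r IP < <(ip add | sed -nr 's#^.*inet (.*)/[1-9].*(ens|eth).*$#\1#gp') || true
fi
: "${IP:?could not determine the host IP; set IP=<address> in the environment}"

# CA key passphrase: taken from CA_PASSWORD in the environment, otherwise prompted
# for. It is never hardcoded here, and it is handed to openssl via env: rather than
# pass: so it does not appear in process listings.
if [[ -z "${CA_PASSWORD:-}" ]]; then
  read -rsp "CA key passphrase: " CA_PASSWORD
  echo
fi
: "${CA_PASSWORD:?CA passphrase must not be empty}"
export CA_PASSWORD

COUNTRY="CN"
STATE="Shanghai"
CITY="Shanghai"
ORGANIZATION="Elven"
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
EMAIL="[email protected]"   # replace with a real contact address before use
DAYS=730                    # validity of CA, server and client certificates
CA_KEY="ca-key_$Node.pem"
CA_CERT="ca_$Node.pem"

########## Certificate generation
# openssl output is left visible: with set -e a failing step aborts the script,
# and the error it printed is the only way to tell what went wrong.

echo "#CA"
openssl genrsa -aes256 -passout env:CA_PASSWORD -out "$CA_KEY" 4096
openssl req -new -x509 -days "$DAYS" -key "$CA_KEY" -sha256 -out "$CA_CERT" -passin env:CA_PASSWORD \
  -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"

echo "#Server"
openssl genrsa -out "server-key_$Node.pem" 4096
openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key_$Node.pem" -out server.csr
# Extension files are written with '>' so nothing from an earlier run lingers, and
# server and client get separate files: sharing one file would give the client
# certificate the server's SAN and serverAuth as well.
printf 'subjectAltName = IP:%s,IP:127.0.0.1,DNS:%s\n' "$IP" "$Node" > extfile.cnf
printf 'extendedKeyUsage = serverAuth\n' >> extfile.cnf
openssl x509 -req -days "$DAYS" -sha256 -in server.csr -passin env:CA_PASSWORD \
  -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial -out "server-cert_$Node.pem" -extfile extfile.cnf

echo "#Client"
openssl genrsa -out "client-key_$Node.pem" 4096
openssl req -subj '/CN=client' -new -key "client-key_$Node.pem" -out client.csr
printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
openssl x509 -req -days "$DAYS" -sha256 -in client.csr -passin env:CA_PASSWORD \
  -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial -out "client-cert_$Node.pem" -extfile extfile-client.cnf

# The CA key gets the same read-only-by-owner protection as the other private keys.
chmod 0400 "$CA_KEY" "client-key_$Node.pem" "server-key_$Node.pem"
chmod 0444 "$CA_CERT" "server-cert_$Node.pem" "client-cert_$Node.pem"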

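########## Docker configuration
echo
echo "#Copy certificates"
DOCKER_DIR="$HOME/.docker"
mkdir -p "$DOCKER_DIR"
# server side: CA certificate, server certificate and server key
cp -avf "ca_$Node.pem" "server-cert_$Node.pem" "server-key_$Node.pem" "$DOCKER_DIR/"
# client side: client certificate and key
cp -avf "client-cert_$Node.pem" "client-key_$Node.pem" "$DOCKER_DIR/"
# bundle handed to the client: CA certificate + client certificate + client key
tar -zcf "docker-tls-client_$Node.tar.gz" "client-cert_$Node.pem" "ca_$Node.pem" "client-key_$Node.pem"
cp -af "docker-tls-client_$Node.tar.gz" "$DOCKER_DIR/"
ls -hl "$PWD"/docker-tls*

echo
echo "#Configure dockerd TLS (systemd drop-in)"
# A drop-in under /etc is used instead of editing /lib/systemd/system/docker.service:
# the packaged unit is overwritten on upgrade, and rewriting the drop-in is idempotent.
# --tlsverify (not merely --tls) is what makes the daemon require a client certificate
# signed by this CA; with --tls alone anyone who can reach the port has unauthenticated,
# root-equivalent access. The port is bound on all interfaces, so it still needs to be
# firewalled to the clients that should reach it.
exec_start=$(sed -n 's/^ExecStart=//p' /lib/systemd/system/docker.service | head -n1)
: "${exec_start:?ExecStart not found in /lib/systemd/system/docker.service}"
mkdir -p /etc/systemd/system/docker.service.d
cat > /etc/systemd/system/docker.service.d/tls.conf <<EOF
[Service]
ExecStart=
ExecStart=$exec_start --tlsverify \\
  --tlscacert=$DOCKER_DIR/ca_${Node}.pem \\
  --tlscert=$DOCKER_DIR/server-cert_${Node}.pem \\
  --tlskey=$DOCKER_DIR/server-key_${Node}.pem \\
  -H 0.0.0.0:${Port}
EOF
grep '^ExecStart' /etc/systemd/system/docker.service.d/tls.conf
systemctl daemon-reload

echo
echo "#Client: remote connection"
# The ~ is meant for the client host and is intentionally left unexpanded.
echo "docker -H $IP:${Port} --tlsverify --tlscacert ~/.docker/ca_$Node.pem --tlscert ~/.docker/client-cert_$Node.pem --tlskey ~/.docker/client-key_$Node.pem ps -a"
echo "#Client: connection test with curl"
echo "curl --cacert ~/.docker/ca_$Node.pem --cert ~/.docker/client-cert_$Node.pem --key ~/.docker/client-key_$Node.pem https://$IP:${Port}/containers/json"

#clean
# Only the intermediates are removed. The CA key is kept (mode 0400, not copied to
# $DOCKER_DIR) so further client certificates can be issued or rotated; store it offline.
rm -f -- *.srl *.csr *.cnf

echo
printf '\e[1;32m%s\n%s\e[0m\n' "#restart docker for the change to take effect" "systemctl restart docker"
#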

  


Origin www.cnblogs.com/elvi/p/10959232.html