When Docker's remote access port is opened, prevent unauthorized access by:
- configuring certificate authentication
- configuring the firewall or security policy
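#!/bin/bash
# docker.tls.sh
# Environment: CentOS 7, run as root.
#
# Creates a private CA plus server and client certificates for the Docker
# daemon's TCP endpoint, installs them under ~/.docker, appends the TLS
# options to the ExecStart line of /lib/systemd/system/docker.service and
# prints the matching client commands. The daemon is NOT restarted here;
# run "systemctl restart docker" afterwards.
#
# PASSWORD and IP may be supplied from the environment instead of editing
# the script; the PASSWORD default below is a placeholder and should be
# overridden on any real host.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

##########配置信息 (configuration)
Port=2376
Node=$(hostname)
# First address of an ens*/eth* interface (original sed pattern kept). Only
# the first match is used so the CN and the subjectAltName never receive
# several lines when the host has more than one such interface.
mapfile -t _ips < <(ip add | sed -nr 's#^.*inet (.*)/[1-9].*(ens|eth).*$#\1#gp')
IP=${IP:-${_ips[0]:-}}
# Passphrase protecting the CA private key.
PASSWORD="${PASSWORD:-88888888}"
COUNTRY="CN"
STATE="Shanghai"
CITY="Shanghai"
ORGANIZATION="Elven"
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
EMAIL="[email protected]"

(( EUID == 0 )) || die "this script must be run as root"
command -v openssl >/dev/null || die "openssl not found"
[[ -n "$IP" ]] || die "could not determine the host IP (no ens*/eth* address found); set IP=... and re-run"

##########生成证书 (certificate generation)
# The CA passphrase is passed to openssl via the environment (env:PASSWORD)
# rather than "pass:..." on the command line, so it is not visible in ps.
export PASSWORD
subj="/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"

echo "#CA"
# Generate CA key (stderr silenced: genrsa only prints progress output)
openssl genrsa -aes256 -passout env:PASSWORD -out "ca-key_$Node.pem" 4096 2>/dev/null \
  || die "CA key generation failed"
# Generate CA certificate
openssl req -new -x509 -days 730 -key "ca-key_$Node.pem" -sha256 -out "ca_$Node.pem" \
  -passin env:PASSWORD -subj "$subj" 2>/dev/null \
  || die "CA certificate generation failed"

echo "#Server"
# Generate server key
openssl genrsa -out "server-key_$Node.pem" 4096 2>/dev/null \
  || die "server key generation failed"
# Generate server CSR
openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key_$Node.pem" -out server.csr \
  || die "server CSR generation failed"
# Written with ">" (not appended) so a previous run cannot leave stale
# extensions in the file.
printf 'subjectAltName = IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' "$IP" > extfile.cnf
openssl x509 -req -days 730 -sha256 -in server.csr -passin env:PASSWORD \
  -CA "ca_$Node.pem" -CAkey "ca-key_$Node.pem" -CAcreateserial \
  -out "server-cert_$Node.pem" -extfile extfile.cnf \
  || die "server certificate signing failed"

echo "#Client"
openssl genrsa -out "client-key_$Node.pem" 4096 2>/dev/null \
  || die "client key generation failed"
openssl req -subj '/CN=client' -new -key "client-key_$Node.pem" -out client.csr \
  || die "client CSR generation failed"
# Separate extension file for the client. The original appended clientAuth
# to extfile.cnf, so the client certificate was signed with the server's
# subjectAltName and serverAuth extensions as well.
printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
openssl x509 -req -days 730 -sha256 -in client.csr -passin env:PASSWORD \
  -CA "ca_$Node.pem" -CAkey "ca-key_$Node.pem" -CAcreateserial \
  -out "client-cert_$Node.pem" -extfile extfile-client.cnf \
  || die "client certificate signing failed"

# Private keys owner-read-only (the CA key included, which the original
# left at the default mode); public certificates world-readable.
chmod 0400 "ca-key_$Node.pem" "client-key_$Node.pem" "server-key_$Node.pem"
chmod 0444 "ca_$Node.pem" "server-cert_$Node.pem" "client-cert_$Node.pem"

##########docker配置 (docker configuration)
echo
echo "# Copy Certificate"
mkdir -p ~/.docker
# server certificate
cp -avf "ca_$Node.pem" "server-cert_$Node.pem" "server-key_$Node.pem" ~/.docker
# client certificate files
cp -avf "client-cert_$Node.pem" "client-key_$Node.pem" ~/.docker/
# pack the client certificate bundle (CA cert + client cert + client key)
tar -zcf "docker-tls-client_$Node.tar.gz" "client-cert_$Node.pem" "ca_$Node.pem" "client-key_$Node.pem"
cp -af "docker-tls-client_$Node.tar.gz" ~/.docker/
ls -hl "$PWD"/docker-tls*

echo
echo "# modify docker startup item /lib/systemd/system/docker.service"
unit=/lib/systemd/system/docker.service
# --tlsverify, not --tls: --tls alone only encrypts the connection and still
# accepts any client, which would leave the daemon (root-equivalent) open on
# $Port. --tlsverify additionally requires a client certificate signed by
# our CA. -H 0.0.0.0 listens on every interface; restrict who can reach the
# port with the firewall as well.
OPTS="--tlsverify \
  --tlscacert=$HOME/.docker/ca_${Node}.pem \
  --tlscert=$HOME/.docker/server-cert_${Node}.pem \
  --tlskey=$HOME/.docker/server-key_${Node}.pem \
  -H 0.0.0.0:${Port}"
[[ -f "$unit" ]] || die "$unit not found"
# Patch only once: re-running the script must not append the options again.
if grep -q -- '--tlscacert' "$unit"; then
  printf 'warn: %s already contains TLS options, ExecStart left unchanged\n' "$unit" >&2
else
  sed -i "s#^ExecStart.*#& $OPTS#" "$unit"
fi
grep '^ExecStart' "$unit" || die "no ExecStart line found in $unit"
systemctl daemon-reload

echo
echo "# client remote connection"
echo "docker -H $IP:${Port} --tlsverify --tlscacert ~/.docker/ca_$Node.pem --tlscert ~/.docker/client-cert_$Node.pem --tlskey ~/.docker/client-key_$Node.pem ps -a"
echo "# client connection using curl"
echo "curl --cacert ~/.docker/ca_$Node.pem --cert ~/.docker/client-cert_$Node.pem --key ~/.docker/client-key_$Node.pem https://$IP:${Port}/containers/json"

#clean
# Only the signing artefacts are removed. The original cleanup pattern
# appears to have matched ca*.pem as well, which would have deleted the CA
# private key (it is not copied anywhere); that key is needed to issue
# further client certificates, so it is kept here and must be stored safely.
rm -f -- ./*.srl server.csr client.csr extfile.cnf extfile-client.cnf

echo
printf '\033[1;32m# restart docker to take effect: systemctl restart docker\033[0m\n'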