Docker remote connections with TLS encryption

The article "Docker remote connection settings" describes how to enable remote connections to Docker, but that method is unsafe, because any client that can reach the IP address of the Docker service can connect to it. Today we look at the secure remote connection that Docker officially recommends: a TLS-encrypted connection whose security is guaranteed by certificates.

Official documentation

The authoritative official document is here: https://docs.docker.com/engine/security/https/

Environment

The environment used in this walkthrough is as follows:

  1. The machine running the Docker service (referred to below as machine A): CentOS Linux release 7.6.1810
  2. Docker service version: 1.13.1
  3. Another machine used to verify the remote connection (referred to below as machine B): CentOS 7.6, with Docker client 1.13.1 installed

Steps

The actual steps are as follows:

  1. Generate the certificates: CA, server and client;
  2. Configure the Docker service on machine A for TLS connections;
  3. Connect remotely from machine B to the Docker service on machine A;

Generating the certificates (machine A)

  1. Create a directory on the Linux server and change into it; here I use /root/work.
  2. Create the RSA private key for the root certificate:
openssl genrsa -aes256 -out ca-key.pem 4096
  The command prompts "Enter pass phrase for ca-key.pem"; this is the password protecting the key. I entered 1234, pressed Enter, and typed the same password again when asked to confirm. The CA private key file ca-key.pem is then generated in the current directory.
  3. Use the CA private key to create the CA certificate. Here we issue it ourselves, although it could also be issued by a third-party CA:
openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem

The generated ca.pem file is the CA certificate.

  4. Create the server private key:
openssl genrsa -out server-key.pem 4096

The generated server-key.pem file is the server private key.

  5. Generate the server certificate signing request (CSR; it contains the server's public key):
openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr

The generated server.csr file is the server certificate signing request.

  6. Generate the signed server certificate (you will be asked for the CA key password, 1234):
openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem

The generated server-cert.pem file is the signed server certificate.

  7. Generate the client private key:
openssl genrsa -out key.pem 4096

The generated key.pem file is the client private key.

  8. Generate the client certificate signing request:
openssl req -subj "/CN=client" -new -key key.pem -out client.csr

The generated client.csr file is the client certificate signing request.

  9. Create a configuration file named extfile.cnf that restricts the certificate to client authentication:
echo extendedKeyUsage=clientAuth > extfile.cnf
  10. Generate the signed client certificate (you will be asked for the CA key password, 1234):
openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
  11. Delete the files that are no longer needed:
rm -rf ca.srl client.csr extfile.cnf server.csr
  12. The following files remain:

File name        Purpose
ca.pem           CA certificate
ca-key.pem       RSA private key of the root (CA) certificate
cert.pem         client certificate
key.pem          client private key
server-cert.pem  server certificate
server-key.pem   server private key

At this point all the certificate files have been created; next we configure TLS on the Docker service.
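As an added example (not the original post's commands), here is the same certificate procedure as a non-interactive shell script, extended with a subjectAltName on the server certificate so that it also verifies by IP address, plus the openssl checks worth running before pointing dockerd at the files. The function names, the CA_PASS environment variable and the docker-ca subject are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the certificate steps above made non-interactive,
# plus the checks worth running before pointing dockerd at the files. Assumed names:
# CA_PASS (env var holding the CA key passphrase), make_docker_tls_certs, verify_docker_tls_certs.
set -eu

# $1 = output directory, $2 = daemon hostname, $3 = daemon IP, $4 = RSA key size (default 4096)
make_docker_tls_certs() {
  local dir="$1" host="$2" ip="$3" bits="${4:-4096}"
  export CA_PASS="${CA_PASS:?set CA_PASS to the CA key passphrase}"  # replaces the interactive prompt
  mkdir -p "$dir"
  (
    cd "$dir"
    # CA: passphrase-protected private key and self-signed certificate
    openssl genrsa -aes256 -passout env:CA_PASS -out ca-key.pem "$bits"
    openssl req -new -x509 -days 1000 -key ca-key.pem -passin env:CA_PASS -sha256 \
      -subj "/CN=docker-ca" -out ca.pem
    # Server: the SAN extfile makes the cert valid for the hostname AND the IP, so clients can
    # verify either way (the post's CN=* server cert only verifies via the /etc/hosts name)
    openssl genrsa -out server-key.pem "$bits"
    openssl req -subj "/CN=$host" -sha256 -new -key server-key.pem -out server.csr
    printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' "$host" "$ip" > server-ext.cnf
    openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
      -passin env:CA_PASS -CAcreateserial -out server-cert.pem -extfile server-ext.cnf
    # Client: clientAuth only, as in the post, so a leaked client cert cannot impersonate the daemon
    openssl genrsa -out key.pem "$bits"
    openssl req -subj "/CN=client" -new -key key.pem -out client.csr
    echo extendedKeyUsage=clientAuth > client-ext.cnf
    openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
      -passin env:CA_PASS -CAcreateserial -out cert.pem -extfile client-ext.cnf
    rm -f ca.srl server.csr client.csr server-ext.cnf client-ext.cnf
    chmod 0400 ca-key.pem server-key.pem key.pem   # private keys: owner-read only
    chmod 0444 ca.pem server-cert.pem cert.pem
  )
}

# Prints "ok" when both leaf certs chain to ca.pem for their intended purpose only,
# and the server cert actually names the host and IP that clients will connect to.
verify_docker_tls_certs() {
  local dir="$1" host="$2" ip="$3" srv
  openssl verify -CAfile "$dir/ca.pem" -purpose sslserver "$dir/server-cert.pem" >/dev/null || return 1
  openssl verify -CAfile "$dir/ca.pem" -purpose sslclient "$dir/cert.pem" >/dev/null || return 1
  # a clientAuth-only cert must be rejected as a server cert
  openssl verify -CAfile "$dir/ca.pem" -purpose sslserver "$dir/cert.pem" >/dev/null 2>&1 && return 1
  srv=$(openssl x509 -in "$dir/server-cert.pem" -noout -text)
  echo "$srv" | grep -q "DNS:$host" || return 1
  echo "$srv" | grep -q "IP Address:$ip" || return 1
  echo ok
}
```

On machine A, export CA_PASS and call make_docker_tls_certs /root/work docker-daemon 192.168.121.138, then verify_docker_tls_certs with the same arguments; the files it leaves behind have the same names as the table above.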

Configuring TLS on the Docker service (machine A)

  1. Open the file /lib/systemd/system/docker.service and find the ExecStart line (marked with a red box in the screenshot in the original post).
  2. Replace that entire line with the following (the trailing backslash continues the command onto the next line of the unit file, as in the original):
ExecStart=/usr/bin/dockerd-current --tlsverify --tlscacert=/root/work/ca.pem --tlscert=/root/work/server-cert.pem --tlskey=/root/work/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock \
  3. Load the new configuration, then restart the Docker service:
systemctl daemon-reload && systemctl restart docker

With this configuration in place, the remote TLS connection can now be verified.

Verifying the remote TLS connection (machine B)

  1. Machine A, on which all the operations above were performed, has the IP address 192.168.121.138;
  2. Now prepare a second machine, B, with IP address 192.168.121.132, to test the TLS-encrypted remote connection to Docker on A;
  3. On machine A, run the following commands to copy the three files ca.pem, cert.pem and key.pem to the /root/work directory on machine B (create this directory on B in advance):
scp /root/work/ca.pem root@192.168.121.132:/root/work \
&& scp /root/work/cert.pem root@192.168.121.132:/root/work \
&& scp /root/work/key.pem root@192.168.121.132:/root/work
  4. The certificates were generated without allowing access to the server by IP address, so B cannot connect to A's Docker service using A's IP directly. B must reach A by hostname instead, so add a host entry on B (if B is Linux, configure it in /etc/hosts):
192.168.121.138 docker-daemon
  5. Run the following command on B to connect to the Docker service on A:
docker --tlsverify --tlscacert=/root/work/ca.pem --tlscert=/root/work/cert.pem --tlskey=/root/work/key.pem -H tcp://docker-daemon:2376 version

The console shows the following output, the Server part of which is the information of the Docker service on machine A:

Client:
 Version:         1.13.1
 API version:     1.26
 Package version: docker-1.13.1-102.git7f2769b.el7.centos.x86_64
 Go version:      go1.10.3
 Git commit:      b2f74b2/1.13.1
 Built:           Wed May  1 14:55:20 2019
 OS/Arch:         linux/amd64

Server:
 Version:         1.13.1
 API version:     1.26 (minimum version 1.12)
 Package version: docker-1.13.1-102.git7f2769b.el7.centos.x86_64
 Go version:      go1.10.3
 Git commit:      7f2769b/1.13.1
 Built:           Mon Aug  5 15:09:42 2019
 OS/Arch:         linux/amd64
 Experimental:    false
  6. Attempts to connect without the certificates all fail, as the following tries show:
[root@centos7 work]# docker -H tcp://192.168.121.138:2375 images
Cannot connect to the Docker daemon at tcp://192.168.121.138:2375. Is the docker daemon running?
[root@centos7 work]# docker -H tcp://docker-daemon:2375 images
Cannot connect to the Docker daemon at tcp://docker-daemon:2375. Is the docker daemon running?
[root@centos7 work]# docker -H tcp://192.168.121.138:2376 images
Get http://192.168.121.138:2376/v1.26/images/json: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02".
* Are you trying to connect to a TLS-enabled daemon without TLS?
[root@centos7 work]# docker -H tcp://docker-daemon:2376 images
Get http://docker-daemon:2376/v1.26/images/json: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02".
* Are you trying to connect to a TLS-enabled daemon without TLS?

The bytes quoted in the last two errors (\x15\x03\x01...) are the beginning of a TLS alert record: the daemon now answers a plaintext HTTP request with a fatal TLS alert instead of an HTTP response, so the port no longer accepts unencrypted connections. This completes the walkthrough of TLS-encrypted remote connections to Docker; I hope it serves as a reference for setting up your own secure remote Docker connection.

Source: www.cnblogs.com/bolingcavalry/p/11482827.html