{"id":1467,"date":"2024-07-30T12:45:38","date_gmt":"2024-07-30T04:45:38","guid":{"rendered":"http:\/\/www.jusesgod.com\/?p=1467"},"modified":"2024-07-30T12:45:44","modified_gmt":"2024-07-30T04:45:44","slug":"%e4%bd%bf%e7%94%a8tls%e4%bf%9d%e6%8a%a4dockerapi","status":"publish","type":"post","link":"http:\/\/www.jusesgod.com\/?p=1467","title":{"rendered":"\u4f7f\u7528TLS\u4fdd\u62a4DockerAPI"},"content":{"rendered":"\n

###\u4e0b\u6587\u4e2d\u6240\u6709\u7684 $HOST \u90fd\u4f7f\u7528docker daemon\u7684host\u7684DNS\uff0c\u57fa\u672c\u5c31\u662f\u670d\u52a1\u5668ip
\u6211\u4eec\u8981\u505a\u7684\u662f\uff0c\u5728dockerd\u4e2d \u4f7f\u7528 tlservify \u548c tlscacert \u6807\u8bc6\u6765\u4fe1\u4efb\u4e00\u4e2a CA \u8bc1\u4e66\u3002<\/p>\n\n\n\n

1.\u5728Docker Daeom\u7684Host\u673a\u4e0a\u521b\u5efaCA\u7684\u79c1\u94a5\u548c\u516c\u94a5<\/p>\n\n\n

\n$ openssl genrsa -aes256 -out ca-key.pem 4096\nGenerating RSA private key, 4096 bit long modulus\n..............................................................................++\n........++\ne is 65537 (0x10001)Enter pass phrase for ca-key.pem:\nVerifying - Enter pass phrase for ca-key.pem:\n\n\n\n\n$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem\nEnter pass phrase for ca-key.pem:\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCountry Name (2 letter code) [AU]:CN\nState or Province Name (full name) [Some-State]:Shanghai\nLocality Name (eg, city) []:Shanghai\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:GiantRoot Inc\nOrganizational Unit Name (eg, section) []:cloud server\nCommon Name (e.g. server FQDN or YOUR name) []:$HOST\nEmail Address []:jusesgod@163.com\n<\/pre><\/div>\n\n\n
**\u786e\u4fdd$HOST\u662f\u5ba2\u6237\u7aef\u7528\u6765\u8fde\u63a5Daemon\u7684\u540d\u79f0\u3002<\/p>\n\n\n\n
2.\u521b\u5efa\u670d\u52a1\u5668\u8bc1\u4e66<\/p>\n\n\n
\n$ openssl genrsa -out server-key.pem 4096\nGenerating RSA private key, 4096 bit long modulus\n.....................................................................++\n.................................................................................................++\ne is 65537 (0x10001)\n\n\n$ openssl req -subj "\/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr\n<\/pre><\/div>\n\n\n
3.\u901a\u8fc7\u6211\u4eec\u7684CA\u8bc1\u4e66\uff0c\u7ed9\u516c\u94a5\u7b7e\u540d
A:\u8bbe\u7f6e\u5141\u8bb8\u8bbf\u95ee\u7684\u8fde\u63a5\uff0c\u5141\u8bb8\u901a\u8fc7$HOST\u548c 127.0.0.1\u8bbf\u95ee<\/p>\n\n\n
\n$ echo subjectAltName = DNS:$HOST,IP:127.0.0.1 >> extfile.cnf\n<\/pre><\/div>\n\n\n
**\u5982\u679c$HOST\u662fip\u5730\u5740\u7684\u8bdd\uff0c\u5c31\u4e0d\u7528\u5199DNS:******\u4e86\uff0c\u76f4\u63a5\u5199IP:XXXXXXXX<\/p>\n\n\n\n
B:\u8bbe\u7f6eDocker Daemon\u7684\u952e\u7684\u6269\u5c55\u7528\u6cd5\u5c5e\u6027\u8bbe\u7f6e\u4e3a\u4ec5\u7528\u4e8e \u670d\u52a1\u5668\u8eab\u4efd\u9a8c\u8bc1<\/p>\n\n\n
\n$ echo extendedKeyUsage = serverAuth >> extfile.cnf\n<\/pre><\/div>\n\n\n
C:\u751f\u6210\u7b7e\u540d\u8bc1\u4e66<\/p>\n\n\n
\n$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf\nSignature ok\nsubject=\/CN=your.host.com\nGetting CA Private Key\nEnter pass phrase for ca-key.pem\n<\/pre><\/div>\n\n\n
4.\u751f\u6210\u5ba2\u6237\u7aef\u8bc1\u4e66<\/p>\n\n\n
\n$ openssl genrsa -out key.pem 4096\nGenerating RSA private key, 4096 bit long modulus\n.........................................................++\n................++\ne is 65537 (0x10001) \n$ openssl req -subj '\/CN=client' -new -key key.pem -out client.csr\n<\/pre><\/div>\n\n\n
\u8ba9\u952e\u80fd\u7b26\u5408\u5ba2\u6237\u6388\u6743\uff0c\u521b\u5efa\u4e00\u4e2a\u989d\u5916\u7684\u914d\u7f6e\u6587\u4ef6<\/p>\n\n\n
\n$ echo extendedKeyUsage = clientAuth > extfile-client.cnf\n<\/pre><\/div>\n\n\n
\u73b0\u5728\u7ed9\u7528\u6237\u8bc1\u4e66\u7b7e\u540d<\/p>\n\n\n
\n$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf\nSignature ok\nsubject=\/CN=client\nGetting CA Private Key\nEnter pass phrase for ca-key.pem:\n<\/pre><\/div>\n\n\n
\u6700\u540e\u53ef\u4ee5\u5220\u9664\u4e24\u4e2a\u8bc1\u4e66\u6587\u4ef6\uff0c\u8fd8\u6709\u90a3\u4e9b\u989d\u5916\u7684\u914d\u7f6e\u6587\u4ef6<\/p>\n\n\n
\n$ rm -v client.csr server.csr extfile.cnf extfile-client.cnf\n<\/pre><\/div>\n\n\n
\u4e3a\u4e86\u4fdd\u62a4CA\u7684\u53ea\u8bfb\u6027\uff0c\u5220\u9664\u8bc1\u4e66\u7684\u5199\u5c5e\u6027<\/p>\n\n\n
\n$ chmod -v 0400 ca-key.pem key.pem server-key.pem\n$ chmod -v 0444 ca.pem server-cert.pem cert.pem\n<\/pre><\/div>\n\n\n
\u73b0\u5728\u53ef\u4ee5\u8fd9\u6837\u542f\u52a8dockerd<\/p>\n\n\n
\n$ dockerd \\\n    --tlsverify \\\n    --tlscacert=ca.pem \\\n    --tlscert=server-cert.pem \\\n    --tlskey=server-key.pem \\\n    -H=0.0.0.0:2376\n<\/pre><\/div>\n\n\n
**\u6ce8\u610f\u5728docker.service\u6587\u4ef6\u4e2d\u7684\u914d\u7f6e\uff1a<\/p>\n\n\n
\nExecStart=\/usr\/bin\/dockerd --tlsverify --tlscacert=\/root\/.docker\/ca.pem --tlscert=\/root\/.docker\/server-cert.pem --tlskey=\/root\/.docker\/server-key.pem -H 0.0.0.0:2375 -H fd:\/\/ --containerd=\/run\/containerd\/containerd.sock\n<\/pre><\/div>\n\n\n
\u5ba2\u6237\u7aef<\/p>\n\n\n
\n$ docker --tlsverify \\\n    --tlscacert=ca.pem \\\n    --tlscert=cert.pem \\\n    --tlskey=key.pem \\\n    -H=$HOST:2376 version\n<\/pre><\/div>\n\n\n
\u6700\u540e\u901a\u8fc7\u670d\u52a1\u5668\u6d4b\u8bd5\u8bbf\u95ee\uff1a<\/p>\n\n\n
\n$ docker --tlsverify     --tlscacert=ca.pem     --tlscert=cert.pem     --tlskey=key.pem     -H=106.12.80.25 version\nClient: Docker Engine - Community\nVersion:           25.0.3\nAPI version:       1.44\nGo version:        go1.21.6\nGit commit:        4debf41\nBuilt:             Tue Feb  6 21:17:10 2024\nOS\/Arch:           linux\/amd64\nContext:           default\n\n\nServer: Docker Engine - Community\nEngine:\n  Version:          25.0.3\n  API version:      1.44 (minimum version 1.24)\n  Go version:       go1.21.6\n  Git commit:       f417435\n  Built:            Tue Feb  6 21:16:08 2024\n  OS\/Arch:          linux\/amd64\n  Experimental:     false\ncontainerd:\n  Version:          1.6.28\n  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb\nrunc:\n  Version:          1.1.12\n  GitCommit:        v1.1.12-0-g51d5e94\ndocker-init:\n  Version:          0.19.0\n  GitCommit:        de40ad0\n<\/pre><\/div>\n\n\n
\u5931\u8d25\u7ed3\u679c\uff1a<\/p>\n\n\n
\n$ docker --tlsverify     --tlscacert=ca.pem     --tlscert=cert.pem     --tlskey=key.pem     -H=106.12.80.25 version\nClient: Docker Engine - Community\nVersion:           25.0.3\nAPI version:       1.44\nGo version:        go1.21.6\nGit commit:        4debf41\nBuilt:             Tue Feb  6 21:17:10 2024\nOS\/Arch:           linux\/amd64\nContext:           default\nerror during connect: Get "https:\/\/106.12.80.25:2375\/v1.24\/version": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, not 106.12.80.25\n<\/pre><\/div>\n\n\n
\u5728idea\u4e2d\u914d\u7f6e\uff1a
Engin API URL\uff1ahttps:\/\/106.12.80.25:2375<\/a>
certificates folder\uff1a\u8bc1\u4e66\u6240\u5728\u76ee\u5f55
\u5c31\u80fd\u5b89\u5168\u8bbf\u95ee\u4e86\u3002<\/p>\n\n\n\n
\u53c2\u8003\u6587\u6863\uff1a
Docker\u6587\u6863\uff1aProtect the Docker daemon socket | Docker Docs<\/a>
Docker\u914d\u7f6etls\u4e2d\u6587\u6587\u6863\u00a0Docker\u5f00\u542f\u5b89\u5168\u7684TLS\u8fdc\u7a0b\u8fde\u63a5\u8bbf\u95ee\u65b9\u5f0f_docker_\u811a\u672c\u4e4b\u5bb6 (jb51.net)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
###\u4e0b\u6587\u4e2d\u6240\u6709\u7684 $HOST \u90fd\u4f7f\u7528docker ...<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[39,40],"tags":[],"class_list":["post-1467","post","type-post","status-publish","format-standard","hentry","category-cookbook","category-docker-and-app-release"],"_links":{"self":[{"href":"http:\/\/www.jusesgod.com\/index.php?rest_route=\/wp\/v2\/posts\/1467","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.jusesgod.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.jusesgod.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.jusesgod.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.jusesgod.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1467"}],"version-history":[{"count":3,"href":"http:\/\/www.jusesgod.com\/index.php?rest_route=\/wp\/v2\/posts\/1467\/revisions"}],"predecessor-version":[{"id":1470,"href":"http:\/\/www.jusesgod.com\/index.php?rest_route=\/wp\/v2\/posts\/1467\/revisions\/1470"}],"wp:attachment":[{"href":"http:\/\/www.jusesgod.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1467"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.jusesgod.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1467"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.jusesgod.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1467"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}