Configuring Docker for SSL access

Enabling certificate-encrypted (SSL/TLS) remote connections to Docker

Steps

  1. Create the CA's RSA private key
  2. Create the CA certificate
  3. Create the server private key
  4. Create the server certificate signing request (CSR)
  5. Create the extfile.cnf configuration file
  6. Create the signed server certificate
  7. Create the client private key
  8. Create the client certificate signing request
  9. Create the signed client certificate
  10. Remove leftover files & set file permissions
  11. Configure Docker to accept TLS connections

Generating the certificates and keys

First create the directory /etc/docker and change into it:

mkdir /etc/docker && cd /etc/docker

Create the CA's RSA private key (it is encrypted with AES-256, so openssl prompts for a passphrase):

openssl genrsa -aes256 -out ca-key.pem 4096

Create the CA certificate:

openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem

Create the server private key:

openssl genrsa -out server-key.pem 4096

Create the server certificate signing request (CSR):

openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr

Create the extfile.cnf configuration file, replacing YOUR_SERVER_IP with the address clients will connect to (the client checks that this IP appears in the server certificate's subjectAltName):

echo subjectAltName = IP:YOUR_SERVER_IP,IP:0.0.0.0 >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf

Create the signed server certificate (signed by the CA, with the extensions from extfile.cnf):

openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf

Create the client private key:

openssl genrsa -out key.pem 4096

Create the client certificate signing request:

openssl req -subj "/CN=client" -new -key key.pem -out client.csr

Append the client extension to extfile.cnf:

echo extendedKeyUsage = clientAuth >> extfile.cnf

Create the signed client certificate:

openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf

Remove the files that are no longer needed:

rm -rf ca.srl client.csr extfile.cnf server.csr

Set file permissions (private keys readable only by their owner, certificates world-readable):

chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem
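Steps 1 to 10 above, as an added example that is not part of the original post: the first function rebuilds the same CA, server and client material in a scratch directory, and the second checks what the daemon's tlsverify setting and a client's --tlsverify actually depend on (the chain to ca.pem, the IP SAN on the server certificate, the extended key usages, and the key file modes). Three deviations from the post are labelled in the comments: 2048-bit keys for speed, the CA passphrase supplied as an argument, and a separate extension file for the client certificate. The address 203.0.113.10 and the passphrase are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the original post: rebuild the post's Docker TLS
# material (steps 1-10) in a scratch directory and check it before it is used.
# Deviations from the post are labelled in the comments.

# make_docker_pki DIR SERVER_IP CA_PASSPHRASE
# Writes ca.pem, server-cert.pem, server-key.pem, cert.pem and key.pem into DIR.
# The body is a subshell, so the cd does not leak out and "exit" only leaves
# the function.
make_docker_pki() (
    dir=$1; ip=$2; capass=$3
    mkdir -p "$dir" && cd "$dir" || exit 1

    # Steps 1-2: AES-256-encrypted CA key and self-signed CA certificate.
    # Deviation: 2048-bit keys to keep the example fast (the post uses 4096),
    # and the passphrase taken from an argument instead of a prompt.
    openssl genrsa -aes256 -passout "pass:$capass" -out ca-key.pem 2048 2>/dev/null || exit 1
    openssl req -new -x509 -days 365 -sha256 -key ca-key.pem -passin "pass:$capass" \
        -subj "/CN=docker-ca" -out ca.pem 2>/dev/null || exit 1

    # Steps 3-6: server key, CSR, extension file and signed certificate.
    # The IP SAN is what a client matches against the address in -H tcp://IP:PORT.
    openssl genrsa -out server-key.pem 2048 2>/dev/null || exit 1
    openssl req -new -sha256 -key server-key.pem -subj "/CN=$ip" -out server.csr 2>/dev/null || exit 1
    printf 'subjectAltName = IP:%s,IP:0.0.0.0\nextendedKeyUsage = serverAuth\n' "$ip" > extfile.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
        -passin "pass:$capass" -CAcreateserial -extfile extfile.cnf \
        -out server-cert.pem 2>/dev/null || exit 1

    # Steps 7-9: client key, CSR and signed certificate.
    # Deviation: a separate extension file, so the client certificate carries
    # only clientAuth (the post appends clientAuth to the same extfile.cnf).
    openssl genrsa -out key.pem 2048 2>/dev/null || exit 1
    openssl req -new -key key.pem -subj "/CN=client" -out client.csr 2>/dev/null || exit 1
    printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
        -passin "pass:$capass" -CAcreateserial -extfile extfile-client.cnf \
        -out cert.pem 2>/dev/null || exit 1

    # Step 10: drop the intermediates and apply the same modes as the post.
    rm -f ca.srl server.csr client.csr extfile.cnf extfile-client.cnf
    chmod 0400 ca-key.pem server-key.pem key.pem
    chmod 0444 ca.pem server-cert.pem cert.pem
)

# verify_docker_pki DIR SERVER_IP
# Returns 0 only if the material would let a client reach dockerd at SERVER_IP
# with --tlsverify and let dockerd (tlsverify: true) accept that client.
verify_docker_pki() (
    cd "$1" || exit 1
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots are literal in the regex below

    # Both leaf certificates must chain to ca.pem: dockerd checks the client
    # certificate against tlscacert, and the client checks server-cert.pem.
    openssl verify -CAfile ca.pem server-cert.pem >/dev/null 2>&1 || exit 1
    openssl verify -CAfile ca.pem cert.pem >/dev/null 2>&1 || exit 1

    server_txt=$(openssl x509 -in server-cert.pem -noout -text) || exit 1
    client_txt=$(openssl x509 -in cert.pem -noout -text) || exit 1

    # The server certificate must name the exact IP the client connects to
    # and must be allowed to act as a TLS server.
    printf '%s\n' "$server_txt" | grep -qE "IP Address:$ip_re"'(,|$)' || exit 1
    printf '%s\n' "$server_txt" | grep -q 'TLS Web Server Authentication' || exit 1

    # The client certificate must be a client certificate and nothing more, so
    # a leaked cert.pem cannot also be used to impersonate the daemon.
    printf '%s\n' "$client_txt" | grep -q 'TLS Web Client Authentication' || exit 1
    if printf '%s\n' "$client_txt" | grep -q 'TLS Web Server Authentication'; then exit 1; fi

    # Private keys must be readable by their owner only (mode 0400).
    for k in ca-key.pem server-key.pem key.pem; do
        case "$(ls -l "$k")" in
            -r--------*) ;;
            *) exit 1 ;;
        esac
    done
    exit 0
)

# Stand-alone demo with constructed sample values: a TEST-NET address and a
# throwaway passphrase. The directory is left in place for inspection.
demo_dir=$(mktemp -d)
if make_docker_pki "$demo_dir" 203.0.113.10 example-passphrase \
   && verify_docker_pki "$demo_dir" 203.0.113.10; then
    echo "PKI OK: $demo_dir"
else
    echo "PKI check FAILED: $demo_dir"
fi
```

Run it with sh; the demo at the bottom prints "PKI OK" and the temporary directory it used. Pointing verify_docker_pki at /etc/docker on the server (as root, since the keys are 0400) applies the same checks to the real files before they are copied to any client.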

Configuring Docker for SSL

Edit the /etc/docker/daemon.json configuration file. The tls, tlscacert, tlscert, tlskey and tlsverify keys make dockerd present server-cert.pem to clients and accept only clients whose certificate was signed by ca.pem:

{
  "log-driver": "json-file",
  "log-opts": {
    "cache-disabled": "false",
    "cache-max-file": "5",
    "cache-max-size": "20m",
    "cache-compress": "true",
    "env": "os,customer",
    "labels": "somelabel",
    "max-file": "5",
    "max-size": "10m"
  },
  "registry-mirrors": ["https://ustc-edu-cn.mirror.aliyuncs.com"],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "tlsverify": true
}

Edit the systemd unit file for Docker (changes to this file are overwritten by package upgrades; a drop-in under /etc/systemd/system/docker.service.d/ survives them):

vim /lib/systemd/system/docker.service

Change the ExecStart line so that dockerd also listens on a TCP socket. Port 2375 is used here; note that Docker's convention is 2376 for TLS and 2375 for unencrypted connections, and some tooling assumes that mapping:

ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375

Reload systemd and restart Docker:

systemctl daemon-reload && systemctl restart docker

Verifying the remote Docker connection

Copy the three files ca.pem, cert.pem and key.pem from the server to your own machine. Treat them like a root credential: anyone holding this client certificate and key can control the daemon, and through it the host.

You can test the connection with the Docker client built into IntelliJ IDEA; any other graphical tool works as well.

All-in-one script

#!/bin/bash

# Ask for the server's public IP and the CA passphrase (-s keeps the passphrase off the screen)
read -p "Enter your server's public IP address: " PUBLIC_IP
read -s -p "Enter the CA passphrase you want to set: " CA_PASSWORD
echo

# Generate the CA key and certificate
# (the passphrase is passed with pass:, so it is visible in the process list while openssl runs)
sudo mkdir -p /etc/docker
sudo openssl genrsa -aes256 -out /etc/docker/ca-key.pem -passout "pass:$CA_PASSWORD" 4096
sudo openssl req -new -x509 -days 365 -key /etc/docker/ca-key.pem -sha256 -out /etc/docker/ca.pem -passin "pass:$CA_PASSWORD" -subj "/C=CH/ST=CA/O=Cikaros/OU=Cikaros/CN=$PUBLIC_IP"

# Generate the server key, CSR and certificate
sudo openssl genrsa -out /etc/docker/server-key.pem 4096
sudo openssl req -subj "/CN=$PUBLIC_IP" -sha256 -new -key /etc/docker/server-key.pem -out /etc/docker/server.csr

# The redirection is performed by the calling shell, not by sudo, so write the file through sudo tee
echo "subjectAltName = DNS:$PUBLIC_IP,IP:$PUBLIC_IP,IP:0.0.0.0" | sudo tee /etc/docker/extfile.cnf > /dev/null
sudo openssl x509 -req -days 365 -sha256 -in /etc/docker/server.csr -CA /etc/docker/ca.pem -CAkey /etc/docker/ca-key.pem -CAcreateserial -out /etc/docker/server-cert.pem -extfile /etc/docker/extfile.cnf -passin "pass:$CA_PASSWORD"

# Generate the client key, CSR and certificate
sudo openssl genrsa -out /etc/docker/key.pem 4096
sudo openssl req -subj '/CN=client' -new -key /etc/docker/key.pem -out /etc/docker/client.csr
sudo openssl x509 -req -days 365 -sha256 -in /etc/docker/client.csr -CA /etc/docker/ca.pem -CAkey /etc/docker/ca-key.pem -CAcreateserial -out /etc/docker/cert.pem -extfile /etc/docker/extfile.cnf -passin "pass:$CA_PASSWORD"

# Remove files that are no longer needed
sudo rm -v /etc/docker/client.csr /etc/docker/server.csr

# Restrict permissions on the certificate files
sudo chmod -v 0400 /etc/docker/ca-key.pem /etc/docker/key.pem /etc/docker/server-key.pem
sudo chmod -v 0444 /etc/docker/ca.pem /etc/docker/server-cert.pem /etc/docker/cert.pem

# Write daemon.json (again through sudo tee, because the heredoc redirect runs as the calling user)
sudo tee /etc/docker/daemon.json > /dev/null << EOF
{
  "log-driver": "json-file",
  "log-opts": {
    "cache-disabled": "false",
    "cache-max-file": "5",
    "cache-max-size": "20m",
    "cache-compress": "true",
    "env": "os,customer",
    "labels": "somelabel",
    "max-file": "5",
    "max-size": "10m"
  },
  "registry-mirrors": ["https://ustc-edu-cn.mirror.aliyuncs.com"],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "tlsverify": true
}
EOF

# Modify docker.service so that dockerd also listens on the remote TCP port
sudo sed -i 's/-H fd:\/\//-H fd:\/\/ -H tcp:\/\/0.0.0.0:2375/g' /lib/systemd/system/docker.service
sudo systemctl daemon-reload
sudo systemctl restart docker

echo "Docker SSL configuration and remote access port setup complete."

Source: https://blog.cikaros.top/doc/b6830aac.html
Author: Cikaros
Published: 3 January 2022