一、生成证书和密钥
1、准备证书目录和生成CA证书
# 创建证书目录
mkdir -p /etc/docker/tls
cd /etc/docker/tls# 生成CA密钥和证书
openssl req -x509 -newkey rsa:4096 -keyout ca-key.pem \
-out ca-cert.pem -days 365 -nodes -subj "/CN=Docker CA"2、为Docker守护进程(server)配置TLS证书
# 生成服务器密钥和证书签名请求(CSR)
openssl req -newkey rsa:4096 -keyout server-key.pem \
-out server-csr.pem -nodes -subj "/CN=192.168.XX.230"# 创建一个配置文件
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = 192.168.XX.230
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.XX.230
IP.2 = 127.0.0.1
DNS.1 = localhost# 使用CA证书对服务器CSR进行签名
openssl x509 -req -in server-csr.pem -CA ca-cert.pem \
-CAkey ca-key.pem -CAcreateserial -out server-cert.pem \
-days 365 -extensions v3_req -extfile openssl.cnf2、为Docker命令(client)配置TLS证书
# 生成客户端密钥和证书签名请求(CSR)
openssl req -newkey rsa:4096 -keyout client-key.pem \
-out client-csr.pem -nodes -subj "/CN=client"# 生成客户端密钥和证书签名请求(CSR)
openssl x509 -req -in client-csr.pem -CA ca-cert.pem \
-CAkey ca-key.pem -CAcreateserial \
-out client-cert.pem -days 365二、配置Docker守护进程
编辑Docker守护进程的配置文件(通常是/etc/docker/daemon.json),添加以下内容
{
"tlsverify": true,
"tlscacert": "/etc/docker/tls/ca-cert.pem",
"tlscert": "/etc/docker/tls/server-cert.pem",
"tlskey": "/etc/docker/tls/server-key.pem",
"hosts": ["tcp://0.0.0.0:2376"]
}编辑Docker服务文件
#ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecStart=/usr/bin/dockerd
systemctl daemon-reload重启Docker守护进程
sudo systemctl restart docker三、配置Docker客户端
将生成的客户端证书和密钥放置在客户端机器上的一个目录中,例如~/.docker/tls:
mkdir -p ~/.docker/tls
cp client-cert.pem ~/.docker/tls/
cp client-key.pem ~/.docker/tls/
cp ca-cert.pem ~/.docker/tls/在运行docker命令时,指定客户端证书和密钥:
docker --tlsverify \
--tlscacert ~/.docker/tls/ca-cert.pem \
--tlscert ~/.docker/tls/client-cert.pem \
--tlskey ~/.docker/tls/client-key.pem \
-H tcp://192.168.XX.230:2376 \
images为了方便,可以设置环境变量以避免每次命令都指定证书路径:
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH=~/.docker/tls
export DOCKER_HOST=tcp://192.168.XX.230:2376
环境变量场景,ca证书需要命名为ca.pem,否则找不到ca文件:Failed to initialize: unable to resolve docker endpoint: open /home/user1/.docker/tls/ca.pem: no such file or directory
好像也要指定,否则会报错:error during connect: Get "https://192.168.XX.230:2376/v1.45/containers/json?all=1": remote error: tls: certificate required
docker --tlscert ~/.docker/tls/client-cert.pem \
--tlskey ~/.docker/tls/client-key.pem \
ps -a
