docker远程访问TLS证书认证shell
docker开启远程访问端口,防止非法访问
- 配置证书认证
- 配置防火墙或安全策略
#!/bin/bash # docker.tls.sh # 环境centos 7 ,root # 创建 Docker TLS 证书 ##########配置信息 Port=2376 Node=$(hostname) IP=$(ip add|sed -nr 's#^.*inet (.*)/[1-9].*(ens|eth).*$#\1#gp') PASSWORD="88888888" COUNTRY="CN" STATE="Shanghai" CITY="Shanghai" ORGANIZATION="Elven" ORGANIZATIONAL_UNIT="Dev" COMMON_NAME="$IP" EMAIL="228@elven.vip" ##########生成证书 # Generate CA key openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "ca-key_$Node.pem" 4096 &>/dev/null # Generate CA openssl req -new -x509 -days 730 -key "ca-key_$Node.pem" -sha256 -out "ca_$Node.pem" -passin "pass:$PASSWORD" -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL" &>/dev/null echo "#Server" # Generate Server key openssl genrsa -out "server-key_$Node.pem" 4096 &>/dev/null # Generate Server Certs. openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key_$Node.pem" -out server.csr echo "subjectAltName = IP:$IP,IP:127.0.0.1" >> extfile.cnf echo "extendedKeyUsage = serverAuth" >> extfile.cnf openssl x509 -req -days 730 -sha256 -in server.csr -passin "pass:$PASSWORD" -CA "ca_$Node.pem" -CAkey "ca-key_$Node.pem" -CAcreateserial -out "server-cert_$Node.pem" -extfile extfile.cnf echo "#Client" openssl genrsa -out "client-key_$Node.pem" 4096 &>/dev/null openssl req -subj '/CN=client' -new -key "client-key_$Node.pem" -out client.csr echo extendedKeyUsage = clientAuth >> extfile.cnf openssl x509 -req -days 730 -sha256 -in client.csr -passin "pass:$PASSWORD" -CA "ca_$Node.pem" -CAkey "ca-key_$Node.pem" -CAcreateserial -out "client-cert_$Node.pem" -extfile extfile.cnf chmod 0400 "client-key_$Node.pem" "server-key_$Node.pem" chmod 0444 "ca_$Node.pem" "server-cert_$Node.pem" "client-cert_$Node.pem" ##########docker配置 echo echo "#拷贝证书" #服务端证书 mkdir -p ~/.docker cp -avf "ca_$Node.pem" "server-cert_$Node.pem" "server-key_$Node.pem" ~/.docker #客户端证书文件 cp -avf "client-cert_$Node.pem" "client-key_$Node.pem" ~/.docker/ # 打包客户端证书 tar -zcf docker-tls-client_$Node.tar.gz ca_$Node.pem client-cert_$Node.pem client-key_$Node.pem cp -af docker-tls-client_$Node.tar.gz ~/.docker/ ls -hl $(pwd)/docker-tls* echo echo "#修改docker启动项 /lib/systemd/system/docker.service" SetOPTS=" --tls \ --tlscacert=$HOME/.docker/ca_${Node}.pem \ --tlscert=$HOME/.docker/server-cert_${Node}.pem \ --tlskey=$HOME/.docker/server-key_${Node}.pem \ -H 0.0.0.0:${Port} " sed -i "s#^ExecStart.*#& $SetOPTS #" /lib/systemd/system/docker.service grep '^ExecStart' /lib/systemd/system/docker.service systemctl daemon-reload echo echo "#客户端远程连接" echo "docker -H $IP:${Port} --tlsverify --tlscacert ~/.docker/ca_$Node.pem --tlscert ~/.docker/client-cert_$Node.pem --tlskey ~/.docker/client-key_$Node.pem ps -a" echo "#客户端使用curl连接" echo "curl --cacert ~/.docker/ca_$Node.pem --cert ~/.docker/client-cert_$Node.pem --key ~/.docker/client-key_$Node.pem https://$IP:${Port}/containers/json" #clean rm -f ca*.srl *.pem *.cnf *.csr echo echo -e "\e[1;32m#重启docker生效 systemctl restart docker \e[0m" #
本文来自博客园,作者:blog-elvin-vip,转载请注明原文链接:https://www.cnblogs.com/elvi/p/10959232.html