1.证书的制作（生成自签名 TLS 证书，并以 HTTPS 方式启动私有 registry）
##下载registry镜像
lftp 172.25.254.251:/pub/docs/docker> get registry.tar
##导入镜像
[root@foundation52 kiosk]# docker load -i registry.tar
## 先在 5000 端口跑一个既没有 TLS 也没有认证的 registry 做测试：任何能访问本机 5000 端口的主机都可以直接 push/pull，只适合本机实验，正式使用必须走下面启用证书和 htpasswd 认证的步骤
[root@foundation52 kiosk]# docker run -d -p 5000:5000 -v /opt/registry:/var/lib/registry registry:2
Unable to find image 'registry:2' locally
2: Pulling from library/registry
4064ffdc82fe: Pull complete
c12c92d1c5a2: Pull complete
4fbc9b6835cc: Pull complete
765973b0f65f: Pull complete
3968771a7c3a: Pull complete
Digest: sha256:51bb55f23ef7e25ac9b8313b139a8dd45baa832943c8ad8f7da2ddad6355b3c8
Status: Downloaded newer image for registry:2
becdda0248cbdf39ab532d5b81f1530d89c485e8fa6fc254c2f2de65b4a03465
[root@foundation52 kiosk]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
becdda0248cb registry:2 "/entrypoint.sh /e..." 39 seconds ago Up 36 seconds 0.0.0.0:5000->5000/tcp thirsty_bhaskara
[root@foundation35 ~]# docker run -d -p 5000:5000 -v /opt/registry:/var/lib/registry registry:2
[root@foundation35 ~]# docker tag nginx localhost:5000/nginx
## push 表示将本地的镜像上传到镜像仓库。这里不需要证书就能推送，是因为 Docker 默认把 localhost/127.0.0.0/8 上的仓库当作允许明文 HTTP 的 insecure registry，换成其他地址就必须配置 TLS
[root@foundation35 ~]# docker push localhost:5000/nginx
The push refers to a repository [localhost:5000/nginx]
08d25fa0442e: Pushed
a8c4aeeaa045: Pushed
cdb3f9544e4c: Pushed
latest: digest: sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f size: 948
[root@foundation35 ~]# docker rmi localhost:5000/nginx
Untagged: localhost:5000/nginx:latest
Untagged: localhost:5000/nginx@sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f
[root@foundation35 ~]# docker rmi nginx
Untagged: nginx:latest
Untagged: nginx@sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424
Deleted: sha256:c82521676580c4850bb8f0d72e47390a50d60c8ffe44d623ce57be521bca9869
Deleted: sha256:2c1f65d17acf8759019a5eb86cc20fb8f8a7e84d2b541b795c1579c4f202a458
Deleted: sha256:8f222b457ca67d7e68c3a8101d6509ab89d1aad6d399bf5b3c93494bbf876407
Deleted: sha256:cdb3f9544e4c61d45da1ea44f7d92386639a052c620d1550376f22f5b46981af
[root@foundation35 ~]# docker pull localhost:5000/nginx
Using default tag: latest
latest: Pulling from nginx
2da35ff30a7d: Pull complete
831fb1a65ced: Pull complete
7a63da4e8a19: Pull complete
Digest: sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f
Status: Downloaded newer image for localhost:5000/nginx:latest
[root@foundation35 ~]# docker tag localhost:5000/nginx nginx
[root@foundation35 ~]# docker rmi localhost:5000/nginx
Untagged: localhost:5000/nginx:latest
Untagged: localhost:5000/nginx@sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f
[root@foundation35 ~]# docker images nginx
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest c82521676580 3 weeks ago 109 MB
[root@foundation52 docker]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f6c961c0fcad registry "/tmp/docker/certs..." 3 minutes ago Created unruffled_feynman
becdda0248cb registry:2 "/entrypoint.sh /e..." 15 minutes ago Up 15 minutes 0.0.0.0:5000->5000/tcp thirsty_bhaskara
## 强制删除这两个容器（be… 就是上面发布在 5000 端口的明文 registry），释放端口后再启动带证书的仓库
[root@foundation52 docker]# docker rm -f f6
f6
[root@foundation52 docker]# docker rm -f be
be
## 添加本地解析：把仓库域名 westos.org 指向本机。后面 openssl 里填写的 Common Name 必须与客户端访问仓库所用的域名一致
[root@foundation52 ~]# vim /etc/hosts
######################
添加: 172.25.254.52 westos.org
## 注意事项（对应下面的 openssl / certs.d 步骤）:
## 1) 需要先 mkdir certs 再执行 openssl，本文中 mkdir 出现在 openssl 之后是记录顺序颠倒，否则 openssl 会因目录不存在而失败
## 2) 生成的 certs/domain.key 按默认 umask 落盘为 -rw-r--r--（见后面 ll 输出），私钥对本机所有用户可读，生成后应立即 chmod 600 certs/domain.key
## 3) 证书只填了 CN=westos.org 而没有 subjectAltName，较新的 Docker/Go TLS 客户端只校验 SAN 不看 CN，建议加上 -addext "subjectAltName=DNS:westos.org"（OpenSSL 1.1.1+）或通过 -config 指定 SAN
## 4) 把 domain.crt 复制到 /etc/docker/certs.d/westos.org/ca.crt 是让本机 docker 客户端信任这张自签名证书；每一台要访问该仓库的客户端都要做同样的配置，否则会报 x509 证书校验错误
[root@foundation52 ~]# ping westos.org
PING westos.org172.25.52.250 (172.25.52.250) 56(84) bytes of data.
64 bytes from westos.org172.25.52.250 (172.25.52.250): icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from westos.org172.25.52.250 (172.25.52.250): icmp_seq=2 ttl=64 time=0.082 ms
^Z
[1]+ Stopped ping westos.org
[root@foundation52 ~]# cd /tmp/docker/
[root@foundation52 docker]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt
Generating a 4096 bit RSA private key
...........................++
............................................................................................................................++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:westos.org
Email Address []:root@westos.org
[root@foundation52 docker]# mkdir certs
[root@foundation52 docker]# cd certs/
[root@foundation52 certs]# ll
total 8
-rw-r--r-- 1 root root 2098 Aug 22 16:39 domain.crt
-rw-r--r-- 1 root root 3272 Aug 22 16:39 domain.key
[root@foundation52 certs]# cd ..
[root@foundation52 docker]# docker run -d \
> --restart=always \
> --name registry \
> -v `pwd`/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
> -p 443:443 \
> registry:2
d5e1dec99b8d950538f8a04f63bb3219015d1d08daa94e7287cbd60274901a21
[root@foundation52 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d5e1dec99b8d registry:2 "/entrypoint.sh /e..." 11 seconds ago Up 10 seconds 0.0.0.0:443->443/tcp, 5000/tcp registry
[root@foundation52 docker]# netstat -antlp |grep :443
tcp6 0 0 :::443 :::* LISTEN 13765/docker-proxy
[root@foundation52 docker]# cd /opt/registry/
[root@foundation52 registry]# ls
[root@foundation52 registry]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
RETURN all -- 192.168.122.0/24 224.0.0.0/24
RETURN all -- 192.168.122.0/24 255.255.255.255
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
MASQUERADE tcp -- 172.17.0.2 172.17.0.2 tcp dpt:443
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:172.17.0.2:443
[root@foundation52 registry]# cd /etc/docker
[root@foundation52 docker]# ls
daemon.json key.json
[root@foundation52 docker]# mkdir certs.d
[root@foundation52 docker]# cd certs.d/
[root@foundation52 certs.d]# mkdir westos.org
[root@foundation52 certs.d]# cd westos.org
[root@foundation52 westos.org]# cp /tmp/docker/certs/domain.crt ./ca.crt
[root@foundation52 westos.org]# ls
ca.crt
[root@foundation52 westos.org]# docker tag nginx westos.org/rhel7
[root@foundation52 westos.org]# docker push westos.org/rhel7
The push refers to a repository [westos.org/rhel7]
08d25fa0442e: Pushed
a8c4aeeaa045: Pushed
cdb3f9544e4c: Pushed
latest: digest: sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f size: 948
2.启用 htpasswd 用户认证（在上面 TLS 的基础上增加 Basic Auth；这一步并不是对证书做“加密”）
[root@foundation52 kiosk]# cd /tmp/docker/
[root@foundation52 docker]# mkdir auth
[root@foundation52 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@foundation52 docker]# docker volume ls
DRIVER VOLUME NAME
local 017f3f8d7cae7b732ef372eef90c4d3a6f65701e581a5704e837f9bed51af355
local 27ec2bb38d509f1aada158c0051ab50acd2dc40880a0763296d79f6a2065b74e
.............
[root@foundation52 docker]# docker volume rm `docker volume ls -q`
017f3f8d7cae7b732ef372eef90c4d3a6f65701e581a5704e837f9bed51af355
27ec2bb38d509f1aada158c0051ab50acd2dc40880a0763296d79f6a2065b74e
.............
[root@foundation52 docker]# docker volume ls
DRIVER VOLUME NAME
## 用 registry 镜像自带的 htpasswd 生成 bcrypt 口令文件（-B 为 bcrypt，registry 只接受这种格式）。注意 -b 把明文口令直接放在命令行参数里：它会留在 shell 历史，并被记录在已退出容器的元数据中（下面 docker ps -a 的 COMMAND 列已经露出 "htpasswd -Bbn adm..."，docker inspect 可看到完整口令），用完应及时 docker container prune 并清理历史；哈希开头的 $2y$05$ 表示 bcrypt cost 只有 5，可用 -C 10 提高
[root@foundation52 docker]# docker run --entrypoint htpasswd registry:2 -Bbn haha westos > auth/htpasswd
[root@foundation52 docker]# cat auth/htpasswd
haha:$2y$05$iAk4eCp8ntMaWIfSwxvqeej4VrsRrieI3yiAC.fJ7zznp81PVlaQu
## >> 表示追加到文件末尾；若误写成 > 会把上面已生成的 haha 用户覆盖掉
[root@foundation52 docker]# docker run --entrypoint htpasswd registry:2 -Bbn admin admin >> auth/htpasswd
[root@foundation52 docker]# cat auth/htpasswd
haha:$2y$05$iAk4eCp8ntMaWIfSwxvqeej4VrsRrieI3yiAC.fJ7zznp81PVlaQu
admin:$2y$05$xuQmKgjMheEbpPr45AdSYO9TpxsPWy0VSs/UIBIYDZ.0Qy0ysQu/O
[root@foundation52 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@foundation52 docker]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cad9935c58b7 registry:2 "htpasswd -Bbn adm..." 24 seconds ago Exited (0) 22 seconds ago elated_davinci
a76411db42c5 registry:2 "htpasswd -Bbn hah..." 47 seconds ago Exited (0) 43 seconds ago youthful_keller
## 在宿主机上用 htpasswd 创建/修改用户：-c 表示新建文件，只在第一次使用（之后再加 -c 会清空已有用户），-m 生成 MD5（$apr1$）哈希。注意 registry:2 的 htpasswd 认证只支持 bcrypt（-B）格式，这里的 $apr1$ 哈希不能直接交给 registry 使用，所以本文随后又把这个文件删掉了；交互式输入口令的好处是口令不会出现在命令行和历史中
[root@foundation52 docker]# htpasswd -cm htpaswd haha
New password:
Re-type new password:
Adding password for user haha
[root@foundation52 docker]# cat htpaswd
haha:$apr1$I0l6qswB$fW6C2EEzw28FbzS/oD6h80
## 向已有文件追加用户时只加 -m，不要再带 -c，否则文件会被重新创建
[root@foundation52 docker]# htpasswd -m htpaswd admin
New password:
Re-type new password:
Adding password for user admin
[root@foundation52 docker]# cat htpaswd
haha:$apr1$I0l6qswB$fW6C2EEzw28FbzS/oD6h80
admin:$apr1$PRHSaDPG$e9j5Fn2n6OI/EhPf11KLI1
[root@foundation52 docker]# rm -f htpaswd
[root@foundation52 docker]# docker container prune
WARNING! This will remove all stopped containers.
Are you sure you want to continue? [y/N] y
Deleted Containers:
e5775c9bb2389069749f0248462aa04b3473a3f189c1472f9be7e7e1f7c4a271
500f2ce33b774f048dd7f144016f6d033b3e09865410ca5a56478daa3bdcdc08
Total reclaimed space: 0 B
[root@foundation52 docker]# docker run -d \
> --restart=always \
> -v `pwd`/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
> -v `pwd`/auth:/auth -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
> -p 443:443 \
> registry:2
eb27ad6bf246581518ddeb463b22a958352f867c320f29131532d8305873110e
[root@foundation52 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
99ee302d848c registry:2 "/entrypoint.sh /e..." 11 seconds ago Up 9 seconds 0.0.0.0:443->443/tcp, 5000/tcp flamboyant_boyd
## 用户登录。-p 把口令写在命令行上（会进入 shell 历史和进程列表），更安全的做法是通过标准输入传入：cat passfile | docker login -u haha --password-stdin westos.org。登录成功后凭据会以 base64(用户名:口令) 的形式明文保存在 ~/.docker/config.json（下文的 aGFoYTp3ZXN0b3M= 解码即 haha:westos），要注意该文件的权限，用完后 docker logout 或删除
[root@foundation52 docker]# docker login -u haha -p westos westos.org
Login Succeeded
[root@foundation52 docker]# ping westos.org
PING westos.org (172.25.254.52) 56(84) bytes of data.
64 bytes from westos.org (172.25.254.52): icmp_seq=1 ttl=64 time=0.039 ms
^Z
[1]+ Stopped ping westos.org
## 因为仓库启用了 htpasswd 认证（而不是因为证书），所以必须先 docker login 才能 push/pull；证书只负责 TLS 加密传输和让客户端信任该仓库，本身不做用户鉴权
[root@foundation52 docker]# docker push westos.org/rhel7
The push refers to a repository [westos.org/rhel7]
08d25fa0442e: Pushed
a8c4aeeaa045: Pushed
cdb3f9544e4c: Pushed
latest: digest: sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f size: 948
[root@foundation52 docker]# cd
[root@foundation52 ~]# cd .docker/
[root@foundation52 .docker]# ls
config.json
[root@foundation52 .docker]# cat config.json
{
"auths": {
"westos.org": {
"auth": "aGFoYTp3ZXN0b3M="
}
}
}
[root@foundation52 .docker]# netstat -antlp | grep :443
tcp6 0 0 :::443 :::* LISTEN 4964/docker-proxy
[root@foundation52 .docker]# cat config.json
{
"auths": {
"westos.org": {
"auth": "aGFoYTp3ZXN0b3M="
}
}
[root@foundation52 .docker]# cd
[root@foundation52 ~]# rm -rf .docker/
## docker tag 给同一个镜像再起一个名字 westos.org/nginx（仓库地址/镜像名），并不复制镜像；推送到哪个仓库由名字前缀 westos.org 决定
[root@foundation52 ~]# docker tag nginx westos.org/nginx
## 上传镜像。注意：上一步已经 rm -rf ~/.docker 删除了登录凭据，对开启了 htpasswd 认证的仓库此时 push 应当失败（no basic auth credentials）；这里却仍然成功，而且前面 docker run 返回的容器 ID eb27ad… 与随后 docker ps 显示的 99ee30… 也不一致，说明这段记录很可能来自未开启认证的另一次运行，不能据此认为无需登录即可推送
[root@foundation52 ~]# docker push westos.org/nginx
The push refers to a repository [westos.org/nginx]
08d25fa0442e: Pushed
a8c4aeeaa045: Pushed
cdb3f9544e4c: Pushed
latest: digest: sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f size: 948