Docker 远程连接

ubuntu16 修改 IP 地址

vi /lib/systemd/system/docker.service
修改
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

Docker 服务 TLS 证书全自动生成

转载https://segmentfault.com/a/1190000018530483

注意事项

  • 客户端用的key保存到~/.docker/tls-client-certs.tar.gz
  • 需要使用openssl 命令因此需要配置文件输出地址
 #centos7.3地址修改    vim  /etc/pki/tls/openssl.cnf

修改位置
[ CA_default ]
dir             = /etc/docker/openssl   

shell 文件内容

#!/bin/bash
# 
# Created by L.STONE 
# Mod By Ryan.L 
# -------------------------------------------------------------
# 自动创建 Docker TLS 证书
# -------------------------------------------------------------

# 以下是配置信息
# Config start
IP="8.8.8.8"
PASSWORD="123456"
COUNTRY="CN"
STATE="Beijing"
CITY=""
ORGANIZATION="iPlayLoli"
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
EMAIL="[email protected]"
# Config end
# 工作目录
mkdir -p /etc/docker ~/.docker
cd ~/.docker
# 停止 docker
service docker stop
# 生成 CA 密钥
if [[ ! -f ca-key.pem ]]; then
    echo " - 生成 CA 密钥"
    openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "ca-key.pem" 4096
fi
# 生成 CA
if [[ ! -f ca.pem ]]; then
    echo " - 生成 CA"
    openssl req -new -x509 -days 365 -key "ca-key.pem" -sha256 -out "ca.pem" -passin "pass:$PASSWORD" -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"
fi
# 生成服务器密钥 & 服务器证书
if [[ ! -f server-key.pem ]]; then
    echo " - 生成服务器密钥"
    openssl genrsa -out "server-key.pem" 4096
fi
if [[ ! -f server.csr ]]; then
     openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key.pem" -out server.csr
fi
if [[ ! -f server-cert.pem ]]; then
    echo " - 生成服务器证书"
    echo "subjectAltName = IP:$IP,IP:127.0.0.1" >> extfile.cnf
    echo "extendedKeyUsage = serverAuth" >> extfile.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -passin "pass:$PASSWORD" -CA "ca.pem" -CAkey "ca-key.pem" -CAcreateserial -out "server-cert.pem" -extfile extfile.cnf
fi
rm -f extfile.cnf
# 生成客户端证书
if [[ ! -f key.pem ]]; then
    openssl genrsa -out "key.pem" 4096
fi
if [[ ! -f cert.pem ]]; then
    openssl req -subj '/CN=client' -new -key "key.pem" -out client.csr
    echo extendedKeyUsage = clientAuth >> extfile.cnf
    openssl x509 -req -days 365 -sha256 -in client.csr -passin "pass:$PASSWORD" -CA "ca.pem" -CAkey "ca-key.pem" -CAcreateserial -out "cert.pem" -extfile extfile.cnf
fi

chmod -v 0400 "ca-key.pem" "key.pem" "server-key.pem"
chmod -v 0444 "ca.pem" "server-cert.pem" "cert.pem"

# 打包客户端证书
echo " - 打包客户端证书为 tls-client-certs.tar.gz"
mkdir -p "tls-client-certs"
cp -f "ca.pem" "cert.pem" "key.pem" "tls-client-certs/"
cd "tls-client-certs"
tar zcf "tls-client-certs.tar.gz" *
mv "tls-client-certs.tar.gz" ../
cd ..
rm -rf "tls-client-certs"

# 拷贝服务端证书
mkdir -p /etc/docker/certs.d
cp -f "ca.pem" "server-cert.pem" "server-key.pem" /etc/docker/certs.d/
echo " - 修改 /etc/docker/daemon.json 文件"
if [[ -f /etc/docker/daemon.json ]]; then
    grep "/etc/docker/certs.d/server-key.pem" /etc/docker/daemon.json > /dev/null
    if [[ ! $? -eq 0 ]]; then
        cat >/etc/docker/daemon.json</etc/docker/daemon.json</etc/systemd/system/docker.service.d/override.conf<

你可能感兴趣的:(Docker 远程连接)