环境：Docker 1.13.1+，CentOS 7
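#!/usr/bin/env bash
# -------------------------------------------------------------
# Generate the TLS material for a Docker daemon exposed on tcp/2376.
#
# Output (all in the current directory):
#   CA      : ca.pem, ca-key.pem (passphrase-protected)
#   server  : server-cert.pem, server-key.pem   -> dockerd tlscacert/tlscert/tlskey
#   client  : cert.pem, key.pem (+ ca.pem)      -> docker CLI, ~/.docker
#
# Originally by lanwp, 2019/4/17.
#
# About subjectAltName: the server certificate gets a SAN built from
# COMMON_NAME (typed IP: or DNS:) plus IP:127.0.0.1; more entries can be
# added through SAN, e.g. SAN='DNS:docker166,IP:192.168.72.166'. The
# original notes said "without a SAN the server IP is not checked, so the
# cert works on any server" — that check is exactly what a client needs,
# and clients built on Go >= 1.15 (recent docker CLIs) ignore CN entirely
# and reject a server certificate that has no SAN.
#
# All settings are taken from the environment with the defaults below:
#   PASSWORD='…' COMMON_NAME=192.168.72.166 SAN='DNS:docker166' ./this.sh
# -------------------------------------------------------------
set -euo pipefail

# Passphrase for ca-key.pem, read from the environment. The fallback is
# kept only so the script still runs unattended; it is public and must be
# overridden: whoever holds ca-key.pem + passphrase can mint client
# certificates, and a client certificate is root on the Docker host.
PASSWORD="${PASSWORD:-123456}"
if [[ "$PASSWORD" == "123456" ]]; then
  printf 'WARNING: using the built-in default CA passphrase; set PASSWORD in the environment.\n' >&2
fi
DAYS="${DAYS:-36500}"          # CA/server certificate lifetime in days (~100 years; shorten for production)
KEY_BITS="${KEY_BITS:-4096}"   # RSA key size used for the CA, server and client keys
COUNTRY="${COUNTRY:-CN}"
STATE="${STATE:-省}"                                  # optional (subject ST)
CITY="${CITY:-市}"                                    # optional (subject L)
ORGANIZATION="${ORGANIZATION:-公司名称}"               # optional (subject O)
ORGANIZATIONAL_UNIT="${ORGANIZATIONAL_UNIT:-Dev}"     # optional (subject OU)
# Required: the hostname or IP clients connect to. It is the CN of the CA
# and of the server certificate and the first SAN entry of the latter.
COMMON_NAME="${COMMON_NAME:-test}"
EMAIL="${EMAIL:-test@163}"     # optional (subject emailAddress)
# Extra subjectAltName entries for the server certificate, comma-separated
# ('DNS:name,IP:a.b.c.d'); empty means COMMON_NAME + loopback only.
SAN="${SAN:-}"
# Set FORCE=1 to allow replacing an existing CA (see noCode).
FORCE="${FORCE:-0}"

#######################################
# Build the CA, the server certificate and the client certificate in the
# current directory.
# Globals (read): PASSWORD DAYS KEY_BITS COUNTRY STATE CITY ORGANIZATION
#   ORGANIZATIONAL_UNIT COMMON_NAME EMAIL SAN FORCE
# Outputs: ca.pem ca-key.pem ca.srl server-cert.pem server-key.pem
#   cert.pem key.pem; private keys are chmod 0400, public files 0444
# Returns: 1 on the first failing step, or when ca-key.pem already exists
#   and FORCE is not 1
#######################################
noCode() {
  local client_days=365   # client certificates stay short-lived
  local subj="/C=${COUNTRY}/ST=${STATE}/L=${CITY}/O=${ORGANIZATION}/OU=${ORGANIZATIONAL_UNIT}/CN=${COMMON_NAME}/emailAddress=${EMAIL}"
  local san

  # Regenerating the CA silently invalidates every certificate it signed,
  # so refuse unless explicitly asked; with FORCE=1 clear the old output
  # first (the private keys are 0400 and would not be overwritable).
  if [[ -e ca-key.pem ]]; then
    if [[ "$FORCE" != "1" ]]; then
      printf 'ca-key.pem already exists; remove it or run with FORCE=1 to regenerate the CA.\n' >&2
      return 1
    fi
    rm -f -- ca-key.pem ca.pem ca.srl server-key.pem server-cert.pem key.pem cert.pem
  fi

  # SAN for the server certificate: COMMON_NAME typed as IP or DNS, the
  # loopback address (so `docker --tlsverify -H 127.0.0.1` verifies on the
  # host itself), then whatever the user put in SAN.
  if [[ "$COMMON_NAME" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
    san="IP:${COMMON_NAME},IP:127.0.0.1"
  else
    san="DNS:${COMMON_NAME},IP:127.0.0.1"
  fi
  if [[ -n "$SAN" ]]; then
    san="${san},${SAN}"
  fi

  # --- CA ---------------------------------------------------------------
  # The passphrase reaches openssl through its environment (env:PASSWORD)
  # rather than argv, so it does not show up in `ps` or shell history.
  PASSWORD="$PASSWORD" openssl genrsa -aes256 -passout env:PASSWORD \
    -out ca-key.pem "$KEY_BITS" || return 1
  PASSWORD="$PASSWORD" openssl req -new -x509 -sha256 -days "$DAYS" \
    -key ca-key.pem -passin env:PASSWORD -subj "$subj" -out ca.pem || return 1

  # --- server -----------------------------------------------------------
  openssl genrsa -out server-key.pem "$KEY_BITS" || return 1
  openssl req -new -sha256 -subj "/CN=${COMMON_NAME}" -key server-key.pem \
    -out server.csr || return 1
  # Extensions are fed through process substitution: nothing is left on
  # disk and nothing is appended to a stale extfile from an earlier run.
  PASSWORD="$PASSWORD" openssl x509 -req -sha256 -days "$DAYS" -in server.csr \
    -CA ca.pem -CAkey ca-key.pem -CAcreateserial -passin env:PASSWORD \
    -extfile <(printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$san") \
    -out server-cert.pem || return 1

  # --- client -----------------------------------------------------------
  openssl genrsa -out key.pem "$KEY_BITS" || return 1
  openssl req -new -sha256 -subj '/CN=client' -key key.pem -out client.csr || return 1
  PASSWORD="$PASSWORD" openssl x509 -req -sha256 -days "$client_days" -in client.csr \
    -CA ca.pem -CAkey ca-key.pem -CAcreateserial -passin env:PASSWORD \
    -extfile <(printf 'extendedKeyUsage = clientAuth\n') \
    -out cert.pem || return 1

  rm -f -- server.csr client.csr
  # Private keys: owner read-only. Public material: world-readable.
  chmod -v 0400 ca-key.pem key.pem server-key.pem || return 1
  chmod -v 0444 ca.pem server-cert.pem cert.pem || return 1
}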
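#######################################
# Choose the output directory: <base>/ssl is created if missing and
# becomes the working directory. Not called by the published main flow
# (which writes straight into /root/.docker and creates that directory
# itself); kept for callers that want the certificates under ./ssl.
# The original version was not runnable (`local BASE_PATH = $PWD` is a
# syntax error) and created /root/.docker as a side effect; both fixed.
# Arguments: $1 - base directory (optional, default: current directory)
# Outputs:   one status line on stdout
# Returns:   1 if the directory cannot be created or entered
#######################################
setSaveCaDir() {
  local base="${1:-$PWD}"
  local dir="${base}/ssl"
  if [[ -d "$dir" ]]; then
    printf '%s\n' "文件夹存在"
  else
    printf '%s\n' "文件夹不存在"
    mkdir -p -- "$dir" || return 1
  fi
  cd -- "$dir" || return 1
}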
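# ---- main ---------------------------------------------------------------
# The docker CLI picks ca.pem/cert.pem/key.pem up from ~/.docker, so the
# material is generated directly in root's directory.
docker_dir=/root/.docker
mkdir -p -- "$docker_dir" || exit 1
# The original `mkdir … && cd …` skipped the cd (and wrote the certs into
# the current directory) whenever /root/.docker already existed.
cd -- "$docker_dir" || exit 1
noCode || exit 1

mkdir -p /etc/docker || exit 1
# Keep the previous daemon config; the write below replaces it wholesale.
if [[ -e /etc/docker/daemon.json ]]; then
  cp -p /etc/docker/daemon.json "/etc/docker/daemon.json.$(date +%Y%m%d%H%M%S).bak" || exit 1
fi
# hosts: keep the unix socket and add tcp/2376 on every interface. With
# tlsverify=true only clients presenting a certificate signed by ca.pem
# get in — and such a client is root on this host — so bind to a specific
# address (tcp://<ip>:2376) and/or firewall the port on machines with a
# public interface. If docker.service already passes -H on its ExecStart
# (docker-ce does, with -H fd://), dockerd refuses to start because
# "hosts" would be set twice; override ExecStart with a systemd drop-in
# in that case instead of setting hosts here.
# tlscert must name the file noCode writes, server-cert.pem; the published
# value "server.pem" does not exist. The original also carried
# "registry-mirrors": [""] — an empty mirror URL is not a usable mirror;
# add real URLs if you need one.
cat <<EOF > /etc/docker/daemon.json
{
  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
  "tlsverify": true,
  "tlscacert": "${docker_dir}/ca.pem",
  "tlscert": "${docker_dir}/server-cert.pem",
  "tlskey": "${docker_dir}/server-key.pem"
}
EOF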
重启 docker 让配置生效。注意：如果 docker.service 的 ExecStart 里已经带了 -H（例如 docker-ce 的 `-H fd://`），daemon.json 中的 hosts 会与之冲突，dockerd 会拒绝启动；这种情况需要用 systemd drop-in 覆盖 ExecStart，而不是在 daemon.json 里写 hosts。
# Apply the new daemon.json. The notes rely on a full restart (not a
# reload) for the hosts/TLS settings to take effect.
systemctl restart docker.service
使用 root 用户执行（下面的 ~/.docker 即 /root/.docker；客户端证书 cert.pem/key.pem 等同于 daemon 的 root 权限，请勿随意分发）。
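# Sanity check from the host itself as root (~/.docker = /root/.docker).
# https:// is explicit — without it curl sends plain HTTP to a TLS port
# and only gets a TLS alert back — and -k is gone: with -k curl does NOT
# validate the server certificate, which hides a broken ca.pem/SAN setup.
curl --cacert ~/.docker/ca.pem --cert ~/.docker/cert.pem --key ~/.docker/key.pem \
  https://127.0.0.1:2376/images/json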
或
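# Same check from another machine after copying ca.pem, cert.pem and
# key.pem there (keep key.pem 0400 — it is a root credential for the
# daemon). Connect to the address that is in the server certificate
# (COMMON_NAME / SAN); 192.168.72.166 is the example address from the
# notes above. Again no -k: the certificate is meant to be verified.
curl --cacert ~/.docker/ca.pem --cert ~/.docker/cert.pem --key ~/.docker/key.pem \
  https://192.168.72.166:2376/images/json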
命令
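# --tlsverify (not just --tls) makes the CLI validate the server
# certificate against ~/.docker/ca.pem and present cert.pem/key.pem;
# --tls alone only encrypts. The port is spelled out because the CLI's
# default differs (2375 without TLS, 2376 with TLS). Verification of
# 127.0.0.1 needs the server certificate to carry that address in its SAN.
docker --tlsverify -H tcp://127.0.0.1:2376 ps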
例子（docker 客户端不带 --tls 时默认端口是 2375，带 --tls/--tlsverify 时是 2376；下面第一条命令的报错，是明文 HTTP 请求打到了一个启用了 TLS 的端口后收到的 TLS alert）
[root@localhost ~]# docker -H 127.0.0.1 ps
Get 127.0.0.1:2375/v1.26/containers/json: net/http: HTTP/1.x transport connection broken: malformed HTTP response "x15x03x01x00x02x02".
* Are you trying to connect to a TLS-enabled daemon without TLS?
# 正常（注意：--tls 只加密，不校验服务器证书；要真正校验请用 --tlsverify，并确保服务器证书的 SAN 包含所连接的地址）
[root@localhost ~]# docker --tls -H 127.0.0.1 ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
089aaa126aa8 kibana:6.8.2 "/usr/local/" 29 hours ago Up 40 minutes 0.0.0.0:5601->5601/tcp kibana
2047a90b277b elasticsearch:6.8.2 "/usr/local/" 29 hours ago Up 40 minutes 0.0.0.0:9200->9200/tcp, 0.0.0.0:9300->9300/tcp elasticsearch
2baaae6c4d9f dimmaryanto93/logstash-input-jdbc-mysql:6.6.0 "/usr/local/" 2 days ago Up 40 minutes 0.0.0.0:5044->5044/tcp, 0.0.0.0:9600->9600/tcp logstash6-mysql
d9a998876509 redis:5.0.5 " 6 days ago Up 40 minutes 0.0.0.0:6379->6379/tcp some-redis
e4722d3396c6 zookeeper:3.5.5