- 生成证书
- ca key
openssl genrsa -aes256 -out ca-key.pem 4096- ca
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem- server key
openssl genrsa -out server-key.pem 4096- 生成server 证书
openssl req -subj "/CN=192.168.1.144" -sha256 -new -key server-key.pem -out server.csrecho subjectAltName = IP:192.168.1.144,IP:127.0.0.1 >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnfopenssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf- 生成client证书
rm extfile.cnfopenssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csrecho extendedKeyUsage = clientAuth >> extfile.cnfopenssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf rm -v client.csr server.csrchmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem不推荐用dockerd
dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376- 修改配置,使用证书
归集服务器证书
cp server-*.pem /etc/docker/
cp ca.pem /etc/docker/归集客户端证书
cp -v {ca,cert,key}.pem ~/.docker修改docker配置
vi /lib/systemd/system/docker.serviceExecStart=/usr/bin/dockerd
替换
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock重起docker
systemctl restart docker - centos 6.9
vi /etc/sysconfig/docker添加
OPTIONS='--selinux-enabled --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock'iptables 开端口
iptables -I INPUT -p tcp --dport 2376 -j ACCEPT
iptables -L -n
/etc/init.d/iptables save重起docker
service docker restart- 客户端使用
证书拷贝到本地
scp -r root@192.168.1.144:~/.docker/ .使用bash文件
#!/bin/sh
docker -H 192.168.1.144:2376 --tlsverify --tlscacert=/Users/jiangtao/myapp/192.168.1.144/ca.pem --tlscert=/Users/jiangtao/myapp/192.168.1.144/cert.pem --tlskey=/Users/jiangtao/myapp/192.168.1.144/key.pem $@出现
Error response from daemon: client is newer than server (client API version: 1.24, server API version: 1.19)
export DOCKER_API_VERSION=1.19版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请联系我们举报,一经查实,本站将立刻删除。
发布者:全栈程序员-站长,转载请注明出处:https://javaforall.net/100420.html原文链接:https://javaforall.net
