http://www.javashuo.com/article/p-fwwdijpu-bg.html
承接上文,在生产中如何安全的连接docker主机呢?咱们采用TLS秘钥方式。
步骤:
第一部分:首先在docker主机上生成秘钥,保存到指定地方;
第二部分:在管理节点(portainer)上,指定上述秘钥,添加节点。node
具体实施过程:
第一部分代码以下linux
read -s PASSWORD //定义一个密码变量 read SERVER //注意主机名变量要与系统对应 cd /etc/docker //切换到生产密钥的目录 openssl genrsa -aes256 -passout pass:$PASSWORD -out ca-key.pem 2048 openssl genrsa -out server-key.pem 2048 openssl req -subj "/CN=$SERVER" -new -key server-key.pem -out server.csr openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem //注意主机名要与为上面的SERVER变量一致 openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:$PASSWORD" -CAcreateserial -out server-cert.pem openssl genrsa -out key.pem 2048 openssl req -subj '/CN=client' -new -key key.pem -out client.csr sh -c 'echo "extendedKeyUsage=clientAuth" > extfile.cnf' openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:$PASSWORD" -CAcreateserial -out cert.pem -extfile extfile.cnf chmod 0400 ca-key.pem key.pem server-key.pem //更改密钥权限 chmod 0444 ca.pem server-cert.pem cert.pem //更改密钥权限 rm client.csr server.csr //删除无用文件 sz {ca.pem,cert.pem,key.pem} //下载秘钥文件 /usr/bin/dockerd --tls \ //关闭docker,再运行此命令 --tlscacert=/etc/docker/ca.pem \ --tlscert=/etc/docker/server-cert.pem \ --tlskey=/etc/docker/server-key.pem \ -H 0.0.0.0:2376
原文参考:https://blog.csdn.net/bc_aptx4869/article/details/74984171git
第二部分在管理节点添加docker主机docker
测试是否联通centos
docker --tlsverify --tlscacert=/root/76/ca.pem --tlscert=/root/76/cert.pem --tlskey=/root/76/key.pem -H docker-node01:2376 version Client: Version: 1.13.1 API version: 1.26 Package version: docker-1.13.1-74.git6e3bb8e.el7.centos.x86_64 Go version: go1.9.4 Git commit: 6e3bb8e/1.13.1 Built: Tue Aug 21 15:23:37 2018 OS/Arch: linux/amd64 Server: Version: 1.13.1 API version: 1.26 (minimum version 1.12) Package version: docker-1.13.1-74.git6e3bb8e.el7.centos.x86_64 Go version: go1.9.4 Git commit: 6e3bb8e/1.13.1 Built: Tue Aug 21 15:23:37 2018 OS/Arch: linux/amd64 Experimental: false
最后总结一下使用状况:安全
欢迎你们多多给予修正与补充~~ide