docker远程访问TLS证书认证shell

docker开启远程访问端口，防止非法访问

配置证书认证
配置防火墙或安全策略

#!/bin/bash
# docker.tls.sh
# 环境centos 7 ,root
# 创建 Docker TLS 证书

##########配置信息

Port=2376
Node=$(hostname)
IP=$(ip add|sed -nr  's#^.*inet (.*)/[1-9].*(ens|eth).*$#\1#gp')
PASSWORD="88888888"
COUNTRY="CN"
STATE="Shanghai"
CITY="Shanghai"
ORGANIZATION="Elven"
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
EMAIL="228@elven.vip"

##########生成证书

# Generate CA key
openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "ca-key_$Node.pem" 4096  &>/dev/null
# Generate CA
openssl req -new -x509 -days 730 -key "ca-key_$Node.pem" -sha256 -out "ca_$Node.pem" -passin "pass:$PASSWORD" -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"  &>/dev/null

echo "#Server"
# Generate Server key
openssl genrsa -out "server-key_$Node.pem" 4096  &>/dev/null
# Generate Server Certs.
openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key_$Node.pem" -out server.csr
echo "subjectAltName = IP:$IP,IP:127.0.0.1" >> extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf
openssl x509 -req -days 730 -sha256 -in server.csr -passin "pass:$PASSWORD" -CA "ca_$Node.pem" -CAkey "ca-key_$Node.pem" -CAcreateserial -out "server-cert_$Node.pem" -extfile extfile.cnf

echo "#Client"
openssl genrsa -out "client-key_$Node.pem" 4096  &>/dev/null
openssl req -subj '/CN=client' -new -key "client-key_$Node.pem" -out client.csr
echo extendedKeyUsage = clientAuth >> extfile.cnf
openssl x509 -req -days 730 -sha256 -in client.csr -passin "pass:$PASSWORD" -CA "ca_$Node.pem" -CAkey "ca-key_$Node.pem" -CAcreateserial -out "client-cert_$Node.pem" -extfile extfile.cnf

chmod  0400  "client-key_$Node.pem" "server-key_$Node.pem"
chmod  0444 "ca_$Node.pem" "server-cert_$Node.pem" "client-cert_$Node.pem"

##########docker配置
echo  
echo "#拷贝证书"
#服务端证书
mkdir -p ~/.docker
cp -avf "ca_$Node.pem" "server-cert_$Node.pem" "server-key_$Node.pem" ~/.docker
#客户端证书文件
cp -avf "client-cert_$Node.pem" "client-key_$Node.pem" ~/.docker/
# 打包客户端证书
tar -zcf docker-tls-client_$Node.tar.gz ca_$Node.pem client-cert_$Node.pem client-key_$Node.pem
cp -af docker-tls-client_$Node.tar.gz  ~/.docker/
ls -hl $(pwd)/docker-tls*

echo  
echo "#修改docker启动项 /lib/systemd/system/docker.service"
SetOPTS=" --tls \
--tlscacert=$HOME/.docker/ca_${Node}.pem \
--tlscert=$HOME/.docker/server-cert_${Node}.pem  \
--tlskey=$HOME/.docker/server-key_${Node}.pem \
-H 0.0.0.0:${Port} "
sed  -i "s#^ExecStart.*#& $SetOPTS #" /lib/systemd/system/docker.service
grep '^ExecStart' /lib/systemd/system/docker.service
systemctl daemon-reload

echo  
echo "#客户端远程连接"
echo "docker -H $IP:${Port} --tlsverify --tlscacert ~/.docker/ca_$Node.pem --tlscert ~/.docker/client-cert_$Node.pem --tlskey ~/.docker/client-key_$Node.pem ps -a"
echo "#客户端使用curl连接"
echo "curl --cacert ~/.docker/ca_$Node.pem --cert ~/.docker/client-cert_$Node.pem --key ~/.docker/client-key_$Node.pem https://$IP:${Port}/containers/json"

#clean
rm -f ca*.srl *.pem *.cnf *.csr

echo  
echo -e "\e[1;32m#重启docker生效
systemctl restart  docker
\e[0m"
#

posted @ 2019-06-01 12:53 blog-elvin-vip 阅读(2142) 评论(0) 编辑收藏举报

会员力量，点亮园子希望

刷新页面返回顶部

Elvin笔记分享 | Elvin's notes to share

Linux运维工程师, 专注于DevOps和Kubernets, 已在腾讯云、阿里云、AWS运行k8s生产环境
Linux Operation Engineer, Focusing on DevOps and Kubernets, K8s production env has been running in Tencent Cloud, Alibaba Cloud and AWS.

docker远程访问TLS证书认证shell

公告

Elvin笔记分享 | Elvin's notes to share

Linux运维工程师, 专注于DevOps和Kubernets, 已在腾讯云、阿里云、AWS运行k8s生产环境 Linux Operation Engineer, Focusing on DevOps and Kubernets, K8s production env has been running in Tencent Cloud, Alibaba Cloud and AWS.

docker远程访问TLS证书认证shell

公告

Linux运维工程师, 专注于DevOps和Kubernets, 已在腾讯云、阿里云、AWS运行k8s生产环境
Linux Operation Engineer, Focusing on DevOps and Kubernets, K8s production env has been running in Tencent Cloud, Alibaba Cloud and AWS.