Ryan

Docker 服务 TLS 证书全自动生成
之前学习Docker时发现Windows下的Docker竟然是二次虚拟化,网络使用很不正常,懒得调试了,就使用良心...
扫描右侧二维码阅读全文
16
2019/03

Docker 服务 TLS 证书全自动生成

之前学习Docker时发现Windows下的Docker竟然是二次虚拟化,网络使用很不正常,懒得调试了,就使用良心云装了个Docker-CE。然后通过本地在WSL中使用docker-cli进行连接操控。
但是今天看到文章http://www.91ri.org/15837.html,才发现自己给服务器开了个大后门,然后就按照官方指引弄了个把小时把TLS认证弄好(英文太烂)。于是搜了一下发现有大佬弄了一键脚本,亲自测试并小改了一下。现在分享给大家。

食用

1.保存脚本到~/.docker/tls.sh,注意修改配置信息,IP必须对(不支持域名),如有需求,请自行修改脚本

#!/bin/bash
# 
# Created by L.STONE <web.developer.network@gmail.com>
# Mod By Ryan.L <github-benzBrake@woai.ru>
# -------------------------------------------------------------
# 自动创建 Docker TLS 证书
# -------------------------------------------------------------

# 以下是配置信息
# Config start
IP="8.8.8.8"
PASSWORD="123456"
COUNTRY="CN"
STATE="Beijing"
CITY=""
ORGANIZATION="iPlayLoli"
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
EMAIL="github-benzBrake@woai.ru"
# Config end
# 工作目录
mkdir -p /etc/docker ~/.docker
cd ~/.docker
# 停止 docker
service docker stop
# 生成 CA 密钥
if [[ ! -f ca-key.pem ]]; then
    echo " - 生成 CA 密钥"
    openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "ca-key.pem" 4096
fi
# 生成 CA
if [[ ! -f ca.pem ]]; then
    echo " - 生成 CA"
    openssl req -new -x509 -days 365 -key "ca-key.pem" -sha256 -out "ca.pem" -passin "pass:$PASSWORD" -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"
fi
# 生成服务器密钥 & 服务器证书
if [[ ! -f server-key.pem ]]; then
    echo " - 生成服务器密钥"
    openssl genrsa -out "server-key.pem" 4096
fi
if [[ ! -f server.csr ]]; then
     openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key.pem" -out server.csr
fi
if [[ ! -f server-cert.pem ]]; then
    echo " - 生成服务器证书"
    echo "subjectAltName = IP:$IP,IP:127.0.0.1" >> extfile.cnf
    echo "extendedKeyUsage = serverAuth" >> extfile.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -passin "pass:$PASSWORD" -CA "ca.pem" -CAkey "ca-key.pem" -CAcreateserial -out "server-cert.pem" -extfile extfile.cnf
fi
rm -f extfile.cnf
# 生成客户端证书
if [[ ! -f key.pem ]]; then
    openssl genrsa -out "key.pem" 4096
fi
if [[ ! -f cert.pem ]]; then
    openssl req -subj '/CN=client' -new -key "key.pem" -out client.csr
    echo extendedKeyUsage = clientAuth >> extfile.cnf
    openssl x509 -req -days 365 -sha256 -in client.csr -passin "pass:$PASSWORD" -CA "ca.pem" -CAkey "ca-key.pem" -CAcreateserial -out "cert.pem" -extfile extfile.cnf
fi

chmod -v 0400 "ca-key.pem" "key.pem" "server-key.pem"
chmod -v 0444 "ca.pem" "server-cert.pem" "cert.pem"

# 打包客户端证书
echo " - 打包客户端证书为 tls-client-certs.tar.gz"
mkdir -p "tls-client-certs"
cp -f "ca.pem" "cert.pem" "key.pem" "tls-client-certs/"
cd "tls-client-certs"
tar zcf "tls-client-certs.tar.gz" *
mv "tls-client-certs.tar.gz" ../
cd ..
rm -rf "tls-client-certs"

# 拷贝服务端证书
mkdir -p /etc/docker/certs.d
cp -f "ca.pem" "server-cert.pem" "server-key.pem" /etc/docker/certs.d/
echo " - 修改 /etc/docker/daemon.json 文件"
if [[ -f /etc/docker/daemon.json ]]; then
    grep "/etc/docker/certs.d/server-key.pem" /etc/docker/daemon.json > /dev/null
    if [[ ! $? -eq 0 ]]; then
        cat >/etc/docker/daemon.json<<EOF
{
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs.d/ca.pem",
  "tlscert": "/etc/docker/certs.d/server-cert.pem",
  "tlskey": "/etc/docker/certs.d/server-key.pem",
  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"]
}
EOF
    fi
else
    cat >/etc/docker/daemon.json<<EOF
{
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs.d/ca.pem",
  "tlscert": "/etc/docker/certs.d/server-cert.pem",
  "tlskey": "/etc/docker/certs.d/server-key.pem",
  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"]
}
EOF
fi
# 覆盖启动参数,解决 docker 启动失败
if [[ ! -z $(command -v systemctl) ]];then
    mkdir -p /etc/systemd/system/docker.service.d
    if [[ ! -f /etc/systemd/system/docker.service.d/override.conf ]]; then
        cat >/etc/systemd/system/docker.service.d/override.conf<<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd
EOF
    fi
    systemctl daemon-reload
fi
# 清理
rm -vf client.csr server.csr extfile.cnf ca.srl server-cert.pem server-key.pem cert.pem
# 启动 docker
service docker start
# 客户端远程连接
echo "Connect to server via docker-cli:"
echo "docker -H $IP:2376 --tlsverify --tlscacert ~/.docker/ca.pem --tlscert ~/.docker/cert.pem --tlskey ~/.docker/key.pem ps -a"

# 客户端使用 cURL 连接
echo "Connect to server via curl:"
echo "curl --cacert ~/.docker/ca.pem --cert ~/.docker/cert.pem --key ~/.docker/key.pem https://$IP:2376/containers/json"

echo -e "\e[1;32mAll be done.\e[0m"

2.执行sh ~/.docker/tls.sh
3.下载~/.docker/tls-client-certs.tar.gz
4.放到你使用的WSL的~/.docker目录并解压
5.添加本地环境变量

echo "export DOCKER_HOST=tcp://IP地址:2376" >> ~/.docker/文件名
echo "export DOCKER_TLS_VERIFY=1" >> ~/.docker/文件名

6.连接前加载环境变量

source ~/.docker/文件名
docker image ls
REPOSITORY           TAG                 IMAGE ID            CREATED             SIZE
shadowsocks-client   latest              02704d124869        About an hour ago   18.3 MB
benzbrake/aira2      busybox             57dff08bd5d4        About an hour ago   8.58 MB
alpine               latest              5cb3aa00f899        8 days ago          5.53 MB
busybox              latest              d8233ab899d4        4 weeks ago         1.2 MB
progrium/busybox     latest              a67699e37dbd        5 months ago        4.8 MB
搬瓦工年付$187机房套餐补货了,电信联通优化,512M内存/500G流量/1G带宽,建站稳定,优惠码:BWH1ZBPVK,【点击购买】!
搬瓦工年付$28CN2高速线路,512M内存/500G流量/1G带宽,电信联通优化,延迟低,速度快,建站稳定,优惠码同上,【点击购买】!
Last modification:May 2nd, 2019 at 01:37 pm
If you think my article is useful to you, please feel free to appreciate

Leave a Comment