一、TLS加密通信
在公司的docker業務中,一般爲了防止鏈路劫持、會話劫持等問題導致docker通信時
被中間人攻擊,C/S兩端應該通過加密方式通訊。
二、搭建部署
2.1、搭建環境
兩臺虛擬機都安裝了 docker-ce。
server端-----192.168.100.136
client端------192.168.100.131
2.2、server端部署
//修改主機名
[root@localhost ~]# hostnamectl set-hostname master
[root@localhost ~]# su
//關閉防火牆
[root@master ~]# systemctl stop firewalld
[root@master ~]# mkdir /root/tls
[root@master ~]# cd /root/tls/
//創建ca密碼----ca-key.pem
[root@master tls]# openssl genrsa -aes256 -out ca-key.pem 4096 #-aes256指密鑰長度
//創建ca證書----ca.pem
[root@master tls]# openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
#-sha256 指哈希算法
//1、創建服務器私鑰----server-key.pem
[root@master tls]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
......................++
...........................................................................................................................................++
e is 65537 (0x10001)
[root@master tls]# ls
ca-key.pem ca.pem server-key.pem
//2、創建私鑰簽名----server.csr
[root@master tls]# openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
[root@master tls]# ls
ca-key.pem ca.pem server.csr server-key.pem
//3、使用ca證書與私鑰簽名,創建server-cert.pem,生成ca.srl
[root@master tls]# openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
Signature ok
subject=/CN=*
Getting CA Private Key
Enter pass phrase for ca-key.pem: #輸入密碼123123
[root@master tls]# ls
ca-key.pem ca.pem ca.srl server-cert.pem server.csr server-key.pem
//生成客戶端密鑰----key.pem
[root@master tls]# openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
...........++
............................................++
e is 65537 (0x10001)
[root@localhost tls]# ls
ca-key.pem ca.srl server-cert.pem server-key.pem
ca.pem key.pem server.csr
//生成客戶端簽名----client.csr
[root@master tls]# openssl req -subj "/CN=client" -new -key key.pem -out client.csr
[root@localhost tls]# ls
ca-key.pem ca.srl key.pem server.csr
ca.pem client.csr server-cert.pem server-key.pem
//創建配置文件----extfile.cnf
[root@master tls]# echo extendedKeyUsage=clientAuth > extfile.cnf
[root@localhost tls]# ls
ca-key.pem ca.srl extfile.cnf server-cert.pem server-key.pem
ca.pem client.csr key.pem server.csr
//創建簽名證書----cert.pem
[root@master tls]# openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem: #輸入密碼123123
[root@localhost tls]# ls
ca-key.pem ca.srl client.csr key.pem server.csr
ca.pem cert.pem extfile.cnf server-cert.pem server-key.pem
//修改docker的配置文件,並且重啓服務
[root@master tls]# vi /usr/lib/systemd/system/docker.service
#ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/root/tls/ca.pem --tlscert=/root/tls/server-cert.pem --tlskey=/root/tls/server-key.pem -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
[root@master tls]# systemctl daemon-reload
[root@master tls]# systemctl restart docker
將(ca.pem)ca證書、(cert.pem)簽名證書、(key.pem)客戶端密鑰複製到client的/etc/docker目錄下,使client客戶端可以通過證書來訪問
scp ca.pem [email protected]:/etc/docker/
scp cert.pem [email protected]:/etc/docker/
scp key.pem [email protected]:/etc/docker/
2.3client部署基本環境,且驗證TLS
//更改主機名和hosts文件
[root@client ~]# hostnamectl set-hostname client
[root@client ~]# su
[root@client ~]# vi /etc/hosts
192.168.100.136 master
[root@client ~]# cd /etc/docker/
[root@client docker]# ls
ca.pem cert.pem daemon.json key.json key.pem
[root@client ~]# cd /etc/docker/ ##需要進入/etc/docker這個目錄纔可以執行下列命令
//查看server端的docker版本
[root@client docker]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2375 version
//查看server端的images鏡像
[root@client docker]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2375 images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 602e111c06b6 2 days ago 127MB