环境:IntelliJ IDEA 2018.1.6 x64、CentOS 7
<>一、无CA认证
<>1、修改服务器配置,开放Docker的远程连接访问
[root@localhost ~]# vim /usr/lib/systemd/system/docker.service
<>将ExecStart属性value值改为
/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix://var/run/docker.sock
<>2、重启docker
[root@localhost ~]# systemctl daemon-reload [root@localhost ~]# systemctl
restart docker
<>3、开放防火墙2375端口
[root@localhost ~]# /sbin/iptables -I INPUT -p tcp --dport 2375 -j ACCEPT [
root@localhost ~]# iptables-save # Generated by iptables-save v1.4.21 on Wed
Oct 17 09:33:07 2018 *nat :PREROUTING ACCEPT [31:5206] :INPUT ACCEPT [31:5206]
:OUTPUT ACCEPT[4:304] :POSTROUTING ACCEPT [4:304] :DOCKER - [0:0] -A PREROUTING
-m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT! -d 127.0.0.0/8 -m addrtype
--dst-type LOCAL -j DOCKER -A POSTROUTING -s 172.17.0.0/16! -o docker0 -j
MASQUERADE -A DOCKER -i docker0 -j RETURN COMMIT# Completed on Wed Oct 17
09:33:07 2018 # Generated by iptables-save v1.4.21 on Wed Oct 17 09:33:07 2018
*filter :INPUT ACCEPT[24:4973] :FORWARD DROP [0:0] :OUTPUT ACCEPT [3:340]
:DOCKER -[0:0] :DOCKER-ISOLATION-STAGE-1 - [0:0] :DOCKER-ISOLATION-STAGE-2 - [
0:0] :DOCKER-USER - [0:0] -A INPUT -p tcp -m tcp --dport 2375 -j ACCEPT -A
FORWARD -j DOCKER-USER -A FORWARD -j DOCKER-ISOLATION-STAGE-1 -A FORWARD -o
docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o
docker0 -j DOCKER -A FORWARD -i docker0! -o docker0 -j ACCEPT -A FORWARD -i
docker0 -o docker0 -j ACCEPT -A DOCKER-ISOLATION-STAGE-1 -i docker0! -o docker0
-j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -j RETURN -A
DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP -A DOCKER-ISOLATION-STAGE-2 -j
RETURN -A DOCKER-USER -j RETURN COMMIT# Completed on Wed Oct 17 09:33:07 2018
<>4、随便写个接口,等会进行测试
<>5、idea安装docker integration插件
<>插件安装完成重启idea后可以看到底部多了个docker标志
<>5、接下来给项目打成jar包
<>6、然后编写DockerFile
我这里找了个相对比较小的jdk,是在官方镜像库找到的
也可以在国内的镜像库里找,如:FROM hub.c.163.com/library/java:8-jre
FROM 99taxis/mini-java8 ADD target/*.jar idea-docker-deploy.jar EXPOSE 8765
ENTRYPOINT ["java", "-jar", "idea-docker-deploy.jar"]
项目右键新建一个没有后缀的File
<>7、接下来配置idea一键部署
<>选中第一个
<>如图进行填写
<>8、运行容器
<>可以看到相应的日志
<>9、访问接口
<>成功
<>也可以在服务器上打命令查看
[root@localhost ~]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE
idea-docker-deploy latest 0b9861752b28 11 minutes ago 210MB
registry.cn-hangzhou.aliyuncs.com/zhaoyoung/mycentos 1.1 de8fc9f45769 26 hours
ago 455MB mycentos 1.1 de8fc9f45769 26 hours ago 455MB zhaoyoungtomcat9 latest
124517434916 45 hours ago 751MB myip_son latest 6c9507aea358 3 days ago 398MB
myip_father latest 2c22e721607a 3 days ago 299MB myip2 latest dcbb4656e640 3
days ago 299MB myip latest 9e3c14f76b1d 3 days ago 299MB mycentos 1.0
c2d4f6acb9af 4 days ago 455MB zhaoyoung/nodocstomcat 1.0 84498728984a 6 days
ago 463MB centos latest 75835a67d134 7 days ago 200MB redis 3.2 a17eb18b1c62 2
weeks ago 76MB tomcat latest 41a54fe1f79d 4 weeks ago 463MB hello-world latest
4ab4c602aa5e 5 weeks ago 1.84kB mysql 5.6 1f47fade220d 6 weeks ago 256MB
99taxis/mini-java8 latest 45f8a8f0a77a 16 months ago 194MB[root@localhost ~]#
docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 3f9cc9e975bb
0b9861752b28"java -jar idea-dock…" 11 minutes ago Up 11 minutes 0.0.0.0:8765->
8765/tcp idea-docker-deploy
<>二、Docker CA认证
前面提到的配置是允许所有人都可以访问的,因为docker默认是root权限的,你把2375端口暴露在外面,意味着别人随时都可以提取到你服务器的root权限,是很容易被黑客黑的,因此,docker官方推荐使用加密的tcp连接,以Https的方式与客户端建立连接
<>官方demo
<https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl>
<>1、创建ca文件夹,存放CA私钥和公钥
[root@localhost ~]# mkdir -p /usr/local/ca [root@localhost ~]# cd
/usr/local/ca/
<>2、创建密码
需要连续输入两次相同的密码
[root@localhost ca]# openssl genrsa -aes256 -out ca-key.pem 4096 Generating
RSA private key, 4096 bit long modulus...................++ ....................
................................................................................
................................................................................
................................................................................
................................................................................
......++ e is 65537 (0x10001) Enter pass phrase for ca-key.pem: Verifying -
Enter pass phrasefor ca-key.pem:
<>3、依次输入密码、国家、省、市、组织名称等
[root@localhost ca]# openssl req -new -x509 -days 365 -key ca-key.pem -sha256
-out ca.pem Enter pass phrase for ca-key.pem: Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated into
your certificate request. What you are about to enter is what is called a
Distinguished Name or a DN. There are quite a few fields but you can leave some
blank For some fields there will be a default value, If you enter'.', the field
will be left blank. ----- Country Name(2 letter code) [XX]:CN State or Province
Name(full name) []:zj Locality Name (eg, city) [Default City]:hz Organization
Name(eg, company) [Default Company Ltd]:qdsg Organizational Unit Name (eg,
section) []:qdsg Common Name (eg, your name or your server's hostname) []:qdsg
Email Address[]:[email protected] [root@localhost ca]# openssl genrsa -out
server-key.pem 4096 Generating RSA private key, 4096 bit long modulus ..........
.................++ ................++ e is 65537 (0x10001)
<>4、生成server-key.pem
[root@localhost ca]# openssl genrsa -out server-key.pem 4096 Generating RSA
private key, 4096 bit long modulus..............................................
................................................................................
...................++ .................................................++ e is
65537(0x10001)
<>5、把下面的$Host换成你自己服务器外网的IP或者域名
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
比如
openssl req -subj "/CN=192.168.1.106" -sha256 -new -key server-key.pem -out
server.csr
或
openssl req -subj "/CN=www.baidu.com" -sha256 -new -key server-key.pem -out
server.csr
我这里使用局域网进行测试
[root@localhost ca]# openssl req -subj "/CN=192.168.1.106" -sha256 -new -key
server-key.pem -out server.csr
<>6、配置白名单
也就是你接下来要允许那些ip可以连接到服务器的docker,因为已经是ssl连接,所以我推荐配置0.0.0.0,也就是所有ip都可以连接(但只有拥有证书的才可以连接成功),这样配置好之后公司其他人也可以使用。如果你不想这样,那你可以配置ip,用逗号分隔开。下面的$Host依旧是你服务器外网的IP或者域名,请自行替换。
<>注意!!!!这里我踩了坑
<>如果你填写的是ip地址的话命令如下echo subjectAltName = IP:$HOST,IP:0.0.0.0 >> extfile.cnf
<>如果你填写的是域名的话命令如下 echo subjectAltName = DNS:$HOST,IP:0.0.0.0 >> extfile.cnf
我这里使用局域网进行测试
[root@localhost ca]# echo subjectAltName = IP:192.168.1.106,IP:0.0.0.0 >>
extfile.cnf
<>7、执行命令,将Docker守护程序密钥的扩展使用属性设置为仅用于服务器身份验证
[root@localhost ca]# echo extendedKeyUsage = serverAuth >> extfile.cnf
<>8、执行命令,并输入之前设置的密码,生成签名证书
[root@localhost ca]# openssl x509 -req -days 365 -sha256 -in server.csr -CA
ca.pem -CAkey ca-key.pem \-CAcreateserial -out server-cert.pem -extfile
extfile.cnf Signature ok subject=/CN=192.168.1.106 Getting CA Private Key Enter
pass phrasefor ca-key.pem:
<>9、生成客户端的key.pem,到时候把生成好的几个公钥私钥拷出去即可
[root@localhost ca]# openssl genrsa -out key.pem 4096 Generating RSA private
key, 4096 bit long modulus......................................................
................................................................................
................................................................................
................................................................................
.....................................................................++ ........
................................................................................
..............................................++ e is 65537 (0x10001)
<>10、执行命令
[root@localhost ca]# openssl req -subj '/CN=client' -new -key key.pem -out
client.csr
<>11、执行命令,要使密钥适合客户端身份验证,请创建扩展配置文件
[root@localhost ca]# echo extendedKeyUsage = clientAuth >> extfile.cnf
<>12、生成cert.pem,需要输入前面设置的密码,生成签名证书
[root@localhost ca]# openssl x509 -req -days 365 -sha256 -in client.csr -CA
ca.pem -CAkey ca-key.pem \-CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok subject=/CN=client Getting CA Private Key Enter pass phrase for
ca-key.pem:
<>13、删除不需要的文件,两个证书签名请求
[root@localhost ca]# rm -v client.csr server.csr rm:是否删除普通文件 "client.csr"?y 已删除
"client.csr"
<>14、修改权限,要保护您的密钥免受意外损坏,请删除其写入权限。要使它们只能被您读取,更改文件模式
[root@localhost ca]# chmod -v 0400 ca-key.pem key.pem server-key.pem mode of
"ca-key.pem" changed from 0644 (rw-r--r--) to 0400 (r--------) mode of "key.pem"
changed from 0644(rw-r--r--) to 0400 (r--------) mode of "server-key.pem"
changed from 0644(rw-r--r--) to 0400 (r--------)
<>证书可以是对外可读的,删除写入权限以防止意外损坏
[root@localhost ca]# chmod -v 0444 ca.pem server-cert.pem cert.pem mode of
"ca.pem" changed from 0644 (rw-r--r--) to 0444 (r--r--r--) mode of
"server-cert.pem" changed from 0644 (rw-r--r--) to 0444 (r--r--r--) mode of
"cert.pem" changed from 0644 (rw-r--r--) to 0444 (r--r--r--)
<>15、归集服务器证书
[root@localhost ca]# cp server-*.pem /etc/docker/ [root@localhost ca]# cp
ca.pem /etc/docker/
<>16、修改Docker配置,使Docker守护程序仅接受来自提供CA信任的证书的客户端的连接
[root@localhost ca]# vim /lib/systemd/system/docker.service
将
ExecStart=/usr/bin/dockerd
替换为:
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert
=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H
tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock
<>17、重新加载daemon并重启docker
[root@localhost ~]# systemctl daemon-reload [root@localhost ~]# systemctl
restart docker
<>18、开放2376端口
[root@localhost ca]# /sbin/iptables -I INPUT -p tcp --dport 2376 -j ACCEPT [
root@localhost ca]# iptables-save # Generated by iptables-save v1.4.21 on Wed
Oct 17 14:47:38 2018 *nat :PREROUTING ACCEPT [225:14836] :INPUT ACCEPT [
225:14836] :OUTPUT ACCEPT [1:76] :POSTROUTING ACCEPT [1:76] :DOCKER - [0:0] -A
PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT! -d 127.0.0.0/8 -m
addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 172.17.0.0/16! -o docker0
-j MASQUERADE -A DOCKER -i docker0 -j RETURN COMMIT# Completed on Wed Oct 17
14:47:38 2018 # Generated by iptables-save v1.4.21 on Wed Oct 17 14:47:38 2018
*filter :INPUT ACCEPT[8:2858] :FORWARD DROP [0:0] :OUTPUT ACCEPT [39:30400]
:DOCKER -[0:0] :DOCKER-ISOLATION-STAGE-1 - [0:0] :DOCKER-ISOLATION-STAGE-2 - [
0:0] :DOCKER-USER - [0:0] -A INPUT -p tcp -m tcp --dport 2376 -j ACCEPT -A
INPUT -p tcp -m tcp --dport 2375 -j ACCEPT -A FORWARD -j DOCKER-USER -A FORWARD
-j DOCKER-ISOLATION-STAGE-1 -A FORWARD -o docker0 -m conntrack --ctstate
RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o docker0 -j DOCKER -A FORWARD -i
docker0! -o docker0 -j ACCEPT -A FORWARD -i docker0 -o docker0 -j ACCEPT -A
DOCKER-ISOLATION-STAGE-1 -i docker0! -o docker0 -j DOCKER-ISOLATION-STAGE-2 -A
DOCKER-ISOLATION-STAGE-1 -j RETURN -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j
DROP -A DOCKER-ISOLATION-STAGE-2 -j RETURN -A DOCKER-USER -j RETURN COMMIT#
Completed on Wed Oct 17 14:47:38 2018
<>19、重启docker
[root@localhost ca]# service docker restart
<>20、保存相关客户端的pem文件到本地
<>21、idea的配置
<>22、若出现以下错误,请查看前面的步骤是否遗漏或出错
<>本文借鉴同事的博客 <https://blog.csdn.net/lovexiaotaozi/article/details/82797236>
,并以自己的实践进行记录,感谢同事~
热门工具 换一换