Docker-TLS encrypted communication

1, TLS encrypted communication

In the company's Docker deployment, to prevent link hijacking, session hijacking and similar attacks from letting a man-in-the-middle intercept Docker traffic, both ends of the client/server (C/S) connection should communicate over an encrypted channel.

If the company uses its own image registry, this step can be skipped; otherwise you must at least verify checksums such as the md5 of the base image, and only build on the base image once it has been confirmed to match.
In general, make sure that images are pulled only from a trusted registry: the --insecure-registry=[] daemon parameter is not recommended, and a private Harbor registry is.

2, Build deployment

2.1 Build environment

Docker CE is installed on both virtual machines.

Server server-

Client client -----

2.2 Server deployment

[1] Change the host name and the hosts file
hostnamectl set-hostname master

vim /etc/hosts   # add a line mapping the server IP to master

ping master   # must resolve

[2] Create the tls directory
mkdir /root/tls
cd /root/tls/

[3] Create the CA private key----ca-key.pem   # -aes256 encrypts the key with AES-256; 4096 is the key length
openssl genrsa -aes256 -out ca-key.pem 4096   # enter the passphrase 123123

[4] Create the CA certificate----ca.pem   # -sha256 is the signature hash algorithm
openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem   # enter the passphrase 123123

[5] Create the server private key----server-key.pem
openssl genrsa -out server-key.pem 4096

[6] Create the server certificate signing request----server.csr
openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr

[7] Sign the request with the CA certificate and CA key to create the server certificate----server-cert.pem
openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem

[8] Generate the client key----key.pem
openssl genrsa -out key.pem 4096

[9] Generate the client certificate signing request----client.csr
openssl req -subj "/CN=client" -new -key key.pem -out client.csr

[10] Create the extensions file----extfile.cnf (restricts the certificate to client authentication)
echo extendedKeyUsage=clientAuth > extfile.cnf

[11] Create the signed client certificate----cert.pem (needs the client CSR, the CA certificate and the CA key)
openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf

[12] Delete the files that are no longer needed
rm -rf client.csr extfile.cnf server.csr

[13] Edit the docker systemd unit and restart the service
vim /usr/lib/systemd/system/docker.service
# Comment out the original ExecStart (line 14) and add the TLS one below it;
# with --tlsverify, -H tcp:// listens on 0.0.0.0:2376
#ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/root/tls/ca.pem --tlscert=/root/tls/server-cert.pem --tlskey=/root/tls/server-key.pem -H tcp:// -H unix:///var/run/docker.sock

systemctl daemon-reload
systemctl restart docker

# Check that dockerd is listening on the TCP port
netstat -anpt | grep dockerd

[14] Copy the CA certificate (ca.pem), the signed client certificate (cert.pem) and the client key (key.pem) to the client's /etc/docker directory so that the client can authenticate with them
scp ca.pem root@
scp cert.pem root@
scp key.pem root@

2.3 Client deployment and TLS verification

[1] Change the host name and the hosts file
hostnamectl set-hostname client
vi /etc/hosts   # append a line mapping the server IP to master

[2] Query the server's Docker version from the client
# run from /etc/docker, where the certificates were copied in step [14]
cd /etc/docker/
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2376 version

Tags: Linux Docker OpenSSL vim Session

Posted on Wed, 29 Apr 2020 08:44:41 -0700 by Sneo