    Securing Docker with TLS certificates

    When the Docker daemon is exposed over TCP without TLS, anyone who can reach the port can drive it, and the daemon's API amounts to root on the host; this is extremely dangerous.

    This is exactly what happened to our Docker hosts on Alibaba Cloud: someone with bad intentions scanned the default ports 2375/2376, found them open, deployed mining software and paused our own service containers.

    Docker natively supports securing this with TLS certificates on both the client and the server side (mutual TLS).

    Creating the certificates

    Use openssl to create a CA and to sign the keys/certificates with it.

    First create a certs directory with three subdirectories: ca, client and server.

    $ mkdir -p ~/certs/{ca,client,server}
    

    Run openssl to create the CA key and certificate, saving them under ~/certs/ca. ca-key.pem is the root of trust for every certificate issued below: keep it readable only by its owner and off the Docker hosts themselves, which only ever need ca.pem.

    $ openssl genrsa -out ~/certs/ca/ca-key.pem 2048
    $ openssl req -x509 -new -nodes -key ~/certs/ca/ca-key.pem \
        -days 10000 -out ~/certs/ca/ca.pem -subj '/CN=docker-CA'
    

    Create an openssl config file for the client at ~/certs/client/openssl.cnf. Note that the extendedKeyUsage below allows both serverAuth and clientAuth; a client certificate only needs clientAuth, and leaving serverAuth out means a leaked client key cannot also be used to stand up a fake daemon.

    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    

    Then create an openssl config file for the server at ~/certs/server/openssl.cnf.

    The entries in alt_names are the addresses of the Docker server as the client will reach them, i.e. whatever is passed to -H. The client checks that the address it connected to appears in the server certificate's subjectAltName, so list every hostname and IP in use (several, if you run several Docker servers); an address missing here is rejected by the client even though the certificate is otherwise valid.

    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1 = docker.local
    IP.1 = 192.168.9.1
    IP.2 = 192.168.9.2
    

    Create and sign the client certificate

    $ openssl genrsa -out ~/certs/client/key.pem 2048
    $ openssl req -new -key ~/certs/client/key.pem -out ~/certs/client/cert.csr \
        -subj '/CN=docker-client' -config ~/certs/client/openssl.cnf
    $ openssl x509 -req -in ~/certs/client/cert.csr -CA ~/certs/ca/ca.pem \
        -CAkey ~/certs/ca/ca-key.pem -CAcreateserial \
        -out ~/certs/client/cert.pem -days 365 -extensions v3_req \
        -extfile ~/certs/client/openssl.cnf
    

    Create and sign the server certificate

    $ openssl genrsa -out ~/certs/server/key.pem 2048
    $ openssl req -new -key ~/certs/server/key.pem \
        -out ~/certs/server/cert.csr \
        -subj '/CN=docker-server' -config ~/certs/server/openssl.cnf
    $ openssl x509 -req -in ~/certs/server/cert.csr -CA ~/certs/ca/ca.pem \
        -CAkey ~/certs/ca/ca-key.pem -CAcreateserial \
        -out ~/certs/server/cert.pem -days 365 -extensions v3_req \
        -extfile ~/certs/server/openssl.cnf
    

    All certificates have now been created; the directory layout is:

    .
    ├── ca
    │   ├── ca-key.pem
    │   ├── ca.pem
    │   └── ca.srl
    ├── client
    │   ├── cert.csr
    │   ├── cert.pem
    │   ├── key.pem
    │   └── openssl.cnf
    └── server
        ├── cert.csr
        ├── cert.pem
        ├── key.pem
        └── openssl.cnf
    

    Configuring the TLS certificates in Docker

    Find the location of the unit file

    $ systemctl show --property=FragmentPath docker
    FragmentPath=/lib/systemd/system/docker.service
    

    Enable TLS in the unit file and point the daemon at the server certificate: copy the server cert.pem and key.pem generated above, together with ca.pem, to /etc/docker/ssl, then change ExecStart. The flag that matters is --tlsverify: it makes the daemon require a client certificate signed by ca.pem, whereas --tls alone only encrypts the connection and still lets anyone who can reach port 2376 control the daemon. Edits made directly to /lib/systemd/system/docker.service are overwritten by package upgrades; a drop-in created with `systemctl edit docker` (which must first reset the command with an empty `ExecStart=` line before the new one) survives them.

    ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --tlsverify --tlscacert=/etc/docker/ssl/ca.pem --tlscert=/etc/docker/ssl/cert.pem --tlskey=/etc/docker/ssl/key.pem
    

    Reload systemd and restart Docker

    $ sudo systemctl daemon-reload
    $ sudo systemctl restart docker
    

    The TLS configuration on the Docker server side is now complete.

    Using the TLS certificates from the client

    Accessing the Docker server without a TLS certificate

    $ docker -H tcp://192.168.9.1:2376 version
    Client:
     Version:      17.03.0-ce
     API version:  1.26
     Go version:   go1.7.5
     Git commit:   3a232c8
     Built:        Tue Feb 28 08:10:07 2017
     OS/Arch:      linux/amd64
    Get http://101.37.164.86:3257/v1.26/version: malformed HTTP response "\x15\x03\x01\x00\x02\x02".
    * Are you trying to connect to a TLS-enabled daemon without TLS?
    

    The bytes in the error are the beginning of a TLS alert record (0x15 = alert, 0x03 0x01 = record version, 0x00 0x02 = length, 0x02 = fatal): the daemon answered the plaintext HTTP request with a fatal TLS alert and closed the connection, so a client without TLS gets nothing out of it.

    Accessing the Docker server with the TLS certificate

    The client verifies the server certificate against ca.pem and presents its own cert.pem/key.pem; the paths below are relative to wherever the files were copied on the client machine. Equivalently, copy ca.pem, cert.pem and key.pem to ~/.docker/ and set DOCKER_HOST=tcp://192.168.9.1:2376 and DOCKER_TLS_VERIFY=1, after which plain docker commands use TLS without the extra flags.

    $ docker --tlsverify --tlscacert=./ca.pem   --tlscert=./client/cert.pem --tlskey=./client/key.pem -H tcp://192.168.9.1:2376 version
    Client:
     Version:      17.03.0-ce
     API version:  1.26
     Go version:   go1.7.5
     Git commit:   3a232c8
     Built:        Tue Feb 28 08:10:07 2017
     OS/Arch:      linux/amd64
    
    Server:
     Version:      17.03.1-ce
     API version:  1.27 (minimum version 1.12)
     Go version:   go1.7.5
     Git commit:   c6d412e
     Built:        Mon Mar 27 17:14:09 2017
     OS/Arch:      linux/amd64
     Experimental: false
    
    Original article: https://www.cnblogs.com/zooqkl/p/10345083.html