欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

Docker容器----TLS加密通讯

程序员文章站 2022-06-03 14:26:18
...

一、TLS加密通信

在公司的docker业务中,一般为了防止链路劫持、会话劫持等问题导致docker通信时
被中间人攻击,C/S两端应该通过加密方式通讯。

二、搭建部署

2.1、搭建环境

两台虚拟机都安装了 docker-ce。
server端-----192.168.100.136
client端------192.168.100.131

2.2、server端部署

//修改主机名
[aaa@qq.com ~]# hostnamectl set-hostname master
[aaa@qq.com ~]# su
//关闭防火墙
[aaa@qq.com ~]# systemctl stop firewalld
[aaa@qq.com ~]# mkdir /root/tls
[aaa@qq.com ~]# cd /root/tls/

//创建ca密码----ca-key.pem
[aaa@qq.com tls]# openssl genrsa -aes256 -out ca-key.pem 4096  #-aes256指**长度

Docker容器----TLS加密通讯

//创建ca证书----ca.pem
[aaa@qq.com tls]# openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem  
#-sha256 指哈希算法

Docker容器----TLS加密通讯

//1、创建服务器私钥----server-key.pem
[aaa@qq.com tls]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
......................++
...........................................................................................................................................++
e is 65537 (0x10001)
[aaa@qq.com tls]# ls
ca-key.pem  ca.pem  server-key.pem

//2、创建私钥签名----server.csr
[aaa@qq.com tls]# openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
[aaa@qq.com tls]# ls
ca-key.pem  ca.pem  server.csr  server-key.pem

//3、使用ca证书与私钥签名,创建server-cert.pem,生成ca.srl
[aaa@qq.com tls]# openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
Signature ok
subject=/CN=*
Getting CA Private Key
Enter pass phrase for ca-key.pem:      #输入密码123123
[aaa@qq.com tls]# ls
ca-key.pem  ca.pem  ca.srl  server-cert.pem  server.csr  server-key.pem

Docker容器----TLS加密通讯

//生成客户端**----key.pem
[aaa@qq.com tls]# openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
...........++
............................................++
e is 65537 (0x10001)
[aaa@qq.com tls]# ls
ca-key.pem  ca.srl   server-cert.pem  server-key.pem
ca.pem      key.pem  server.csr

//生成客户端签名----client.csr
[aaa@qq.com tls]# openssl req -subj "/CN=client" -new -key key.pem -out client.csr
[aaa@qq.com tls]# ls
ca-key.pem  ca.srl      key.pem          server.csr
ca.pem      client.csr  server-cert.pem  server-key.pem

//创建配置文件----extfile.cnf
[aaa@qq.com tls]# echo extendedKeyUsage=clientAuth > extfile.cnf
[aaa@qq.com tls]# ls
ca-key.pem  ca.srl      extfile.cnf  server-cert.pem  server-key.pem
ca.pem      client.csr  key.pem      server.csr

//创建签名证书----cert.pem
[aaa@qq.com tls]# openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:     #输入密码123123
[aaa@qq.com tls]# ls
ca-key.pem  ca.srl    client.csr   key.pem          server.csr
ca.pem      cert.pem  extfile.cnf  server-cert.pem  server-key.pem

//修改docker的配置文件,并且重启服务
[aaa@qq.com tls]# vi /usr/lib/systemd/system/docker.service
#ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/root/tls/ca.pem --tlscert=/root/tls/server-cert.pem --tlskey=/root/tls/server-key.pem -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

[aaa@qq.com tls]# systemctl daemon-reload
[aaa@qq.com tls]# systemctl restart docker

将(ca.pem)ca证书、(cert.pem)签名证书、(key.pem)客户端**复制到client的/etc/docker目录下,使client客户端可以通过证书来访问

scp ca.pem aaa@qq.com:/etc/docker/
scp cert.pem aaa@qq.com:/etc/docker/
scp key.pem aaa@qq.com:/etc/docker/

2.3client部署基本环境,且验证TLS

//更改主机名和hosts文件
[aaa@qq.com ~]# hostnamectl set-hostname client
[aaa@qq.com ~]# su
[aaa@qq.com ~]# vi /etc/hosts
192.168.100.136 master
 
[aaa@qq.com ~]# cd /etc/docker/
[aaa@qq.com docker]# ls
ca.pem  cert.pem  daemon.json  key.json  key.pem

[aaa@qq.com ~]# cd /etc/docker/        ##需要进入/etc/docker这个目录才可以执行下列命令
//查看server端的docker版本
[aaa@qq.com docker]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2375 version

Docker容器----TLS加密通讯

//查看server端的images镜像
[aaa@qq.com docker]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2375 images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              602e111c06b6        2 days ago          127MB