DOCKER_TLS_VERIFY, DOCKER_HOST, and DOCKER_CERT_PATH on Ubuntu
If DOCKER_TLS_VERIFY, DOCKER_HOST and DOCKER_CERT_PATH are not set on Ubuntu, what are the default values that I should export myself (I am not using Docker Machine)?

ps aux | grep "docker daemon"

returns this:

root 1828 2.4 0.5 764036 44804 ? Ssl 21:32 0:01 /usr/bin/docker daemon --raw-logs
alexzei+ 6557 0.0 0.0 15948 2268 pts/15 S+ 21:33 0:00 grep --color=auto docker daemon
You can try this:

If you are working with applications like Apache Maven that expect settings for DOCKER_HOST and DOCKER_CERT_PATH environment variables, specify these to connect to Docker instances through Unix sockets. For example:

export DOCKER_HOST=unix:///var/run/docker.sock
Use

export DOCKER_TLS_VERIFY="1"
export DOCKER_HOST="tcp://0.0.0.0:2376"
export DOCKER_CERT_PATH="/etc/docker/server.pem"

You can find out the values on your system with

ps aux | grep "docker daemon"

For example, in my case I get

root 25161 0.0 1.8 545784 38496 ? Ssl 07:11 0:00 /usr/bin/docker daemon -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --storage-driver aufs --tlsverify --tlscacert /etc/docker/ca.pem --tlscert /etc/docker/server.pem --tlskey /etc/docker/server-key.pem --label provider=amazonec2

But you may have to use sudo to run docker:

sudo docker ps
The defaults are unset; the docker CLI falls back to /var/run/docker.sock and/or systemd. However, based on your comment to ldg, you have an application that requires these to be set, which suggests it expects you to configure TLS on the host for remote access. Here are the steps to configure the TLS keys:

Set up the CA
# work in a secure folder
mkdir docker-ca && chmod 700 docker-ca && cd docker-ca
# generate a key pair for the CA
openssl genrsa -aes256 -out ca-key.pem 2048
# setup CA certificate
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
# make sure to set CN
Server certificate
# generate a new host key pair
openssl genrsa -out myserver-key.pem 2048
# generate certificate signing request (CSR)
openssl req -subj "/CN=myserver" -new -key myserver-key.pem -out myserver.csr
# setup extfile for ip's to allow
echo "subjectAltName = IP:$myserver_ip, IP:127.0.0.1" >extfile.cnf
# sign the key by the CA
openssl x509 -req -days 365 -in myserver.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out myserver-cert.pem -extfile extfile.cnf
# test server by updating service:
/usr/bin/docker daemon -H fd:// -H tcp://0.0.0.0:2376 --tlsverify \
--tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/myserver-cert.pem \
--tlskey=/etc/docker/myserver-key.pem
You will need to update your OS startup script for Docker to include the above (using -H unix:/var/run/docker.sock instead of -H fd:// if you are not on systemd).

Client certificate

In ".docker" you can add ca.pem, key.pem and cert.pem, then export DOCKER_TLS_VERIFY=1
# create a client key pair
openssl genrsa -out client-key.pem 2048
# generate csr for client key
openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
# configure request to support client
echo extendedKeyUsage = clientAuth >extfile.cnf
# sign the client key with the CA
openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out client-cert.pem -extfile extfile.cnf
# test client with
docker --tlsverify \
--tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem \
-H=tcp://127.0.0.1:2376 info

Then DOCKER_CERT_PATH would be the folder containing your certificates, e.g. /home/user/.docker.
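The CA, server and client steps above, run non-interactively in a scratch directory and followed by the checks worth making before the files are copied into DOCKER_CERT_PATH: both certificates chain to the CA, the client certificate carries clientAuth, the server certificate names the IP the daemon is reached on, and the client key is not readable by others. This is an added example, not code from the answers; it assumes openssl on PATH, 127.0.0.1 as the only server IP, and a CA passphrase supplied through the CA_PASS variable (constructed default) instead of a prompt.

```shell
#!/bin/sh
set -eu

CA_PASS="${CA_PASS:-example-passphrase}"   # constructed value for the demo

# Generate CA, server and client material under "$1", then lay the client side
# out as ca.pem / cert.pem / key.pem, the names the docker CLI looks for.
make_docker_tls() {
    dir="$1"
    mkdir -p "$dir" && chmod 700 "$dir"
    (
    cd "$dir"
    # CA key pair and self-signed certificate (CN is set with -subj)
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca-key.pem -passin "pass:$CA_PASS" \
        -sha256 -subj "/CN=docker-ca" -out ca.pem
    # server key, CSR, and a SAN limited to the address the daemon listens on
    openssl genrsa -out myserver-key.pem 2048 2>/dev/null
    openssl req -subj "/CN=myserver" -new -key myserver-key.pem -out myserver.csr
    echo "subjectAltName = IP:127.0.0.1" >server-ext.cnf
    openssl x509 -req -days 365 -in myserver.csr -CA ca.pem -CAkey ca-key.pem \
        -passin "pass:$CA_PASS" -CAcreateserial -out myserver-cert.pem \
        -extfile server-ext.cnf 2>/dev/null
    # client key, CSR, and clientAuth EKU so the daemon accepts it for mutual TLS
    openssl genrsa -out client-key.pem 2048 2>/dev/null
    openssl req -subj "/CN=client" -new -key client-key.pem -out client.csr
    echo "extendedKeyUsage = clientAuth" >client-ext.cnf
    openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \
        -passin "pass:$CA_PASS" -CAcreateserial -out client-cert.pem \
        -extfile client-ext.cnf 2>/dev/null
    # DOCKER_CERT_PATH layout: ca.pem, cert.pem, key.pem
    mkdir -p dotdocker
    cp ca.pem dotdocker/ca.pem
    cp client-cert.pem dotdocker/cert.pem
    cp client-key.pem dotdocker/key.pem
    chmod 600 dotdocker/key.pem
    )
}

# Return 0 only if the generated material is usable and sane for --tlsverify.
check_docker_tls() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.pem" "$dir/myserver-cert.pem" >/dev/null || return 1
    openssl verify -CAfile "$dir/ca.pem" "$dir/dotdocker/cert.pem" >/dev/null || return 1
    openssl x509 -in "$dir/dotdocker/cert.pem" -noout -text \
        | grep -q "TLS Web Client Authentication" || return 1
    openssl x509 -in "$dir/myserver-cert.pem" -noout -text \
        | grep -q "IP Address:127.0.0.1" || return 1
    # the client key must not be readable by others
    [ -z "$(find "$dir/dotdocker/key.pem" -perm -o=r)" ] || return 1
}
```

Point DOCKER_CERT_PATH at the dotdocker directory and DOCKER_HOST at tcp://127.0.0.1:2376 to test against a daemon started with the --tlsverify flags shown above.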