在上一篇文章中简单的进行docker的连接,但是会有暴露端口的漏洞存在,也就是说黑客获取了你的ip地址以及端口号以后可以对你的docker进行破坏(为所欲为),这种方式在实际项目中不可取,必须做安全连接,通过密钥的方式做认证。

如何在服务器上或者本地虚拟机上生成密钥文件可参考官方文档:https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl

或者跟着我的步骤

1.首先选择一个存放密钥文件的地方 我这里选择/home/user/certs来存放 /user/certs是我自己创建的  进到certs文件中运行openssl genrsa -aes256 -out ca-key.pem 4096 

[root@ywh certs]# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................++
..............................................................................................................................................++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:               //这里会让设置密码我设置的是123456 这个以后会用到
Verifying - Enter pass phrase for ca-key.pem:   //这里是让你再次输入密码确认密码不会显示出来,你只管输入按回车就可以了
[root@ywh certs]# 

2.运行:openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem  最后还有个邮箱的我没有放上来 填什么都行

[root@ywh certs]# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................++
..............................................................................................................................................++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:   //输入你刚才的密码
Verifying - Enter pass phrase for ca-key.pem:
[root@ywh certs]# openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn       //从这开始让你输入一些信息以便进行加密,其实填什么也无所谓
State or Province Name (full name) []:ywh
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:xx
Organizational Unit Name (eg, section) []:xx
Common Name (eg, your name or your server's hostname) []:192.168.0.3   //值得注意的是这里要填写你的ip地址

3.运行:openssl genrsa -out server-key.pem 4096 生成server-key.pem

[root@ywh certs]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
................................................................++
.........................++
e is 65537 (0x10001)

4.运行:openssl req -subj "/CN=192.168.0.3" -sha256 -new -key server-key.pem -out server.csr  CN中写你在上面填写的IP

openssl req -subj "/CN=192.168.0.3" -sha256 -new -key server-key.pem -out server.csr

5.运行:echo subjectAltName = DNS:192.168.0.3,IP:192.168.0.3,IP:0.0.0.0,IP:127.0.0.1 >> extfile.cnf  配置哪些主机可以访问你 0.0.0.0代表所有主机都可以通过密钥文件的方式访问

6.运行:echo extendedKeyUsage = serverAuth >> extfile.cnf

7.运行:openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem  -CAcreateserial -out server-cert.pem -extfile extfile.cnf


[root@ywh certs]# openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
>   -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=192.168.0.3
Getting CA Private Key
Enter pass phrase for ca-key.pem:

8.运行:openssl genrsa -out key.pem 4096

9.运行:openssl req -subj '/CN=client' -new -key key.pem -out client.csr

10.运行:echo extendedKeyUsage = clientAuth >> extfile.cnf

11.运行:openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf

[root@ywh certs]# openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
>   -CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:

12.rm -v client.csr server.csr 删除临时文件 

     配置权限chmod -v 0400 ca-key.pem key.pem server-key.pem 

     和chmod -v 0444 ca.pem server-cert.pem cert.pem

[root@ywh certs]# rm -v client.csr server.csr
rm:是否删除普通文件 "client.csr"?y
已删除"client.csr"
rm:是否删除普通文件 "server.csr"?y
已删除"server.csr"
[root@ywh certs]# chmod -v 0400 ca-key.pem key.pem server-key.pem
mode of "ca-key.pem" changed from 0644 (rw-r--r--) to 0400 (r--------)
mode of "key.pem" changed from 0644 (rw-r--r--) to 0400 (r--------)
mode of "server-key.pem" changed from 0644 (rw-r--r--) to 0400 (r--------)
[root@ywh certs]# chmod -v 0444 ca.pem server-cert.pem cert.pem
mode of "ca.pem" changed from 0644 (rw-r--r--) to 0444 (r--r--r--)
mode of "server-cert.pem" changed from 0644 (rw-r--r--) to 0444 (r--r--r--)
mode of "cert.pem" changed from 0644 (rw-r--r--) to 0444 (r--r--r--)
[root@ywh certs]# 

现在在/home/user/certs下应该有8个文件

[root@ywh certs]# ll
总用量 32
-r--------. 1 root root 3326 8月  30 10:44 ca-key.pem
-r--r--r--. 1 root root 2065 8月  30 10:48 ca.pem
-rw-r--r--. 1 root root   17 8月  30 11:04 ca.srl
-r--r--r--. 1 root root 1895 8月  30 11:04 cert.pem
-rw-r--r--. 1 root root  117 8月  30 11:04 extfile.cnf
-r--------. 1 root root 3243 8月  30 11:03 key.pem
-r--r--r--. 1 root root 1899 8月  30 11:02 server-cert.pem
-r--------. 1 root root 3247 8月  30 10:53 server-key.pem

13.找docker.service文件 vi /lib/systemd/system/docker.service下的ExecStart添加

-D --tlsverify=true --tlscert=/home/user/certs/server-cert.pem --tlskey=/home/user/certs/server-key.pem --tlscacert=/home/user/certs/ca.pem -H tcp://0.0.0.0:2375 -H unix://var/run/docker.sock
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -D --tlsverify=true --tlscert=/home/user/certs/server-cert.pem --tlskey=/home/user/certs/server-key.pem --tlscacert=/home/user/certs/ca.pem -H tcp://0.0.0.0:2375 -H unix://var/run/docker.sock
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

14.运行

systemctl daemon-reload 

service docker restart  //重启docker

systemctl status docker //这条命令可以看见你是否设置的生效

配置好安全连接以后在地址栏中是不可以访问的了,如果还可以访问是不对的 因为你没有使用密钥文件的方式访问

这时候需要通过密钥来认证以后才能访问了,首先把密钥文件下载到本机的磁盘上,可以使用【sz  你的文件名】命令把文件传输到本机磁盘上,如果显示没有sz命令,可以使用yum install lrzsz下载,下载完可以直接使用。

需要下载到本地的文件有:

1.ca-key.pem     2.ca.pem    3.cert.pem    4.key.pem

docker-java官方推荐连接方式为:(这种连接方式是在你对2375做了安全连接以后才能用的,如果没有做安全连接请使用我上一篇文章的方法进行连接)

//进行安全认证
DockerClientConfig config = DefaultDockerClientConfig.createDefaultConfigBuilder().withDockerTlsVerify(true)
		.withDockerCertPath("F:/data/local/").withDockerHost("tcp://192.168.0.3:2375")
		.withDockerConfig("F:/data/local/").withApiVersion("1.38").withRegistryUrl("https://index.docker.io/v1/")
		.withRegistryUsername("dockeruser").withRegistryPassword("ilovedocker")
		.withRegistryEmail("dockeruser@github.com").build();
DockerCmdExecFactory dockerCmdExecFactory =  new  JerseyDockerCmdExecFactory()
		  .withReadTimeout(1000)
		  .withConnectTimeout(1000)
		  .withMaxTotalConnections(100)
		  .withMaxPerRouteConnections(10);
//进行连接
DockerClient dockerClient = DockerClientBuilder.getInstance(config).withDockerCmdExecFactory(dockerCmdExecFactory).build();
Info info = dockerClient.infoCmd().exec();
System.out.println(info);

dockerHost:地址是你docker所在的宿主机的外网地址以及你开放的端口号

dockercertPath:放入的是你密钥在windows的文件存放地址

dockerconfig:放的是什么我不太清楚,但是我放入密钥文件地址也没出错

apiVersion:dockerAPI的版本,可通过docker version命令在宿主机上获取版本号

RegistryUrl:这个按着默认的写即可

.withRegistryUsername("dockeruser"):默认

.withRegistryPassword("ilovedocker"):默认

.withRegistryEmail("dockeruser@github.com"):默认

输出:跟在地址栏访问获得的结果是一样的,都是以json格式展示

com.github.dockerjava.api.model.Info@2e54db99
[architecture=x86_64,containers=1,containersStopped=1,containersPaused=0,containersRunning=0,cpuCfsPeriod=true,cpuCfsQuota=true,cpuShares=true,cpuSet=true,debug=true,discoveryBackend=<null>,dockerRootDir=/var/lib/docker,driver=overlay2,driverStatuses=[[Backing Filesystem, xfs], [Supports d_type, true], [Native Overlay Diff, true]],systemStatus=<null>,plugins={Volume=[local], Network=[bridge, host, macvlan, null, overlay], 
Authorization=null, Log=[awslogs, fluentd, gcplogs, gelf, journald, json-file, logentries, splunk, syslog]},executionDriver=<null>,
loggingDriver=json-file,
experimentalBuild=false,httpProxy=,httpsProxy=,id=MID4:FUBP:XWQB:TBNV:LPLN:IUIU:32MG:HBYM:6O2K:HBUW:257R:7DY4,ipv4Forwarding=true,bridgeNfIptables=true,
bridgeNfIp6tables=true,images=1,indexServerAddress=https://index.docker.io/v1/,initPath=<null>,initSha1=<null>,kernelVersion=3.10.0-862.el7.x86_64,labels={},
memoryLimit=true,memTotal=1910075392,name=ywh,ncpu=4,nEventsListener=0,nfd=24,nGoroutines=47,noProxy=,oomKillDisable=true,osType=linux,oomScoreAdj=<null>,
operatingSystem=CentOS Linux 7 (Core),registryConfig=com.github.dockerjava.api.model.InfoRegistryConfig@6d24ffa1[indexConfigs={docker.io=com.github.dockerjava.api.model.InfoRegistryConfig$IndexConfig@65a4798f[mirrors=[https://tpp5ie36.mirror.aliyuncs.com/],name=docker.io,official=true,secure=true]},insecureRegistryCIDRs=[127.0.0.0/8],mirrors=[https://tpp5ie36.mirror.aliyuncs.com/]],sockets=<null>,swapLimit=true,systemTime=2018-08-30T11:38:18.472151804+08:00,serverVersion=18.06.1-ce,clusterStore=,clusterAdvertise=,swarm=SwarmInfo[nodeID=,nodeAddr=,localNodeState=INACTIVE,controlAvailable=false,error=,remoteManagers=<null>,nodes=<null>,managers=<null>,clusterInfo=<null>]]

以上就可以在java中连接docker-api了,可以进行安全的连接了,没有密钥文件是不可能访问到的。

Logo

权威|前沿|技术|干货|国内首个API全生命周期开发者社区

更多推荐