Enabling TLS on the Docker daemon

Previously, I had opened Docker's 2375 remote API. After receiving a request from the company's security department, I needed to enable authorization, so I turned to the official documentation:

Protect the Docker daemon socket

Enable TLS

On the Docker server, generate the CA private key (passphrase-protected) and the self-signed CA certificate:

$ openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................................................++
........++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:

$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value. If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:Queensland
Locality Name (eg, city) []:Brisbane
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc
Organizational Unit Name (eg, section) []:Sales
Common Name (e.g. server FQDN or YOUR name) []:$HOST
Email Address []:Sven@home.org.au

With a CA in place, create the server key and a certificate signing request (CSR). The CN is the daemon's host name:

$ openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.....................................................................++
.................................................................................................++
e is 65537 (0x10001)

$ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

Next, sign the public key with the CA. Since TLS connections can be made by IP address as well as by DNS name, the subjectAltName extension must list every name and address clients will dial ($HOST_IP stands for the server's IP address), and extendedKeyUsage is restricted to serverAuth so the certificate cannot be reused as a client certificate:

$ echo subjectAltName = DNS:$HOST,IP:$HOST_IP,IP:127.0.0.1 >> extfile.cnf

$ echo extendedKeyUsage = serverAuth >> extfile.cnf


Sign the CSR to produce the server certificate:

$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=your.host.com
Getting CA Private Key
Enter pass phrase for ca-key.pem:

Create the client key and certificate signing request:


$ openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................................++
................++
e is 65537 (0x10001)

$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr

Create a separate extensions file for the client, limiting the certificate to client authentication:

$ echo extendedKeyUsage = clientAuth > extfile-client.cnf

Sign the client CSR to produce the client certificate:

$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -extfile extfile-client.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:
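The certificate procedure above, from the CA through the client certificate, as one script. This is an added example, not the post's or Docker's own code. It runs unattended (so the CA key is generated without the -aes256 passphrase, which should be kept in production), gives the CA its own CN instead of $HOST, takes the daemon's DNS name and IP address as arguments in place of $HOST and $HOST_IP, reads KEY_BITS (default 4096) so test runs can use smaller keys, and ends with a verification function that checks what the docker client will check: the chain, the SAN name and address, and the extendedKeyUsage of each certificate. The file name docker-certs.sh in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: the certificate procedure
# (CA, server certificate, client certificate) as one non-interactive script,
# plus checks that the output is what a --tlsverify daemon and client need.
# Assumptions: the daemon's DNS name and IP address are passed as arguments;
# KEY_BITS may be lowered for quick tests; openssl 1.1 or newer is on PATH.
set -e
KEY_BITS="${KEY_BITS:-4096}"

# gen_docker_certs <dir> <host-dns-name> <host-ip>
gen_docker_certs() {
    dir="$1"; host="$2"; host_ip="$3"
    mkdir -p "$dir"
    (
      cd "$dir"
      # CA. The key is left unencrypted so the script runs unattended; in
      # production keep the -aes256 passphrase and store ca-key.pem off the
      # daemon host, since whoever holds it can mint client certificates.
      openssl genrsa -out ca-key.pem "$KEY_BITS" 2>/dev/null
      openssl req -new -x509 -days 365 -sha256 -key ca-key.pem -subj "/CN=docker-ca" -out ca.pem
      # Server key and CSR. Clients match the SAN, not only the CN, so the SAN
      # lists every name and address the daemon will be dialled on.
      openssl genrsa -out server-key.pem "$KEY_BITS" 2>/dev/null
      openssl req -new -sha256 -subj "/CN=$host" -key server-key.pem -out server.csr
      printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
          "$host" "$host_ip" > extfile.cnf
      openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
          -CAcreateserial -out server-cert.pem -extfile extfile.cnf 2>/dev/null
      # Client key and CSR. clientAuth only: a leaked client certificate
      # cannot then be used to impersonate the daemon.
      openssl genrsa -out key.pem "$KEY_BITS" 2>/dev/null
      openssl req -new -subj '/CN=client' -key key.pem -out client.csr
      printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
      openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
          -CAcreateserial -out cert.pem -extfile extfile-client.cnf 2>/dev/null
      rm -f server.csr client.csr extfile.cnf extfile-client.cnf
      # Keys readable only by their owner; certificates may be world-readable.
      chmod 0400 ca-key.pem server-key.pem key.pem
      chmod 0444 ca.pem server-cert.pem cert.pem
    )
}

# verify_docker_certs <dir> <host-dns-name> <host-ip>
# Returns 0 only if both leaf certificates chain to ca.pem, the server
# certificate is valid for the given name and IP, and the EKUs are the right
# way round. Each check carries its own `|| return 1` so the result is
# reliable even when the function is called inside an || list, where set -e
# is suspended.
verify_docker_certs() {
    dir="$1"; host="$2"; host_ip="$3"
    openssl verify -CAfile "$dir/ca.pem" -verify_hostname "$host" "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca.pem" -verify_ip "$host_ip" "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1 || return 1
    srv=$(openssl x509 -in "$dir/server-cert.pem" -noout -text)
    cli=$(openssl x509 -in "$dir/cert.pem" -noout -text)
    echo "$srv" | grep -q 'TLS Web Server Authentication' || return 1
    echo "$cli" | grep -q 'TLS Web Client Authentication' || return 1
    # A server certificate must not double as a client certificate, nor vice versa.
    echo "$srv" | grep -q 'TLS Web Client Authentication' && return 1
    echo "$cli" | grep -q 'TLS Web Server Authentication' && return 1
    return 0
}

# Usage: sh docker-certs.sh <dir> <host-dns-name> <host-ip>
if [ "$#" -eq 3 ]; then
    gen_docker_certs "$1" "$2" "$3"
    verify_docker_certs "$1" "$2" "$3" && echo "certificates in $1 verified for $2 / $3"
fi
```

The hostname and IP checks in verify_docker_certs fail in exactly the cases where docker --tlsverify would refuse the server certificate: a name or address that is not in the SAN. Copy ca.pem, cert.pem and key.pem from the output directory to the client; ca-key.pem stays with whoever issues certificates.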

Stop the Docker service and edit its systemd unit file so that dockerd starts with --tlsverify and the paths of ca.pem, server-cert.pem and server-key.pem. --tlsverify makes the daemon require a client certificate signed by that CA; --tls on its own would only encrypt the connection and still accept any client. The daemon below keeps listening on 2375; 2376 is the usual port for a TLS-protected daemon, and whichever port is chosen, the clients must dial the same one.

[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io

[Service]
Environment="PATH=/opt/kube/bin:/bin:/sbin:/usr/bin:/usr/sbin"
ExecStart=/opt/kube/bin/dockerd  --tlsverify --tlscacert=/root/docker/ca.pem --tlscert=/root/docker/server-cert.pem --tlskey=/root/docker/server-key.pem -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375
ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
RestartSec=5
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
Delegate=yes
KillMode=process

[Install]
WantedBy=multi-user.target

Then reload systemd and restart the service:

systemctl daemon-reload
systemctl restart docker.service

After the restart, check the service status:

systemctl status docker.service
● docker.service - Docker Application Container Engine
   Loaded: loaded (/etc/systemd/system/docker.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-08-08 19:22:26 CST; 1 min ago

TLS is now in effect.

Connect using the certificates:

Copy the three files ca.pem, cert.pem and key.pem to the client, then run

$ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2375 version

The port is the one the daemon listens on (2375 in the unit file above). To avoid passing the flags on every call, place the three files in ~/.docker/ and export DOCKER_HOST=tcp://$HOST:2375 and DOCKER_TLS_VERIFY=1; DOCKER_CERT_PATH points the CLI at a different directory.
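A check for the dockerd command line (the ExecStart value above) and for a client certificate directory, as an added example that is not part of the original post. It runs over constructed sample lines rather than a live host and separates the state the post started from (TCP listener, no TLS) from the half-way state (--tls without --tlsverify: encrypted, but any client accepted) and from a --tlsverify line with a certificate path missing. The paths under /etc/docker in the samples are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a check of the dockerd command
# line and of a client certificate directory, exercised on constructed lines.
set -e

# check_dockerd_tls "<ExecStart command line>"
# Returns 0 only when there is no TCP listener, or the TCP listener is guarded
# by --tlsverify together with --tlscacert, --tlscert and --tlskey. Only the
# tcp:// form of -H/--host is recognised.
check_dockerd_tls() {
    line="$1"
    case "$line" in
        *"-H tcp://"*|*"-H=tcp://"*|*"--host tcp://"*|*"--host=tcp://"*) ;;
        *) echo "ok: no TCP listener, only the unix socket"; return 0 ;;
    esac
    case "$line" in
        *--tlsverify*) ;;
        *"--tls "*|*"--tls="*)
            echo "WEAK: --tls without --tlsverify, the link is encrypted but any client is accepted"
            return 1 ;;
        *)  echo "OPEN: TCP listener without TLS, anyone who can reach the port controls the host"
            return 1 ;;
    esac
    for flag in --tlscacert --tlscert --tlskey; do
        case "$line" in
            *"$flag="*|*"$flag "*) ;;
            *) echo "BROKEN: --tlsverify given but $flag is missing"; return 1 ;;
        esac
    done
    echo "ok: TCP listener requires a client certificate signed by the CA"
    return 0
}

# check_client_cert_dir <dir>
# The docker CLI (and DOCKER_CERT_PATH) expect exactly ca.pem, cert.pem and
# key.pem; key.pem must not be world-readable.
check_client_cert_dir() {
    d="$1"
    for f in ca.pem cert.pem key.pem; do
        [ -f "$d/$f" ] || { echo "missing: $d/$f"; return 1; }
    done
    if [ -n "$(find "$d/key.pem" -perm -004)" ]; then
        echo "key.pem is world-readable: chmod 0600 $d/key.pem"; return 1
    fi
    echo "ok: $d holds ca.pem, cert.pem and key.pem"
    return 0
}

# Constructed sample ExecStart lines (not taken from any real host). 2376 is
# the conventional port for a TLS-protected daemon; the post keeps 2375.
OPEN_LINE='/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375'
WEAK_LINE='/usr/bin/dockerd --tls --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376'
GOOD_LINE='/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2376'
LOCAL_LINE='/usr/bin/dockerd -H unix:///var/run/docker.sock'

for l in "$OPEN_LINE" "$WEAK_LINE" "$GOOD_LINE" "$LOCAL_LINE"; do
    check_dockerd_tls "$l" || :
done
```

To check a real host, pass the ExecStart value from `systemctl cat docker.service` (or the dockerd line from `ps`) to check_dockerd_tls, and the client's ~/.docker or DOCKER_CERT_PATH directory to check_client_cert_dir.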

Enabling TLS in docker-java

The project calls Docker through its Java client, docker-java. To support TLS, the TLS settings have to be supplied when the client is created.

First, copy the three files ca.pem, cert.pem and key.pem to a local directory, for example E:\docker\.

Then call withDockerTlsVerify(true) on the DefaultDockerClientConfig builder and point withDockerCertPath at the directory just copied (docker-java looks for the same three file names there that the docker CLI uses):

import com.github.dockerjava.api.DockerClient;
import com.github.dockerjava.core.DefaultDockerClientConfig;
import com.github.dockerjava.core.DockerClientBuilder;

// ContainerConfiguration is assumed to be the project's own settings type
// holding the getDockerTlsVerify() flag used below.
DockerClient createDockerClient(String server, ContainerConfiguration containerConfiguration) {
    DefaultDockerClientConfig.Builder builder =
            DefaultDockerClientConfig.createDefaultConfigBuilder()
                .withDockerHost("tcp://" + server + ":2375")
                .withApiVersion("1.30");
    // Enable mutual TLS only when configured; the directory must hold
    // ca.pem, cert.pem and key.pem.
    if (containerConfiguration.getDockerTlsVerify()) {
        builder = builder.withDockerTlsVerify(true)
                .withDockerCertPath("E:\\docker\\");
    }
    return DockerClientBuilder.getInstance(builder.build()).build();
}

That completes the setup.

The content of this article comes from the network collection of netizens. It is used as a learning reference. The copyright belongs to the original author.