CoreOS配置Docker API TLS認證

咱們常常會利用Portainer來管理docker環境，也常常會用Jenkins來自動構建和部署docker，遠程管理都會使用到Docker API，一般咱們只是開啓了沒有安全保護的2375（一般）端口，這個比較危險，會致使遠程劫持攻擊。那麼咱們就須要配置TLS認證的2376（一般）端口。

下面咱們針對CoreOS系統進行配置：

1、利用系統自帶的openssl生成相應的服務端和客戶端證書

咱們利用腳本自動生成，這樣很是便捷，腳本（auto-tls-certs.sh）以下：

#!/bin/bash
# 
# -------------------------------------------------------------
# 自動建立 Docker TLS 證書
# -------------------------------------------------------------

# 如下是配置信息
# --[BEGIN]------------------------------

CODE="dp"
IP="docker服務器ip"
PASSWORD="證書密碼"
COUNTRY="CN"
STATE="BEIJING"
CITY="BEIJING"
ORGANIZATION="公司"
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
EMAIL="郵箱"

# --[END]--

# Generate CA key
openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "ca-key-$CODE.pem" 4096
# Generate CA
openssl req -new -x509 -days 365 -key "ca-key-$CODE.pem" -sha256 -out "ca-$CODE.pem" -passin "pass:$PASSWORD" -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"
# Generate Server key
openssl genrsa -out "server-key-$CODE.pem" 4096

# Generate Server Certs.
openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key-$CODE.pem" -out server.csr

echo "subjectAltName = IP:$IP,IP:127.0.0.1" >> extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf

openssl x509 -req -days 365 -sha256 -in server.csr -passin "pass:$PASSWORD" -CA "ca-$CODE.pem" -CAkey "ca-key-$CODE.pem" -CAcreateserial -out "server-cert-$CODE.pem" -extfile extfile.cnf


# Generate Client Certs.
rm -f extfile.cnf

openssl genrsa -out "key-$CODE.pem" 4096
openssl req -subj '/CN=client' -new -key "key-$CODE.pem" -out client.csr
echo extendedKeyUsage = clientAuth >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -passin "pass:$PASSWORD" -CA "ca-$CODE.pem" -CAkey "ca-key-$CODE.pem" -CAcreateserial -out "cert-$CODE.pem" -extfile extfile.cnf

rm -vf client.csr server.csr

chmod -v 0400 "ca-key-$CODE.pem" "key-$CODE.pem" "server-key-$CODE.pem"
chmod -v 0444 "ca-$CODE.pem" "server-cert-$CODE.pem" "cert-$CODE.pem"

# 打包客戶端證書
mkdir -p "tls-client-certs-$CODE"
cp -f "ca-$CODE.pem" "cert-$CODE.pem" "key-$CODE.pem" "tls-client-certs-$CODE/"
cd "tls-client-certs-$CODE"
tar zcf "tls-client-certs-$CODE.tar.gz" *
mv "tls-client-certs-$CODE.tar.gz" ../
cd ..
rm -rf "tls-client-certs-$CODE"

# 拷貝服務端證書
mkdir -p /etc/docker/certs.d
cp "ca-$CODE.pem" "server-cert-$CODE.pem" "server-key-$CODE.pem" /etc/docker/certs.d/

對腳本中的變量進行修改後運行，自動會建立好tls證書，服務器的證書在/etc/docker/certs.d/目錄下:

客戶端的證書在運行腳本的目錄下，同時還自動打好了一個.tar.gz的包，很方便。

2、配置Docker服務（官方說明）

注意修改證書路徑。

Enable the secure remote API on a new socket

Create a file called /etc/systemd/system/docker-tls-tcp.socket to make Docker available on a secured TCP socket on port 2376.

[Unit]
Description=Docker Secured Socket for the API

[Socket]
ListenStream=2376
BindIPv6Only=both
Service=docker.service

[Install]
WantedBy=sockets.target

Then enable this new socket:

systemctl enable docker-tls-tcp.socket
systemctl stop docker
systemctl start docker-tls-tcp.socket

Drop-in configuration

Create /etc/systemd/system/docker.service.d/10-tls-verify.conf drop-in for systemd Docker service:

[Service]
Environment="DOCKER_OPTS=--tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server.pem --tlskey=/etc/docker/server-key.pem"

Reload systemd config files and restart docker service:

sudo systemctl daemon-reload
sudo systemctl restart docker.service

3、配置Portainer遠程TLS鏈接

證書對應選擇：

1. ca.pem
2. cert.pem
3. key.pem

這樣就完成了。注意若是以前開啓了未認證的2375端口，請關閉並禁用，重啓docker服務。

# 中止不安全的2375端口
systemctl stop docker-tcp.socket

# 禁用該端口
systemctl disable docker-tcp.socket

# 重啓docker服務
systemctl restart docker.service