centos下修改docker鏈接docker_host默認方式爲tls方式

1.安裝docker，請參考官網文檔 centos下安裝docker

2.安裝完成應該能夠使用docker的各類命令鏈接docker host。docker host運行在本機上，但與localhost不一樣。默認設置下，docker host（docker daemon）監聽docker.sock。本機下應該有docker.sock文件，使得各類docker命令可以成功的在docker host上運行指令或者取回信息。下面將介紹如何修改默認的鏈接方式爲tls方式。

3.openssl生成證書：

    修改docker鏈接docker daemon鏈接方式爲tls方式，須要前提條件是生成好的證書。證書可用openssl生成。建議新建一個文件夾用來存放將要生成的各類證書。CD到存放證書的目錄

    a.生成key和ca證書（生成key的時候輸入的密碼在後面生成證書的時候會屢次用到,使用docker daemon host 的DNS名字代替下面的$HOST）：

$ openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................................................++
........++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SH
State or Province Name (full name) [Some-State]:ShangHai
Locality Name (eg, city) []:ShangHai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company Name
Organizational Unit Name (eg, section) []:Sales
Common Name (e.g. server FQDN or YOUR name) []:$HOST
Email Address []:example@xxx.com

    b.生成server-key和和csr文件（使用docker daemon host 的DNS名字代替下面的$HOST）

$ openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.....................................................................++
.................................................................................................++
e is 65537 (0x10001)
$ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

    c.使你的tls鏈接能經過ip地址方式，綁定本機IP（使用本機IP代替下面的$LOCALIP）

$ echo subjectAltName = IP:$LOCALIP,IP:127.0.0.1 > extfile.cnf

$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=your.host.com
Getting CA Private Key
Enter pass phrase for ca-key.pem:

    d.生成客戶端訪問須要的key和證書等文件

$ openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................................++
................++
e is 65537 (0x10001)
$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr

    c.生成客戶端證書配置文件

$ echo extendedKeyUsage = clientAuth > extfile.cnf

    d.註冊key

$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:

4.將生成的證書添加的docker的配置文件中，centos下docker的配置文件是/etc/sysconfig/docker,編輯配置文件

vi /etc/sysconfig/docker

5.修改配置文件OPTIONS配置（下面的證書地址換成你生成的對應證書的位置）

OPTIONS='--selinux-enabled --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/var/docker/server-cert.pem --tlskey=/var/docker/server-key.pem -H tcp://0.0.0.0:2376'

6.保存退出，重啓docker服務，輸入docker images查看鏡像

docker images
Get http://10.32.173.215:2376/v1.20/images/json: malformed HTTP response "\x15\x03\x01\x00\x02\x02".
* Are you trying to connect to a TLS-enabled daemon without TLS?
* Is your docker daemon up and running?

    顯示不能鏈接到docker daemon host。雖然docker daemon已經配置好而且從新啓動了，可是至關於服務端更改了配置。因此客戶端鏈接到docker daemon host的配置也須要修改。

7.修改docker鏈接配置

    a.在root目錄下建立目錄.docker

mkdir ~/.docker

    b.將客戶端證書文件copy至.docker目錄

cp -cv {ca,cert,key}.pem ~/.docker/

    c.添加環境變量DOCKER_HOST和DOCKER_TLS_VERIFY

vi /etc/profile

    d.在打開的文件中最後加上新的環境變量($YOURIP替換成docker daemon host的IP即本機IP)

export DOCKER_HOST=tcp://$YOURIP:2376
export DOCKER_TLS_VERIFY=1

8.配置完成，輸入docker images可鏈接docker daemon host查看鏡像。至此，docker daemon host鏈接方式已經修改成tls方式。調用遠程API的時候須要使用的證書就是~/.docker文件夾中的證書。