Docker cluster (ii)--PORTAINER+TLS secure connection to Docker host (detailed introduction and usage experience)

http://blog.51cto.com/mysky0708/2298049
To undertake the above, in the production of how to secure the link Docker host it? We use the TLS secret key approach.
Steps:
First Part: First generate the secret key on the Docker host and save it to the designated place;
Part II: On the Management node (portainer), specify the above secret key and add the node.

Specific implementation process:
The first part of the code is as follows

Read-s PASSWORD//define a password variable read SERVER//note hostname variable to correspond to system cd/etc/docker//switch to production key directory OpenSSL genrsa-aes256-passout pas S: $PASSWORD-out ca-key.pem 2048openssl genrsa-out server-key.pem 2048openssl req-subj "/cn= $SERVER"-new-key Server-ke Y.pem-out server.csropenssl req-new-x509-days 365-key ca-key.pem-sha256-out CA.PEM//note hostname to be consistent with the server variables above OpenSSL x 509-req-days 365-in server.csr-ca ca.pem-cakey ca-key.pem-passin "pass: $PASSWORD"-cacreateserial-out SERVER-CERT.P Emopenssl genrsa-out key.pem 2048openssl req-subj '/cn=client '-new-key key.pem-out client.csrsh-c ' echo ' ExtendedKey Usage=clientauth "> extfile.cnf ' OpenSSL x509-req-days 365-in client.csr-ca ca.pem-cakey ca-key.pem-passin" pass:$ PASSWORD "-cacreateserial-out cert.pem-extfile extfile.cnfchmod 0400 Ca-key.pem Key.pem SERVER-KEY.PEM//change key permissions chmod 0 444 Ca.pem Server-cert.pem CERT.PEM//Change key permissions RM CLIENT.CSR SERVER.CSR//delete useless files sz {CA.PEM,CERT.PEM,KEY.PEM}//Download key file/us R/bin/dockerd--tls \//Close Docker, then run this command--tlscacert=/etc/docker/ca.pem--TLSCERT=/ETC/DOCKER/SERVER-CERT.PEM--tlskey=/etc/docker/ Server-key.pem-h 0.0.0.0:2376

Original reference: 74984171

The second section adds a docker host to the management node

• Add Docker host name (server variable) and corresponding IP address in Hosts file
• Upload {CA.PEM,CERT.PEM,KEY.PEM} to the specified location

• Test connectivity

  docker --tlsverify --tlscacert=/root/76/ca.pem --tlscert=/root/76/cert.pem --tlskey=/root/76/key.pem -H docker-node01:2376 versionClient:Version:         1.13.1API version:     1.26Package version: docker-1.13.1-74.git6e3bb8e.el7.centos.x86_64Go version:      go1.9.4Git commit:      6e3bb8e/1.13.1Built:           Tue Aug 21 15:23:37 2018OS/Arch:         linux/amd64Server:Version:         1.13.1API version:     1.26 (minimum version 1.12)Package version: docker-1.13.1-74.git6e3bb8e.el7.centos.x86_64Go version:      go1.9.4Git commit:      6e3bb8e/1.13.1Built:           Tue Aug 21 15:23:37 2018OS/Arch:         linux/amd64Experimental:    false

• Add to Portainer
  

Finally, summarize the usage situation:

• Pros: More secure management of Docker hosts
• Disadvantages:
  • Use TLS (start Docker) with normal boot, only two select one, the two cannot coexist. It also means that using TLS cannot run Docker commands on the Docker host;
  • The use of TLS, can not be started on the Portainer (under normal startup) of the container, only re-established;
  • Using TLS, you cannot create a container using dockerfile (at least I have not found a method at this time.) ）

Welcome to give a lot of amendments and supplements ~ ~

Docker cluster (ii)--PORTAINER+TLS secure connection to Docker host (detailed introduction and usage experience)