http://blog.51cto.com/mysky0708/2298049
Continuing from the previous part: how do we secure the connection to a Docker host in production? We use the TLS key approach.
Steps:
Part one: generate the keys on the Docker host and save them to the designated location;
Part two: on the management node (Portainer), specify the key files generated above and add the node.
Implementation details:
The code for the first part is as follows:
```bash
read -s PASSWORD      # define a password variable (typed without echo)
read SERVER           # hostname variable; must match the Docker host's hostname that Portainer will connect to
cd /etc/docker        # switch to the directory where the keys will be generated
openssl genrsa -aes256 -passout "pass:$PASSWORD" -out ca-key.pem 2048
openssl genrsa -out server-key.pem 2048
openssl req -subj "/CN=$SERVER" -new -key server-key.pem -out server.csr
# answer the prompts; the hostname (CN) must match the SERVER variable above
openssl req -new -x509 -days 365 -key ca-key.pem -passin "pass:$PASSWORD" -sha256 -out ca.pem
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:$PASSWORD" -CAcreateserial -out server-cert.pem
openssl genrsa -out key.pem 2048
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
sh -c 'echo "extendedKeyUsage=clientAuth" > extfile.cnf'
openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:$PASSWORD" -CAcreateserial -out cert.pem -extfile extfile.cnf
chmod 0400 ca-key.pem key.pem server-key.pem   # private keys: readable by the owner only
chmod 0444 ca.pem server-cert.pem cert.pem     # certificates: world-readable
rm client.csr server.csr                        # delete the signing requests, no longer needed
sz {ca.pem,cert.pem,key.pem}                    # download the client-side files (ZMODEM via lrzsz); these three go to Portainer
# Stop the running Docker daemon, then start it with TLS enabled.
# --tls only enables TLS on the listener; --tlsverify would additionally require every client
# to present a certificate signed by ca.pem.
# Only -H 0.0.0.0:2376 is given, so the local unix socket is not served and `docker` commands
# run on the host itself stop working (see the disadvantages below).
/usr/bin/dockerd --tls \
  --tlscacert=/etc/docker/ca.pem \
  --tlscert=/etc/docker/server-cert.pem \
  --tlskey=/etc/docker/server-key.pem \
  -H 0.0.0.0:2376
```
Original reference: 74984171
Second part: add the Docker host to the management node (Portainer), using the ca.pem, cert.pem and key.pem files downloaded above.
Finally, a summary of the usage experience:
- Pros: more secure management of Docker hosts
- Cons:
  - Starting Docker with TLS and starting it normally are mutually exclusive; you can only pick one. This also means that with TLS enabled, Docker commands cannot be run on the Docker host itself;
  - With TLS enabled, containers that were created under a normal (non-TLS) startup cannot be started from Portainer; they can only be re-created;
  - With TLS enabled, you cannot create a container from a Dockerfile (at least I have not found a way to do so yet).
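Before handing the three files to Portainer, it is worth checking that what the first part produced is consistent. The script below is an added example, not code from the original post: it checks that both certificates chain to ca.pem, that each private key belongs to its certificate, that the client certificate carries the clientAuth extended key usage, and that the private keys are not readable by group or others. It assumes the file names used above, that openssl and find are installed, and that the directory is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the files that the
# first part generates in /etc/docker before giving ca.pem/cert.pem/key.pem to
# Portainer. Assumes the file names used above; directory is the first argument.

check_certs() {
  dir=$1
  for pair in "server-cert.pem server-key.pem" "cert.pem key.pem"; do
    set -- $pair
    crt=$dir/$1
    key=$dir/$2
    # 1. the server and client certificates must be signed by ca.pem
    openssl verify -CAfile "$dir/ca.pem" "$crt" >/dev/null 2>&1 \
      || { echo "FAIL: $crt is not signed by ca.pem"; return 1; }
    # 2. each private key must belong to its certificate (compare RSA moduli)
    [ "$(openssl x509 -noout -modulus -in "$crt")" = \
      "$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)" ] \
      || { echo "FAIL: $key does not match $crt"; return 1; }
  done
  # 3. the client certificate must carry extendedKeyUsage=clientAuth, which
  #    is what the extfile.cnf step above adds
  openssl x509 -noout -text -in "$dir/cert.pem" | grep -q "TLS Web Client Authentication" \
    || { echo "FAIL: cert.pem lacks extendedKeyUsage=clientAuth"; return 1; }
  # 4. private keys must be readable by their owner only (the chmod 0400 step)
  for k in ca-key.pem server-key.pem key.pem; do
    [ -f "$dir/$k" ] || { echo "FAIL: $dir/$k is missing"; return 1; }
    [ -z "$(find "$dir/$k" -perm -g+r -o -perm -o+r)" ] \
      || { echo "FAIL: $dir/$k is readable by group or others"; return 1; }
  done
  return 0
}

# run directly: sh check_docker_tls.sh /etc/docker
if [ -n "${1:-}" ]; then
  check_certs "$1" && echo "OK: files in $1 are consistent"
fi
```

These checks cover the files only; whether the daemon actually rejects clients without a valid certificate depends on starting dockerd with `--tlsverify` rather than plain `--tls`.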
Corrections and additions are welcome ~ ~
Docker cluster (II): Portainer + TLS secure connection to a Docker host (detailed introduction and usage experience)