Docker cluster (ii)--PORTAINER+TLS secure connection to Docker host (detailed introduction and usage experience)

Source: Internet
Author: User
Tags: openssl x509

http://blog.51cto.com/mysky0708/2298049
Following on from the previous article: how do we secure the connection to the Docker host in production? We use the TLS key approach.
Steps:
Part I: generate the keys on the Docker host and save them to the designated place;
Part II: on the management node (Portainer), specify the above keys and add the node.

Specific implementation:
Part I: the commands are as follows

    read -s PASSWORD                      # read the CA key passphrase into a variable
    read SERVER                           # note: must match the host name of this system
    cd /etc/docker                        # switch to the key generation directory
    openssl genrsa -aes256 -passout "pass:$PASSWORD" -out ca-key.pem 2048
    openssl genrsa -out server-key.pem 2048
    openssl req -subj "/CN=$SERVER" -new -key server-key.pem -out server.csr
    # prompts for the CA key passphrase and the subject; note: the host name entered must be consistent with the SERVER variable above
    openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
    openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:$PASSWORD" -CAcreateserial -out server-cert.pem
    openssl genrsa -out key.pem 2048
    openssl req -subj '/CN=client' -new -key key.pem -out client.csr
    sh -c 'echo "extendedKeyUsage=clientAuth" > extfile.cnf'
    openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:$PASSWORD" -CAcreateserial -out cert.pem -extfile extfile.cnf
    chmod 0400 ca-key.pem key.pem server-key.pem   # private keys: owner read-only
    chmod 0444 ca.pem server-cert.pem cert.pem     # certificates: world-readable
    rm client.csr server.csr                       # delete the now-useless signing requests
    sz {ca.pem,cert.pem,key.pem}                   # download the client key files (ZMODEM)
    # stop the Docker service first, then run this command
    # (--tls alone only encrypts the connection; to require a client certificate signed by ca.pem use --tlsverify)
    /usr/bin/dockerd --tls \
        --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H 0.0.0.0:2376

Original reference: 74984171

Part II: add the Docker host on the management node

    • Add the Docker host name (the SERVER variable) and its IP address to the hosts file
    • Upload {ca.pem,cert.pem,key.pem} to the specified location
    • Test connectivity:

      docker --tlsverify --tlscacert=/root/76/ca.pem --tlscert=/root/76/cert.pem --tlskey=/root/76/key.pem -H docker-node01:2376 version
      Client:
       Version:         1.13.1
       API version:     1.26
       Package version: docker-1.13.1-74.git6e3bb8e.el7.centos.x86_64
       Go version:      go1.9.4
       Git commit:      6e3bb8e/1.13.1
       Built:           Tue Aug 21 15:23:37 2018
       OS/Arch:         linux/amd64

      Server:
       Version:         1.13.1
       API version:     1.26 (minimum version 1.12)
       Package version: docker-1.13.1-74.git6e3bb8e.el7.centos.x86_64
       Go version:      go1.9.4
       Git commit:      6e3bb8e/1.13.1
       Built:           Tue Aug 21 15:23:37 2018
       OS/Arch:         linux/amd64
       Experimental:    false
    • Add to Portainer
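Before the files from Part I are uploaded and the host is added in Portainer, it is worth checking that the generated material is what the daemon and the client will accept. The script below is an added example, not code from the original post: it rebuilds the same PKI without interactive prompts in a scratch directory and then runs those checks. It assumes openssl is on PATH; the host name and passphrase are constructed sample values, and, going beyond the post, the CA gets its own name and the server certificate carries a subjectAltName, which newer Go-based Docker clients require.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the post's PKI without prompts in a
# scratch directory, then run the checks worth doing before the files are copied anywhere.
# Assumes openssl is on PATH. Host name and passphrase are constructed sample values; unlike
# the post, the CA gets its own name and the server cert carries a subjectAltName.
set -eu

make_pki() {  # $1 = directory, $2 = Docker host name, $3 = CA key passphrase
    mkdir -p "$1"
    ( cd "$1"
      openssl genrsa -aes256 -passout "pass:$3" -out ca-key.pem 2048 2>/dev/null
      openssl req -new -x509 -days 365 -sha256 -key ca-key.pem -passin "pass:$3" \
          -subj "/CN=Docker CA" -out ca.pem
      openssl genrsa -out server-key.pem 2048 2>/dev/null
      openssl req -subj "/CN=$2" -new -key server-key.pem -out server.csr
      echo "subjectAltName=DNS:$2" > server-ext.cnf   # newer Go clients ignore CN alone
      openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:$3" \
          -CAcreateserial -extfile server-ext.cnf -out server-cert.pem 2>/dev/null
      openssl genrsa -out key.pem 2048 2>/dev/null
      openssl req -subj '/CN=client' -new -key key.pem -out client.csr
      echo 'extendedKeyUsage=clientAuth' > extfile.cnf
      openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:$3" \
          -CAcreateserial -extfile extfile.cnf -out cert.pem 2>/dev/null
      chmod 0400 ca-key.pem key.pem server-key.pem
      chmod 0444 ca.pem server-cert.pem cert.pem
      rm client.csr server.csr )
}

check_pki() {  # $1 = directory, $2 = name the daemon is reached as; returns 0 when all pass
    d=$1; h=$2
    # both leaf certs must chain to ca.pem: this is what --tlsverify checks on each side
    openssl verify -CAfile "$d/ca.pem" "$d/server-cert.pem" "$d/cert.pem" >/dev/null 2>&1 || return 1
    # the server cert must name the host used in -H, or the client rejects the handshake
    openssl x509 -in "$d/server-cert.pem" -noout -text | grep -q "DNS:$h" || return 2
    # the client cert must carry clientAuth, or the daemon will not accept it as a client cert
    openssl x509 -in "$d/cert.pem" -noout -text | grep -q 'TLS Web Client Authentication' || return 3
    # private keys must stay owner-read-only, as the post's chmod 0400 intends
    for k in ca-key.pem server-key.pem key.pem; do
        [ -n "$(find "$d/$k" -perm 400)" ] || return 4
    done
    return 0
}
```

Run it as `make_pki /tmp/pki docker-node01 "$PASSWORD" && check_pki /tmp/pki docker-node01`; a non-zero return code tells you which check failed.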

Finally, a summary of the usage experience:

    • Pros: more secure management of Docker hosts
    • Cons:
      • Starting Docker with TLS and starting it normally are mutually exclusive; only one of the two can be used at a time. This also means that with TLS enabled, Docker commands cannot be run directly on the Docker host;
      • With TLS, containers that were created under a normal startup cannot be started from Portainer; they can only be re-created;
      • With TLS, a container cannot be created from a Dockerfile (at least I have not found a way to do so yet).

Corrections and additions are welcome!
