-
生成证书参考如下
$ HOST=example.com
$ openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
..........++++
.........................................................................................................................................................................................++++
e is 65537 (0x010001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ZNH
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:alayama@163.com
$ openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
........................................................................................................................................................++++
...............................................++++
e is 65537 (0x010001)
$ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
$ echo subjectAltName = DNS:$HOST,IP:127.0.0.1 >> extfile.cnf
$ echo extendedKeyUsage = serverAuth >> extfile.cnf
$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=CN = example.com
Getting CA Private Key
Enter pass phrase for ca-key.pem:
$ openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
.........................................................................................................................................................................................++++
................++++
e is 65537 (0x010001)
$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
$ echo extendedKeyUsage = clientAuth > extfile-client.cnf
$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf
Signature ok
subject=CN = client
Getting CA Private Key
Enter pass phrase for ca-key.pem:
$ rm -v client.csr server.csr extfile.cnf extfile-client.cnf
rm: remove regular file ‘client.csr’? y
removed ‘client.csr’
rm: remove regular file ‘server.csr’? y
removed ‘server.csr’
rm: remove regular file ‘extfile.cnf’? y
removed ‘extfile.cnf’
rm: remove regular file ‘extfile-client.cnf’? y
removed ‘extfile-client.cnf’
$ chmod -v 0400 ca-key.pem key.pem server-key.pem
mode of ‘ca-key.pem’ changed from 0600 (rw-------) to 0400 (r--------)
mode of ‘key.pem’ changed from 0600 (rw-------) to 0400 (r--------)
mode of ‘server-key.pem’ changed from 0600 (rw-------) to 0400 (r--------)
$ chmod -v 0444 ca.pem server-cert.pem cert.pem
mode of ‘ca.pem’ changed from 0644 (rw-r--r--) to 0444 (r--r--r--)
mode of ‘server-cert.pem’ changed from 0644 (rw-r--r--) to 0444 (r--r--r--)
mode of ‘cert.pem’ changed from 0644 (rw-r--r--) to 0444 (r--r--r--)
-####生成证书的命令详解
- 绑定IP或者域名
把下面的$Host换成你自己服务器外网的IP或者域名:比如:openssl req -subj “/CN=192.168.1.0” -sha256…
或:openssl req -subj “/CN=www.laohan.com” -sha256…(这么做前提是你有域名,该域名DNS解析后指向你的服务器)
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
- 配置白名单
接下来要允许那些ip可以连接到服务器的docker,因为已经是ssl连接,所以我推荐配置0.0.0.0,也就是所有Ip都可以连接(但只有拥有证书的才可以连接成功),这样配置好之后公司其他人也可以使用.如果你不想这样,那你可以配置Ip,用逗号分隔开.下面的$Host依旧是你服务器外网的IP或者域名,请自行替换.(这里如果你使用的是服务器Ip的话,请将前面的DNS换成IP,否则配下来连接还是不会成功,如果你使用的是服务器域名,那么就用DNS就可以了)
echo subjectAltName = DNS:$HOST,IP:0.0.0.0 >> extfile.cnf
-
配置docker使用加密方式
$ vim /usr/lib/systemd/system/docker.service
...第左右13行
ExecStart=/usr/bin/dockerd -H fd:// \
--tlsverify --tlscacert=/data/docker_cert/ca.pem \
--tlscert=/data/docker_cert/server-cert.pem \
--tlskey=/data/docker_cert/server-key.pem \
-H tcp://0.0.0.0:2376 \
--containerd=/run/containerd/containerd.sock
...
$ service docker restart
可以在浏览器使用https://$HOST:PORT进行测试,如果提示证书不正确说明配置成功,只有拿到证书的客户端才可以访问远程docker服务。
image.png
-
IDEA连接远程Docker
将ca.pem,cert.pem,key.pem三个证书下载到本地。
在IDEA中打开File->Settings->Docker,填写URL和证书目录,
image.png
image.png
-
配置maven docker插件
<plugin>
<groupId>io.fabric8</groupId>
<artifactId>docker-maven-plugin</artifactId>
</plugin>
###具体配置如下
<plugin>
<groupId>io.fabric8</groupId>
<artifactId>docker-maven-plugin</artifactId>
<version>0.39.1</version>
<configuration>
<certPath>C:\Code\cert</certPath>
<dockerHost>https://xxxxxxxxxx:9092</dockerHost>
<useColor>true</useColor>
<images>
<image>
<alias>${project.name}</alias>
<name>lymboy/${project.name}</name>
<build>
<from>ccr.ccs.tencentyun.com/lymboy/java8:1.0</from>
<maintainer>alayama@163.com</maintainer>
<tags>
<tag>${project.version}</tag>
</tags>
<workdir>/opt/</workdir>
<ports>
<port>8080</port>
</ports>
<entryPoint>
<exec>
<arg>java</arg>
<arg>-jar</arg>
<arg>/opt/${project.name}.jar</arg>
</exec>
</entryPoint>
<assembly>
<mode>dir</mode>
<targetDir>/opt</targetDir>
<descriptorRef>artifact</descriptorRef>
</assembly>
</build>
</image>
</images>
</configuration>
<dependencies>
<dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>1.15</version>
</dependency>
</dependencies>
</plugin>
添加上述maven插件后,通过maven命令就可以直接将项目构建成docker镜像并推送到远程docker服务。
mvn clean package -Dfile.encoding=UTF-8 docker:build
上述的插件配置等价于如下Dockerfile
FROM ccr.ccs.tencentyun.com/lymboy/java8:1.0
MAINTAINER alayama@163.com
EXPOSE 8080
COPY maven /opt/
WORKDIR /opt/
ENTRYPOINT ["java","-jar","/opt/example.jar"]
当应用镜像推送到远程docker服务后,可以在IDEA Services直接运行指定的镜像。
image.png
参开出处:(35条消息) Docker配置远程访问_lymboy的博客-CSDN博客_docker配置远程连接
