Environment and versions

This article applies to CentOS 7 and CentOS 8.

Fully open (security risk)

This method needs no authentication: anyone who can reach the host over the network can operate Docker. It is insecure and only suited to virtual machines or an internal network.

  1. Edit /lib/systemd/system/docker.service with vim and append -H tcp://0.0.0.0:2375 to the ExecStart entry.
  2. systemctl daemon-reload
  3. service docker restart

Certificate access (secure)

This method requires a certificate to connect and is suitable for all scenarios.

The script follows.

#!/bin/bash
# docker-tls.sh
# Environment: CentOS 7, run as root
# Create Docker TLS certificates
# Configure Docker remote access
########## Configuration

Port=2376
Node=$(hostname)
IP=xx.xx.xx.xx    # set to the Docker server's IP before running
PASSWORD="88888888"
COUNTRY="CN"
STATE="Shanghai"
CITY="Shanghai"
ORGANIZATION="Elven"
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
EMAIL="5264thirty@gmail.com"

########## Generate certificates

# Generate CA key
openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "ca-key_$Node.pem" 4096 &>/dev/null
# Generate CA
openssl req -new -x509 -days 730 -key "ca-key_$Node.pem" -sha256 -out "ca_$Node.pem" -passin "pass:$PASSWORD" -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL" &>/dev/null

echo "#Server"
# Generate server key
openssl genrsa -out "server-key_$Node.pem" 4096 &>/dev/null
# Generate server cert. The server extfile is written fresh (>) rather than appended,
# so a rerun does not pick up stale lines, and it is kept separate from the client
# extfile so the client cert does not inherit the server's SAN and serverAuth EKU.
openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key_$Node.pem" -out server.csr
echo "subjectAltName = IP:$IP,IP:127.0.0.1" > extfile-server.cnf
echo "extendedKeyUsage = serverAuth" >> extfile-server.cnf
openssl x509 -req -days 730 -sha256 -in server.csr -passin "pass:$PASSWORD" -CA "ca_$Node.pem" -CAkey "ca-key_$Node.pem" -CAcreateserial -out "server-cert_$Node.pem" -extfile extfile-server.cnf

echo "#Client"
openssl genrsa -out "client-key_$Node.pem" 4096 &>/dev/null
openssl req -subj '/CN=client' -new -key "client-key_$Node.pem" -out client.csr
echo "extendedKeyUsage = clientAuth" > extfile-client.cnf
openssl x509 -req -days 730 -sha256 -in client.csr -passin "pass:$PASSWORD" -CA "ca_$Node.pem" -CAkey "ca-key_$Node.pem" -CAcreateserial -out "client-cert_$Node.pem" -extfile extfile-client.cnf

chmod 0400 "client-key_$Node.pem" "server-key_$Node.pem"
chmod 0444 "ca_$Node.pem" "server-cert_$Node.pem" "client-cert_$Node.pem"

########## Docker configuration
echo
echo "#Copy certificates"
# Server certificates
mkdir -p ~/.docker
cp -avf "ca_$Node.pem" "server-cert_$Node.pem" "server-key_$Node.pem" ~/.docker
# Client certificate files
cp -avf "client-cert_$Node.pem" "client-key_$Node.pem" ~/.docker/
# Bundle the client certificates
tar -zcf "docker-tls-client_$Node.tar.gz" "ca_$Node.pem" "client-cert_$Node.pem" "client-key_$Node.pem"
cp -af "docker-tls-client_$Node.tar.gz" ~/.docker/
ls -hl "$(pwd)"/docker-tls*

echo
echo "#Modify the Docker start-up options in /lib/systemd/system/docker.service"
# --tlsverify (not just --tls) makes dockerd require a client certificate signed by
# --tlscacert; with --tls alone the daemon encrypts the connection but accepts any client.
SetOPTS=" --tlsverify \
--tlscacert=$HOME/.docker/ca_${Node}.pem \
--tlscert=$HOME/.docker/server-cert_${Node}.pem \
--tlskey=$HOME/.docker/server-key_${Node}.pem \
-H 0.0.0.0:${Port} "
# Append the options to ExecStart, unless a previous run already did so
grep -q '^ExecStart.*--tlsverify' /lib/systemd/system/docker.service || \
    sed -i "s#^ExecStart.*#& $SetOPTS #" /lib/systemd/system/docker.service
grep '^ExecStart' /lib/systemd/system/docker.service
systemctl daemon-reload

echo
echo "#Remote connection from a client"
echo "docker -H $IP:${Port} --tlsverify --tlscacert ~/.docker/ca_$Node.pem --tlscert ~/.docker/client-cert_$Node.pem --tlskey ~/.docker/client-key_$Node.pem ps -a"
echo "#Connecting from a client with curl"
echo "curl --cacert ~/.docker/ca_$Node.pem --cert ~/.docker/client-cert_$Node.pem --key ~/.docker/client-key_$Node.pem https://$IP:${Port}/containers/json"

# IDEA is a Docker client, so it needs the client certificate and key; the server
# cert carries only the serverAuth EKU and is rejected by a --tlsverify daemon.
echo "-----------Special note for IDEA-----------------"
echo "To connect to Docker from IDEA, rename the client files:"
echo "ca_${Node}.pem to ca.pem"
echo "client-cert_${Node}.pem to cert.pem"
echo "client-key_${Node}.pem to key.pem"
echo "-----------Special note for IDEA-----------------"

# Clean up only the files this script generated (the copies in ~/.docker remain)
rm -f ca*.srl *_"$Node".pem extfile-*.cnf server.csr client.csr

echo
echo -e "\e[1;32m#Restart Docker to apply the change
systemctl restart docker
\e[0m"
#
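The check below is an added example and is not part of the original post or its script. It verifies a generated certificate set the way a Docker client and a --tlsverify daemon will: both leaf certificates must chain to the CA, the server certificate must carry the serverAuth extended key usage and a subjectAltName for the daemon's IP, and the client certificate must carry clientAuth. The make_demo_certs helper builds a throwaway set as constructed test data (2048-bit keys, one-day validity, no CA passphrase); 203.0.113.10 and the /tmp path are placeholders. It reads `openssl x509 -text` rather than the newer -ext flag so it also runs on the OpenSSL 1.0.2 shipped with CentOS 7.

```shell
#!/bin/sh
# verify-docker-tls.sh: added example, not part of the original post or script.

# chains_to_ca CA CERT: succeed if CERT is signed by CA.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_eku CERT USAGE: USAGE is the text openssl prints, i.e.
# "TLS Web Server Authentication" or "TLS Web Client Authentication".
has_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Extended Key Usage' | grep -q "$2"
}

# has_ip_san CERT IP: succeed if IP appears in the certificate's subjectAltName.
has_ip_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | grep -qE "IP Address:$2(,|\$)"
}

# verify_docker_tls CA SERVER_CERT CLIENT_CERT DAEMON_IP: run every check,
# print each failure, and return non-zero if any check failed.
verify_docker_tls() {
    ca=$1; server=$2; client=$3; ip=$4; rc=0
    chains_to_ca "$ca" "$server" || { echo "FAIL: server cert is not signed by the CA"; rc=1; }
    chains_to_ca "$ca" "$client" || { echo "FAIL: client cert is not signed by the CA"; rc=1; }
    has_eku "$server" 'TLS Web Server Authentication' \
        || { echo "FAIL: server cert lacks extendedKeyUsage=serverAuth"; rc=1; }
    has_ip_san "$server" "$ip" \
        || { echo "FAIL: server cert has no subjectAltName for $ip; docker --tlsverify will reject it"; rc=1; }
    has_eku "$client" 'TLS Web Client Authentication' \
        || { echo "FAIL: client cert lacks extendedKeyUsage=clientAuth; dockerd --tlsverify will reject it"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: certificate set is consistent for $ip"
    return "$rc"
}

# make_demo_certs DIR IP: build a throwaway certificate set (constructed test
# data) with separate extfiles for the server and client certs, so the client
# cert gets clientAuth only and the server cert gets its SAN plus serverAuth.
make_demo_certs() (
    mkdir -p "$1" && cd "$1" || exit 1
    ip=$2
    openssl genrsa -out ca-key.pem 2048 >/dev/null 2>&1
    openssl req -new -x509 -days 1 -sha256 -key ca-key.pem -subj '/CN=demo-ca' -out ca.pem >/dev/null 2>&1
    openssl genrsa -out server-key.pem 2048 >/dev/null 2>&1
    openssl req -new -sha256 -key server-key.pem -subj "/CN=$ip" -out server.csr >/dev/null 2>&1
    printf 'subjectAltName = IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' "$ip" > extfile-server.cnf
    openssl x509 -req -days 1 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
        -out server-cert.pem -extfile extfile-server.cnf >/dev/null 2>&1
    openssl genrsa -out client-key.pem 2048 >/dev/null 2>&1
    openssl req -new -sha256 -key client-key.pem -subj '/CN=client' -out client.csr >/dev/null 2>&1
    printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
    openssl x509 -req -days 1 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
        -out client-cert.pem -extfile extfile-client.cnf >/dev/null 2>&1
)

# Example run (the directory and the IP 203.0.113.10 are placeholders):
#   make_demo_certs /tmp/docker-tls-demo 203.0.113.10
#   verify_docker_tls /tmp/docker-tls-demo/ca.pem /tmp/docker-tls-demo/server-cert.pem \
#       /tmp/docker-tls-demo/client-cert.pem 203.0.113.10
```

Run verify_docker_tls against the files the script leaves in ~/.docker (ca_<host>.pem, server-cert_<host>.pem, client-cert_<host>.pem and the IP you configured) before restarting the daemon; a SAN mismatch or a missing clientAuth usage is caught here rather than as an opaque TLS handshake failure from docker or curl later.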

Script notes

  1. Before running, set the IP entry in the configuration section to the Docker server's IP.
  2. For remote use from IDEA the certificate file names must be changed; see the script output for details.
  3. The port is 2375.

Testing

Use netstat -tunlp to list the ports the server has open and is listening on; if 2375 or 2376 is present, the daemon started successfully. If it cannot be reached, check the firewall and the allow-list (on cloud servers).
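The two read-only checks below are an added example, not part of the original post; they go with the "fully open" method, the ExecStart edit the script makes, and the netstat test above. The ExecStart lines and the netstat output they are tried on are constructed samples. The classifier separates --tls (daemon encrypts the connection but does not authenticate clients) from --tlsverify (a client certificate signed by --tlscacert is required), which is the distinction the Docker daemon documentation draws between the two flags; the listener scan flags a dockerd socket on 2375 as the plaintext variant.

```shell
#!/bin/sh
# docker-api-exposure.sh: added example, not from the original post.

# classify_execstart "ExecStart=/usr/bin/dockerd ...": prints one word
#   local      no TCP host; the API is reachable only via the unix socket / fd://
#   open       TCP host without TLS (the "fully open" method): anyone on the
#              network has root-equivalent control of the host
#   tls        TCP host with --tls only: traffic is encrypted, clients unauthenticated
#   tlsverify  TCP host with --tlsverify: a CA-signed client certificate is required
classify_execstart() {
    tcp=0; tls=0; verify=0; expect_host=0
    for w in $1; do
        if [ "$expect_host" = 1 ]; then
            expect_host=0
            case "$w" in fd://*|unix://*) ;; *) tcp=1 ;; esac
            continue
        fi
        case "$w" in
            -H|--host)                    expect_host=1 ;;
            -H=*|--host=*)                case "${w#*=}" in fd://*|unix://*) ;; *) tcp=1 ;; esac ;;
            --tls|--tls=true)             tls=1 ;;
            --tlsverify|--tlsverify=true) verify=1 ;;
        esac
    done
    if   [ "$tcp" = 0 ];    then echo local
    elif [ "$verify" = 1 ]; then echo tlsverify
    elif [ "$tls" = 1 ];    then echo tls
    else                         echo open
    fi
}

# audit_docker_service [UNIT_FILE]: classify the last ExecStart line of the
# unit file the post edits (systemd honours the last ExecStart= it sees).
audit_docker_service() {
    f=${1:-/lib/systemd/system/docker.service}
    line=$(grep '^ExecStart=' "$f" | tail -n 1)
    [ -n "$line" ] || { echo "no ExecStart line in $f"; return 1; }
    classify_execstart "$line"
}

# docker_api_listeners "<netstat -tunlp output>": prints "PORT STATUS" for each
# dockerd listening socket on the standard ports (2375 plaintext, 2376 TLS).
docker_api_listeners() {
    printf '%s\n' "$1" | awk '
        /LISTEN/ && /dockerd/ {
            n = split($4, a, ":"); port = a[n]
            if (port == "2375") print port, "plaintext"
            else if (port == "2376") print port, "tls"
        }'
}

# Constructed sample of netstat -tunlp output (PIDs and ports are made up).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1001/sshd
tcp6       0      0 :::2375                 :::*                    LISTEN      1532/dockerd
tcp6       0      0 :::2376                 :::*                    LISTEN      1532/dockerd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           871/dhclient'

# Example run:
#   audit_docker_service                   # classify the real unit file
#   docker_api_listeners "$(netstat -tunlp 2>/dev/null)"
#   docker_api_listeners "$SAMPLE_NETSTAT" # -> 2375 plaintext / 2376 tls
```

Run audit_docker_service after applying either method: anything other than tlsverify on a host reachable from outside a trusted network is a finding, and a "tls" result means the certificate step was done but the daemon was started with --tls instead of --tlsverify. A dockerd listener on 2375 in the netstat scan is the plaintext variant and should only show up on the VM or internal-network setups the first section describes.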