Docker远程TLS远程连接

Docker远程TLS远程连接

作者: zxk175 | 来源:发表于2019-10-11 15:53 被阅读0次

    参考地址1
    参考地址2

    1.脚本内容
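    #!/usr/bin/env bash
    # @author zxk175
    #
    # Set up mutual-TLS access to the Docker daemon on this host:
    #   1. create a private CA (passphrase-protected RSA key) in ~/certs
    #   2. issue a server certificate (SAN = 127.0.0.1 and $IP) and a client certificate
    #   3. install the server material in /etc/docker/certs.d and point dockerd at it
    #      through a systemd drop-in (the vendor docker.service is left untouched, so a
    #      package upgrade does not silently replace the unit this script wrote)
    #   4. bundle ca.pem/cert.pem/key.pem into ~/certs/tls-client-certs-<CODE>.tar.gz
    #   5. restart docker and smoke-test the TCP endpoint with docker and curl
    #
    # Run as root on the Docker host after editing the settings block below.
    #
    # SECURITY NOTES
    #   * A client certificate signed by this CA gives root-equivalent control of the
    #     host. Hand the tarball out over a secure channel only, and restrict tcp/$PORT
    #     with a firewall: dockerd is bound to 0.0.0.0 below.
    #   * Move ca-key-<CODE>.pem offline once you are done issuing certificates.
    #   * The CA passphrase reaches openssl through the environment (env:CA_PASS), not
    #     as a "pass:..." argument, so it is not readable by other users in `ps`.
    set -euo pipefail
    umask 077   # keys, certs and the tarball start out private; public certs are opened up explicitly

    #============================================#
    #   Certificate / key settings, edit these    #
    #============================================#
    IP="服务器外网IP"            # public IP of this server; becomes the server cert SAN
    IN_IP="127.0.0.1"
    ZERO_IP="0.0.0.0"            # dockerd bind address: all interfaces, so firewall $PORT
    PORT="2376"
    CODE="证书后缀"              # suffix for the generated file names, e.g. prod01
    PASSWORD="证书密码"          # passphrase protecting the CA private key
    COUNTRY="CN"
    STATE="GD"
    CITY="SZ"
    ORGANIZATION="组织名称"
    ORGANIZATIONAL_UNIT="Dev"
    COMMON_NAME="$IP"
    EMAIL="邮箱"
    CA_DAYS="365"                # validity of the CA certificate (days)
    CERT_DAYS="365"              # validity of the server and client certificates (days)
    SUBJ="/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"

    SERVER_DIR="/etc/docker/certs.d"      # where dockerd reads its TLS material
    CLIENT_DIR="$HOME/.docker"            # where the local docker CLI keeps its client certs
    CA_DIR="$HOME/certs"                  # CA key and every generated file
    DROPIN="/etc/systemd/system/docker.service.d/10-tls.conf"

    die()    { printf 'error: %s\n' "$*" >&2; exit 1; }
    info()   { printf '\n\e[1;32m%s\e[0m\n' "$*"; }
    banner() { printf '\n\e[1;31m%s\e[0m\n' "$*"; }

    #============================================#
    #   Sanity checks before anything is touched  #
    #============================================#
    [[ $EUID -eq 0 ]] || die "run as root (writes $SERVER_DIR and the systemd drop-in)"
    ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
    # A placeholder here would end up verbatim in the subjectAltName and make openssl fail late.
    [[ "$IP" =~ $ipv4_re ]] || die "IP must be an IPv4 address, got '$IP' (still the placeholder?)"
    [[ "$CODE" =~ ^[A-Za-z0-9._-]+$ ]] || die "CODE is used in file names; allowed: letters, digits, . _ - (got '$CODE')"
    [[ -n "$PASSWORD" && "$PASSWORD" != "证书密码" ]] || die "PASSWORD is still the placeholder"
    [[ -x /usr/bin/dockerd ]] || die "/usr/bin/dockerd not found"
    for tool in openssl docker curl systemctl; do
        command -v "$tool" >/dev/null || die "$tool is not installed"
    done
    # dockerd refuses to start when listen addresses come from both daemon.json and the command line.
    if [[ -f /etc/docker/daemon.json ]] && grep -q '"hosts"' /etc/docker/daemon.json; then
        die '/etc/docker/daemon.json already sets "hosts"; remove it, otherwise the drop-in written below conflicts'
    fi

    mkdir -p "$SERVER_DIR" "$CLIENT_DIR" "$CA_DIR"

    # Remove only the files this script itself generates. $SERVER_DIR also holds per-registry
    # trust anchors (certs.d/<registry>/ca.crt) and $CLIENT_DIR holds config.json with registry
    # logins, so wiping those directories wholesale would destroy unrelated state.
    rm -f -- "$SERVER_DIR/ca.pem" "$SERVER_DIR/server-cert-$CODE.pem" "$SERVER_DIR/server-key-$CODE.pem"
    rm -f -- "$CLIENT_DIR/ca.pem" "$CLIENT_DIR/client-cert-$CODE.pem" "$CLIENT_DIR/client-key-$CODE.pem" \
             "$CLIENT_DIR/server-cert-$CODE.pem" "$CLIENT_DIR/server-key-$CODE.pem"
    rm -f -- "$CA_DIR/ca.pem" "$CA_DIR/ca-key-$CODE.pem" \
             "$CA_DIR/server-cert-$CODE.pem" "$CA_DIR/server-key-$CODE.pem" \
             "$CA_DIR/client-cert-$CODE.pem" "$CA_DIR/client-key-$CODE.pem" \
             "$CA_DIR/tls-client-certs-$CODE.tar.gz"

    # Scratch space for CSRs, the extension file and the serial file; removed on any exit.
    WORK="$(mktemp -d)"
    trap 'rm -rf -- "$WORK"' EXIT

    # Passphrase for the CA key, consumed by openssl via -passout/-passin env:CA_PASS.
    export CA_PASS="$PASSWORD"

    cd "$CA_DIR"

    # 1. CA private key, AES-256 encrypted with the passphrase
    openssl genrsa -aes256 -passout env:CA_PASS -out "ca-key-$CODE.pem" 4096

    # 2. self-signed CA certificate
    openssl req -new -x509 -days "$CA_DAYS" -sha256 -key "ca-key-$CODE.pem" -passin env:CA_PASS \
        -subj "$SUBJ" -out ca.pem

    banner "============================================"
    banner "    Issuing the server certificate"
    banner "============================================"

    # 3. server private key; unencrypted because dockerd must load it without a passphrase
    openssl genrsa -out "server-key-$CODE.pem" 4096

    # 4. server certificate request
    openssl req -new -sha256 -subj "/CN=$COMMON_NAME" -key "server-key-$CODE.pem" -out "$WORK/server.csr"

    # 5. allow clients to connect by IP (loopback and public IP) and restrict the cert to server use
    printf 'subjectAltName = IP:%s,IP:%s\nextendedKeyUsage = serverAuth\n' "$IN_IP" "$IP" > "$WORK/extfile.cnf"
    info "server extfile.cnf:"
    cat "$WORK/extfile.cnf"

    # 6. sign with the CA; the serial file is kept in $WORK and discarded with it
    openssl x509 -req -days "$CERT_DAYS" -sha256 -in "$WORK/server.csr" \
        -CA ca.pem -CAkey "ca-key-$CODE.pem" -passin env:CA_PASS \
        -CAserial "$WORK/ca.srl" -CAcreateserial \
        -extfile "$WORK/extfile.cnf" -out "server-cert-$CODE.pem"

    banner "============================================"
    banner "    Issuing the client certificate"
    banner "============================================"

    # 7. client private key
    openssl genrsa -out "client-key-$CODE.pem" 4096

    # 8. client certificate request
    openssl req -new -sha256 -subj '/CN=client' -key "client-key-$CODE.pem" -out "$WORK/client.csr"

    # 9. restrict the cert to client authentication so it cannot be presented as a server
    printf 'extendedKeyUsage = clientAuth\n' > "$WORK/extfile.cnf"
    info "client extfile.cnf:"
    cat "$WORK/extfile.cnf"

    # 10. sign with the CA
    openssl x509 -req -days "$CERT_DAYS" -sha256 -in "$WORK/client.csr" \
        -CA ca.pem -CAkey "ca-key-$CODE.pem" -passin env:CA_PASS \
        -CAserial "$WORK/ca.srl" -CAcreateserial \
        -extfile "$WORK/extfile.cnf" -out "client-cert-$CODE.pem"

    # 11. private keys owner-read-only; certificates are public
    chmod -v 0400 "ca-key-$CODE.pem" "server-key-$CODE.pem" "client-key-$CODE.pem"
    chmod -v 0444 ca.pem "server-cert-$CODE.pem" "client-cert-$CODE.pem"

    #============================================#
    #   Client bundle                             #
    #============================================#
    # Renamed to cert.pem/key.pem: the names the docker CLI and IDE integrations expect.
    mkdir "$WORK/bundle"
    cp -- ca.pem "$WORK/bundle/ca.pem"
    cp -- "client-cert-$CODE.pem" "$WORK/bundle/cert.pem"
    cp -- "client-key-$CODE.pem" "$WORK/bundle/key.pem"
    tar -czf "tls-client-certs-$CODE.tar.gz" -C "$WORK/bundle" ca.pem cert.pem key.pem
    chmod 0600 "tls-client-certs-$CODE.tar.gz"   # contains the client private key

    #============================================#
    #   Server side                               #
    #============================================#
    cp -- ca.pem "server-cert-$CODE.pem" "server-key-$CODE.pem" "$SERVER_DIR/"
    chmod 0400 "$SERVER_DIR/server-key-$CODE.pem"
    chmod 0444 "$SERVER_DIR/ca.pem" "$SERVER_DIR/server-cert-$CODE.pem"

    info "writing systemd drop-in $DROPIN (vendor docker.service stays untouched)"
    mkdir -p "$(dirname "$DROPIN")"
    # Unquoted heredoc: $VARS are expanded by this shell. Anything systemd itself must expand
    # (e.g. $MAINPID) would have to be written as \$MAINPID; this drop-in needs none. The
    # doubled backslashes survive as single ones so systemd sees a multi-line ExecStart.
    cat >"$DROPIN" <<EOF
    [Service]
    # The empty ExecStart= clears the vendor command line; the next one replaces it.
    ExecStart=
    ExecStart=/usr/bin/dockerd --tlsverify \\
        --tlscacert=$SERVER_DIR/ca.pem \\
        --tlscert=$SERVER_DIR/server-cert-$CODE.pem \\
        --tlskey=$SERVER_DIR/server-key-$CODE.pem \\
        -H unix:///var/run/docker.sock -H tcp://$ZERO_IP:$PORT
    EOF
    chmod 0644 "$DROPIN"

    # Local client copy for the docker CLI on this host. Only client material goes here;
    # the server private key has no business in a client directory.
    cp -- ca.pem "client-cert-$CODE.pem" "client-key-$CODE.pem" "$CLIENT_DIR/"

    info "restarting docker"
    systemctl daemon-reload
    systemctl restart docker
    systemctl is-active --quiet docker || die "docker did not come up; see: journalctl -u docker"

    #============================================#
    #   Smoke tests                               #
    #============================================#
    banner "client connection test with docker"
    for host in "$IP" "$IN_IP"; do
        cmd=(docker -H "tcp://$host:$PORT" --tlsverify
             --tlscacert "$CLIENT_DIR/ca.pem"
             --tlscert "$CLIENT_DIR/client-cert-$CODE.pem"
             --tlskey "$CLIENT_DIR/client-key-$CODE.pem"
             ps -a)
        printf '\n%s\n' "${cmd[*]}"
        "${cmd[@]}"
    done

    banner "client connection test with cURL"
    for host in "$IP" "$IN_IP"; do
        cmd=(curl --fail --silent --show-error
             --cacert "$CLIENT_DIR/ca.pem"
             --cert "$CLIENT_DIR/client-cert-$CODE.pem"
             --key "$CLIENT_DIR/client-key-$CODE.pem"
             "https://$host:$PORT/containers/json")
        printf '\n%s\n' "${cmd[*]}"
        "${cmd[@]}"
        printf '\n'
    done

    info "All done."
    info "Client bundle: $CA_DIR/tls-client-certs-$CODE.tar.gz (copy it over a secure channel only)"
    info "CA key:        $CA_DIR/ca-key-$CODE.pem (move it offline; whoever holds it can mint Docker admin certs)"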
    
    2.以 root 身份在服务器上执行脚本（生成的证书保存在 ~/certs，CA 私钥 ca-key-xxxx.pem 在签发完成后应移到离线位置保管）
    3.将 ~/certs 下的 tls-client-certs-xxxx.tar.gz 通过安全渠道（如 scp）复制到客户端备用；压缩包内含客户端私钥，持有者即可以 root 权限操作 Docker 主机，切勿通过邮件、聊天工具等明文方式传输
