
IDEA's built-in Docker plugin: packaging the project into an image and deploying it in one click, plus Docker CA (TLS) authentication


Enabling remote access to Docker

Edit the Docker service unit file

# Edit the Docker service unit file
vim /lib/systemd/system/docker.service

# Port 2375 is conventionally used for unencrypted communication with the daemon and port 2376 for encrypted (TLS) communication.
# Edit the ExecStart line and append the following options
-H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker

# Original line, commented out
# ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
# Enable remote access
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

Reload the configuration and restart

Reload the unit files

systemctl daemon-reload

Restart the service

systemctl restart docker.service

Verify that it took effect

Check whether the port is listening

netstat -antp | grep dockerd  # if netstat is missing, install it with: yum install net-tools

[root@administrator ~]# netstat -antp | grep dockerd 
tcp6       0      0 :::2375                 :::*                    LISTEN      4514/dockerd  

Use curl directly to check that it works: test the Docker Engine API through localhost

curl http://127.0.0.1:2375/info

curl http://localhost:2375/version

Then test whether the Docker Engine API is reachable remotely through the host IP by accessing:

http://ip:2375/version

Configuring Docker in IDEA

Install the Docker plugin in IDEA

IDEA bundles the Docker plugin by default. If it is missing, open File -> Settings -> Plugins, type docker into the search box and click Install. Restart IDEA afterwards.

Open File -> Settings -> Build, Execution, Deployment -> Docker to add a Docker configuration that connects to the remote Docker daemon.

Write the Dockerfile

Create a file named Dockerfile in the same directory as pom.xml

# Base image
FROM openjdk:8

# Maintainer information
MAINTAINER author_information

# Declare an environment variable
ENV HOME_PATH /home

# Commands run at container start execute in this directory
WORKDIR $HOME_PATH

# Copy the jar produced by the build into the container
ADD target/SpringBoot-0.0.1-SNAPSHOT.jar $HOME_PATH/app.jar

# Port the container listens on
EXPOSE 8888

# Command executed when the container starts
ENTRYPOINT ["java","-jar","app.jar"]

Create a Dockerfile run configuration

Name: name of the run configuration

Server: the remote Docker connection configured above

Build
	Dockerfile: the Dockerfile written above
	Image tag: name for the image to build

Run: extra options for running the container
	Container name: name of the container
	Bind ports: host-to-container port bindings

Before launch: extra steps to run before the build
	clean package -DskipTests: rebuild the project (clean, package, skip tests)

Run the Dockerfile configuration

Maven build output

[INFO] --- maven-resources-plugin:3.1.0:testResources (default-testResources) @ SpringBoot ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory D:\WorkSpace\SpringBoot\SpringBoot\src\test\resources
[INFO] 
[INFO] --- maven-compiler-plugin:3.8.1:testCompile (default-testCompile) @ SpringBoot ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 2 source files to D:\WorkSpace\SpringBoot\SpringBoot\target\test-classes
[INFO] 
[INFO] --- maven-surefire-plugin:2.22.2:test (default-test) @ SpringBoot ---
[INFO] Tests are skipped.
[INFO] 
[INFO] --- maven-jar-plugin:3.2.0:jar (default-jar) @ SpringBoot ---
[INFO] Building jar: D:\WorkSpace\SpringBoot\SpringBoot\target\SpringBoot-0.0.1-SNAPSHOT.jar
[INFO] 
[INFO] --- spring-boot-maven-plugin:2.3.2.RELEASE:repackage (repackage) @ SpringBoot ---
[INFO] Replacing main artifact with repackaged archive
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  8.479 s
[INFO] Finished at: 2021-12-13T10:52:41+08:00
[INFO] ------------------------------------------------------------------------

Process finished with exit code 0

Docker build output

Deploying 'app Dockerfile: Dockerfile'...
Building image...
Preparing build context archive...
[==================================================>]231/231 files
Done

Sending build context to Docker daemon...
[==================================================>] 45.36MB
Done

Step 1/7 : FROM openjdk:8
8: Pulling from library/openjdk
5e0b432e8ba9: Pull complete 
a84cfd68b5ce: Pull complete 
e8b8f2315954: Pull complete 
0598fa43a7e7: Pull complete 
e0d35e3be804: Pull complete 
cc526d02f40c: Pull complete 
94f9f735b512: Pull complete 
Digest: sha256:d847fdd469a97814a8c118bdb887402a629539002a8c95e4c288ba9389023273
Status: Downloaded newer image for openjdk:8
 ---> 5bbce51c9625
Step 2/7 : MAINTAINER author_information
 ---> Running in 6c284c4b5760
Removing intermediate container 6c284c4b5760
 ---> 69667ca16305
Step 3/7 : ENV HOME_PATH /home
 ---> Running in a7db17091292
Removing intermediate container a7db17091292
 ---> b4ea04a3f9e0
Step 4/7 : WORKDIR $HOME_PATH
 ---> Running in d30dd81b060c
Removing intermediate container d30dd81b060c
 ---> e0d7d8612471
Step 5/7 : ADD target/SpringBoot-0.0.1-SNAPSHOT.jar $HOME_PATH/app.jar
 ---> 9311a765d1fa
Step 6/7 : EXPOSE 8888
 ---> Running in 886760657fbf
Removing intermediate container 886760657fbf
 ---> 7eb01ec04b2b
Step 7/7 : ENTRYPOINT ["java","-jar","app.jar"]
 ---> Running in 52302bde47df
Removing intermediate container 52302bde47df
 ---> a5fe639b0ea4

Successfully built a5fe639b0ea4
Successfully tagged app-image:latest
Creating container...
Container Id: 1fa00700d7e44008c0147537633f989f5e0dad2ec2feb0d4dcf536f47eba07a5
Container name: 'app'
Starting container 'app'
'app Dockerfile: Dockerfile' has been deployed successfully.

Application startup log

.   ____          _            __ _ _
2021-12-13T02:52:50.486656996Z  /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
2021-12-13T02:52:50.486662053Z ( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
2021-12-13T02:52:50.486666493Z  \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
2021-12-13T02:52:50.486670850Z   '  |____| .__|_| |_|_| |_\__, | / / / /
2021-12-13T02:52:50.486682355Z  =========|_|==============|___/=/_/_/_/
2021-12-13T02:52:50.486687022Z  :: Spring Boot ::        (v2.3.2.RELEASE)
2021-12-13T02:52:50.486692068Z 
2021-12-13T02:52:50.943602301Z 2021-12-13 02:52:50.923  INFO 1 --- [           main] cn.ybzy.demo.Application                 : Starting Application v0.0.1-SNAPSHOT on 78ccbfcfd8b7 with PID 1 (/home/app.jar started by root in /home)
2021-12-13T02:52:50.943714240Z 2021-12-13 02:52:50.933  INFO 1 --- [           main] cn.ybzy.demo.Application                 : No active profile set, falling back to default profiles: default
2021-12-13T02:52:55.388436890Z 2021-12-13 02:52:55.374  INFO 1 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port(s): 8888 (http)
2021-12-13T02:52:55.417423600Z 2021-12-13 02:52:55.406  INFO 1 --- [           main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]
2021-12-13T02:52:55.417479871Z 2021-12-13 02:52:55.407  INFO 1 --- [           main] org.apache.catalina.core.StandardEngine  : Starting Servlet engine: [Apache Tomcat/9.0.37]
2021-12-13T02:52:55.593516194Z 2021-12-13 02:52:55.583  INFO 1 --- [           main] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext
2021-12-13T02:52:55.593571747Z 2021-12-13 02:52:55.583  INFO 1 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 4421 ms
2021-12-13T02:52:56.333579730Z  _ _   |_  _ _|_. ___ _ |    _ 
2021-12-13T02:52:56.333687060Z | | |\/|_)(_| | |_\  |_)||_|_\ 
2021-12-13T02:52:56.333693146Z      /               |         
2021-12-13T02:52:56.333697576Z                         3.3.2 
2021-12-13T02:52:57.522491446Z 2021-12-13 02:52:57.512  INFO 1 --- [           main] o.s.s.concurrent.ThreadPoolTaskExecutor  : Initializing ExecutorService 'applicationTaskExecutor'
2021-12-13T02:52:58.490595954Z 2021-12-13 02:52:58.487  INFO 1 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8888 (http) with context path ''
2021-12-13T02:52:58.516487066Z 2021-12-13 02:52:58.514  INFO 1 --- [           main] cn.ybzy.demo.Application                 : Started Application in 9.952 seconds (JVM running for 11.366)
2021-12-13T02:53:03.163608112Z 2021-12-13 02:53:03.159  INFO 1 --- [nio-8888-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring DispatcherServlet 'dispatcherServlet'
2021-12-13T02:53:03.163727603Z 2021-12-13 02:53:03.159  INFO 1 --- [nio-8888-exec-1] o.s.web.servlet.DispatcherServlet        : Initializing Servlet 'dispatcherServlet'
2021-12-13T02:53:03.179540679Z 2021-12-13 02:53:03.173  INFO 1 --- [nio-8888-exec-1] o.s.web.servlet.DispatcherServlet        : Completed initialization in 14 ms

Access IP:9999/test (the host port bound in the run configuration) to test the deployment.

docker-maven-plugin

Configure the build information in pom.xml

<properties>
    <java.version>1.8</java.version>
    <docker.image.prefix>docker</docker.image.prefix>
</properties>

<plugin>
    <groupId>com.spotify</groupId>
    <artifactId>docker-maven-plugin</artifactId>
    <version>1.0.0</version>
    <configuration>
        <!-- Image name, e.g. docker/springboot -->
        <imageName>${docker.image.prefix}/${project.artifactId}</imageName>
        <!-- Image tags -->
        <imageTags>
            <imageTag>latest</imageTag>
        </imageTags>
        <!-- Base image -->
        <baseImage>openjdk:8</baseImage>
        <!-- Maintainer information -->
        <maintainer>author [email protected]</maintainer>
        <!-- Switch to the /home directory -->
        <workdir>/home</workdir>
        <cmd>["java", "-version"]</cmd>
        <!-- ${project.build.finalName}.jar is the packaged jar file -->
        <entryPoint>["java", "-jar", "${project.build.finalName}.jar"]</entryPoint>
        <!-- Path to a Dockerfile, if one is used instead of the settings above
        <dockerDirectory>${project.basedir}/src/main/docker</dockerDirectory>
        -->
        <!-- Address of the remote Docker API -->
        <dockerHost>http://IP:2375</dockerHost>
        <!-- Copy the jar into the given directory of the image -->
        <resources>
            <resource>
                <targetPath>/home</targetPath>
                <!-- Root directory to copy from; ${project.build.directory} is the target directory -->
                <directory>${project.build.directory}</directory>
                <!-- File to copy; ${project.build.finalName}.jar is the packaged jar file -->
                <include>${project.build.finalName}.jar</include>
            </resource>
        </resources>
    </configuration>
</plugin>

The docker-maven plugin generates the following Dockerfile automatically:

FROM openjdk:8

MAINTAINER author [email protected]

WORKDIR /home

ADD /home/springboot-0.0.1-SNAPSHOT.jar /home/

ENTRYPOINT ["java", "-jar", "springboot-0.0.1-SNAPSHOT.jar"]

CMD ["java", "-version"]

Package and build the image

Package the project and build the image on the Docker host

mvn clean package docker:build

Image build output

[INFO] Building image docker/springboot
Step 1/6 : FROM openjdk:8

 ---> 5bbce51c9625
Step 2/6 : MAINTAINER author [email protected]

 ---> Running in 26d43778f848
Removing intermediate container 26d43778f848
 ---> e84687af3956
Step 3/6 : WORKDIR /home

 ---> Running in d40701dc2fa2
Removing intermediate container d40701dc2fa2
 ---> c13ff0ee15ad
Step 4/6 : ADD /home/springboot-0.0.1-SNAPSHOT.jar /home/

 ---> 38c6d5dc9d29
Step 5/6 : ENTRYPOINT ["java", "-jar", "springboot-0.0.1-SNAPSHOT.jar"]

 ---> Running in 1b7e13b193cd
Removing intermediate container 1b7e13b193cd
 ---> 309a61b47f49
Step 6/6 : CMD ["java", "-version"]

 ---> Running in 14c3ab54e4d9
Removing intermediate container 14c3ab54e4d9
 ---> 26ae18adc558
ProgressMessage{id=null, status=null, stream=null, error=null, progress=null, progressDetail=null}
Successfully built 26ae18adc558
Successfully tagged docker/springboot:latest
[INFO] Built docker/springboot
[INFO] Tagging docker/springboot with latest
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  24.674 s
[INFO] Finished at: 2021-12-13T11:30:45+08:00
[INFO] ------------------------------------------------------------------------

Process finished with exit code 0

List the images

[root@administrator ~]# docker images
REPOSITORY                      TAG          IMAGE ID       CREATED          SIZE
docker/springboot               latest       26ae18adc558   2 minutes ago    557MB

Binding Docker goals to Maven phases

The Docker work can be split into build, tag and push, bound to Maven's package and deploy phases respectively

mvn deploy: runs the whole build, tag and push sequence

mvn build (i.e. the package phase, per the executions below): runs build and tag

-DskipDockerBuild: skip building the image

-DskipDockerTag: skip tagging the image

-DskipDockerPush: skip pushing the image

-DskipDocker: skip all Docker steps

mvn package -DskipDockerTag: skip the tag step

    </configuration>

    <executions>
        <!-- When mvn package runs, build the image (equivalent to mvn clean package docker:build) -->
        <execution>
            <id>build-image</id>
            <phase>package</phase>
            <goals>
                <goal>build</goal>
            </goals>
        </execution>

        <!-- When mvn package runs, also tag the image -->
        <execution>
            <id>tag-image</id>
            <phase>package</phase>
            <goals>
                <goal>tag</goal>
            </goals>
            <configuration>
                <image>${docker.image.prefix}/${project.artifactId}:latest</image>
                <newName>${docker.image.prefix}/${project.artifactId}:${project.version}</newName>
            </configuration>
        </execution>

        <!-- When mvn deploy runs, push the image -->
        <execution>
            <id>push-image</id>
            <phase>deploy</phase>
            <goals>
                <goal>push</goal>
            </goals>
            <configuration>
                <imageName>${docker.image.prefix}/${project.artifactId}:${project.version}</imageName>
            </configuration>
        </execution>
    </executions>
</plugin>

Using a private Docker registry

docker-maven-plugin makes it easy to push images to a private Docker registry

Create a private registry

docker run -di --name=registry -p 5000:5000 registry

Edit daemon.json and add the private registry address to the registries Docker trusts without TLS

vi /etc/docker/daemon.json

{
 "insecure-registries":["Ip:5000"]
}

Restart the docker service

systemctl restart docker

Edit the POM

<configuration>
    <!-- Push the image to the private Docker registry -->
    <registryUrl>IP:5000</registryUrl>
    <pushImage>true</pushImage>
    <imageName>IP:5000/${docker.image.prefix}/${project.artifactId}:${project.version}</imageName>
</configuration>

Run mvn deploy, then check the private registry's catalogue:

http://IP:5000/v2/_catalog


Docker CA (TLS) authentication

Official documentation:

https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl

Docker certificate commands and configuration

Create a ca directory to hold the CA private key and certificate

mkdir ca && cd ca

On the Docker daemon host, generate the CA private key and public key

openssl genrsa -aes256 -out ca-key.pem 4096

The command asks for a passphrase; enter it and enter it again to confirm

[root@administrator ca]# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
................................................................................................................................................................................++
............................................................................................................................................++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
[root@administrator ca]# ls
ca-key.pem
[root@administrator ca]# 

Fill in the CA certificate details: enter the passphrase, then country, province, city, organization name, e-mail address and so on

openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

[root@administrator ca]# openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  
State or Province Name (full name) []:SC
Locality Name (eg, city) [Default City]:CD
Organization Name (eg, company) [Default Company Ltd]:YBZY
Organizational Unit Name (eg, section) []:YBZY
Common Name (eg, your name or your server's hostname) []:CJ          
Email Address []:[email protected]
[root@administrator ca]# ls
ca-key.pem  ca.pem
[root@administrator ca]# 

Now that there is a CA, create the server key and certificate signing request (CSR). Make sure the Common Name matches the hostname used to connect to Docker.

Generate server-key.pem

openssl genrsa -out server-key.pem 4096

[root@administrator ca]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
................++
...........................................................................................................................................................................................................................++
e is 65537 (0x10001)
[root@administrator ca]# ls
ca-key.pem  ca.pem  server-key.pem
[root@administrator ca]# 

Sign the public key with the CA

Because TLS connections can be made through an IP address as well as a DNS name, the IP addresses need to be specified when creating the certificate. For example, to allow connections using 10.10.10.20 and 127.0.0.1:

openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

Replace $HOST with the server's public IP address or domain name, i.e. the address remote machines use to reach the Docker daemon on this server
[root@administrator ca]# openssl req -subj "/CN=x.x.x.x" -sha256 -new -key server-key.pem -out server.csr
[root@administrator ca]# ls
ca-key.pem  ca.pem  server.csr  server-key.pem
[root@administrator ca]# 

Configure the whitelist (subjectAltName)

Allow the given IPs to connect to the server's Docker; several IPs can be listed, separated by commas

Because this is an SSL connection, the recommendation is to configure 0.0.0.0, i.e. any IP may connect, but only clients holding a certificate can connect successfully

IP form

echo subjectAltName = IP:$HOST,IP:0.0.0.0 >> extfile.cnf

DNS-name form

echo subjectAltName = DNS:$HOST,IP:0.0.0.0 >> extfile.cnf

[root@administrator ca]# echo subjectAltName = IP:x.x.x.x,IP:0.0.0.0 >> extfile.cnf
[root@administrator ca]# ls
ca-key.pem  ca.pem  extfile.cnf  server.csr  server-key.pem
[root@administrator ca]# 

Set the extended key usage of the Docker daemon's key to server authentication only

echo extendedKeyUsage = serverAuth >> extfile.cnf

[root@administrator ca]# echo extendedKeyUsage = serverAuth >> extfile.cnf
[root@administrator ca]# 

Generate the signed certificate; this prompts for the CA passphrase set earlier

# One command; the trailing "\" continues it onto the next line. In the transcript below the leading ">" is
# the shell's continuation prompt, not part of the command: pasting it in makes the shell redirect output
# to a file literally named -CAcreateserial, which is why such a file appears in the later directory listing.
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out server-cert.pem -extfile extfile.cnf

[root@administrator ca]# openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
>   -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=x.x.x.x
Getting CA Private Key
Enter pass phrase for ca-key.pem:
[root@administrator ca]# 
[root@administrator ca]# ls
-CAcreateserial  ca-key.pem  ca.pem  ca.srl  extfile.cnf  server-cert.pem  server.csr  server-key.pem
[root@administrator ca]# 

Generate the client key and certificate signing request

openssl genrsa -out key.pem 4096

openssl req -subj '/CN=client' -new -key key.pem -out client.csr

[root@administrator ca]# openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
...................................................................................................................++
...........................................................................................................................................................................................................................................++
e is 65537 (0x10001)
[root@administrator ca]# openssl req -subj '/CN=client' -new -key key.pem -out client.csr
[root@administrator ca]# ls
-CAcreateserial  ca-key.pem  ca.pem  ca.srl  client.csr  extfile.cnf  key.pem  server-cert.pem  server.csr  server-key.pem
[root@administrator ca]# 

To make the key suitable for client authentication, create an extension config file

# Only extfile-client.cnf is used when signing the client certificate below; the server certificate has
# already been signed with extfile.cnf, so appending clientAuth to it (as in the transcript) is not needed
echo extendedKeyUsage = clientAuth > extfile-client.cnf

[root@administrator ca]# echo extendedKeyUsage = clientAuth >> extfile.cnf
[root@administrator ca]# echo extendedKeyUsage = clientAuth > extfile-client.cnf
[root@administrator ca]# ls
-CAcreateserial  ca-key.pem  ca.pem  ca.srl  client.csr  extfile-client.cnf  extfile.cnf  key.pem  server-cert.pem  server.csr  server-key.pem
[root@administrator ca]# 

Generate the signed client certificate cert.pem; this prompts for the CA passphrase

openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf

[root@administrator ca]# openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem  -CAcreateserial -out cert.pem -extfile extfile-client.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:
[root@administrator ca]# ls
-CAcreateserial  ca-key.pem  ca.pem  ca.srl  cert.pem  client.csr  extfile-client.cnf  extfile.cnf  key.pem  server-cert.pem  server.csr  server-key.pem
[root@administrator ca]# 

After cert.pem and server-cert.pem have been generated, the two certificate signing requests and the extension config files can safely be deleted

rm -v client.csr server.csr extfile.cnf extfile-client.cnf

To protect the keys from accidental damage, remove write permission so that they are read-only

chmod -v 0400 ca-key.pem key.pem server-key.pem

Certificates may be world-readable; remove write permission to prevent accidental damage

chmod -v 0444 ca.pem server-cert.pem cert.pem
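The certificate procedure above, run non-interactively and followed by the checks worth doing before dockerd is pointed at the files, as an added example that is not part of the original post. HOST, the output directory and the CA passphrase are constructed placeholders, the subjectAltName follows the IP:10.10.10.20,IP:127.0.0.1 form of the Docker documentation linked above, and the CA's own extensions are written explicitly rather than taken from the default openssl.cnf.

```shell
#!/bin/sh
# Added example, not from the original post: the certificate procedure above run
# non-interactively, followed by the checks worth doing before dockerd is pointed
# at the files. HOST, OUT and CA_PASS below are constructed placeholders.
set -eu

HOST="${HOST:-10.10.10.20}"                   # assumption: your daemon's IP or DNS name
OUT="${OUT:-$(mktemp -d)}"                    # temporary output directory
CA_PASS="${CA_PASS:-example-ca-passphrase}"   # constructed; the post typed this at a prompt
DAYS=365

# Generate CA, server and client material into $OUT, mirroring the post's steps.
gen_docker_tls() {
  # SAN must name the address clients put in the URL: IP: for addresses, DNS: for names.
  case "$HOST" in
    *[!0-9.]*) SAN="DNS:$HOST,IP:127.0.0.1" ;;
    *)         SAN="IP:$HOST,IP:127.0.0.1" ;;
  esac
  # CA extensions are written explicitly instead of relying on the default openssl.cnf.
  printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$OUT/ca.cnf"
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$OUT/ca-key.pem" 4096 2>/dev/null
  openssl req -new -x509 -days "$DAYS" -sha256 -config "$OUT/ca.cnf" -extensions v3_ca \
    -key "$OUT/ca-key.pem" -passin "pass:$CA_PASS" -subj "/CN=docker-ca-example" -out "$OUT/ca.pem"
  # Server: CN = HOST, SAN as above, extended key usage restricted to serverAuth.
  openssl genrsa -out "$OUT/server-key.pem" 4096 2>/dev/null
  openssl req -subj "/CN=$HOST" -sha256 -new -key "$OUT/server-key.pem" -out "$OUT/server.csr"
  printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$SAN" > "$OUT/extfile.cnf"
  openssl x509 -req -days "$DAYS" -sha256 -in "$OUT/server.csr" -CA "$OUT/ca.pem" \
    -CAkey "$OUT/ca-key.pem" -passin "pass:$CA_PASS" -CAcreateserial \
    -out "$OUT/server-cert.pem" -extfile "$OUT/extfile.cnf" 2>/dev/null
  # Client: extended key usage restricted to clientAuth, so it cannot impersonate the daemon.
  openssl genrsa -out "$OUT/key.pem" 4096 2>/dev/null
  openssl req -subj '/CN=client' -new -key "$OUT/key.pem" -out "$OUT/client.csr"
  printf 'extendedKeyUsage = clientAuth\n' > "$OUT/extfile-client.cnf"
  openssl x509 -req -days "$DAYS" -sha256 -in "$OUT/client.csr" -CA "$OUT/ca.pem" \
    -CAkey "$OUT/ca-key.pem" -passin "pass:$CA_PASS" -CAcreateserial \
    -out "$OUT/cert.pem" -extfile "$OUT/extfile-client.cnf" 2>/dev/null
  # Same cleanup and permissions as the post.
  rm -f "$OUT"/client.csr "$OUT"/server.csr "$OUT"/extfile.cnf "$OUT"/extfile-client.cnf "$OUT"/ca.cnf
  chmod 0400 "$OUT"/ca-key.pem "$OUT"/key.pem "$OUT"/server-key.pem
  chmod 0444 "$OUT"/ca.pem "$OUT"/server-cert.pem "$OUT"/cert.pem
}

# Check chain, purpose, SAN and role separation. Prints "ok" on success, otherwise
# the first failing check, and returns non-zero.
verify_docker_tls() {
  ca="$OUT/ca.pem"
  openssl verify -CAfile "$ca" -purpose sslserver "$OUT/server-cert.pem" >/dev/null 2>&1 \
    || { echo "server-cert.pem does not verify for sslserver"; return 1; }
  openssl verify -CAfile "$ca" -purpose sslclient "$OUT/cert.pem" >/dev/null 2>&1 \
    || { echo "cert.pem does not verify for sslclient"; return 1; }
  # Role separation is what the two extendedKeyUsage lines buy: each cert must fail the other purpose.
  if openssl verify -CAfile "$ca" -purpose sslclient "$OUT/server-cert.pem" >/dev/null 2>&1; then
    echo "server-cert.pem is accepted as a client certificate"; return 1
  fi
  if openssl verify -CAfile "$ca" -purpose sslserver "$OUT/cert.pem" >/dev/null 2>&1; then
    echo "cert.pem is accepted as a server certificate"; return 1
  fi
  # The SAN must carry HOST, or clients connecting to https://HOST:2376 fail the hostname check.
  openssl x509 -in "$OUT/server-cert.pem" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' | grep -q "$HOST" \
    || { echo "subjectAltName does not contain $HOST"; return 1; }
  echo ok
}

gen_docker_tls
verify_docker_tls
```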

Place the certificates in a fixed location on the host so that the Docker configuration can reference them

[root@administrator ca]# cp server-*.pem /usr/local/program/docker-ca/
[root@administrator ca]# cp ca.pem /usr/local/program/docker-ca/

Edit the Docker configuration so that the daemon only accepts connections from clients presenting a certificate trusted by the CA

vim /lib/systemd/system/docker.service

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
# Original line
# ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

# New line: --tlsverify with the CA certificate, server certificate and key, listening on 2376
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --tlsverify --tlscacert=/usr/local/program/docker-ca/ca.pem  --tlscert=/usr/local/program/docker-ca/server-cert.pem --tlskey=/usr/local/program/docker-ca/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock

ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

systemctl daemon-reload
systemctl restart docker

Using Docker from IDEA

Note: configure the connection with the https protocol rather than tcp, otherwise you may see: Client sent an HTTP request to an HTTPS server
