Docker Engine -> User guide -> Secure Engine -> Protect the Docker daemon socket

Protect the Docker daemon socket

默认的，Docker的运行通过non-networked Unix socket.当然也可以通过HTTP socket进行通信。

如果你需要一种安全的网络方式，你可以开启TLS通过指定tlsverify标识并指明Docker的证书位置通过tlscacert标识去信任一个CA证书。

在daemon的模式下，将只会允许拥有CA签名的证书的认证客户端去链接。在client模式下，将通过这个CA签名的证书连接到服务器。

警告：使用TLS并管理CA是高级部分。请在生产环境使用之前熟悉OpenSSL，x509 ，和TLS。

警告：这里的TLS命令在Linux下只会生成一个证书的工作集，Mac OS X的一些版本的OpenSSL与Docker需要的证书不兼容。

Create a CA, server and client key with OpenSSL

注意：替换下命例子中的$HOST和DNS名为你的Docker daemon的主机。

首先生成CA的私钥和公钥:

# ------------------生成CA私钥 ca-key.pem-----------------
$ openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................................................++
........++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:

# ------------------生成CA公钥 ca.pem-----------------------
$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:Queensland
Locality Name (eg, city) []:Brisbane
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc
Organizational Unit Name (eg, section) []:Sales
#Common Name 在这里 ！！！！！！！！！
Common Name (e.g. server FQDN or YOUR name) []:$HOST
Email Address []:Sven@home.org.au

现在我们已经有了一个CA，可以创建一个server key和certifivate signing request(CSR).确保“Common Name”与你要连接的Docker的hostname匹配:

注意：替换下命例子中的$HOST和DNS名为你的Docker daemon的主机。

$ openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.....................................................................++
.................................................................................................++
e is 65537 (0x10001)
$ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

接下来，我们可以...

[TODO]保护Docker daemon的socket

[TODO]保护Docker daemon的socket

Protect the Docker daemon socket

Create a CA, server and client key with OpenSSL

相关阅读更多精彩内容

友情链接更多精彩内容