Docker Download and Installation
Download the installation packages
Connecting to Docker's repositories from inside China is slow, so I recommend downloading the .deb packages directly. For Ubuntu they are under https://download.docker.com/linux/ubuntu/dists/xenial/pool/stable/amd64/ (xenial is Ubuntu 16.04; pick the directory for your release and the version you need). The files I downloaded:
- containerd.io_1.4.6-1_amd64.deb
- docker-ce_20.10.7~3-0~ubuntu-xenial_amd64.deb
- docker-ce-cli_20.10.7~3-0~ubuntu-xenial_amd64.deb
Install
dpkg -i [packagename]
Note: install containerd.io first, then docker-ce-cli, and docker-ce_20.10.7~3-0~ubuntu-xenial_amd64.deb last, because docker-ce depends on the other two. dpkg -i performs no signature check on the package, so fetch the files over HTTPS from download.docker.com itself rather than from a mirror.
hello-world
# docker run hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/
Start Docker and enable it at boot
systemctl start docker && systemctl enable docker
Verify the installation
[root@172 software]# docker version
Client: Docker Engine - Community
Version: 20.10.7
API version: 1.41
Go version: go1.13.15
Git commit: f0df350
Built: Wed Jun 2 11:58:10 2021
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.7
API version: 1.41 (minimum version 1.12)
Go version: go1.13.15
Git commit: b0f5bc3
Built: Wed Jun 2 11:56:35 2021
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.4.6
GitCommit: d71fcd7d8303cbf684402823e425e9dd2e99285d
runc:
Version: 1.0.0-rc95
GitCommit: b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
docker-init:
Version: 0.19.0
GitCommit: de40ad0
Configure TLS certificates
Generate a CA, a server certificate and a client certificate, each valid for 10 years
Create a directory for the certificates on the server and change into it
mkdir -p /etc/docker/cert && cd /etc/docker/cert
Note: /etc/docker usually already exists after the installation, hence -p. /etc/docker/cert is the path the ExecStart line of docker.service below points at.
Create the CA's RSA private key
openssl genrsa -aes256 -out ca-key.pem 4096
Note: you are asked for a passphrase twice. Remember it; every signing step below needs it.
Create the CA certificate
openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca.pem
Note: this signs a certificate with the key from the previous step, i.e. a self-signed root. A certificate from a third-party CA could be used instead, although for Docker's mutual TLS a private CA that also issues the client certificates is the usual choice.
Create the server private key
openssl genrsa -out server-key.pem 4096
Create the server certificate signing request
openssl req -subj "/CN=172.31.128.152" -sha256 -new -key server-key.pem -out server.csr
Note: use your own server's IP address. Recent TLS clients ignore the CN and match only the subjectAltName, which the next step adds, so set both.
Create the extension file extfile.cnf
echo subjectAltName = IP:172.31.128.152,IP:127.0.0.1 > extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
Note: replace the IP with your server's address. These are two separate commands. The 127.0.0.1 entry lets you test the TLS endpoint locally with -H tcp://127.0.0.1; an entry for 0.0.0.0 would be of no use, since no client ever connects to that address.
Create the signed server certificate
openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Create the client private key
openssl genrsa -out key.pem 4096
Create the client certificate signing request
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
Create a separate extension file for the client certificate
echo extendedKeyUsage = clientAuth > extfile-client.cnf
Note: do not append this line to extfile.cnf. That file already carries extendedKeyUsage = serverAuth and the server's subjectAltName, neither of which belongs in a client certificate.
Create the signed client certificate
openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf
Remove the files that are no longer needed
rm -v client.csr server.csr
Restrict the file permissions (private keys readable only by their owner, certificates world-readable)
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem
Note: ca-key.pem is needed only to issue further certificates. Keep it off the Docker host if you can, and never copy it to a client.
Check the validity period
openssl x509 -in ca.pem -noout -dates
notBefore=Jun 5 03:23:23 2021 GMT
notAfter=Jun 3 03:23:23 2031 GMT
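The whole certificate procedure above as one non-interactive script, added here as an example; it is not part of the original post. It produces the same file names (ca.pem, ca-key.pem, server-cert.pem, server-key.pem, cert.pem, key.pem) and then checks them with openssl verify: both leaf certificates must chain to ca.pem, the server certificate must be acceptable only as a TLS server and the client certificate only as a TLS client, and the server IP must be present in the subjectAltName. Assumptions: the CA passphrase is supplied in the CA_PASS environment variable instead of being typed, the output directory and server IP are command-line arguments, the CA request uses its own small config file (req.cnf) so that basicConstraints and keyUsage are set regardless of the system openssl.cnf, and OpenSSL 1.1.1 or newer is installed.

```shell
#!/bin/sh
# Added example, not from the original post: the CA / server / client
# certificate steps as one script, followed by openssl verify checks.
# Assumptions: CA_PASS holds the CA key passphrase; OUTDIR and SERVER_IP
# come from the command line; OpenSSL 1.1.1 or newer.
set -eu

# gen_docker_tls OUTDIR SERVER_IP [KEY_BITS]
gen_docker_tls() {
    dir=$1
    ip=$2
    bits=${3:-4096}
    : "${CA_PASS:?set CA_PASS to the passphrase for ca-key.pem}"
    mkdir -p "$dir"
    (
    cd "$dir"

    # Minimal req config (assumption: do not depend on the system openssl.cnf).
    # v3_ca marks the root as a CA allowed to sign certificates and CRLs.
    cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

    # CA: passphrase-protected key and a self-signed root valid for 10 years.
    # env:CA_PASS keeps the passphrase out of the process list.
    openssl genrsa -aes256 -passout env:CA_PASS -out ca-key.pem "$bits" 2>/dev/null
    openssl req -new -x509 -days 3650 -sha256 -config req.cnf -subj "/CN=docker-ca" \
        -key ca-key.pem -passin env:CA_PASS -out ca.pem

    # Server: the IP goes into both CN and subjectAltName (recent clients only
    # look at the SAN); 127.0.0.1 allows a local TLS test.
    openssl genrsa -out server-key.pem "$bits" 2>/dev/null
    openssl req -new -sha256 -config req.cnf -subj "/CN=$ip" \
        -key server-key.pem -out server.csr
    printf 'subjectAltName = IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
        "$ip" > extfile.cnf
    openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
        -passin env:CA_PASS -CAcreateserial -out server-cert.pem -extfile extfile.cnf

    # Client: its own extension file, so it gets clientAuth and no server SAN.
    openssl genrsa -out key.pem "$bits" 2>/dev/null
    openssl req -new -sha256 -config req.cnf -subj "/CN=client" \
        -key key.pem -out client.csr
    printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
    openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
        -passin env:CA_PASS -CAcreateserial -out cert.pem -extfile extfile-client.cnf

    rm -f req.cnf extfile.cnf extfile-client.cnf server.csr client.csr
    chmod 0400 ca-key.pem server-key.pem key.pem
    chmod 0444 ca.pem server-cert.pem cert.pem
    )
}

# verify_docker_tls OUTDIR SERVER_IP
# Succeeds only if both leaf certificates chain to ca.pem, the server cert is
# usable solely as a TLS server, the client cert solely as a TLS client, and
# the server IP appears in the server cert's subjectAltName.
verify_docker_tls() {
    dir=$1
    ip=$2
    openssl verify -CAfile "$dir/ca.pem" -purpose sslserver "$dir/server-cert.pem" >/dev/null || return 1
    openssl verify -CAfile "$dir/ca.pem" -purpose sslclient "$dir/cert.pem" >/dev/null || return 1
    # extendedKeyUsage must keep the two roles apart
    if openssl verify -CAfile "$dir/ca.pem" -purpose sslclient "$dir/server-cert.pem" >/dev/null 2>&1; then
        echo "server-cert.pem is also valid as a client certificate" >&2
        return 1
    fi
    if openssl verify -CAfile "$dir/ca.pem" -purpose sslserver "$dir/cert.pem" >/dev/null 2>&1; then
        echo "cert.pem is also valid as a server certificate" >&2
        return 1
    fi
    openssl x509 -in "$dir/server-cert.pem" -noout -text | grep -q "IP Address:$ip" || return 1
}

# Usage on the Docker host:
#   CA_PASS=... sh docker-tls-certs.sh /etc/docker/cert 172.31.128.152
if [ "$#" -ge 2 ]; then
    gen_docker_tls "$1" "$2" "${3:-4096}"
    verify_docker_tls "$1" "$2"
    openssl x509 -in "$1/ca.pem" -noout -dates
fi
```

The negative checks in verify_docker_tls are the ones worth keeping: a certificate set in which the server certificate also passes -purpose sslclient means a compromised server key could be used to impersonate a client, which is exactly what the separate extendedKeyUsage values are meant to prevent.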
Configure Docker to accept TLS connections
Edit the docker.service unit
vim /lib/systemd/system/docker.service
Find the line beginning with ExecStart= and replace it with the following (this file belongs to the package and is overwritten on upgrades; a drop-in created with systemctl edit docker is not)
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --tlsverify --tlscacert=/etc/docker/cert/ca.pem --tlscert=/etc/docker/cert/server-cert.pem --tlskey=/etc/docker/cert/server-key.pem --containerd=/run/containerd/containerd.sock
Note: this makes the daemon listen on TCP port 2375; change it if needed. 2376 is the conventional port for the TLS endpoint (2375 conventionally means plaintext), and the firewall should admit only the hosts that need to reach it. Keep --tlsverify: without it a listener on 0.0.0.0 hands root-equivalent control of the host to anyone who can reach the port.
Reload the unit files and restart Docker
systemctl daemon-reload && systemctl restart docker
After the restart, check the service status
systemctl status docker
Of the generated files, the client needs these three: ca.pem, cert.pem and key.pem. Copy them to the client machine; server-cert.pem, server-key.pem and above all ca-key.pem stay on the server.
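A systemd drop-in for the TLS listener together with the client-side checks, added here as an example; it is not part of the original post. An override under /etc/systemd/system/docker.service.d survives package upgrades, which an edit of /lib/systemd/system/docker.service does not; the empty ExecStart= line clears the packaged command, which systemd requires before a new one is given for a service that is not oneshot. check_docker_tls then confirms the two things worth seeing after the restart: the mutual-TLS connection with ca.pem, cert.pem and key.pem works, and a TLS client that presents no certificate is refused. Assumptions: certificates in /etc/docker/cert as above; port 2376, the conventional TLS port, rather than the 2375 used above; the drop-in file name override.conf is a choice; docker and curl are installed on the client.

```shell
#!/bin/sh
# Added example, not from the original post: systemd drop-in for the TLS
# listener plus client-side connection checks.
# Assumptions: certificates under /etc/docker/cert, port 2376 by default,
# drop-in file name override.conf, docker and curl present on the client.
set -eu

# write_docker_tls_override DROPIN_DIR CERT_DIR [PORT]
# Writes DROPIN_DIR/override.conf. The first, empty ExecStart= clears the
# value from the packaged unit; otherwise systemd would see two ExecStart
# lines for a notify-type service and refuse the unit.
write_docker_tls_override() {
    dropin_dir=$1
    cert_dir=$2
    port=${3:-2376}
    mkdir -p "$dropin_dir"
    cat > "$dropin_dir/override.conf" <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:${port} --tlsverify --tlscacert=${cert_dir}/ca.pem --tlscert=${cert_dir}/server-cert.pem --tlskey=${cert_dir}/server-key.pem --containerd=/run/containerd/containerd.sock
EOF
    chmod 0644 "$dropin_dir/override.conf"
}

# check_docker_tls HOST PORT CLIENT_CERT_DIR
# 1) mutual TLS with ca.pem/cert.pem/key.pem must work;
# 2) a client that only trusts ca.pem but presents no certificate must fail
#    (handshake aborted by the daemon); if it succeeds, --tlsverify is not
#    in effect and the port is effectively unauthenticated.
check_docker_tls() {
    host=$1
    port=$2
    cdir=$3
    docker --tlsverify --tlscacert="$cdir/ca.pem" --tlscert="$cdir/cert.pem" \
        --tlskey="$cdir/key.pem" -H "tcp://$host:$port" version >/dev/null || {
        echo "mutual TLS connection to $host:$port failed" >&2
        return 1
    }
    if curl -s -o /dev/null --cacert "$cdir/ca.pem" "https://$host:$port/_ping"; then
        echo "daemon answered a request that carried no client certificate" >&2
        return 1
    fi
    echo "TLS endpoint $host:$port requires and accepts the client certificate"
}

# Usage:
#   on the Docker host, as root:
#     sh docker-tls-override.sh write /etc/systemd/system/docker.service.d /etc/docker/cert 2376
#     systemctl daemon-reload && systemctl restart docker
#   from the client machine that holds ca.pem, cert.pem and key.pem:
#     sh docker-tls-override.sh check 172.31.128.152 2376 ~/.docker
case "${1:-}" in
    write) write_docker_tls_override "$2" "$3" "${4:-2376}" ;;
    check) check_docker_tls "$2" "$3" "$4" ;;
esac
```

Placing the three client files in ~/.docker and exporting DOCKER_HOST=tcp://172.31.128.152:2376 and DOCKER_TLS_VERIFY=1 lets the plain docker command use them without the explicit --tls* flags.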
References
Enabling TLS for Docker, secure configuration (in Chinese): https://www.cnblogs.com/xiaoqi/p/docker-tls.html