TheWe1Docker
使用总结
如何文件拷贝?
从主机拷贝到容器内
shell
docker cp ./ik 05cbbcbebcc2:/usr/share/elasticsearch/pluginsdocker cp ./ik 05cbbcbebcc2:/usr/share/elasticsearch/plugins从容器内拷贝文件到主机上
shell
docker cp 05cbbcbebcc2:/usr/share/elasticsearch/config/elasticsearch.yml ./config/elasticsearch.ymldocker cp 05cbbcbebcc2:/usr/share/elasticsearch/config/elasticsearch.yml ./config/elasticsearch.yml如何手动创建网络?
shell
docker network create -d bridge mynetworkdocker network create -d bridge mynetworkDocker访问加密
制作证书及秘钥
使用OpenSSL制作CA机构证书、服务端证书和客户端证书,以下操作均在安装Docker的Linux服务器上进行。
- 首先创建一个目录用于存储生成的证书和秘钥;
bash
mkdir /home/docker-ca && cd /home/docker-camkdir /home/docker-ca && cd /home/docker-ca- 创建CA证书私钥,期间需要输入两次用户名和密码,生成文件为
ca-key.pem;123456
bash
openssl genrsa -aes256 -out ca-key.pem 4096openssl genrsa -aes256 -out ca-key.pem 4096- 根据私钥创建CA证书,期间需要输入上一步设置的私钥密码,生成文件为
ca.pem;
bash
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pemopenssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem- 创建服务端私钥,生成文件为
server-key.pem;
bash
openssl genrsa -out server-key.pem 4096openssl genrsa -out server-key.pem 4096- 创建服务端证书签名请求文件,用于CA证书给服务端证书签名,生成文件
server.csr;
bash
openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csropenssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr- 创建CA证书签名好的服务端证书,期间需要输入CA证书私钥密码,生成文件为
server-cert.pem;
bash
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pemopenssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem- 创建客户端私钥,生成文件为
key.pem;
bash
openssl genrsa -out key.pem 4096openssl genrsa -out key.pem 4096- 创建客户端证书签名请求文件,用于CA证书给客户证书签名,生成文件
client.csr;
bash
openssl req -subj "/CN=client" -new -key key.pem -out client.csropenssl req -subj "/CN=client" -new -key key.pem -out client.csr- 为了让秘钥适合客户端认证,创建一个扩展配置文件
extfile-client.cnf;
bash
echo extendedKeyUsage = clientAuth > extfile-client.cnfecho extendedKeyUsage = clientAuth > extfile-client.cnf- 创建CA证书签名好的客户端证书,期间需要输入CA证书私钥密码,生成文件为
cert.pem;
bash
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnfopenssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf- 删除创建过程中多余的文件;
bash
rm -rf ca.srl server.csr client.csr extfile-client.cnfrm -rf ca.srl server.csr client.csr extfile-client.cnf- 最终生成文件如下,有了它们我们就可以进行基于TLS的安全访问了。
ca.pem CA证书
ca-key.pem CA证书私钥
server-cert.pem 服务端证书
server-key.pem 服务端证书私钥
cert.pem 客户端证书
key.pem 客户端证书私钥ca.pem CA证书
ca-key.pem CA证书私钥
server-cert.pem 服务端证书
server-key.pem 服务端证书私钥
cert.pem 客户端证书
key.pem 客户端证书私钥配置Docker支持TLS
- 用vim编辑器修改docker.service文件;
bash
vi /usr/lib/systemd/system/docker.servicevi /usr/lib/systemd/system/docker.service- 修改以
ExecStart开头的配置,开启TLS认证,并配置好CA证书、服务端证书和服务端私钥,增加内容如下:
bash
-H tcp://0.0.0.0:2375 --tlsverify --tlscacert=/home/docker-ca/ca.pem --tlscert=/home/docker-ca/server-cert.pem --tlskey=/home/docker-ca/server-key.pem-H tcp://0.0.0.0:2375 --tlsverify --tlscacert=/home/docker-ca/ca.pem --tlscert=/home/docker-ca/server-cert.pem --tlskey=/home/docker-ca/server-key.pem- 重启Docker服务,这样我们的Docker服务就支持使用TLS进行远程访问了!
bash
systemctl daemon-reload && systemctl restart dockersystemctl daemon-reload && systemctl restart docker客户端访问
TLS不再支持
http了,需要改用https,修改<dockerHost>配置为https;需要添加对应的客户端证书才能访问;
将如下文件复制到指定目录,这里复制到了
E:\Docker\env\docker-ca;该目录配置在插件的
<dockerCertPath>节点下,最终插件配置如下;xml<plugin> <groupId>com.spotify</groupId> <artifactId>docker-maven-plugin</artifactId> <version>1.2.2</version> <executions> <execution> <id>build-image</id> <phase>package</phase> <goals> <goal>build</goal> </goals> </execution> </executions> <configuration> <imageName>cola/${project.artifactId}:${project.version}</imageName> <dockerHost>https://81.68.218.181:2375</dockerHost> <baseImage>java:8</baseImage> <entryPoint>["java", "-jar","/${project.build.finalName}.jar"] </entryPoint> <dockerCertPath>E:\Docker\env\docker-ca</dockerCertPath> <resources> <resource> <targetPath>/</targetPath> <directory>${project.build.directory}</directory> <include>${project.build.finalName}.jar</include> </resource> </resources> </configuration> </plugin><plugin> <groupId>com.spotify</groupId> <artifactId>docker-maven-plugin</artifactId> <version>1.2.2</version> <executions> <execution> <id>build-image</id> <phase>package</phase> <goals> <goal>build</goal> </goals> </execution> </executions> <configuration> <imageName>cola/${project.artifactId}:${project.version}</imageName> <dockerHost>https://81.68.218.181:2375</dockerHost> <baseImage>java:8</baseImage> <entryPoint>["java", "-jar","/${project.build.finalName}.jar"] </entryPoint> <dockerCertPath>E:\Docker\env\docker-ca</dockerCertPath> <resources> <resource> <targetPath>/</targetPath> <directory>${project.build.directory}</directory> <include>${project.build.finalName}.jar</include> </resource> </resources> </configuration> </plugin>