Implementation of one-click TLS encryption for docker remote api

Implementation of one-click TLS encryption for docker remote api

Recently, the company's server was mined, and the cause was finally located at port 2375 of Docker.

Let's sort it out. At first, we found that there were several more images and running containers in docker for unknown reasons, and they were very CPU-intensive. In addition, no IP access rules were set for port 2375, which means that everyone can operate your docekr through your port 2375 and mount the host folder with the startup container. Because docker is started with root permissions, everyone can control your host as a root user through your port 2375.

Here are our response steps:

1. Change the 2375 port of Docker to another port. This is only a stopgap measure.

$ vi /usr/lib/systemd/system/docker.service

insert image description here

Restart Docker:

$ systemctl daemon-reload
$ systemctl restart docker

2. Encrypt TLS for Docker

#!/bin/bash
mkdir -p /root/tls/pem
DOMAIN_HOST=`ifconfig eth0 | grep "inet" | awk '{ print $2}' | sed -n '1p;1q'`
#DOMAIN_HOST=`hostname` #Choose the best domain name plan HOST=$DOMAIN_HOST
# Custom information PASSWORD="yourPassword"
COUNTRY=CN
PROVINCE=gd
CITY=gz
ORGANIZATION=dounine
GROUP=dg
NAME=lake
SUBJ="/C=$COUNTRY/ST=$PROVINCE/L=$CITY/O=$ORGANIZATION/OU=$GROUP/CN=$HOST"
# Custom information#====================================================================================================================
#This form is to issue a certificate to yourself. You can be a CA organization or you can hand it over to a third party organization to issue it. #Generate the root certificate RSA private key, and use password as the private key password (ID card)
openssl genrsa -passout pass:$PASSWORD -aes256 -out /root/tls/pem/ca-key.pem 4096
# 2. Generate a self-signed root certificate (business license) using the root certificate RSA private key
openssl req -new -x509 -days 365 -passin pass:$PASSWORD -key /root/tls/pem/ca-key.pem -sha256 -subj $SUBJ -out /root/tls/pem/ca.pem
#============================================================================================
#Issue a certificate to the server# 1. The server generates its own private key openssl genrsa -out /root/tls/pem/server-key.pem 4096
# 2. The server generates a certificate (which contains the public key and server information)
openssl req -new -sha256 -key /root/tls/pem/server-key.pem -out /root/tls/pem/server.csr -subj "/CN=$DOMAIN_HOST"
# 3. How to connect to me? You can set multiple IP addresses and separate them with commas echo subjectAltName=IP:$DOMAIN_HOST,IP:0.0.0.0 > /tmp/extfile.cnf
# 4. The authority stamps the certificate to make it effective openssl x509 -passin pass:$PASSWORD -req -days 365 -sha256 -in /root/tls/pem/server.csr -CA /root/tls/pem/ca.pem -CAkey /root/tls/pem/ca-key.pem -CAcreateserial -out /root/tls/pem/server-cert.pem -extfile /tmp/extfile.cnf
#============================================================================================
#Issue a certificate to the client openssl genrsa -out /root/tls/pem/client-key.pem 4096
openssl req -subj '/CN=client' -new -key /root/tls/pem/client-key.pem -out /root/tls/pem/client.csr
echo extendedKeyUsage = clientAuth > /tmp/extfile.cnf
openssl x509 -passin pass:$PASSWORD -req -days 365 -sha256 -in /root/tls/pem/client.csr -CA /root/tls/pem/ca.pem -CAkey /root/tls/pem/ca-key.pem -CAcreateserial -out /root/tls/pem/client-cert.pem -extfile /tmp/extfile.cnf
#============================================================================================
# Clean up the file rm -rf /root/tls/pem/ca-key.pem
rm -rf /root/tls/pem/{server,client}.csr
rm -rf /root/tls/pem/ca.srl
# Final file# ca.pem == CA certificate# client-cert.pem == Client certificate# client-key.pem == Client private key# server-cert.pem == Server certificate# server-key.pem == Server private key

Notice:

  • When DOMAIN_HOST is set to the domain name, echo subjectAltName=IP:$DOMAIN_HOST,IP:0.0.0.0 > /tmp/extfile.cnf The $DOMAIN_HOST in this code should be replaced with the public IP address of your server.
  • echo subjectAltName=IP:$DOMAIN_HOST,IP:0.0.0.0 > IP:0.0.0.0 in /tmp/extfile.cnf means that all IPs can be accessed by carrying certificates. Although all are set here, the public IP of your server should not be omitted. That is, IP:$yourip,IP:0.0.0.0, not IP:0.0.0.0

Give the file execute permissions:

$ chmod +x tls.sh

After executing the shell script, ca.pem, client-cert.pem, client-key.pem, server-cert.pem, and server-key.pem are generated in the /root/tls/pem directory.

Then modify the docker configuration:

$ vim /usr/lib/systemd/system/docker.service

Add to:

		--tlsverify \
        --tlscacert=/root/tls/pem/ca.pem \
        --tlscert=/root/tls/pem/server-cert.pem \
        --tlskey=/root/tls/pem/server-key.pem \


Restart Docker:

$ systemctl daemon-reload
$ systemctl restart docker

Now connect using the docker remote api:

No certification:

$ docker -H tcp://192.168.0.150:2376 version

An error message will be displayed indicating that the authentication is not successful.

Carry authentication method:

docker --tlsverify --tlscacert=/root/tls/pem/ca.pem --tlscert=/root/tls/pem/client-cert.pem --tlskey=/root/tls/pem/client-key.pem -H tcp://192.168.0.150:2376 version

This is the end of this article about the implementation of one-click TLS encryption of docker remote api. For more related content about one-click TLS encryption of docker remote api, please search previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!

You may also be interested in:
  • Detailed example of remotely connecting to Docker using TLS encrypted communication
  • How to enable TLS and CA authentication in Docker
  • Docker deploys mysql remote connection to solve 2003 problems
  • Docker enables secure TLS remote connection access

<<:  The most comprehensive explanation of the locking mechanism in MySQL

>>:  CSS sprites technology integrates multiple backgrounds into one PNG image CSS positioning

Recommend

Simply understand the differences in the principles of common SQL delete statements

This article mainly introduces the differences be...

Detailed explanation of the differences and usages of Linux system shutdown commands

What are the shutdown commands for Linux systems?...

A brief discussion on macrotasks and microtasks in js

Table of contents 1. About JavaScript 2. JavaScri...

How to configure MGR single master and multiple slaves in MySQL 8.0.15

1. Introduction MySQL Group Replication (MGR for ...

Detailed tutorial on distributed operation of jmeter in docker environment

1. Build the basic image of jmeter The Dockerfile...

A Brief Analysis of MySQL Connections and Collections

Join query A join query refers to a matching quer...

The way to represent colors in HTML is by using 6-digit hexadecimal codes, RGB or keywords.

There are three ways to represent colors in HTML, ...

About the correct way to convert time in js when importing excel

Table of contents 1. Basics 2. Problem Descriptio...

Detailed graphic instructions for downloading and installing the unzipped version of MySQL 5.7.18 and starting the MySQL service

Because the distribution package of MySQL Communi...

MySQL 5.7.20 installation and configuration method graphic tutorial under Windows

Install MySQL under Windows for your reference. T...

Detailed troubleshooting of docker.service startup errors

Execute the following command to report an error ...

Use of Linux cal command

1. Command Introduction The cal (calendar) comman...

Website Building Tutorial for Beginners: Learn to Build a Website in Ten Days

The 10-day tutorial uses the most understandable ...

Calendar effect based on jQuery

This article example shares the specific code of ...

Design: A willful designer

<br />Years of professional art design educa...