Implementation of one-click TLS encryption for docker remote api

1. Change the 2375 port of Docker to another port. This is only a stopgap measure.
2. Encrypt TLS for Docker

Recently, the company's server was mined, and the cause was finally located at port 2375 of Docker.

Let's sort it out. At first, we found that there were several more images and running containers in docker for unknown reasons, and they were very CPU-intensive. In addition, no IP access rules were set for port 2375, which means that everyone can operate your docekr through your port 2375 and mount the host folder with the startup container. Because docker is started with root permissions, everyone can control your host as a root user through your port 2375.

Here are our response steps:

1. Change the 2375 port of Docker to another port. This is only a stopgap measure.

$ vi /usr/lib/systemd/system/docker.service

insert image description here

Restart Docker:

$ systemctl daemon-reload
$ systemctl restart docker

2. Encrypt TLS for Docker

#!/bin/bash
mkdir -p /root/tls/pem
DOMAIN_HOST=`ifconfig eth0 | grep "inet" | awk '{ print $2}' | sed -n '1p;1q'`
#DOMAIN_HOST=`hostname` #Choose the best domain name plan HOST=$DOMAIN_HOST
# Custom information PASSWORD="yourPassword"
COUNTRY=CN
PROVINCE=gd
CITY=gz
ORGANIZATION=dounine
GROUP=dg
NAME=lake
SUBJ="/C=$COUNTRY/ST=$PROVINCE/L=$CITY/O=$ORGANIZATION/OU=$GROUP/CN=$HOST"
# Custom information#====================================================================================================================
#This form is to issue a certificate to yourself. You can be a CA organization or you can hand it over to a third party organization to issue it. #Generate the root certificate RSA private key, and use password as the private key password (ID card)
openssl genrsa -passout pass:$PASSWORD -aes256 -out /root/tls/pem/ca-key.pem 4096
# 2. Generate a self-signed root certificate (business license) using the root certificate RSA private key
openssl req -new -x509 -days 365 -passin pass:$PASSWORD -key /root/tls/pem/ca-key.pem -sha256 -subj $SUBJ -out /root/tls/pem/ca.pem
#============================================================================================
#Issue a certificate to the server# 1. The server generates its own private key openssl genrsa -out /root/tls/pem/server-key.pem 4096
# 2. The server generates a certificate (which contains the public key and server information)
openssl req -new -sha256 -key /root/tls/pem/server-key.pem -out /root/tls/pem/server.csr -subj "/CN=$DOMAIN_HOST"
# 3. How to connect to me? You can set multiple IP addresses and separate them with commas echo subjectAltName=IP:$DOMAIN_HOST,IP:0.0.0.0 > /tmp/extfile.cnf
# 4. The authority stamps the certificate to make it effective openssl x509 -passin pass:$PASSWORD -req -days 365 -sha256 -in /root/tls/pem/server.csr -CA /root/tls/pem/ca.pem -CAkey /root/tls/pem/ca-key.pem -CAcreateserial -out /root/tls/pem/server-cert.pem -extfile /tmp/extfile.cnf
#============================================================================================
#Issue a certificate to the client openssl genrsa -out /root/tls/pem/client-key.pem 4096
openssl req -subj '/CN=client' -new -key /root/tls/pem/client-key.pem -out /root/tls/pem/client.csr
echo extendedKeyUsage = clientAuth > /tmp/extfile.cnf
openssl x509 -passin pass:$PASSWORD -req -days 365 -sha256 -in /root/tls/pem/client.csr -CA /root/tls/pem/ca.pem -CAkey /root/tls/pem/ca-key.pem -CAcreateserial -out /root/tls/pem/client-cert.pem -extfile /tmp/extfile.cnf
#============================================================================================
# Clean up the file rm -rf /root/tls/pem/ca-key.pem
rm -rf /root/tls/pem/{server,client}.csr
rm -rf /root/tls/pem/ca.srl
# Final file# ca.pem == CA certificate# client-cert.pem == Client certificate# client-key.pem == Client private key# server-cert.pem == Server certificate# server-key.pem == Server private key

Notice:

When DOMAIN_HOST is set to the domain name, echo subjectAltName=IP:$DOMAIN_HOST,IP:0.0.0.0 > /tmp/extfile.cnf The $DOMAIN_HOST in this code should be replaced with the public IP address of your server.
echo subjectAltName=IP:$DOMAIN_HOST,IP:0.0.0.0 > IP:0.0.0.0 in /tmp/extfile.cnf means that all IPs can be accessed by carrying certificates. Although all are set here, the public IP of your server should not be omitted. That is, IP:$yourip,IP:0.0.0.0, not IP:0.0.0.0

Give the file execute permissions:

$ chmod +x tls.sh

After executing the shell script, ca.pem, client-cert.pem, client-key.pem, server-cert.pem, and server-key.pem are generated in the /root/tls/pem directory.

Then modify the docker configuration:

$ vim /usr/lib/systemd/system/docker.service

Add to:

		--tlsverify \
        --tlscacert=/root/tls/pem/ca.pem \
        --tlscert=/root/tls/pem/server-cert.pem \
        --tlskey=/root/tls/pem/server-key.pem \

Restart Docker:

$ systemctl daemon-reload
$ systemctl restart docker

Now connect using the docker remote api:

No certification:

$ docker -H tcp://192.168.0.150:2376 version

An error message will be displayed indicating that the authentication is not successful.

Carry authentication method:

docker --tlsverify --tlscacert=/root/tls/pem/ca.pem --tlscert=/root/tls/pem/client-cert.pem --tlskey=/root/tls/pem/client-key.pem -H tcp://192.168.0.150:2376 version

This is the end of this article about the implementation of one-click TLS encryption of docker remote api. For more related content about one-click TLS encryption of docker remote api, please search previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!

You may also be interested in:

Detailed example of remotely connecting to Docker using TLS encrypted communication
How to enable TLS and CA authentication in Docker
Docker deploys mysql remote connection to solve 2003 problems
Docker enables secure TLS remote connection access

<<: The most comprehensive explanation of the locking mechanism in MySQL

>>: CSS sprites technology integrates multiple backgrounds into one PNG image CSS positioning

Vue implements multiple selections in the bottom pop-up window

Implementation of one-click TLS encryption for docker remote api

Table of contents

1. Change the 2375 port of Docker to another port. This is only a stopgap measure.

2. Encrypt TLS for Docker

Vue implements multiple selections in the bottom pop-up window

How to use wangEditor in vue and how to get focus by echoing data

Solution to the problem that the virtual machine Ubuntu 16.04 cannot connect to the Internet

The process of deploying and running countly-server in docker in win10

HTML simple web form creation example introduction

Example code for implementing concurrent request control in JavaScript/TypeScript

Integration practice of Vue+Element background management framework

In-depth understanding of Vue-cli4 routing configuration

How to manage multiple projects on CentOS SVN server

Mysql accidental deletion of data solution and kill statement principle

Recommend

How to permanently change the host name in Linux

Vue3 implements CSS infinite seamless scrolling effect

CentOS configures local yum source/Alibaba Cloud yum source/163yuan source and configures the priority of yum source

What is flex and a detailed tutorial on flex layout syntax

Mysql sets boolean type operations

Limit input type (multiple methods)

A brief discussion on the problem of forgotten mysql password and login error

Complete example of Vue encapsulating the global toast component

Detailed explanation of ssh password-free login configuration method (pictures and commands)

Examples of preview functions for various types of files in vue3

Process parsing of reserved word instructions in Dockerfile

Mysql: The user specified as a definer ('xxx@'%') does not exist solution

Docker core and specific use of installation

Multiple ways to insert SVG into HTML pages

HTML+CSS+JavaScript to make a girlfriend version of scratch card (you will learn it once you see it)