Detailed graphic tutorial on how to enable remote secure access with Docker

1. Edit the docker.service file

vi /usr/lib/systemd/system/docker.service

Find the [Service] node, modify the ExecStart property, and add -H tcp://0.0.0.0:2375

ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375

This is equivalent to opening port 2375 to the outside world. Of course, you can also change it to other ports according to your own situation.

2. Reload Docker configuration to take effect

systemctl daemon-reload
systemctl restart docker

We test it by accessing 2375 through the browser. The format is: http://ip:2375/version

If you cannot access it, you can try to open the firewall port 2375. The specific commands are as follows:

firewall-cmd --zone=public --add-port=2375/tcp --permanent
firewall-cmd --reload

If you still cannot access it, if the machine you are using is a cloud server, such as Alibaba Cloud, Tencent Cloud, etc., you need to check whether port 2375 is open in the server security group rules. If not, add the port configuration.

In this way, we can directly connect to the test in the Docker plug-in in Idea:

3. Configure Docker secure access

The above two steps should not be used in production environment! It is fine to use it in the development environment. If you directly expose Docker to the outside world like this, it is very dangerous, just like you open Redis to the outside world 6379 without setting a password.

Basically, many articles on the Internet are like the above two steps, the naked steps... Think about it, think about it carefully, if not you, who will be the one to be hacked?

In fact, the official document has already provided an encryption method based on CA certificates. For details, click here.

1. Create CA private key and CA public key

First create a ca folder to store the private key and public key

mkdir -p /usr/local/ca
cd /usr/local/ca

Then on the Docker daemon's host , generate the CA private and public keys:

openssl genrsa -aes256 -out ca-key.pem 4096

After executing the above instructions, we will be asked to enter a password before proceeding to the next step. Here I set the password to: niceyoo

2. Complete CA certificate information

Execute the following command:

openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

Then enter in order: access password, country, province, city, organization name, unit name, any name, email address, etc. To save time, I use niceyoo instead of organization, unit, etc.

niceyoo cn beijing beijing niceyoo niceyoo niceyoo [email protected]

At this point, the CA certificate has been created. With the CA, you can create a server key and certificate signing request (CSR), making sure the "Common Name" matches the hostname you use when connecting to Docker.

3. Generate server-key.pem

openssl genrsa -out server-key.pem 4096

4. Sign the public key with CA

Since TLS connections can be established via both IP addresses and DNS names, you need to specify the IP address when creating the certificate. For example, to allow connections using 10.211.55.4 :

openssl req -subj "/CN=10.211.55.4" -sha256 -new -key server-key.pem -out server.csr

If you are using a URL (for example: www.sscai.club), just replace it:

openssl req -subj "/CN=www.sscai.club" -sha256 -new -key server-key.pem -out server.csr

Note: The IP or domain name mentioned here refers to the address that will be used for external purposes in the future.

5. Matching whitelist

The significance of configuring the whitelist is to allow which IP addresses can remotely connect to Docker. There are two ways to do this, but you can just execute step 2 of 5.2:

5.1. Allow the specified IP to connect to the docker in the server. Multiple IPs are separated by commas.

If your external docker address is an IP address, the command is as follows:

echo subjectAltName = DNS:$HOST,IP:XX.XX.XX.XX,IP:XX.XX.XX.XX >> extfile.cnf

When using, replace $HOST with your own IP address or URL, depending on whether the Docker link you expose to the outside world is an IP address or a URL.

# Docker on the server 10.211.55.4 only allows clients with IP address 221.217.177.151 to connect echo subjectAltName = DNS:10.211.55.4,IP:221.217.177.151 >> extfile.cnf

# Docker on the www.sscai.club server only allows clients with IP addresses 221.217.177.151 and 127.0.0.1 to connect echo subjectAltName = DNS:www.sscai.club,IP:221.217.177.151,IP:127.0.0.1 >> extfile.cnf

5.2. Configure 0.0.0.0 to allow all IPs to connect (but only those with permanent certificates can connect successfully)

echo subjectAltName = DNS:10.211.55.4,IP:0.0.0.0 >> extfile.cnf

6. Execute commands

Set the extended usage property of the Docker daemon key to be used for server authentication only:

echo extendedKeyUsage = serverAuth >> extfile.cnf

7. Generate signature integer

openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf

After execution, you need to enter the password set above

8. Generate client key.pem

openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr

9. Make the key suitable for client authentication

Create an extension configuration file:

echo extendedKeyUsage = clientAuth >> extfile.cnf
echo extendedKeyUsage = clientAuth > extfile-client.cnf

10. Generate signature integer

openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out cert.pem -extfile extfile-client.cnf

Generate cert.pem, you need to enter the previously set password again: niceyoo

11. Delete unnecessary files, two integer signature requests

After generating cert.pem and server-cert.pem you can safely delete both the certificate signing request and the extended configuration file:

rm -v client.csr server.csr extfile.cnf extfile-client.cnf

12. Modifiable permissions

To protect your key from accidental corruption, remove its write permissions. To make them read-only for you, change the file mode as follows:

chmod -v 0400 ca-key.pem key.pem server-key.pem

The certificate can be made publicly readable, removing write permissions to prevent accidental corruption:

chmod -v 0444 ca.pem server-cert.pem cert.pem

13. Collect server certificates

cp server-*.pem /etc/docker/
cp ca.pem /etc/docker/

14. Modify Docker configuration

Make the Docker daemon only accept connections from clients that present a certificate trusted by the CA

vim /lib/systemd/system/docker.service

Replace the ExecStart property value:

ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/usr/local/ca/ca.pem --tlscert=/usr/local/ca/server-cert.pem --tlskey=/usr/local/ca/server-key.pem -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

15. Reload daemon and restart docker

systemctl daemon-reload

systemctl restart docker

Let's verify it in the docker module in IDEA and take a look at the previous connection:

Obviously, it is impossible to connect. At this time, we need to get the certificate created by the docker host and use the certificate to connect:

Pull these four certificate files to a local folder. This folder will be used to specify in idea. It should be noted that the link in TCP needs to be changed to Https format. The specific content is shown in the figure below:

Summarize

This concludes this article about the detailed graphic tutorial on how to enable remote secure access with Docker. For more information about Docker remote access, please search for previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!