Docker Remote API: client verification via daemon.json

Preface: this article was compiled by the editors of cha138.com and covers enabling the Docker Remote API with client certificate verification configured in daemon.json.

`2-daemon.json` (the file referenced from the section "Enable Remote API with TLS" below):

```json
{
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": true,
    "tlscacert": "/data/certs/ca.pem",
    "tlscert": "/data/certs/server-cert.pem",
    "tlskey": "/data/certs/server-key.pem",
    "tlsverify": true
}
```
# Enable Docker Remote API with TLS client verification  
Docker's Remote API can be secured with TLS, with the daemon verifying the client's certificate (mutual TLS): only clients presenting a certificate signed by your CA can talk to it. This matters because anyone who can call the API can start a privileged container and take over the host.  
First of all you need a few certificates and keys:  
+ CA certificate
+ Server certificate
+ Server key 
+ Client certificate
+ Client key 

## Create certificate files  
You can create these files as described in the official docs in [Protect the Docker daemon socket](https://docs.docker.com/engine/security/https/).  
You can also use my [create-certs.sh](https://github.com/kekru/linux-utils/blob/master/cert-generate/create-certs.sh) script to create them.  
Download the script and run like this:  

1. Create a CA with the password `yourSecretPassword` and `900` days until it will expire. The cert files will be in the directory `./certs`.
```bash
./create-certs.sh -m ca -pw yourSecretPassword -t certs -e 900
```
2. Create the server certificate and key with the password of step 1 `yourSecretPassword`, with the server name `myserver.example.com` (it must match the host name clients will connect to, since the client checks it against the certificate) and `365` days until it will expire. The cert files will be in the directory `./certs`.
```bash
./create-certs.sh -m server -h myserver.example.com -pw yourSecretPassword -t certs -e 365
```
3. Create the client certificate and key with the password of step 1 `yourSecretPassword`, with the client name `testClient` (the name matters if you want to use authorization plugins later, because it becomes the CN of the client certificate and is how the daemon identifies the caller) and `365` days until it will expire. The cert files will be in the directory `./certs`.
```bash
./create-certs.sh -m client -h testClient -pw yourSecretPassword -t certs -e 365
```
Now you have a directory `./certs` with certificates and keys for CA, server and client.

# Enable Remote API with TLS
Make sure you have a CA certificate and a server certificate with its server key.  
Open or create the file `/etc/docker/daemon.json`. This is the main configuration file for Docker.  
Take the content of the 2-daemon.json file of this gist and write it to /etc/docker/daemon.json. Edit the paths to your CA and server certificate files. With `tls` and `tlsverify` both set to `true`, the daemon only accepts connections that present a client certificate signed by `tlscacert`. Port 2376 is the conventional port for the TLS-protected API (2375 is the unencrypted one); `0.0.0.0` binds on every interface, so restrict access with a firewall if the host has interfaces that should not expose the API at all.

Caveat for systemd-based distributions: the stock unit file starts `dockerd` with `-H fd://`, and `hosts` may not be given both as a flag and in daemon.json, so the daemon will refuse to start. Use `sudo systemctl edit docker` to add a drop-in that clears `ExecStart=` and restarts `dockerd` without the `-H` option, then reload systemd.

Restart your Docker engine with `sudo service docker restart` (or `sudo systemctl restart docker`).  
The Docker Remote API is ready to use. You can run Docker commands from a remote device by using ca.pem together with the client certificate and key. Read [Run commands on remote Docker host](https://gist.github.com/kekru/4e6d49b4290a4eebc7b597c07eaf61f2) for more information.
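As an added example that is not part of the original gist or of create-certs.sh, the following POSIX shell script reproduces steps 1 to 3 of "Create certificate files" with plain openssl commands (a CA with a passphrase-protected key, a server certificate restricted to serverAuth with the host name in the SAN, a client certificate restricted to clientAuth) and then performs the checks a remote client should run on its copy of ca.pem, cert.pem and key.pem before using them against the daemon. File names follow the Docker docs; the function names, the `docker-ca` CA name and the `KEYBITS` override are this example's own assumptions. It needs only openssl (1.1 or 3.x).

```shell
#!/bin/sh
# Added example (not from the original gist or create-certs.sh).
# Assumed: file names as in the Docker docs (ca.pem, server-cert.pem,
# server-key.pem, cert.pem, key.pem); function names are this example's.

# make_docker_certs DIR HOST CLIENT PASSWORD DAYS
#   DIR      output directory (the gist's ./certs)
#   HOST     DNS name clients will connect to (goes into CN and SAN)
#   CLIENT   client name; becomes the client certificate CN
#   PASSWORD passphrase protecting the CA private key
#   DAYS     validity of the server and client certificates
make_docker_certs() {
    dir=$1 host=$2 client=$3 pass=$4 days=$5
    bits=${KEYBITS:-4096}          # RSA key size; override for quick tests
    mkdir -p "$dir" || return 1

    # 1. CA: passphrase-encrypted key, self-signed certificate, 900 days like step 1
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/ca-key.pem" "$bits" 2>/dev/null
    openssl req -new -x509 -days 900 -sha256 -key "$dir/ca-key.pem" -passin "pass:$pass" \
        -subj "/CN=docker-ca" -out "$dir/ca.pem"

    # 2. Server: host name in CN and SAN, usable only as a TLS server.
    #    The docker CLI checks the SAN against the host it connects to.
    openssl genrsa -out "$dir/server-key.pem" "$bits" 2>/dev/null
    openssl req -new -sha256 -key "$dir/server-key.pem" -subj "/CN=$host" -out "$dir/server.csr"
    printf 'subjectAltName = DNS:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' "$host" \
        > "$dir/server-ext.cnf"
    openssl x509 -req -days "$days" -sha256 -in "$dir/server.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca-key.pem" -passin "pass:$pass" -CAcreateserial \
        -extfile "$dir/server-ext.cnf" -out "$dir/server-cert.pem" 2>/dev/null

    # 3. Client: the CN is the identity the daemon (and an authz plugin) sees;
    #    clientAuth only, so the certificate cannot be reused as a server cert.
    openssl genrsa -out "$dir/key.pem" "$bits" 2>/dev/null
    openssl req -new -sha256 -key "$dir/key.pem" -subj "/CN=$client" -out "$dir/client.csr"
    printf 'extendedKeyUsage = clientAuth\n' > "$dir/client-ext.cnf"
    openssl x509 -req -days "$days" -sha256 -in "$dir/client.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca-key.pem" -passin "pass:$pass" -CAcreateserial \
        -extfile "$dir/client-ext.cnf" -out "$dir/cert.pem" 2>/dev/null

    rm -f "$dir/server.csr" "$dir/client.csr" "$dir/server-ext.cnf" "$dir/client-ext.cnf"
    chmod 0400 "$dir/ca-key.pem" "$dir/key.pem" "$dir/server-key.pem"
    chmod 0444 "$dir/ca.pem" "$dir/cert.pem" "$dir/server-cert.pem"
}

# check_docker_certs DIR: what the daemon and the client will verify at connect time.
# Returns 0 when everything is consistent, 1 on the first mismatch.
check_docker_certs() {
    dir=$1
    # both leaf certificates must chain to ca.pem (the daemon's tlscacert)
    openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1 || return 1
    # extended key usage: server -> serverAuth, client -> clientAuth
    openssl x509 -in "$dir/server-cert.pem" -noout -text \
        | grep -q 'TLS Web Server Authentication' || return 1
    openssl x509 -in "$dir/cert.pem" -noout -text \
        | grep -q 'TLS Web Client Authentication' || return 1
    # each private key must belong to its certificate (compare public keys)
    [ "$(openssl x509 -in "$dir/cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/key.pem" -pubout)" ] || return 1
    [ "$(openssl x509 -in "$dir/server-cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/server-key.pem" -pubout)" ] || return 1
}

# client_cn DIR: the name the daemon reports for this client (certificate CN)
client_cn() {
    openssl x509 -in "$1/cert.pem" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}

# docker_client_env DIR HOST: the variables the docker CLI reads on the remote
# machine. Equivalent to: docker --tlsverify --tlscacert=DIR/ca.pem \
#   --tlscert=DIR/cert.pem --tlskey=DIR/key.pem -H tcp://HOST:2376 version
docker_client_env() {
    printf 'export DOCKER_HOST=tcp://%s:2376\nexport DOCKER_TLS_VERIFY=1\nexport DOCKER_CERT_PATH=%s\n' "$2" "$1"
}

# Usage, mirroring steps 1-3 and then the client-side check:
#   make_docker_certs ./certs myserver.example.com testClient yourSecretPassword 365
#   check_docker_certs ./certs && echo "client: $(client_cn ./certs)"
#   eval "$(docker_client_env "$PWD/certs" myserver.example.com)" && docker version
```

`ca-key.pem` stays on the machine that issues certificates and is never copied to the daemon or to clients; the daemon gets `ca.pem`, `server-cert.pem` and `server-key.pem` (the three paths in daemon.json), a client gets `ca.pem`, `cert.pem` and `key.pem`. Revoking a client means issuing a new CA, since the daemon does not consult a CRL.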
