Configuring remote access to the Docker service

Use case

Environment

OS: Anolis 7.9

Modifying the Docker service configuration and setting up TLS certificates

Generate the CA certificate into the /etc/docker directory; it is used in the later steps.
```bash
# This step sets a passphrase on the CA key that later steps need; here it is set to 123456
openssl genrsa -aes256 -passout "pass:123456" -out /etc/docker/ca-key.pem 4096
# This step needs the passphrase set when ca-key.pem was generated, and takes the country, state, city, organization, organizational unit and other subject fields
openssl req -new -x509 -days 365 -key /etc/docker/ca-key.pem -sha256 -out /etc/docker/ca.pem -passin "pass:123456" -subj "/C=cn/ST=STATE/L=CITY/O=ORGANIZATION/OU=ORGANIZATIONAL_UNIT/CN=COMMON_NAME/emailAddress=EMAIL@123.com"
# Create the server private key
openssl genrsa -out /etc/docker/server-key.pem 4096
# Create the server certificate signing request; CN is the Docker server's IP address or domain name
openssl req -subj "/CN=DOCKER_SERVER_IP_OR_DOMAIN" -sha256 -new -key /etc/docker/server-key.pem -out /etc/docker/server.csr
# Restrict the server certificate to the server's addresses and to server authentication
echo "subjectAltName = IP:SERVER_IP,IP:127.0.0.1" >> extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf
# This step needs the passphrase set when ca-key.pem was generated
openssl x509 -req -days 365 -sha256 -in /etc/docker/server.csr -passin "pass:123456" -CA /etc/docker/ca.pem -CAkey /etc/docker/ca-key.pem -CAcreateserial -out /etc/docker/server-cert.pem -extfile extfile.cnf
# Delete extfile.cnf
rm -f extfile.cnf
# Create the client private key
openssl genrsa -out /etc/docker/key.pem 4096
# Create the client certificate signing request
openssl req -subj '/CN=client' -sha256 -new -key /etc/docker/key.pem -out /etc/docker/client.csr
# Restrict the client certificate to client authentication
echo "extendedKeyUsage = clientAuth" >> extfile.cnf
# Create the CA-signed client certificate
openssl x509 -req -days 365 -sha256 -in /etc/docker/client.csr -passin "pass:123456" -CA /etc/docker/ca.pem -CAkey /etc/docker/ca-key.pem -CAcreateserial -out /etc/docker/cert.pem -extfile extfile.cnf
# Delete extfile.cnf
rm -f extfile.cnf
# Restrict file permissions (optional; apply as appropriate)
chmod -v 0400 /etc/docker/ca-key.pem /etc/docker/key.pem /etc/docker/server-key.pem
chmod -v 0444 /etc/docker/ca.pem /etc/docker/server-cert.pem /etc/docker/cert.pem
```
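The following script is an added example, not part of the original post: it reproduces the CA, server and client certificate steps above in a scratch directory and then checks the result with openssl before any of it is handed to dockerd, which is the check worth running before exposing the daemon on a network port. It generalises the page's server SAN slightly by adding a DNS entry next to the IP addresses. The work directory, the CA passphrase "changeme", the address 192.0.2.10 and the name docker.example.invalid are constructed placeholders for this example.

```shell
#!/bin/sh
# Added example: build the Docker TLS material (CA, server cert, client cert)
# in a scratch directory and verify the chain, SAN and EKU restrictions.
# All values below are constructed for this example, not taken from the post.
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
CA_PASS="changeme"
SERVER_IP="192.0.2.10"
SERVER_NAME="docker.example.invalid"

gen_docker_pki() {
    dir="$1"
    # 1. Passphrase-protected CA key and self-signed CA certificate
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/ca-key.pem" 4096 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key "$dir/ca-key.pem" -passin "pass:$CA_PASS" \
        -subj "/CN=example-docker-ca" -out "$dir/ca.pem"
    # 2. Server key, CSR and CA-signed certificate limited to serverAuth and the server's addresses
    openssl genrsa -out "$dir/server-key.pem" 4096 2>/dev/null
    openssl req -new -sha256 -key "$dir/server-key.pem" -subj "/CN=$SERVER_NAME" -out "$dir/server.csr"
    printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
        "$SERVER_NAME" "$SERVER_IP" > "$dir/server-ext.cnf"
    openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
        -passin "pass:$CA_PASS" -CAcreateserial -extfile "$dir/server-ext.cnf" -out "$dir/server-cert.pem" 2>/dev/null
    # 3. Client key, CSR and CA-signed certificate limited to clientAuth
    openssl genrsa -out "$dir/key.pem" 4096 2>/dev/null
    openssl req -new -sha256 -key "$dir/key.pem" -subj "/CN=client" -out "$dir/client.csr"
    printf 'extendedKeyUsage = clientAuth\n' > "$dir/client-ext.cnf"
    openssl x509 -req -days 365 -sha256 -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
        -passin "pass:$CA_PASS" -CAcreateserial -extfile "$dir/client-ext.cnf" -out "$dir/cert.pem" 2>/dev/null
    # 4. Remove the temporary request and extension files, lock down the keys
    rm -f "$dir/server.csr" "$dir/client.csr" "$dir/server-ext.cnf" "$dir/client-ext.cnf"
    chmod 0400 "$dir/ca-key.pem" "$dir/key.pem" "$dir/server-key.pem"
    chmod 0444 "$dir/ca.pem" "$dir/server-cert.pem" "$dir/cert.pem"
}

# Check helpers: each exits 0 on success so the checks can be scripted.
# Does the certificate chain to the CA in "$1/ca.pem"?
cert_chains_to_ca() { openssl verify -CAfile "$1/ca.pem" "$2" >/dev/null 2>&1; }
# Does the certificate carry the named extendedKeyUsage purpose (as printed by -text)?
cert_has_eku() { openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "$2"; }
# Does the certificate list the given IP address in its subjectAltName?
cert_has_san_ip() { openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "IP Address:$2"; }

verify_docker_pki() {
    dir="$1"
    cert_chains_to_ca "$dir" "$dir/server-cert.pem" || return 1
    cert_chains_to_ca "$dir" "$dir/cert.pem" || return 1
    cert_has_eku "$dir/server-cert.pem" "TLS Web Server Authentication" || return 1
    cert_has_eku "$dir/cert.pem" "TLS Web Client Authentication" || return 1
    cert_has_san_ip "$dir/server-cert.pem" "$SERVER_IP" || return 1
    # The client cert must not double as a server cert, nor the server cert as a client cert
    cert_has_eku "$dir/cert.pem" "TLS Web Server Authentication" && return 1
    cert_has_eku "$dir/server-cert.pem" "TLS Web Client Authentication" && return 1
    return 0
}

gen_docker_pki "$PKI_DIR"
verify_docker_pki "$PKI_DIR" && echo "PKI in $PKI_DIR verified"
```

The EKU checks matter because dockerd with --tlsverify accepts any certificate the CA signed; keeping serverAuth and clientAuth separate means a leaked client certificate cannot be presented as the daemon's identity to other clients, and a copied server certificate cannot be used to log in.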
Modifying the Docker systemd unit file

```bash
vim /lib/systemd/system/docker.service
```

Edit the configuration to open port 2375 for client access and to configure the certificates.

The original configuration is as follows:
```ini
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target rhel-push-plugin.service registries.service
Wants=docker-storage-setup.service
Requires=rhel-push-plugin.service registries.service
Requires=docker-cleanup.timer

[Service]
Type=notify
NotifyAccess=main
EnvironmentFile=-/run/containers/registries.conf
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
Environment=DOCKER_HTTP_HOST_COMPAT=1
Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
ExecStart=/usr/bin/dockerd-current \
          --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
          --default-runtime=docker-runc \
          --authorization-plugin=rhel-push-plugin \
          --exec-opt native.cgroupdriver=systemd \
          --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
          --init-path=/usr/libexec/docker/docker-init-current \
          --seccomp-profile=/etc/docker/seccomp.json \
          $OPTIONS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $ADD_REGISTRY \
          $BLOCK_REGISTRY \
          $INSECURE_REGISTRY \
          $REGISTRIES
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=0
Restart=on-abnormal
KillMode=process

[Install]
WantedBy=multi-user.target
```
The modified configuration is as follows (the TLS flags and the TCP listener are added to ExecStart):
```ini
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target rhel-push-plugin.service registries.service
Wants=docker-storage-setup.service
Requires=rhel-push-plugin.service registries.service
Requires=docker-cleanup.timer

[Service]
Type=notify
NotifyAccess=main
EnvironmentFile=-/run/containers/registries.conf
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
Environment=DOCKER_HTTP_HOST_COMPAT=1
Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
ExecStart=/usr/bin/dockerd-current \
          --tlsverify \
          --tlscacert=/etc/docker/ca.pem \
          --tlscert=/etc/docker/server-cert.pem \
          --tlskey=/etc/docker/server-key.pem \
          -H tcp://0.0.0.0:2375 \
          --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
          --default-runtime=docker-runc \
          --authorization-plugin=rhel-push-plugin \
          --exec-opt native.cgroupdriver=systemd \
          --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
          --init-path=/usr/libexec/docker/docker-init-current \
          --seccomp-profile=/etc/docker/seccomp.json \
          $OPTIONS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $ADD_REGISTRY \
          $BLOCK_REGISTRY \
          $INSECURE_REGISTRY \
          $REGISTRIES
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=0
Restart=on-abnormal
KillMode=process

[Install]
WantedBy=multi-user.target
```
Then save the file and reload Docker:

```bash
systemctl daemon-reload
systemctl restart docker
```
At this point the Docker service can be reached from other servers. Note that if the firewall on the Docker host is tightly controlled, port 2375 may additionally need to be opened in the firewall.

Verification

Download the three certificate files ca.pem, cert.pem and key.pem from the /etc/docker directory and verify with the following command:

```bash
curl --cert /etc/docker/cert.pem --key /etc/docker/key.pem --cacert /etc/docker/ca.pem https://ip:2375/version
```

You can also open https://DOCKER_SERVER_IP:2375/version directly in a browser to view the Docker version; this checks whether the Docker service can still be reached when no client certificate is presented.