connect to Docker Swarm cluster via remote api
When Docker is installed, the remote API is not enabled by default: dockerd only listens on the local Unix socket. The first step is therefore to turn on remote access. Because anyone who can talk to the Docker API can start privileged containers, which is effectively root on the host, the remote endpoint must be protected with TLS certificates, and the daemon must verify client certificates rather than merely encrypt the connection.
- Create the CA certificate (-aes256 passphrase-protects ca-key.pem; this key signs every server and client cert, so keep it off the Docker host)
$> openssl genrsa -aes256 -out ca-key.pem 4096
$> openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
- Create the server certificate
The server certificate must carry the server's DNS name and IP address in its subjectAltName (replace $host and 192.168.0.1 below with your own). Clients check the name or address they connect to against this list, and anything not listed is rejected.
$> openssl genrsa -out server-key.pem 4096
$> openssl req -subj "/CN=$host" -sha256 -new -key server-key.pem -out server.csr
$> echo subjectAltName = DNS:$host,IP:192.168.0.1 >> extfile.cnf
$> echo extendedKeyUsage = serverAuth >> extfile.cnf
$> openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf
$> rm -rf extfile.cnf
- Create the client certificate (extendedKeyUsage = clientAuth is what lets the daemon tell a client cert apart from a server cert; extfile.cnf was removed above, so the >> starts a fresh file)
$> openssl genrsa -out key.pem 4096
$> openssl req -subj '/CN=client' -new -key key.pem -out client.csr
$> echo extendedKeyUsage = clientAuth >> extfile.cnf
$> openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out cert.pem -extfile extfile.cnf
$> rm -v client.csr server.csr extfile.cnf
- Copy the CA certificate and the server key and certificate to /etc/docker
cp {ca,server-key,server-cert}.pem /etc/docker
Only these three files belong on the host. ca-key.pem, key.pem and cert.pem stay with the administrator, and every key file should be readable by root only.
- Edit the Docker daemon configuration file
nano /etc/docker/daemon.json
and set its contents to:
{
"hosts": [
"unix:///var/run/docker.sock",
"tcp://0.0.0.0:2376"
],
"tlscacert": "/etc/docker/ca.pem",
"tlscert": "/etc/docker/server-cert.pem",
"tlskey": "/etc/docker/server-key.pem",
"tlsverify": true
}
Restart the Docker engine:
systemctl restart docker
Two things to check before restarting. On systemd-based distributions the packaged docker.service usually starts the daemon with -H fd:// on its command line, and dockerd refuses to start when hosts is set both on the command line and in daemon.json; either drop the hosts key from daemon.json and put the tcp:// address in a systemd drop-in that overrides ExecStart, or remove -H fd:// from ExecStart. Also, tcp://0.0.0.0:2376 listens on every interface (2376 is the conventional TLS port, 2375 the plaintext one), so restrict it with a firewall to the hosts that need the API, and never drop "tlsverify": true: with only tlscert/tlskey the daemon encrypts the connection but accepts any client.
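As an added example (not part of the original post and not Docker's own code), the following Go program models what the configuration above actually enforces. It builds the same three identities the openssl steps produce (CA; server cert with subjectAltName and extendedKeyUsage serverAuth; client cert with clientAuth) in memory, starts a TLS listener configured the way daemon.json configures dockerd with "tlsverify": true, and dials it the way docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H $host:2376 would. The host name manager.example, the CA name docker-ca and the use of Ed25519 keys instead of RSA 4096 (for speed only) are my assumptions; the trust decisions are the same ones the real daemon and client make.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue builds a 365-day certificate for cn, lets fill add extensions, and signs it with
// parent; a nil parent means self-signed (the CA step). The result is one key/cert pair.
func issue(cn string, parent *tls.Certificate, fill func(*x509.Certificate)) *tls.Certificate {
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: sn,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour), // openssl -days 365
	}
	fill(tmpl)
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // assumption: Ed25519 instead of RSA 4096, for speed
	signerCert, signerKey := tmpl, any(key)
	if parent != nil {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, pub, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// buildPKI mirrors the three openssl stages above: CA; server cert with
// subjectAltName = DNS:host,IP:ip and extendedKeyUsage = serverAuth; client cert with clientAuth.
func buildPKI(host, ip string) (ca, server, client *tls.Certificate) {
	ca = issue("docker-ca", nil, func(c *x509.Certificate) { // CN "docker-ca" is an assumption
		c.IsCA, c.BasicConstraintsValid, c.KeyUsage = true, true, x509.KeyUsageCertSign
	})
	server = issue(host, ca, func(c *x509.Certificate) {
		c.DNSNames, c.IPAddresses = []string{host}, []net.IP{net.ParseIP(ip)}
		c.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	})
	client = issue("client", ca, func(c *x509.Certificate) {
		c.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	})
	return ca, server, client
}

// tryConnect runs one mutual-TLS exchange over loopback: the listener is set up like dockerd with the
// daemon.json above, the dialer like "docker --tlsverify" (nil client = no cert). Returns the CN the server saw, or the client's error.
func tryConnect(server, client, ca *tls.Certificate, serverName string) (string, error) {
	roots := x509.NewCertPool() // in-memory tlscacert
	roots.AddCert(ca.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{*server}, ClientCAs: roots,
		ClientAuth: tls.RequireAndVerifyClientCert} // this is what "tlsverify": true turns on
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			if tc := c.(*tls.Conn); tc.Handshake() == nil { // fails if client cert missing, untrusted or not clientAuth
				tc.Write([]byte(tc.ConnectionState().PeerCertificates[0].Subject.CommonName))
			}
		}
	}()
	cliCfg := &tls.Config{RootCAs: roots, ServerName: serverName}
	if client != nil {
		cliCfg.Certificates = []tls.Certificate{*client}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return "", err // server cert rejected by the client: untrusted CA or name not in SAN
	}
	defer conn.Close()
	buf := make([]byte, 64)
	n, err := conn.Read(buf) // a server-side rejection surfaces here as a TLS alert
	return string(buf[:n]), err
}

func main() {
	ca, srv, cli := buildPKI("manager.example", "127.0.0.1") // assumed host name
	show := func(name string, client *tls.Certificate, host string) {
		cn, err := tryConnect(srv, client, ca, host)
		fmt.Printf("%-34s cn=%q err=%v\n", name, cn, err)
	}
	show("valid client, name in SAN", cli, "manager.example")
	show("no client cert", nil, "manager.example")
	show("server-cert.pem used as client", srv, "manager.example")
	show("name not in subjectAltName", cli, "other.example")
}
```

Running it shows the four outcomes the page's setup relies on: the proper client is authenticated as CN=client; a dialer with no certificate is refused by the listener (this is the tlsverify check, and note that with TLS 1.3 the client's own handshake completes, so the refusal only appears on its first read, which is why the example reads before declaring success); server-cert.pem presented as a client certificate is refused because its extendedKeyUsage is serverAuth, not clientAuth; and connecting under a name that is not in the subjectAltName fails on the client side, since Go (like current browsers and the Docker CLI) ignores the CN for host-name matching, which is why the subjectAltName line in the server step is required rather than cosmetic. Presenting a CA the daemon does not trust fails the same way as the missing-certificate case.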
Reference:
https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl