Implementation of one-click TLS encryption for docker remote api

1. Change the 2375 port of Docker to another port. This is only a stopgap measure.
2. Encrypt TLS for Docker

Recently, the company's server was mined, and the cause was finally located at port 2375 of Docker.

Let's sort it out. At first, we found that there were several more images and running containers in docker for unknown reasons, and they were very CPU-intensive. In addition, no IP access rules were set for port 2375, which means that everyone can operate your docekr through your port 2375 and mount the host folder with the startup container. Because docker is started with root permissions, everyone can control your host as a root user through your port 2375.

Here are our response steps:

1. Change the 2375 port of Docker to another port. This is only a stopgap measure.

$ vi /usr/lib/systemd/system/docker.service

insert image description here

Restart Docker:

$ systemctl daemon-reload
$ systemctl restart docker

2. Encrypt TLS for Docker

#!/bin/bash
mkdir -p /root/tls/pem
DOMAIN_HOST=`ifconfig eth0 | grep "inet" | awk '{ print $2}' | sed -n '1p;1q'`
#DOMAIN_HOST=`hostname` #Choose the best domain name plan HOST=$DOMAIN_HOST
# Custom information PASSWORD="yourPassword"
COUNTRY=CN
PROVINCE=gd
CITY=gz
ORGANIZATION=dounine
GROUP=dg
NAME=lake
SUBJ="/C=$COUNTRY/ST=$PROVINCE/L=$CITY/O=$ORGANIZATION/OU=$GROUP/CN=$HOST"
# Custom information#====================================================================================================================
#This form is to issue a certificate to yourself. You can be a CA organization or you can hand it over to a third party organization to issue it. #Generate the root certificate RSA private key, and use password as the private key password (ID card)
openssl genrsa -passout pass:$PASSWORD -aes256 -out /root/tls/pem/ca-key.pem 4096
# 2. Generate a self-signed root certificate (business license) using the root certificate RSA private key
openssl req -new -x509 -days 365 -passin pass:$PASSWORD -key /root/tls/pem/ca-key.pem -sha256 -subj $SUBJ -out /root/tls/pem/ca.pem
#============================================================================================
#Issue a certificate to the server# 1. The server generates its own private key openssl genrsa -out /root/tls/pem/server-key.pem 4096
# 2. The server generates a certificate (which contains the public key and server information)
openssl req -new -sha256 -key /root/tls/pem/server-key.pem -out /root/tls/pem/server.csr -subj "/CN=$DOMAIN_HOST"
# 3. How to connect to me? You can set multiple IP addresses and separate them with commas echo subjectAltName=IP:$DOMAIN_HOST,IP:0.0.0.0 > /tmp/extfile.cnf
# 4. The authority stamps the certificate to make it effective openssl x509 -passin pass:$PASSWORD -req -days 365 -sha256 -in /root/tls/pem/server.csr -CA /root/tls/pem/ca.pem -CAkey /root/tls/pem/ca-key.pem -CAcreateserial -out /root/tls/pem/server-cert.pem -extfile /tmp/extfile.cnf
#============================================================================================
#Issue a certificate to the client openssl genrsa -out /root/tls/pem/client-key.pem 4096
openssl req -subj '/CN=client' -new -key /root/tls/pem/client-key.pem -out /root/tls/pem/client.csr
echo extendedKeyUsage = clientAuth > /tmp/extfile.cnf
openssl x509 -passin pass:$PASSWORD -req -days 365 -sha256 -in /root/tls/pem/client.csr -CA /root/tls/pem/ca.pem -CAkey /root/tls/pem/ca-key.pem -CAcreateserial -out /root/tls/pem/client-cert.pem -extfile /tmp/extfile.cnf
#============================================================================================
# Clean up the file rm -rf /root/tls/pem/ca-key.pem
rm -rf /root/tls/pem/{server,client}.csr
rm -rf /root/tls/pem/ca.srl
# Final file# ca.pem == CA certificate# client-cert.pem == Client certificate# client-key.pem == Client private key# server-cert.pem == Server certificate# server-key.pem == Server private key

Notice:

When DOMAIN_HOST is set to the domain name, echo subjectAltName=IP:$DOMAIN_HOST,IP:0.0.0.0 > /tmp/extfile.cnf The $DOMAIN_HOST in this code should be replaced with the public IP address of your server.
echo subjectAltName=IP:$DOMAIN_HOST,IP:0.0.0.0 > IP:0.0.0.0 in /tmp/extfile.cnf means that all IPs can be accessed by carrying certificates. Although all are set here, the public IP of your server should not be omitted. That is, IP:$yourip,IP:0.0.0.0, not IP:0.0.0.0

Give the file execute permissions:

$ chmod +x tls.sh

After executing the shell script, ca.pem, client-cert.pem, client-key.pem, server-cert.pem, and server-key.pem are generated in the /root/tls/pem directory.

Then modify the docker configuration:

$ vim /usr/lib/systemd/system/docker.service

Add to:

		--tlsverify \
        --tlscacert=/root/tls/pem/ca.pem \
        --tlscert=/root/tls/pem/server-cert.pem \
        --tlskey=/root/tls/pem/server-key.pem \

Restart Docker:

$ systemctl daemon-reload
$ systemctl restart docker

Now connect using the docker remote api:

No certification:

$ docker -H tcp://192.168.0.150:2376 version

An error message will be displayed indicating that the authentication is not successful.

Carry authentication method:

docker --tlsverify --tlscacert=/root/tls/pem/ca.pem --tlscert=/root/tls/pem/client-cert.pem --tlskey=/root/tls/pem/client-key.pem -H tcp://192.168.0.150:2376 version

This is the end of this article about the implementation of one-click TLS encryption of docker remote api. For more related content about one-click TLS encryption of docker remote api, please search previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!

You may also be interested in:

Detailed example of remotely connecting to Docker using TLS encrypted communication
How to enable TLS and CA authentication in Docker
Docker deploys mysql remote connection to solve 2003 problems
Docker enables secure TLS remote connection access

<<: The most comprehensive explanation of the locking mechanism in MySQL

>>: CSS sprites technology integrates multiple backgrounds into one PNG image CSS positioning

About VUE's compilation scope and slot scope slot issues

Implementation of one-click TLS encryption for docker remote api

Table of contents

1. Change the 2375 port of Docker to another port. This is only a stopgap measure.

2. Encrypt TLS for Docker

About VUE's compilation scope and slot scope slot issues

A brief understanding of the difference between MySQL union all and union

React+Antd implements an example of adding, deleting and modifying tables

Detailed explanation of MySQL Truncate usage

Detailed explanation of CSS background and border tag examples

HTML table markup tutorial (15): table title

A brief analysis of the difference between ref and toRef in Vue3

JavaScript implements asynchronous submission of form data

How to use Vue3 mixin

After docker run, the status is always Exited

Recommend

MySQL query method with multiple conditions

Usage and description of HTML tag tbody

Docker nginx implements one host to deploy multiple sites

js implements a simple method of encapsulating jQuery and a detailed explanation of chain operations

HTML basic syntax is convenient for those who are just starting to learn HTML

Tomcat multi-instance deployment and configuration principles

Solutions for high traffic websites

Vue uses el-table to dynamically merge columns and rows

Sharing of web color contrast and harmony techniques

How does MySQL ensure data integrity?

Detailed explanation of the whole process and steps of installing clion on Ubuntu16.04

Example explanation of MySQL foreign key constraints

CSS border adds four corners implementation code

Let's talk about my understanding and application of React Context

Vue project implements left swipe delete function (complete code)