Notes by 快乐符号:
    Check the server version with cat /etc/redhat-release, then do a simple Docker install.
    Installing Docker with plain yum:

        yum list installed | grep docker
        yum -y install docker
        docker ps
        systemctl start docker
        sudo curl -L https://github.com/docker/compose/releases/download/1.28.2/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
        sudo chmod +x /usr/local/bin/docker-compose
        docker-compose version

    Edit the Docker configuration file to open the port

        vi /usr/lib/systemd/system/docker.service

    Find the ExecStart= line and change its parameters to:

        ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:1457 -H unix:///var/run/docker.sock

    Note: this article uses port 1457.

    Contents of the original file:

        [Unit]
        Description=Docker Application Container Engine
        Documentation=http://docs.docker.com
        After=network.target
        Wants=docker-storage-setup.service
        Requires=docker-cleanup.timer
        [Service]
        Type=notify
        NotifyAccess=main
        EnvironmentFile=-/run/containers/registries.conf
        EnvironmentFile=-/etc/sysconfig/docker
        EnvironmentFile=-/etc/sysconfig/docker-storage
        EnvironmentFile=-/etc/sysconfig/docker-network
        Environment=GOTRACEBACK=crash
        Environment=DOCKER_HTTP_HOST_COMPAT=1
        Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
        ExecStart=/usr/bin/dockerd-current \
            --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
            --default-runtime=docker-runc \
            --exec-opt native.cgroupdriver=systemd \
            --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
            --init-path=/usr/libexec/docker/docker-init-current \
            --seccomp-profile=/etc/docker/seccomp.json \
            $OPTIONS \
            $DOCKER_STORAGE_OPTIONS \
            $DOCKER_NETWORK_OPTIONS \
            $ADD_REGISTRY \
            $BLOCK_REGISTRY \
            $INSECURE_REGISTRY \
            $REGISTRIES
        ExecReload=/bin/kill -s HUP $MAINPID
        LimitNOFILE=1048576
        LimitNPROC=1048576
        LimitCORE=infinity
        TimeoutStartSec=0
        Restart=on-abnormal
        KillMode=process
        [Install]
        WantedBy=multi-user.target

    The modified file, for reference (note the unix socket URI needs three slashes, unix:///var/run/docker.sock):

        [Unit]
        Description=Docker Application Container Engine
        Documentation=http://docs.docker.com
        After=network.target
        Wants=docker-storage-setup.service
        Requires=docker-cleanup.timer
        [Service]
        Type=notify
        NotifyAccess=main
        EnvironmentFile=-/run/containers/registries.conf
        EnvironmentFile=-/etc/sysconfig/docker
        EnvironmentFile=-/etc/sysconfig/docker-storage
        EnvironmentFile=-/etc/sysconfig/docker-network
        Environment=GOTRACEBACK=crash
        Environment=DOCKER_HTTP_HOST_COMPAT=1
        Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
        ExecStart=/usr/bin/dockerd-current -H tcp://0.0.0.0:1457 -H unix:///var/run/docker.sock \
            --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
            --default-runtime=docker-runc \
            --exec-opt native.cgroupdriver=systemd \
            --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
            --init-path=/usr/libexec/docker/docker-init-current \
            --seccomp-profile=/etc/docker/seccomp.json \
            $OPTIONS \
            $DOCKER_STORAGE_OPTIONS \
            $DOCKER_NETWORK_OPTIONS \
            $ADD_REGISTRY \
            $BLOCK_REGISTRY \
            $INSECURE_REGISTRY \
            $REGISTRIES
        ExecReload=/bin/kill -s HUP $MAINPID
        LimitNOFILE=1048576
        LimitNPROC=1048576
        LimitCORE=infinity
        TimeoutStartSec=0
        Restart=on-abnormal
        KillMode=process
        [Install]
        WantedBy=multi-user.target

    Now reload the systemd configuration:

        systemctl daemon-reload

    Restart Docker:

        systemctl restart docker

    Check that the port is listening:

        netstat -an | grep 1457

    Remote client connection test:
    Note: the client machine also needs Docker installed.

        docker -H tcp://IP:1457 ps
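The ExecStart line above opens the Docker API on every interface without any authentication, and anyone who can reach the port controls the daemon (and, through it, the host as root). Before restarting the service it is worth checking what the unit actually exposes. The following audit script is an added example, not part of the original post: it joins the multi-line ExecStart= value of a unit file, extracts every -H/--host listener, and reports a TCP listener that is not protected by --tlsverify. The sample ExecStart line at the bottom is constructed from the post's own configuration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a dockerd command line
# for a TCP listener that lacks --tlsverify.
# check_dockerd_exposure LINE  -> returns 0 if acceptable, 1 if a plaintext
#                                 TCP listener is present.

check_dockerd_exposure() {
    line=$1
    rc=0
    tls=0
    # --tlsverify may appear anywhere on the line, possibly as --tlsverify=true
    case " $line " in
        *" --tlsverify "*|*" --tlsverify=true "*) tls=1 ;;
    esac

    expect_value=0
    for word in $line; do
        if [ "$expect_value" = 1 ]; then
            value=$word
            expect_value=0
        else
            case $word in
                -H|--host) expect_value=1; continue ;;   # value is the next word
                -H=*)      value=${word#-H=} ;;
                --host=*)  value=${word#--host=} ;;
                *)         continue ;;                   # not a listener flag
            esac
        fi
        case $value in
            tcp://*)
                if [ "$tls" = 1 ]; then
                    echo "OK   tcp listener $value is protected by --tlsverify"
                else
                    echo "WARN tcp listener $value has no --tlsverify: unauthenticated API"
                    rc=1
                fi ;;
            unix://*) echo "OK   unix socket $value (local access only)" ;;
            *)        echo "INFO other listener $value" ;;
        esac
    done
    return $rc
}

# audit_docker_unit FILE -> joins the backslash-continued ExecStart= lines of
# a systemd unit file and audits the resulting command line.
audit_docker_unit() {
    unit=$1
    exec_start=$(awk '
        /^ExecStart=/ { cont = 1 }
        cont {
            l = $0; sub(/\\$/, "", l); out = out l " "
            if ($0 !~ /\\$/) cont = 0
        }
        END { sub(/^ExecStart=/, "", out); print out }' "$unit")
    check_dockerd_exposure "$exec_start"
}

# Constructed sample: the ExecStart line from the post, TCP on 1457 with no TLS.
SAMPLE_EXECSTART='/usr/bin/dockerd-current -H tcp://0.0.0.0:1457 -H unix:///var/run/docker.sock'

if [ $# -gt 0 ]; then
    audit_docker_unit "$1"        # e.g. /usr/lib/systemd/system/docker.service
else
    check_dockerd_exposure "$SAMPLE_EXECSTART" || echo "sample line would be rejected"
fi
```

Run it as `sh audit.sh /usr/lib/systemd/system/docker.service` after editing the unit; a non-zero exit means the daemon would accept unauthenticated remote commands. Binding to 0.0.0.0 without --tlsverify is the case the rest of this post goes on to fix.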

    Below is how to connect to the Docker daemon using certificates.
    1. Make sure openssl is installed on the server

        which openssl

    2. Pick a directory to store the certificates; here the default docker directory is used

        ls /etc/docker

    3. Enter the directory

        cd /etc/docker

    4. Generate the CA key file; the passphrase is entered twice

        openssl genrsa -des3 -out docker-key.pem

    5. Create the CA certificate

        openssl req -new -x509 -days 365 -key docker-key.pem -out docker-ca.pem

    6. Enter the passphrase and the other information requested by the prompts
    7. Now the CA can be used to create the certificate and key for Docker
    (1) Generate the server key

        openssl genrsa -des3 -out server-key.pem

    Note: remember the passphrase entered here
    (2) Create a CSR with the server key

        openssl req -new -key server-key.pem -out server.csr

    Note: for the Common Name field (the name the client resolves via DNS), entering * means every server can use the certificate
    (3) Sign the CSR and generate the server certificate

        openssl x509 -req -days 365 -in server.csr -CA docker-ca.pem -CAkey docker-key.pem -out server-cert.pem

    Note: the passphrase chosen when docker-key.pem was generated is required here
    (4) If you do not want to enter the passphrase every time the Docker daemon starts, strip it from the server key

        openssl rsa -in server-key.pem -out server-key.pem

    (5) Restrict the file permissions (following a permission scheme suggested by other users)

        chmod 0600 /etc/docker/server-key.pem /etc/docker/server-cert.pem /etc/docker/docker-key.pem /etc/docker/docker-ca.pem

    8. Configure Docker to use the certificates; the rest of the ExecStart line follows the non-certificate setup above

        ExecStart=/usr/bin/dockerd-current -H tcp://0.0.0.0:1457 --tlsverify --tlscacert=/etc/docker/docker-ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem

    9. Create the client key and CSR

        openssl genrsa -des3 -out client-key.pem
        openssl req -new -key client-key.pem -out client.csr

    10. Add the extended key usage attribute for client SSL authentication

        echo extendedKeyUsage = clientAuth > extfile.cnf

    11. Sign the client certificate

        openssl x509 -req -days 365 -in client.csr -CA docker-ca.pem -CAkey docker-key.pem -out client-cert.pem -extfile extfile.cnf

    12. Download docker-ca.pem, client-cert.pem and client-key.pem to the client machine
    Create the local directory

        mkdir ~/.docker
        cp docker-ca.pem ~/.docker/ca.pem
        cp client-key.pem ~/.docker/key.pem
        cp client-cert.pem ~/.docker/cert.pem
        chmod 0600 ~/.docker/key.pem ~/.docker/cert.pem

    Connect (info and ps are two separate commands)

        docker -H=IP:1457 --tlsverify info
        docker -H=IP:1457 --tlsverify ps
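Steps 4 to 12 above are interactive and leave two things to chance: the server certificate is issued with a Common Name only (modern Docker CLIs, being Go programs, match the host against the Subject Alternative Name, so a CN of * or a bare hostname will be rejected), and the client key keeps its passphrase (the Docker CLI cannot prompt for one). The script below is an added example, not the post's own procedure: it carries out the same CA, server and client issuance non-interactively, adds a SAN and the serverAuth/clientAuth extended key usages, creates every file with mode 0600 from the start, and then verifies the result the way the daemon and client will. The directory, hostname docker.example.internal, IP and the CA_PASS environment variable are assumptions; only openssl 1.1.1 or later is required.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive issuance of the
# CA, server and client material described in steps 4-12, plus verification.
# make_docker_certs DIR HOST [IP]  -> writes docker-ca.pem, docker-key.pem,
#                                     server-cert.pem, server-key.pem,
#                                     client-cert.pem, client-key.pem into DIR
# verify_docker_certs DIR HOST     -> returns 0 only if the chain, names, EKUs
#                                     and file modes are all as required

make_docker_certs() (
    set -e
    out=$1; host=$2; ip=${3:-127.0.0.1}
    : "${CA_PASS:?set CA_PASS to the CA key passphrase}"   # assumed env var
    mkdir -p "$out"
    umask 077                     # every file below is created 0600

    # CA: passphrase-protected key (like docker-key.pem in the post) and a
    # self-signed certificate.
    openssl genrsa -aes256 -passout env:CA_PASS -out "$out/docker-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$out/docker-key.pem" -passin env:CA_PASS \
        -subj "/CN=docker-ca-example" -out "$out/docker-ca.pem"

    # Server: unencrypted key (dockerd cannot prompt), CSR, and a certificate
    # that carries the dialled name in a SAN, not only in the CN.
    openssl genrsa -out "$out/server-key.pem" 2048 2>/dev/null
    openssl req -new -key "$out/server-key.pem" -subj "/CN=$host" -out "$out/server.csr"
    printf 'subjectAltName = DNS:%s,IP:%s\nextendedKeyUsage = serverAuth\n' "$host" "$ip" \
        > "$out/server-ext.cnf"
    openssl x509 -req -days 365 -in "$out/server.csr" -CA "$out/docker-ca.pem" \
        -CAkey "$out/docker-key.pem" -passin env:CA_PASS -CAcreateserial \
        -extfile "$out/server-ext.cnf" -out "$out/server-cert.pem" 2>/dev/null

    # Client: unencrypted key (the docker CLI cannot prompt either) and a
    # certificate restricted to clientAuth, as in step 10 of the post.
    openssl genrsa -out "$out/client-key.pem" 2048 2>/dev/null
    openssl req -new -key "$out/client-key.pem" -subj "/CN=docker-client" -out "$out/client.csr"
    printf 'extendedKeyUsage = clientAuth\n' > "$out/client-ext.cnf"
    openssl x509 -req -days 365 -in "$out/client.csr" -CA "$out/docker-ca.pem" \
        -CAkey "$out/docker-key.pem" -passin env:CA_PASS -CAcreateserial \
        -extfile "$out/client-ext.cnf" -out "$out/client-cert.pem" 2>/dev/null

    rm -f "$out/server.csr" "$out/client.csr" "$out/server-ext.cnf" "$out/client-ext.cnf"
)

verify_docker_certs() {
    out=$1; host=$2
    # Both leaf certificates must chain to the CA the daemon/client will trust.
    openssl verify -CAfile "$out/docker-ca.pem" "$out/server-cert.pem" >/dev/null || return 1
    openssl verify -CAfile "$out/docker-ca.pem" "$out/client-cert.pem" >/dev/null || return 1
    # The server certificate must name the host in its SAN.
    openssl x509 -in "$out/server-cert.pem" -noout -text | grep -q "DNS:$host" || return 1
    # The client certificate must be usable for client authentication.
    openssl x509 -in "$out/client-cert.pem" -noout -text \
        | grep -q "TLS Web Client Authentication" || return 1
    # No private key may be readable by group or others.
    for f in docker-key.pem server-key.pem client-key.pem; do
        case $(ls -l "$out/$f" | cut -c5-10) in
            ------) ;;
            *) echo "bad permissions on $f"; return 1 ;;
        esac
    done
    return 0
}

# Usage: CA_PASS=... sh make-docker-certs.sh /etc/docker docker.example.internal 10.0.0.5
if [ $# -ge 2 ]; then
    make_docker_certs "$1" "$2" "$3" && verify_docker_certs "$1" "$2" && echo "certificates OK in $1"
fi
```

After copying docker-ca.pem, client-cert.pem and client-key.pem to ~/.docker as ca.pem, cert.pem and key.pem (step 12), the TLS layer can be checked independently of Docker with `openssl s_client -connect HOST:1457 -CAfile ~/.docker/ca.pem -cert ~/.docker/cert.pem -key ~/.docker/key.pem`; a daemon started with --tlsverify will close the connection if the client certificate is missing or not signed by the CA.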