记快乐符号:
Check the server's OS release:
cat /etc/redhat-release
Quick Docker install
Install Docker from the stock yum repositories:
yum list installed | grep docker
yum -y install docker
docker ps
systemctl start docker
sudo curl -L https://github.com/docker/compose/releases/download/1.28.2/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
docker-compose version
Edit the Docker unit file to open the TCP port:
vi /usr/lib/systemd/system/docker.service
Find the ExecStart= line and change its parameters to:
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:1457 -H unix:///var/run/docker.sock
Note: this article uses port 1457.
Original file contents:
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target
Wants=docker-storage-setup.service
Requires=docker-cleanup.timer
[Service]
Type=notify
NotifyAccess=main
EnvironmentFile=-/run/containers/registries.conf
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
Environment=DOCKER_HTTP_HOST_COMPAT=1
Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
ExecStart=/usr/bin/dockerd-current \
--add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
--default-runtime=docker-runc \
--exec-opt native.cgroupdriver=systemd \
--userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
--init-path=/usr/libexec/docker/docker-init-current \
--seccomp-profile=/etc/docker/seccomp.json \
$OPTIONS \
$DOCKER_STORAGE_OPTIONS \
$DOCKER_NETWORK_OPTIONS \
$ADD_REGISTRY \
$BLOCK_REGISTRY \
$INSECURE_REGISTRY \
$REGISTRIES
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=0
Restart=on-abnormal
KillMode=process
[Install]
WantedBy=multi-user.target
Modified file for reference:
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target
Wants=docker-storage-setup.service
Requires=docker-cleanup.timer
[Service]
Type=notify
NotifyAccess=main
EnvironmentFile=-/run/containers/registries.conf
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
Environment=DOCKER_HTTP_HOST_COMPAT=1
Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
ExecStart=/usr/bin/dockerd-current -H tcp://0.0.0.0:1457 -H unix:///var/run/docker.sock \
--add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
--default-runtime=docker-runc \
--exec-opt native.cgroupdriver=systemd \
--userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
--init-path=/usr/libexec/docker/docker-init-current \
--seccomp-profile=/etc/docker/seccomp.json \
$OPTIONS \
$DOCKER_STORAGE_OPTIONS \
$DOCKER_NETWORK_OPTIONS \
$ADD_REGISTRY \
$BLOCK_REGISTRY \
$INSECURE_REGISTRY \
$REGISTRIES
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=0
Restart=on-abnormal
KillMode=process
[Install]
WantedBy=multi-user.target
Now reload the systemd configuration:
systemctl daemon-reload
Restart Docker:
systemctl restart docker
Check that the port is listening:
netstat -an | grep 1457
Test the connection from a remote client:
Note: Docker also has to be installed on the client.
docker -H tcp://IP:1457 ps
Below: connecting to the Docker daemon with client certificates (TLS).
1. Make sure OpenSSL is installed on the server:
which openssl
2. Choose a directory to hold the certificates; here the default Docker directory is used:
ls /etc/docker
3. Enter the directory:
cd /etc/docker
4. Generate the CA private key (you are asked for the passphrase twice):
openssl genrsa -des3 -out docker-key.pem
5. Create the CA certificate:
openssl req -new -x509 -days 365 -key docker-key.pem -out docker-ca.pem
6. Enter the passphrase and the certificate fields when prompted.
7. Now the CA can be used to create the server certificate and key for Docker:
(1) Generate the server key:
openssl genrsa -des3 -out server-key.pem
Note: remember the passphrase entered here.
(2) Create a CSR from the server key:
openssl req -new -key server-key.pem -out server.csr
Note: for Common Name (the name clients resolve via DNS) the author enters *, meaning every server may use this certificate. When connecting with --tlsverify the Docker client checks the hostname it connects to against this certificate, so the name (or a SAN) should match what clients actually use.
(3) Sign the CSR with the CA and produce the server certificate:
openssl x509 -req -days 365 -in server.csr -CA docker-ca.pem -CAkey docker-key.pem -out server-cert.pem
Note: this asks for the passphrase set when docker-key.pem was generated.
(4) To avoid entering the key passphrase every time the Docker daemon starts, strip it from the key:
openssl rsa -in server-key.pem -out server-key.pem
(5) Restrict the file permissions (following other users' recommendations):
chmod 0600 /etc/docker/server-key.pem /etc/docker/server-cert.pem /etc/docker/docker-key.pem /etc/docker/docker-ca.pem
8. Configure the certificates in docker.service. Apart from the TLS flags, the ExecStart line follows the non-TLS setup above (keep the remaining options, the line continuations and the unix socket listener):
ExecStart=/usr/bin/dockerd-current -H tcp://0.0.0.0:1457 --tlsverify --tlscacert=/etc/docker/docker-ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem
9. Create the client key and CSR:
openssl genrsa -des3 -out client-key.pem
openssl req -new -key client-key.pem -out client.csr
10. Add the extension that restricts the certificate to client authentication:
echo extendedKeyUsage = clientAuth > extfile.cnf
11. Sign the client certificate with the CA:
openssl x509 -req -days 365 -in client.csr -CA docker-ca.pem -CAkey docker-key.pem -out client-cert.pem -extfile extfile.cnf
12. Copy docker-ca.pem, client-cert.pem and client-key.pem to the client machine.
Note: the Docker client cannot use a passphrase-protected key, so strip the passphrase from client-key.pem with the same openssl rsa step used for the server key in 7(4).
Create the local directory:
mkdir ~/.docker
cp docker-ca.pem ~/.docker/ca.pem
cp client-key.pem ~/.docker/key.pem
cp client-cert.pem ~/.docker/cert.pem
chmod 0600 ~/.docker/key.pem ~/.docker/cert.pem
Connect:
docker -H=IP:1457 --tlsverify ps
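As an added check (example code, not from the original post), this Python script parses the ExecStart line of a docker.service unit like the ones above and classifies how the daemon API is exposed: plain TCP, TLS without client verification, or --tlsverify. The two embedded unit fragments are constructed from this article's before and after ExecStart lines.

```python
import re
import shlex

def exec_start_args(unit_text: str) -> list:
    """Return the unit's ExecStart command as an argv list, joining '\\' continuations."""
    joined = re.sub(r"\\\n\s*", " ", unit_text)
    for line in joined.splitlines():
        if line.lstrip().startswith("ExecStart="):
            return shlex.split(line.lstrip()[len("ExecStart="):])
    return []

def audit_docker_unit(unit_text: str) -> dict:
    """Classify how dockerd listens: 'critical' = plain TCP, 'medium' = TLS but
    no client-certificate check, 'ok' = unix socket only or --tlsverify."""
    args = exec_start_args(unit_text)
    hosts, tls_flags = [], set()
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("--tls"):
            tls_flags.add(arg.split("=", 1)[0])  # --tlsverify, --tlscacert, ...
        i += 1
    tcp = [h for h in hosts if h.startswith("tcp://")]
    if not tcp:
        level, reason = "ok", "API reachable only through the local unix socket"
    elif "--tlsverify" in tls_flags:
        level, reason = "ok", "TCP API requires a client certificate signed by the CA"
    elif "--tls" in tls_flags:
        level, reason = "medium", "TCP API is encrypted but accepts any client"
    else:
        level, reason = "critical", "TCP API is reachable without any authentication"
    all_ifaces = any(h.startswith(("tcp://0.0.0.0", "tcp://[::]")) for h in tcp)
    return {"tcp_hosts": tcp, "all_interfaces": all_ifaces, "level": level, "reason": reason}

# Constructed unit fragments modelled on the article's before/after ExecStart lines.
PLAIN_TCP_UNIT = """[Service]
ExecStart=/usr/bin/dockerd-current -H tcp://0.0.0.0:1457 -H unix:///var/run/docker.sock \\
    $OPTIONS
"""
TLS_VERIFY_UNIT = """[Service]
ExecStart=/usr/bin/dockerd-current -H tcp://0.0.0.0:1457 --tlsverify \\
    --tlscacert=/etc/docker/docker-ca.pem --tlscert=/etc/docker/server-cert.pem \\
    --tlskey=/etc/docker/server-key.pem -H unix:///var/run/docker.sock
"""
```

Run audit_docker_unit on the text of /usr/lib/systemd/system/docker.service after each edit; the plaintext configuration from the first half of the article is reported as critical, the --tlsverify configuration as ok.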