-
-
Save y0an/a6ee29ba400d70b9986808ff1cb160c5 to your computer and use it in GitHub Desktop.
Generate Docker certificates for training on TLS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| mkdir docker-ca | |
| chmod 0700 docker-ca/ | |
| cd docker-ca/ | |
| # CA key | |
| openssl genrsa -aes256 -out ca-key.pem 2048 | |
| # CA certificate | |
| openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem | |
| # Server key | |
| openssl genrsa -out server-key.pem 2048 | |
| # Server CSR on DNS name | |
| openssl req -subj "/CN=<public hostname>" -new -key server-key.pem -out server.csr | |
| # Alts on IPs | |
| echo 'subjectAltName = IP:<public host IP>,IP:<private host IP>,IP:127.0.0.1' > extfile.cnf | |
| # Server certificate | |
| openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf | |
| # Client key | |
| openssl genrsa -out client-key.pem 2048 | |
| # Client CSR | |
| openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr | |
| # clientAuth | |
| echo extendedKeyUsage = clientAuth > extfile.cnf | |
| # Client certificate | |
| openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile.cnf | |
| # Securing | |
| chmod -v 0400 *-key.pem | |
| chmod -v 0444 ca.pem *-cert.pem | |
| # Moving | |
| sudo mkdir -p /etc/docker | |
| sudo chown root:docker /etc/docker | |
| sudo chmod 700 /etc/docker | |
| sudo cp ~/docker-ca/{ca,server-*}.pem /etc/docker |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Configuring Docker to use TLS **WITH** systemd socket | |
| # https://docs.docker.com/engine/reference/commandline/dockerd//#daemon-configuration-file | |
| echo '{ | |
| "tls": true, | |
| "tlscacert": "/etc/docker/ca.pem", | |
| "tlscert": "/etc/docker/server-cert.pem", | |
| "tlskey": "/etc/docker/server-key.pem", | |
| "tlsverify": true | |
| }' | sudo tee /etc/docker/daemon.json | |
| # Configuring systemd socket to listen on TCP | |
| # https://github.com/docker/docker/issues/25471#issuecomment-238076313 | |
| sudo mkdir -p /etc/systemd/system/docker.socket.d | |
| echo '[Socket] | |
| ListenStream= # If you want to disable default unix socket | |
| ListenStream=0.0.0.0:2376' | sudo tee /etc/systemd/system/docker.socket.d/tcp_secure.conf | |
| sudo systemctl daemon-reload | |
| sudo service docker restart |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Configuring Docker to use TLS **WITHOUT** systemd socket | |
| # https://docs.docker.com/engine/reference/commandline/dockerd//#daemon-configuration-file | |
| echo '{ | |
| "hosts": [ | |
| "unix:///var/run/docker.sock", | |
| "tcp://0.0.0.0:2376" | |
| ], | |
| "tls": true, | |
| "tlscacert": "/etc/docker/ca.pem", | |
| "tlscert": "/etc/docker/server-cert.pem", | |
| "tlskey": "/etc/docker/server-key.pem", | |
| "tlsverify": true | |
| }' | sudo tee /etc/docker/daemon.json | |
| # Disable systemd docker host configuration | |
| sudo mkdir -p /etc/systemd/system/docker.service.d | |
| echo '[Service] | |
| ExecStart= | |
| ExecStart=/usr/bin/dockerd' | sudo tee /etc/systemd/system/docker.service.d/simple_dockerd.conf | |
| sudo systemctl daemon-reload | |
| sudo service docker restart |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| export DOCKERHUB_USERNAME=... | |
| # Build & publish | |
| cd ~/orchestration-workshop/dockercoins/ | |
| for service in hasher rng worker webui; do | |
| docker-compose build ${service} | |
| docker image tag dockercoins_${service} ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0 | |
| docker push ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0 | |
| done | |
| # Run | |
| docker service create --network dockercoins --name redis redis | |
| for service in hasher rng worker webui; do | |
| docker service create --network dockercoins --name ${service} ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0 | |
| done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment