Skip to content

Instantly share code, notes, and snippets.

@zigarn

zigarn/01-docker-tls.sh

Last active Jan 30, 2021
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Generate Docker certificates for training on TLS
Raw
01-docker-tls.sh
# Configuration
export PUBLIC_DNS=<public hostname>
export PUBLIC_IP=<public host IP>
export PRIVATE_IP=<private host IP>
mkdir docker-ca
chmod 0700 docker-ca/
cd docker-ca/
# CA key
openssl genrsa -aes256 -out ca-key.pem 2048
# CA certificate
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
# Server key
openssl genrsa -out server-key.pem 2048
# Server CSR on DNS name
openssl req -subj "/CN==${PUBLIC_DNS}" -new -key server-key.pem -out server.csr
# Alts on IPs
echo "subjectAltName = IP:${PUBLIC_IP},IP:${PRIVATE_IP},IP:127.0.0.1" > extfile.cnf
# Server certificate
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
# Client key
openssl genrsa -out client-key.pem 2048
# Client CSR
openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
# clientAuth
echo extendedKeyUsage = clientAuth > extfile.cnf
# Client certificate
openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile.cnf
# Securing
chmod -v 0400 *-key.pem
chmod -v 0444 ca.pem *-cert.pem
# Moving
sudo mkdir -p /etc/docker
sudo chown root:docker /etc/docker
sudo chmod 700 /etc/docker
sudo cp ~/docker-ca/{ca,server-*}.pem /etc/docker
Raw
02-configure-docker-systemd-socket.sh
# Configuring Docker to use TLS **WITH** systemd socket
# https://docs.docker.com/engine/reference/commandline/dockerd//#daemon-configuration-file
echo '{
"tls": true,
"tlscacert": "/etc/docker/ca.pem",
"tlscert": "/etc/docker/server-cert.pem",
"tlskey": "/etc/docker/server-key.pem",
"tlsverify": true
}' | sudo tee /etc/docker/daemon.json
# Configuring systemd socket to listen on TCP
# https://github.com/docker/docker/issues/25471#issuecomment-238076313
sudo mkdir -p /etc/systemd/system/docker.socket.d
echo '[Socket]
ListenStream= # If you want to disable default unix socket
ListenStream=0.0.0.0:2376' | sudo tee /etc/systemd/system/docker.socket.d/tcp_secure.conf
sudo systemctl daemon-reload
sudo service docker restart
Raw
03-configure-docker-NO-systemd-socket.sh
# Configuring Docker to use TLS **WITHOUT** systemd socket
# https://docs.docker.com/engine/reference/commandline/dockerd//#daemon-configuration-file
echo '{
"hosts": [
"unix:///var/run/docker.sock",
"tcp://0.0.0.0:2376"
],
"tls": true,
"tlscacert": "/etc/docker/ca.pem",
"tlscert": "/etc/docker/server-cert.pem",
"tlskey": "/etc/docker/server-key.pem",
"tlsverify": true
}' | sudo tee /etc/docker/daemon.json
# Disable systemd docker host configuration
sudo mkdir -p /etc/systemd/system/docker.service.d
echo '[Service]
ExecStart=
ExecStart=/usr/bin/dockerd' | sudo tee /etc/systemd/system/docker.service.d/simple_dockerd.conf
sudo systemctl daemon-reload
sudo service docker restart
Raw
04-tls-local-test.sh
docker \
--host tcp://localhost:3276 \
--tlsverify \
--tlscacert=~/docker-ca/ca.pem \
--tlscert=~/docker-ca/client-cert.pem \
--tlskey=~/docker-ca/client-key.pem \
container ls
# Simplification
export DOCKER_HOST=tcp://localhost:2376
export DOCKER_TLS_VERIFY=1
mkdir -p ~/.docker
cp ~/docker-ca/ca.pem ~/.docker/
cp ~/docker-ca/client-cert.pem ~/.docker/cert.pem
cp ~/docker-ca/client-key.pem ~/.docker/key.pem
docker container ls
Raw
05-tl-remote-test.sh
# On another node than master
export MASTER_PRIVATE_IP=10.X.Y.Z
export DOCKER_HOST=tcp://${MASTER_PRIVATE_IP}:2376
export DOCKER_TLS_VERIFY=1
scp -r ${MASTER_PRIVATE_IP}:~/.docker ~/
docker container ls
Raw
10-insecure-registry.sh
# On another node than the registry
export REGISTRY_PRIVATE_IP=10.X.Y.Z
# Configure unsecure registries
echo "{
\"insecure-registries\": [
\"${REGISTRY_PRIVATE_IP}:5000\"
]
}" | sudo tee /etc/docker/daemon.json
# Reload docker config
sudo service docker reload
# Pull from insecure registry
docker pull ${REGISTRY_PRIVATE_IP}:5000/johnnytu/busybox:1.0
Raw
20-dockercoins-build-ship.sh
export DOCKERHUB_USERNAME=...
docker login --username ${DOCKERHUB_USERNAME}
# Build & publish
cd ~/orchestration-workshop/dockercoins/
for service in hasher rng worker webui; do
docker-compose build ${service}
docker image tag dockercoins_${service} ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0
docker push ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0
done
Raw
21-dockercoins-run.sh
# Create network
docker network create --driver overlay dockercoins
# Run
docker service create --network dockercoins --name redis redis
for service in hasher rng worker webui; do
docker service create --network dockercoins --name ${service} ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0
done
docker service update webui --publish-add 8080:80
@looztra

This comment has been minimized.

Sign in to view
Copy link

@looztra looztra commented Nov 7, 2017

  • Proposition: expliciter le shell avec un un shebang du genre #!/bin/env bash
  • Corriger le public_IP en minuscule dans le premier script
@looztra

This comment has been minimized.

Sign in to view
Copy link

@looztra looztra commented Nov 7, 2017
edited

Manque aussi un $ devant le {PUBLIC_DNS} à la ligne 18 du premier script
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment