Generate Docker certificates for training on TLS
# Configuration | |
export PUBLIC_DNS=<public hostname> | |
export PUBLIC_IP=<public host IP> | |
export PRIVATE_IP=<private host IP> | |
mkdir docker-ca | |
chmod 0700 docker-ca/ | |
cd docker-ca/ | |
# CA key | |
openssl genrsa -aes256 -out ca-key.pem 2048 | |
# CA certificate | |
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem | |
# Server key | |
openssl genrsa -out server-key.pem 2048 | |
# Server CSR on DNS name | |
openssl req -subj "/CN==${PUBLIC_DNS}" -new -key server-key.pem -out server.csr | |
# Alts on IPs | |
echo "subjectAltName = IP:${PUBLIC_IP},IP:${PRIVATE_IP},IP:127.0.0.1" > extfile.cnf | |
# Server certificate | |
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf | |
# Client key | |
openssl genrsa -out client-key.pem 2048 | |
# Client CSR | |
openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr | |
# clientAuth | |
echo extendedKeyUsage = clientAuth > extfile.cnf | |
# Client certificate | |
openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile.cnf | |
# Securing | |
chmod -v 0400 *-key.pem | |
chmod -v 0444 ca.pem *-cert.pem | |
# Moving | |
sudo mkdir -p /etc/docker | |
sudo chown root:docker /etc/docker | |
sudo chmod 700 /etc/docker | |
sudo cp ~/docker-ca/{ca,server-*}.pem /etc/docker |
# Configuring Docker to use TLS **WITH** systemd socket | |
# https://docs.docker.com/engine/reference/commandline/dockerd//#daemon-configuration-file | |
echo '{ | |
"tls": true, | |
"tlscacert": "/etc/docker/ca.pem", | |
"tlscert": "/etc/docker/server-cert.pem", | |
"tlskey": "/etc/docker/server-key.pem", | |
"tlsverify": true | |
}' | sudo tee /etc/docker/daemon.json | |
# Configuring systemd socket to listen on TCP | |
# https://github.com/docker/docker/issues/25471#issuecomment-238076313 | |
sudo mkdir -p /etc/systemd/system/docker.socket.d | |
echo '[Socket] | |
ListenStream= # If you want to disable default unix socket | |
ListenStream=0.0.0.0:2376' | sudo tee /etc/systemd/system/docker.socket.d/tcp_secure.conf | |
sudo systemctl daemon-reload | |
sudo service docker restart |
# Configuring Docker to use TLS **WITHOUT** systemd socket | |
# https://docs.docker.com/engine/reference/commandline/dockerd//#daemon-configuration-file | |
echo '{ | |
"hosts": [ | |
"unix:///var/run/docker.sock", | |
"tcp://0.0.0.0:2376" | |
], | |
"tls": true, | |
"tlscacert": "/etc/docker/ca.pem", | |
"tlscert": "/etc/docker/server-cert.pem", | |
"tlskey": "/etc/docker/server-key.pem", | |
"tlsverify": true | |
}' | sudo tee /etc/docker/daemon.json | |
# Disable systemd docker host configuration | |
sudo mkdir -p /etc/systemd/system/docker.service.d | |
echo '[Service] | |
ExecStart= | |
ExecStart=/usr/bin/dockerd' | sudo tee /etc/systemd/system/docker.service.d/simple_dockerd.conf | |
sudo systemctl daemon-reload | |
sudo service docker restart |
docker \ | |
--host tcp://localhost:3276 \ | |
--tlsverify \ | |
--tlscacert=~/docker-ca/ca.pem \ | |
--tlscert=~/docker-ca/client-cert.pem \ | |
--tlskey=~/docker-ca/client-key.pem \ | |
container ls | |
# Simplification | |
export DOCKER_HOST=tcp://localhost:2376 | |
export DOCKER_TLS_VERIFY=1 | |
mkdir -p ~/.docker | |
cp ~/docker-ca/ca.pem ~/.docker/ | |
cp ~/docker-ca/client-cert.pem ~/.docker/cert.pem | |
cp ~/docker-ca/client-key.pem ~/.docker/key.pem | |
docker container ls |
# On another node than master | |
export MASTER_PRIVATE_IP=10.X.Y.Z | |
export DOCKER_HOST=tcp://${MASTER_PRIVATE_IP}:2376 | |
export DOCKER_TLS_VERIFY=1 | |
scp -r ${MASTER_PRIVATE_IP}:~/.docker ~/ | |
docker container ls |
# On another node than the registry | |
export REGISTRY_PRIVATE_IP=10.X.Y.Z | |
# Configure unsecure registries | |
echo "{ | |
\"insecure-registries\": [ | |
\"${REGISTRY_PRIVATE_IP}:5000\" | |
] | |
}" | sudo tee /etc/docker/daemon.json | |
# Reload docker config | |
sudo service docker reload | |
# Pull from insecure registry | |
docker pull ${REGISTRY_PRIVATE_IP}:5000/johnnytu/busybox:1.0 |
export DOCKERHUB_USERNAME=... | |
docker login --username ${DOCKERHUB_USERNAME} | |
# Build & publish | |
cd ~/orchestration-workshop/dockercoins/ | |
for service in hasher rng worker webui; do | |
docker-compose build ${service} | |
docker image tag dockercoins_${service} ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0 | |
docker push ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0 | |
done |
# Create network | |
docker network create --driver overlay dockercoins | |
# Run | |
docker service create --network dockercoins --name redis redis | |
for service in hasher rng worker webui; do | |
docker service create --network dockercoins --name ${service} ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0 | |
done | |
docker service update webui --publish-add 8080:80 |
This comment has been minimized.
This comment has been minimized.
Manque aussi un |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This comment has been minimized.