Generate Docker certificates for training on TLS
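#!/usr/bin/env bash
# Generate a CA, a server certificate and a client certificate for a Docker
# daemon protected by mutual TLS, install them, and expose the daemon on TCP.
#
# This is a sequence of steps rather than one script to run end to end: the
# two "Configuring Docker" sections are alternatives (pick one), and the last
# sections run on other nodes. Replace every <placeholder> before a step.
set -euo pipefail

# Configuration -- placeholders are quoted so the lines parse; replace them.
export PUBLIC_DNS='<public hostname>'
export PUBLIC_IP='<public host IP>'
export PRIVATE_IP='<private host IP>'
: "${PUBLIC_DNS:?}" "${PUBLIC_IP:?}" "${PRIVATE_IP:?}"

# Working directory, private to the user: it will hold the CA key.
mkdir -p -- "$HOME/docker-ca"
chmod 0700 -- "$HOME/docker-ca"
cd -- "$HOME/docker-ca"

# CA key, passphrase protected (-aes256): openssl prompts for the passphrase
# here and again each time the CA signs a certificate below.
openssl genrsa -aes256 -out ca-key.pem 2048
# CA certificate, self-signed, valid one year.
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

# Server key and CSR; the subject CN is the public DNS name.
openssl genrsa -out server-key.pem 2048
openssl req -subj "/CN=${PUBLIC_DNS}" -new -key server-key.pem -out server.csr
# Subject alternative names: a TLS client validates the name it connects with
# against the SAN list (the CN is ignored once a SAN is present), so every name
# used later is listed: the DNS name, both IPs, 127.0.0.1 and "localhost" for
# the local CLI. serverAuth keeps this cert from doubling as a client cert.
printf '%s\n' \
  "subjectAltName = DNS:${PUBLIC_DNS},DNS:localhost,IP:${PUBLIC_IP},IP:${PRIVATE_IP},IP:127.0.0.1" \
  'extendedKeyUsage = serverAuth' > server-ext.cnf
# Server certificate, signed by the CA.
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile server-ext.cnf

# Client key, CSR and certificate; clientAuth only.
openssl genrsa -out client-key.pem 2048
openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
printf '%s\n' 'extendedKeyUsage = clientAuth' > client-ext.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out client-cert.pem -extfile client-ext.cnf

# Securing: private keys readable by their owner only, certificates readable
# by everyone.
chmod -v 0400 -- *-key.pem
chmod -v 0444 -- ca.pem *-cert.pem

# Moving: the daemon needs the CA cert, the server cert and the server key.
# install(1) sets owner and mode explicitly; a plain cp would give the copied
# key whatever mode the umask yields.
sudo mkdir -p /etc/docker
sudo chown root:docker /etc/docker
sudo chmod 700 /etc/docker
sudo install -o root -g root -m 0444 -- ca.pem server-cert.pem /etc/docker/
sudo install -o root -g root -m 0400 -- server-key.pem /etc/docker/

# Configuring Docker to use TLS **WITH** systemd socket (alternative A).
# https://docs.docker.com/engine/reference/commandline/dockerd//#daemon-configuration-file
# "tlsverify": true makes the daemon require a client certificate signed by
# ca.pem; without it any host that can reach port 2376 gets root-equivalent
# control of the machine.
sudo tee /etc/docker/daemon.json <<'EOF'
{
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "tlsverify": true
}
EOF
# Configuring systemd socket to listen on TCP.
# https://github.com/docker/docker/issues/25471#issuecomment-238076313
# systemd unit files have no inline comments: "ListenStream= # ..." is read as
# an (invalid) address, so the explanation sits on its own line. 0.0.0.0 binds
# every interface; use the private IP if the daemon should not be reachable
# from the public side.
sudo mkdir -p /etc/systemd/system/docker.socket.d
sudo tee /etc/systemd/system/docker.socket.d/tcp_secure.conf <<'EOF'
[Socket]
# Uncomment the next line to drop the default unix socket: an empty
# ListenStream= clears the list inherited from the packaged unit.
#ListenStream=
ListenStream=0.0.0.0:2376
EOF
sudo systemctl daemon-reload
sudo service docker restart

# Configuring Docker to use TLS **WITHOUT** systemd socket (alternative B).
# https://docs.docker.com/engine/reference/commandline/dockerd//#daemon-configuration-file
# The listen addresses come from "hosts" here; the drop-in below replaces the
# packaged ExecStart so that the unit does not pass its own host flags.
sudo tee /etc/docker/daemon.json <<'EOF'
{
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://0.0.0.0:2376"
  ],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "tlsverify": true
}
EOF
# Disable systemd docker host configuration: an empty ExecStart= clears the
# packaged command line before the plain dockerd one is set.
sudo mkdir -p /etc/systemd/system/docker.service.d
sudo tee /etc/systemd/system/docker.service.d/simple_dockerd.conf <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd
EOF
sudo systemctl daemon-reload
sudo service docker restart

# Client test from the daemon host on the TLS port (2376). The CLI validates
# the server certificate against the host it connects to, which is why
# "localhost" is in the SAN list above. $HOME instead of ~: tilde expansion
# after "--flag=" is a bash extension, not POSIX.
docker \
  --host tcp://localhost:2376 \
  --tlsverify \
  --tlscacert="$HOME/docker-ca/ca.pem" \
  --tlscert="$HOME/docker-ca/client-cert.pem" \
  --tlskey="$HOME/docker-ca/client-key.pem" \
  container ls

# Simplification: with DOCKER_TLS_VERIFY set the CLI reads ca.pem, cert.pem and
# key.pem from ~/.docker. cp keeps the 0400 mode of key.pem (mode is copied,
# then masked by the umask).
export DOCKER_HOST=tcp://localhost:2376
export DOCKER_TLS_VERIFY=1
mkdir -p -- "$HOME/.docker"
cp -- "$HOME/docker-ca/ca.pem" "$HOME/.docker/"
cp -- "$HOME/docker-ca/client-cert.pem" "$HOME/.docker/cert.pem"
cp -- "$HOME/docker-ca/client-key.pem" "$HOME/.docker/key.pem"
docker container ls

# On another node than master. The scp copies the client key, which grants
# full control of the master daemon; only do this to nodes that need it.
# "~/.docker" is quoted so the tilde is expanded on the remote side.
export MASTER_PRIVATE_IP=10.X.Y.Z
export DOCKER_HOST="tcp://${MASTER_PRIVATE_IP}:2376"
export DOCKER_TLS_VERIFY=1
scp -r -- "${MASTER_PRIVATE_IP}:~/.docker" "$HOME/"
docker container ls

# On another node than the registry.
export REGISTRY_PRIVATE_IP=10.X.Y.Z
# Configure insecure registries. tee replaces daemon.json: if this node already
# has TLS settings there, merge both into one file instead of running this.
# The entry disables transport security for that host:port only, so keep it
# to the private network address.
sudo tee /etc/docker/daemon.json <<EOF
{
  "insecure-registries": [
    "${REGISTRY_PRIVATE_IP}:5000"
  ]
}
EOF
# Reload docker config
sudo service docker reload
# Pull from insecure registry
docker pull "${REGISTRY_PRIVATE_IP}:5000/johnnytu/busybox:1.0"

# Docker Hub login prompts for the password; it is not passed on the command
# line, where it would be visible in the process list.
export DOCKERHUB_USERNAME='...'
docker login --username "${DOCKERHUB_USERNAME}"
# Build & publish
cd -- "$HOME/orchestration-workshop/dockercoins/"
for service in hasher rng worker webui; do
  docker-compose build "${service}"
  docker image tag "dockercoins_${service}" "${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0"
  docker push "${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0"
done
# Create network
docker network create --driver overlay dockercoins
# Run
docker service create --network dockercoins --name redis redis
for service in hasher rng worker webui; do
  docker service create --network dockercoins --name "${service}" \
    "${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0"
done
docker service update webui --publish-add 8080:80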
looztra commented Nov 7, 2017

  • Proposition: expliciter le shell avec un shebang du genre #!/bin/env bash
  • Corriger le public_IP en minuscule dans le premier script
looztra commented Nov 7, 2017

Manque aussi un $ devant le {PUBLIC_DNS} à la ligne 18 du premier script
