Generate Docker certificates for training on TLS
|
# Configuration |
|
export PUBLIC_DNS=<public hostname> |
|
export PUBLIC_IP=<public host IP> |
|
export PRIVATE_IP=<private host IP> |
|
|
|
mkdir docker-ca |
|
chmod 0700 docker-ca/ |
|
cd docker-ca/ |
|
|
|
# CA key |
|
openssl genrsa -aes256 -out ca-key.pem 2048 |
|
# CA certificate |
|
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem |
|
|
|
# Server key |
|
openssl genrsa -out server-key.pem 2048 |
|
# Server CSR on DNS name |
|
openssl req -subj "/CN=={PUBLIC_DNS}" -new -key server-key.pem -out server.csr |
|
# Alts on IPs |
|
echo "subjectAltName = IP:${public_IP},IP:${PRIVATE_IP},IP:127.0.0.1" > extfile.cnf |
|
# Server certificate |
|
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf |
|
|
|
# Client key |
|
openssl genrsa -out client-key.pem 2048 |
|
# Client CSR |
|
openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr |
|
# clientAuth |
|
echo extendedKeyUsage = clientAuth > extfile.cnf |
|
# Client certificate |
|
openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile.cnf |
|
|
|
# Securing |
|
chmod -v 0400 *-key.pem |
|
chmod -v 0444 ca.pem *-cert.pem |
|
|
|
# Moving |
|
sudo mkdir -p /etc/docker |
|
sudo chown root:docker /etc/docker |
|
sudo chmod 700 /etc/docker |
|
sudo cp ~/docker-ca/{ca,server-*}.pem /etc/docker |
|
docker \ |
|
--host tcp://localhost:3276 \ |
|
--tlsverify \ |
|
--tlscacert=~/docker-ca/ca.pem \ |
|
--tlscert=~/docker-ca/client-cert.pem \ |
|
--tlskey=~/docker-ca/client-key.pem \ |
|
container ls |
|
|
|
# Simplification |
|
export DOCKER_HOST=tcp://localhost:2376 |
|
export DOCKER_TLS_VERIFY=1 |
|
mkdir -p ~/.docker |
|
cp ~/docker-ca/ca.pem ~/.docker/ |
|
cp ~/docker-ca/client-cert.pem ~/.docker/cert.pem |
|
cp ~/docker-ca/client-key.pem ~/.docker/key.pem |
|
|
|
docker container ls |
|
# On another node than master |
|
export MASTER_PRIVATE_IP=10.X.Y.Z |
|
|
|
export DOCKER_HOST=tcp://${MASTER_PRIVATE_IP}:2376 |
|
export DOCKER_TLS_VERIFY=1 |
|
scp -r ${MASTER_PRIVATE_IP}:~/.docker ~/ |
|
|
|
docker container ls |
|
# On another node than the registry |
|
|
|
export REGISTRY_PRIVATE_IP=10.X.Y.Z |
|
|
|
# Configure unsecure registries |
|
echo "{ |
|
\"insecure-registries\": [ |
|
\"${REGISTRY_PRIVATE_IP}:5000\" |
|
] |
|
}" | sudo tee /etc/docker/daemon.json |
|
|
|
# Reload docker config |
|
sudo service docker reload |
|
|
|
# Pull from insecure registry |
|
docker pull ${REGISTRY_PRIVATE_IP}:5000/johnnytu/busybox:1.0 |
|
export DOCKERHUB_USERNAME=... |
|
|
|
docker login --username ${DOCKERHUB_USERNAME} |
|
|
|
# Build & publish |
|
cd ~/orchestration-workshop/dockercoins/ |
|
for service in hasher rng worker webui; do |
|
docker-compose build ${service} |
|
docker image tag dockercoins_${service} ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0 |
|
docker push ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0 |
|
done |
|
# Create network |
|
docker network create --driver overlay dockercoins |
|
|
|
# Run |
|
docker service create --network dockercoins --name redis redis |
|
for service in hasher rng worker webui; do |
|
docker service create --network dockercoins --name ${service} ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0 |
|
done |
|
|
|
docker service update webui --publish-add 8080:80 |
/01-docker-tls.sh
Last active 
This comment has been minimized.
looztra commentedNov 7, 2017