Generate Docker certificates for training on TLS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Configuration | |
| export PUBLIC_DNS=<public hostname> | |
| export PUBLIC_IP=<public host IP> | |
| export PRIVATE_IP=<private host IP> | |
| mkdir docker-ca | |
| chmod 0700 docker-ca/ | |
| cd docker-ca/ | |
| # CA key | |
| openssl genrsa -aes256 -out ca-key.pem 2048 | |
| # CA certificate | |
| openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem | |
| # Server key | |
| openssl genrsa -out server-key.pem 2048 | |
| # Server CSR on DNS name | |
| openssl req -subj "/CN==${PUBLIC_DNS}" -new -key server-key.pem -out server.csr | |
| # Alts on IPs | |
| echo "subjectAltName = IP:${PUBLIC_IP},IP:${PRIVATE_IP},IP:127.0.0.1" > extfile.cnf | |
| # Server certificate | |
| openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf | |
| # Client key | |
| openssl genrsa -out client-key.pem 2048 | |
| # Client CSR | |
| openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr | |
| # clientAuth | |
| echo extendedKeyUsage = clientAuth > extfile.cnf | |
| # Client certificate | |
| openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile.cnf | |
| # Securing | |
| chmod -v 0400 *-key.pem | |
| chmod -v 0444 ca.pem *-cert.pem | |
| # Moving | |
| sudo mkdir -p /etc/docker | |
| sudo chown root:docker /etc/docker | |
| sudo chmod 700 /etc/docker | |
| sudo cp ~/docker-ca/{ca,server-*}.pem /etc/docker |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Configuring Docker to use TLS **WITH** systemd socket | |
| # https://docs.docker.com/engine/reference/commandline/dockerd//#daemon-configuration-file | |
| echo '{ | |
| "tls": true, | |
| "tlscacert": "/etc/docker/ca.pem", | |
| "tlscert": "/etc/docker/server-cert.pem", | |
| "tlskey": "/etc/docker/server-key.pem", | |
| "tlsverify": true | |
| }' | sudo tee /etc/docker/daemon.json | |
| # Configuring systemd socket to listen on TCP | |
| # https://github.com/docker/docker/issues/25471#issuecomment-238076313 | |
| sudo mkdir -p /etc/systemd/system/docker.socket.d | |
| echo '[Socket] | |
| ListenStream= # If you want to disable default unix socket | |
| ListenStream=0.0.0.0:2376' | sudo tee /etc/systemd/system/docker.socket.d/tcp_secure.conf | |
| sudo systemctl daemon-reload | |
| sudo service docker restart |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Configuring Docker to use TLS **WITHOUT** systemd socket | |
| # https://docs.docker.com/engine/reference/commandline/dockerd//#daemon-configuration-file | |
| echo '{ | |
| "hosts": [ | |
| "unix:///var/run/docker.sock", | |
| "tcp://0.0.0.0:2376" | |
| ], | |
| "tls": true, | |
| "tlscacert": "/etc/docker/ca.pem", | |
| "tlscert": "/etc/docker/server-cert.pem", | |
| "tlskey": "/etc/docker/server-key.pem", | |
| "tlsverify": true | |
| }' | sudo tee /etc/docker/daemon.json | |
| # Disable systemd docker host configuration | |
| sudo mkdir -p /etc/systemd/system/docker.service.d | |
| echo '[Service] | |
| ExecStart= | |
| ExecStart=/usr/bin/dockerd' | sudo tee /etc/systemd/system/docker.service.d/simple_dockerd.conf | |
| sudo systemctl daemon-reload | |
| sudo service docker restart |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| docker \ | |
| --host tcp://localhost:3276 \ | |
| --tlsverify \ | |
| --tlscacert=~/docker-ca/ca.pem \ | |
| --tlscert=~/docker-ca/client-cert.pem \ | |
| --tlskey=~/docker-ca/client-key.pem \ | |
| container ls | |
| # Simplification | |
| export DOCKER_HOST=tcp://localhost:2376 | |
| export DOCKER_TLS_VERIFY=1 | |
| mkdir -p ~/.docker | |
| cp ~/docker-ca/ca.pem ~/.docker/ | |
| cp ~/docker-ca/client-cert.pem ~/.docker/cert.pem | |
| cp ~/docker-ca/client-key.pem ~/.docker/key.pem | |
| docker container ls |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # On another node than master | |
| export MASTER_PRIVATE_IP=10.X.Y.Z | |
| export DOCKER_HOST=tcp://${MASTER_PRIVATE_IP}:2376 | |
| export DOCKER_TLS_VERIFY=1 | |
| scp -r ${MASTER_PRIVATE_IP}:~/.docker ~/ | |
| docker container ls |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # On another node than the registry | |
| export REGISTRY_PRIVATE_IP=10.X.Y.Z | |
| # Configure unsecure registries | |
| echo "{ | |
| \"insecure-registries\": [ | |
| \"${REGISTRY_PRIVATE_IP}:5000\" | |
| ] | |
| }" | sudo tee /etc/docker/daemon.json | |
| # Reload docker config | |
| sudo service docker reload | |
| # Pull from insecure registry | |
| docker pull ${REGISTRY_PRIVATE_IP}:5000/johnnytu/busybox:1.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| export DOCKERHUB_USERNAME=... | |
| docker login --username ${DOCKERHUB_USERNAME} | |
| # Build & publish | |
| cd ~/orchestration-workshop/dockercoins/ | |
| for service in hasher rng worker webui; do | |
| docker-compose build ${service} | |
| docker image tag dockercoins_${service} ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0 | |
| docker push ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0 | |
| done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Create network | |
| docker network create --driver overlay dockercoins | |
| # Run | |
| docker service create --network dockercoins --name redis redis | |
| for service in hasher rng worker webui; do | |
| docker service create --network dockercoins --name ${service} ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0 | |
| done | |
| docker service update webui --publish-add 8080:80 |
looztra
commented
Nov 7, 2017
- Proposition: expliciter le shell avec un un shebang du genre #!/bin/env bash
- Corriger le public_IP en minuscule dans le premier script
Manque aussi un $ devant le {PUBLIC_DNS} à la ligne 18 du premier script
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment