
docker管理工具之證書的製作與證書的加密

1.證書的製作

##下載registry映象
lftp 172.25.254.251:/pub/docs/docker> get registry.tar 
##匯入映象
[root@foundation52 kiosk]# docker load -i registry.tar
##
[root@foundation52 kiosk]# docker run -d -p 5000:5000 -v /opt/registry:/var/lib/registry registry:2
Unable to find image 'registry:2' locally
2: Pulling from library/registry
4064ffdc82fe: Pull complete
c12c92d1c5a2: Pull complete
4fbc9b6835cc: Pull complete
765973b0f65f: Pull complete
3968771a7c3a: Pull complete
Digest: sha256:51bb55f23ef7e25ac9b8313b139a8dd45baa832943c8ad8f7da2ddad6355b3c8
Status: Downloaded newer image for registry:2
becdda0248cbdf39ab532d5b81f1530d89c485e8fa6fc254c2f2de65b4a03465
[root@foundation52 kiosk]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
becdda0248cb        registry:2          "/entrypoint.sh /e..."   39 seconds ago      Up 36 seconds       0.0.0.0:5000->5000/tcp   thirsty_bhaskara
[root@foundation35 ~]# docker run -d -p 5000:5000 -v /opt/registry:/var/lib/registry registry:2
[root@foundation35 ~]# docker tag nginx localhost:5000/nginx
## push表示將本地的映象上傳到映象倉庫
[root@foundation35 ~]# docker push localhost:5000/nginx
The push refers to a repository [localhost:5000/nginx]
08d25fa0442e: Pushed
a8c4aeeaa045: Pushed
cdb3f9544e4c: Pushed
latest: digest: sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f size: 948
[root@foundation35 ~]# docker rmi localhost:5000/nginx
Untagged: localhost:5000/nginx:latest
Untagged: localhost:5000/nginx@sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f
[root@foundation35 ~]# docker rmi nginx
Untagged: nginx:latest
Untagged: nginx@sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424
Deleted: sha256:c82521676580c4850bb8f0d72e47390a50d60c8ffe44d623ce57be521bca9869
Deleted: sha256:2c1f65d17acf8759019a5eb86cc20fb8f8a7e84d2b541b795c1579c4f202a458
Deleted: sha256:8f222b457ca67d7e68c3a8101d6509ab89d1aad6d399bf5b3c93494bbf876407
Deleted: sha256:cdb3f9544e4c61d45da1ea44f7d92386639a052c620d1550376f22f5b46981af
[root@foundation35 ~]# docker pull localhost:5000/nginx
Using default tag: latest
latest: Pulling from nginx
2da35ff30a7d: Pull complete
831fb1a65ced: Pull complete
7a63da4e8a19: Pull complete
Digest: sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f
Status: Downloaded newer image for localhost:5000/nginx:latest
[root@foundation35 ~]# docker tag localhost:5000/nginx nginx
[root@foundation35 ~]# docker rmi localhost:5000/nginx
Untagged: localhost:5000/nginx:latest
Untagged: localhost:5000/nginx@sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f
[root@foundation35 ~]# docker images nginx
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              c82521676580        3 weeks ago         109 MB
[root@foundation52 docker]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                         PORTS                    NAMES
f6c961c0fcad        registry            "/tmp/docker/certs..."   3 minutes ago       Created                                                 unruffled_feynman
becdda0248cb        registry:2          "/entrypoint.sh /e..."   15 minutes ago      Up 15 minutes                  0.0.0.0:5000->5000/tcp   thirsty_bhaskara
##刪除佔用 5000 埠的兩個容器
[root@foundation52 docker]# docker rm -f f6
f6
[root@foundation52 docker]# docker rm -f be
be

##新增解析
[root@foundation52 ~]# vim /etc/hosts
######################
新增: 172.25.254.52 westos.org

[root@foundation52 ~]# ping westos.org
PING westos.org172.25.52.250 (172.25.52.250) 56(84) bytes of data.
64 bytes from westos.org172.25.52.250 (172.25.52.250): icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from westos.org172.25.52.250 (172.25.52.250): icmp_seq=2 ttl=64 time=0.082 ms
^Z
[1]+  Stopped                 ping westos.org
[root@foundation52 ~]# cd /tmp/docker/
[root@foundation52 docker]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt
Generating a 4096 bit RSA private key
...........................++
............................................................................................................................++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:westos.org
Email Address []:root@westos.org
[root@foundation52 docker]# mkdir certs
[root@foundation52 docker]# cd certs/
[root@foundation52 certs]# ll
total 8
-rw-r--r-- 1 root root 2098 Aug 22 16:39 domain.crt
-rw-r--r-- 1 root root 3272 Aug 22 16:39 domain.key
[root@foundation52 certs]# cd ..
[root@foundation52 docker]# docker run -d \
> --restart=always \
> --name registry \
> -v `pwd`/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
> -p 443:443 \
> registry:2
d5e1dec99b8d950538f8a04f63bb3219015d1d08daa94e7287cbd60274901a21
[root@foundation52 docker]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                            NAMES
d5e1dec99b8d        registry:2          "/entrypoint.sh /e..."   11 seconds ago      Up 10 seconds       0.0.0.0:443->443/tcp, 5000/tcp   registry
[root@foundation52 docker]# netstat -antlp |grep :443
tcp6       0      0 :::443                  :::*                    LISTEN      13765/docker-proxy  
[root@foundation52 docker]#  cd /opt/registry/
[root@foundation52 registry]# ls
[root@foundation52 registry]#  iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0           
RETURN     all  --  192.168.122.0/24     224.0.0.0/24        
RETURN     all  --  192.168.122.0/24     255.255.255.255     
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24    
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:443

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.17.0.2:443
[root@foundation52 registry]# cd /etc/docker
[root@foundation52 docker]# ls
daemon.json  key.json
[root@foundation52 docker]# mkdir certs.d
[root@foundation52 docker]# cd certs.d/
[root@foundation52 certs.d]# mkdir westos.org
[root@foundation52 certs.d]#  cd westos.org
[root@foundation52 westos.org]# cp /tmp/docker/certs/domain.crt ./ca.crt
[root@foundation52 westos.org]# ls
ca.crt
[root@foundation52 westos.org]# docker tag nginx westos.org/rhel7
[root@foundation52 westos.org]# docker push westos.org/rhel7
The push refers to a repository [westos.org/rhel7]
08d25fa0442e: Pushed 
a8c4aeeaa045: Pushed 
cdb3f9544e4c: Pushed 
latest: digest: sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f size: 948

2.證書的加密

[root@foundation52 kiosk]# cd /tmp/docker/
[root@foundation52 docker]# mkdir auth
[root@foundation52 docker]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                            NAMES
[root@foundation52 docker]# docker volume ls
DRIVER              VOLUME NAME
local               017f3f8d7cae7b732ef372eef90c4d3a6f65701e581a5704e837f9bed51af355
local               27ec2bb38d509f1aada158c0051ab50acd2dc40880a0763296d79f6a2065b74e
.............
[root@foundation52 docker]# docker volume rm `docker volume ls -q`
017f3f8d7cae7b732ef372eef90c4d3a6f65701e581a5704e837f9bed51af355
27ec2bb38d509f1aada158c0051ab50acd2dc40880a0763296d79f6a2065b74e
.............
[root@foundation52 docker]# docker volume ls
DRIVER              VOLUME NAME

##
[root@foundation52 docker]# docker run --entrypoint htpasswd registry:2 -Bbn haha westos > auth/htpasswd
[root@foundation52 docker]# cat auth/htpasswd
haha:$2y$05$iAk4eCp8ntMaWIfSwxvqeej4VrsRrieI3yiAC.fJ7zznp81PVlaQu
## >>表示追加
[root@foundation52 docker]# docker run --entrypoint htpasswd registry:2 -Bbn admin admin >> auth/htpasswd
[root@foundation52 docker]# cat auth/htpasswd
haha:$2y$05$iAk4eCp8ntMaWIfSwxvqeej4VrsRrieI3yiAC.fJ7zznp81PVlaQu
admin:$2y$05$xuQmKgjMheEbpPr45AdSYO9TpxsPWy0VSs/UIBIYDZ.0Qy0ysQu/O

[root@foundation52 docker]# docker ps 
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[root@foundation52 docker]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS               NAMES
cad9935c58b7        registry:2          "htpasswd -Bbn adm..."   24 seconds ago      Exited (0) 22 seconds ago                       elated_davinci
a76411db42c5        registry:2          "htpasswd -Bbn hah..."   47 seconds ago      Exited (0) 43 seconds ago                       youthful_keller

##用 htpasswd 設定使用者密碼：第一次（建立檔案時）必須加 -cm
[root@foundation52 docker]# htpasswd -cm htpaswd haha
New password: 
Re-type new password: 
Adding password for user haha
[root@foundation52 docker]# cat htpaswd
haha:$apr1$I0l6qswB$fW6C2EEzw28FbzS/oD6h80
##此後便可直接加 -m
[root@foundation52 docker]# htpasswd -m htpaswd admin
New password: 
Re-type new password: 
Adding password for user admin
[root@foundation52 docker]# cat htpaswd
haha:$apr1$I0l6qswB$fW6C2EEzw28FbzS/oD6h80
admin:$apr1$PRHSaDPG$e9j5Fn2n6OI/EhPf11KLI1
[root@foundation52 docker]# rm -f htpaswd 
[root@foundation52 docker]# docker container prune
WARNING! This will remove all stopped containers.
Are you sure you want to continue? [y/N] y
Deleted Containers:
e5775c9bb2389069749f0248462aa04b3473a3f189c1472f9be7e7e1f7c4a271
500f2ce33b774f048dd7f144016f6d033b3e09865410ca5a56478daa3bdcdc08

Total reclaimed space: 0 B
[root@foundation52 docker]# docker run -d \
> --restart=always \
> -v `pwd`/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
> -v `pwd`/auth:/auth -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
> -p 443:443 \
> registry:2
eb27ad6bf246581518ddeb463b22a958352f867c320f29131532d8305873110e
[root@foundation52 docker]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                            NAMES
99ee302d848c        registry:2          "/entrypoint.sh /e..."   11 seconds ago      Up 9 seconds        0.0.0.0:443->443/tcp, 5000/tcp   flamboyant_boyd
##使用者登入（注意：-p 直接在命令列給密碼，會留在 shell 歷史和 ps 輸出中）
[root@foundation52 docker]# docker login -u haha -p westos westos.org
Login Succeeded
[root@foundation52 docker]# ping westos.org
PING westos.org (172.25.254.52) 56(84) bytes of data.
64 bytes from westos.org (172.25.254.52): icmp_seq=1 ttl=64 time=0.039 ms
^Z
[1]+  Stopped                 ping westos.org
##因為 registry 啟用了 htpasswd 認證（即上文所稱的證書加密），所以只有使用者登入之後才能 push；登入後的帳號密碼會以 base64 編碼（非加密）存放在 ~/.docker/config.json 中
[root@foundation52 docker]# docker push westos.org/rhel7
The push refers to a repository [westos.org/rhel7]
08d25fa0442e: Pushed 
a8c4aeeaa045: Pushed 
cdb3f9544e4c: Pushed 
latest: digest: sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f size: 948

[root@foundation52 docker]# cd 
[root@foundation52 ~]# cd .docker/
[root@foundation52 .docker]# ls
config.json
[root@foundation52 .docker]# cat config.json 
{
    "auths": {
        "westos.org": {
            "auth": "aGFoYTp3ZXN0b3M="
        }
    }
}
[root@foundation52 .docker]# netstat -antlp | grep :443
tcp6       0      0 :::443                  :::*                    LISTEN      4964/docker-proxy   
[root@foundation52 .docker]# cat config.json 
{
    "auths": {
        "westos.org": {
            "auth": "aGFoYTp3ZXN0b3M="
        }
    }
[root@foundation52 .docker]# cd 
[root@foundation52 ~]# rm -rf .docker/
##將nginx映象標示為westos.org/nginx 即為更改映象名稱
[root@foundation52 ~]# docker tag nginx westos.org/nginx
##上傳映象
[root@foundation52 ~]# docker push westos.org/nginx
The push refers to a repository [westos.org/nginx]
08d25fa0442e: Pushed 
a8c4aeeaa045: Pushed 
cdb3f9544e4c: Pushed 
latest: digest: sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f size: 948