Docker远程调用
自签CA证书
- 下载cfssl
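# Install the cfssl toolchain (cfssl, cfssljson, cfssl-certinfo) into /usr/local/bin.
# NOTE(review): the binaries are fetched over HTTPS but no checksum or signature is
# verified here. Compare them against the checksums published with the upstream
# release before building a CA with them - everything below trusts these tools.
cfssl_base="https://pkg.cfssl.org/R1.2"
yum -y install wget
for tool in cfssl cfssljson cfssl-certinfo; do
  wget -O "${tool}_linux-amd64" "${cfssl_base}/${tool}_linux-amd64"
  # install(1) sets the mode and places the file in one step. All three tools now
  # land in /usr/local/bin (the original put cfssl-certinfo in /usr/bin, which is
  # inconsistent with the other two and easy to miss when cleaning up).
  install -m 0755 "${tool}_linux-amd64" "/usr/local/bin/${tool}"
  rm -f "${tool}_linux-amd64"
done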
- 生成CA根证书
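# Create the private CA that will sign the Docker daemon and client certificates.
mkdir -p /home/TLS/docker
# CA CSR. The quoted delimiter ('EOF') tells the shell not to expand anything in
# the JSON; there is nothing to expand today, but it keeps the file literal.
cat > /home/TLS/ca-csr.json << 'EOF'
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "system"
}
]
}
EOF
# Produces three files:
#   ca-key.pem - the CA private key. Anyone holding it can mint client
#                certificates the daemon will accept as root-equivalent, so keep
#                it off the Docker hosts and never copy it to clients.
#   ca.pem     - the CA certificate (not just a public key); this is what servers
#                and clients are given to verify each other.
#   ca.csr     - the signing request, not needed afterwards.
cfssl gencert -initca /home/TLS/ca-csr.json | cfssljson -bare /home/TLS/ca
# cfssljson normally writes private keys with mode 0600; the explicit chmod makes
# that independent of tool version and of the caller's umask.
chmod 600 /home/TLS/ca-key.pem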
- 设置CA配置选项
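# Signing policy for the CA. Comments are not allowed inside the JSON (cfssl
# rejects the file if they are present), so each field is explained here:
#   default.expiry - fallback validity for a profile that sets none
#   server         - "server auth": clients verify the daemon's identity
#   client         - "client auth": the daemon verifies the caller's identity
#   peer           - both usages, for a certificate used in either role
# Key-usage notes: in cfssl "signing" maps to the digitalSignature key usage
# needed for TLS handshakes. It does NOT let the certificate sign other
# certificates - that would be "cert sign", which is deliberately absent so a
# leaked leaf certificate cannot act as an intermediate CA.
# 87600h is ten years. Long-lived certificates make rotation and revocation
# harder; shorten this if the hosts can be re-issued easily.
cat > /home/TLS/ca-config.json << 'EOF'
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"server": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF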
- 给docker颁发server证书
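# Issue the daemon's certificate. "hosts" are the Subject Alternative Names the
# certificate is valid FOR: the IPs (or DNS names) that clients will put in -H
# and that the TLS client checks against the certificate. They are NOT an
# access list of which clients may connect - client access is decided solely by
# whether the caller presents a certificate signed by ca.pem.
# Comments are not allowed inside the JSON, hence the quoted heredoc with the
# explanation kept out here.
cat > /home/TLS/docker/docker-csr.json << 'EOF'
{
"CN": "docker",
"hosts": [
"192.168.153.50",
"192.168.153.51",
"192.168.153.52",
"192.168.153.53"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "k8s",
"OU": "system"
}
]
}
EOF
# The "peer" profile carries both server auth and client auth, so this one
# certificate is also accepted as a client identity. A dedicated client
# certificate (profile "client") is the cleaner choice: the daemon's private key
# then never has to leave the host.
cfssl gencert \
  -ca=/home/TLS/ca.pem \
  -ca-key=/home/TLS/ca-key.pem \
  -config=/home/TLS/ca-config.json \
  -profile=peer \
  /home/TLS/docker/docker-csr.json | cfssljson -bare /home/TLS/docker/docker
# Install the CA certificate and the daemon's key pair where daemon.json points.
# mkdir without -p fails if /etc/docker/tls already exists (or /etc/docker does
# not); install -d handles both. The private key must be readable by root only,
# which is the account dockerd runs as.
install -d -m 0700 /etc/docker/tls
install -m 0644 /home/TLS/ca.pem /home/TLS/docker/docker.pem /etc/docker/tls/
install -m 0600 /home/TLS/docker/docker-key.pem /etc/docker/tls/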
配置TLS加密(守护进程的远程接口使用的是 TLS 双向认证,与 SSH 无关)
- 配置Docker守护进程
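# Write the daemon configuration. daemon.json is strict JSON - no comments are
# permitted inside it, so the fields are explained here. This overwrites any
# existing /etc/docker/daemon.json; merge by hand if one is already in use.
#   hosts     - the unix socket for local clients, plus TCP 2376 (the
#               conventional TLS port) on ALL interfaces. With tlsverify the
#               client-certificate check is the only thing between the network
#               and root on this host, so also firewall 2376 or bind the
#               management address instead of 0.0.0.0.
#   tlsverify - require a client certificate signed by tlscacert. "tls": true
#               on its own would only encrypt and would let anyone connect.
#   tlscacert - the CA that issued the client certificates
#   tlscert   - the daemon's own certificate
#   tlskey    - the daemon's private key (root-readable only)
cat > /etc/docker/daemon.json << 'EOF'
{
"hosts": [
"unix:///var/run/docker.sock",
"tcp://0.0.0.0:2376"
],
"tlsverify": true,
"tlscacert": "/etc/docker/tls/ca.pem",
"tlscert": "/etc/docker/tls/docker.pem",
"tlskey": "/etc/docker/tls/docker-key.pem"
}
EOF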
- 修改Docker启动参数
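# dockerd refuses to start when "hosts" is given both in daemon.json and via the
# -H flag that the packaged unit passes (-H fd://, the systemd socket-activation
# descriptor), so the flag has to be removed from ExecStart. Do it with a
# systemd drop-in rather than editing /lib/systemd/system/docker.service, which
# the package manager overwrites on upgrade. The empty "ExecStart=" line clears
# the packaged command before the replacement is set. Check the packaged
# ExecStart first (grep ExecStart /lib/systemd/system/docker.service) and carry
# over any other flags it sets besides -H.
mkdir -p /etc/systemd/system/docker.service.d
cat > /etc/systemd/system/docker.service.d/override.conf << 'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --containerd=/run/containerd/containerd.sock
EOF
systemctl daemon-reload
systemctl restart docker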
- 验证
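# Smoke-test the TLS endpoint. A dedicated client certificate is issued with the
# "client" profile from ca-config.json instead of reusing docker.pem and
# docker-key.pem: the daemon's private key should never be copied to Jenkins or
# any other client, and a client-only certificate cannot be replayed as a
# server identity. "hosts": [""] is the cfssl idiom for a certificate with no
# SAN, which is what a client identity needs.
cat > /home/TLS/docker/client-csr.json << 'EOF'
{
"CN": "docker-client",
"hosts": [""],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "k8s",
"OU": "system"
}
]
}
EOF
cfssl gencert \
  -ca=/home/TLS/ca.pem \
  -ca-key=/home/TLS/ca-key.pem \
  -config=/home/TLS/ca-config.json \
  -profile=client \
  /home/TLS/docker/client-csr.json | cfssljson -bare /home/TLS/docker/client
chmod 600 /home/TLS/docker/client-key.pem
# Positive check: the daemon answers a caller that presents a CA-signed client
# certificate. The -H address must be one of the SANs in docker-csr.json.
docker --tlsverify \
  --tlscacert=/home/TLS/ca.pem \
  --tlscert=/home/TLS/docker/client.pem \
  --tlskey=/home/TLS/docker/client-key.pem \
  -H tcp://192.168.153.50:2376 version
# Negative check: with tlsverify on the daemon, a caller that offers no client
# certificate must be refused. If this succeeds the daemon is open to the network.
if docker --tls --tlscacert=/home/TLS/ca.pem -H tcp://192.168.153.50:2376 version >/dev/null 2>&1; then
  echo "ERROR: daemon accepted a connection without a client certificate" >&2
fi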
CD持续交付
- Jenkins安装Docker插件,Manage Jenkins -> Manage Plugins -> Available -> Docker -> Install without restart
- 安装Docker Client,Manage Jenkins -> Global Tool Configuration -> Docker(Add Docker) -> Install automatically -> Add Installer(Download from docker.com) -> Save
- 添加Docker Cloud,Manage Jenkins -> Manage nodes and clouds -> Configure Clouds -> Add a new cloud(docker) -> Docker Host URI(tcp://192.168.153.50:2376) -> Server credentials(Add) -> X.509 Client Certificate(Client Key:docker-key.pem,Client Certificate:docker.pem,Server CA Certificate:ca.pem) -> Add。注意:这里填入 Jenkins 的是客户端私钥,直接复用守护进程的 docker-key.pem 意味着 Docker 主机的服务器私钥被复制到了 Jenkins;更稳妥的做法是用 ca-config.json 中的 client profile 单独签发一张只带 client auth 的客户端证书给 Jenkins 使用,守护进程的私钥留在主机上。