Secure Configuration

Using TLS

auto-tls.sh

#!/bin/bash
#
# -------------------------------------------------------------
# Automatically create Docker TLS certificates
# -------------------------------------------------------------

set -e  # stop at the first failed openssl step instead of leaving a half-written set

# Configuration follows
# --[BEGIN]------------------------------

CODE=""                        # suffix appended to every generated file name (the service unit below uses "dp")
IP="Docker服务器ip"             # placeholder: IP address of the Docker server
PASSWORD="密钥密码"             # placeholder: passphrase protecting the CA key
COUNTRY="CN"
STATE="Sichuan"
CITY="Chengdu"
ORGANIZATION="公司"             # placeholder: organisation name
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
EMAIL="可不填"                  # placeholder: optional

# --[END]--

# Generate CA key (encrypted with $PASSWORD)
openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "ca-key-$CODE.pem" 4096
# Generate CA certificate
openssl req -new -x509 -days 365 -key "ca-key-$CODE.pem" -sha256 -out "ca-$CODE.pem" -passin "pass:$PASSWORD" -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"
# Generate server key
openssl genrsa -out "server-key-$CODE.pem" 4096

# Generate server certificate
openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key-$CODE.pem" -out server.csr

# '>' rather than '>>' for the first line: a stale extfile.cnf from an earlier run must not be appended to
echo "subjectAltName = IP:$IP,IP:127.0.0.1" > extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf

openssl x509 -req -days 365 -sha256 -in server.csr -passin "pass:$PASSWORD" -CA "ca-$CODE.pem" -CAkey "ca-key-$CODE.pem" -CAcreateserial -out "server-cert-$CODE.pem" -extfile extfile.cnf


# Generate client certificate
rm -f extfile.cnf

openssl genrsa -out "key-$CODE.pem" 4096
openssl req -subj '/CN=client' -new -key "key-$CODE.pem" -out client.csr
echo "extendedKeyUsage = clientAuth" > extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -passin "pass:$PASSWORD" -CA "ca-$CODE.pem" -CAkey "ca-key-$CODE.pem" -CAcreateserial -out "cert-$CODE.pem" -extfile extfile.cnf

rm -vf client.csr server.csr extfile.cnf

# Private keys readable by the owner only; certificates are public
chmod -v 0400 "ca-key-$CODE.pem" "key-$CODE.pem" "server-key-$CODE.pem"
chmod -v 0444 "ca-$CODE.pem" "server-cert-$CODE.pem" "cert-$CODE.pem"

# Package the client certificates
mkdir -p "tls-client-certs-$CODE"
cp -f "ca-$CODE.pem" "cert-$CODE.pem" "key-$CODE.pem" "tls-client-certs-$CODE/"
cd "tls-client-certs-$CODE"
tar zcf "tls-client-certs-$CODE.tar.gz" *
mv "tls-client-certs-$CODE.tar.gz" ../
cd ..
rm -rf "tls-client-certs-$CODE"

# Copy the server certificates to where dockerd will read them
mkdir -p /etc/docker/certs.d
cp "ca-$CODE.pem" "server-cert-$CODE.pem" "server-key-$CODE.pem" /etc/docker/certs.d/

Open Docker Remote API

vim /lib/systemd/system/docker.service


# modify this line to your own configuration (the unix socket URL needs three slashes)
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -D -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/root/ca-dp.pem --tlscert=/root/server-cert-dp.pem --tlskey=/root/server-key-dp.pem

# restart docker
systemctl daemon-reload
systemctl restart docker

# check tls status: verify the server against the CA (--cacert) instead of skipping verification with -k,
# and present the client certificate, which dockerd --tlsverify requires
curl --cacert ./ca.pem https://{docker節點IP}:2376/info --cert ./cert.pem --key ./key.pem

Connecting to the docker daemon remotely, Docker Remote API
Portainer authentication over TLS

Using Firewall

On Ubuntu, ufw makes it simple to allow a specific port only from specific IPs.
On CentOS, firewalld can be used for the same.

Using Python-Docker SDK

install requirement

pip install docker

init client

import docker

# Mutual TLS: present the client certificate and verify the daemon against the CA
tls_config = docker.tls.TLSConfig(
  client_cert=('/path/to/cert/cert.pem', '/path/to/key/key.pem'),
  verify='/path/to/ca/ca.pem'
)
client = docker.DockerClient(base_url='https://{ip}:{port}', tls=tls_config)

# information
client.version()

run container

# DockerClient has no run() method; containers are started through client.containers
client.containers.run('{image}', '{command}')

Cooperate with Paramiko

A module, but there are a great many pitfalls online, and I stepped into quite a few of them myself...

Recursive directory copy with Paramiko in Python
Implementing ssh and scp functionality with Python's paramiko module

Monitor Docker by Portainer

Portainer is a Docker management UI panel that makes managing containers fairly convenient.
But once used to the command line, I basically only use it to view container logs (for small services); in large cluster deployments, a unified and more advanced central log management system (such as filebeat/rsyslog) is more pleasant.

Tricks

  • When mounting with -v through the Remote API, note that the host directory being mounted must exist on the remote server; otherwise the mount will be empty, with nothing in it.
  • If Docker suddenly cannot mount anything, check the free disk space on the server.

Materials

Cleaning up the disk space used by Docker
When the Linux root partition is full, how to quickly find which files take up the most space