Wrote first docker-tcp script version
parent
fac578b878
commit
2cb6d2686c
|
@ -79,8 +79,8 @@ with the machine's public IP.
|
|||
This file can now be used to generate the actual signed certificate:
|
||||
|
||||
```shell
|
||||
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey \
|
||||
ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
|
||||
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem \
|
||||
-CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
|
||||
```
|
||||
|
||||
Here, we can once again change the days argument to the value we want. After
|
||||
|
@ -151,7 +151,7 @@ encrypted connection. Let's test it by adding it to Portainer!
|
|||
|
||||
Thankfully this is the easy part. In Portainer, add a new endpoint and choose
|
||||
the "Docker" type. Pick a name for your endpoint, fill in the endpoint URL
|
||||
including the port number (Docker's default port number is `2375`) and enable
|
||||
including the port number (Docker's default port number is `2376`) and enable
|
||||
the "TLS" switch. We choose "TLS with server and client verification", as this
|
||||
is the safest. The files to upload are `ca.pem` for the TLS CA certificate,
|
||||
`cert.pem` for the TLS certificate and `key.pem` for the TLS key. If all goes
|
||||
|
|
|
@ -10,9 +10,21 @@ days=365
|
|||
|
||||
# Displays how to use the program
|
||||
function usage() {
|
||||
echo "This script generates OpenSSL certificate pairs which can be used to expose a Docker API."
|
||||
echo
|
||||
echo "Usage: $0 [-h] [-d DAYS] HOST IP"
|
||||
cat << EOF
|
||||
This script generates OpenSSL certificate pairs which can be used to expose a
|
||||
Docker API.
|
||||
|
||||
Usage: $0 [-h] [-d DAYS] HOST IP [CERTDIR]
|
||||
|
||||
HOST hostname of the machine to expose
|
||||
IP public IP of the machine to expose
|
||||
CERTDIR directory where the certificates will reside on the machine. If
|
||||
specified, a startup_options.conf file is created for you, which
|
||||
can then be copied over to the host.
|
||||
|
||||
-h show this message
|
||||
-d how many days the certificate will be valid; defaults to 365
|
||||
EOF
|
||||
exit 1
|
||||
}
|
||||
|
||||
|
@ -25,19 +37,99 @@ while getopts ':hd:' c; do
|
|||
done
|
||||
shift $((OPTIND - 1))
|
||||
|
||||
host="$1"
|
||||
ip="$2"
|
||||
certdir="$3"
|
||||
|
||||
# Check for correct amount of arguments
|
||||
[ $# -eq 2 ] || usage
|
||||
[ $# -lt 2 ] && [ $# -gt 3 ] && usage
|
||||
|
||||
|
||||
# =====SERVER-SIDE=====
|
||||
# Generate CA key
|
||||
openssl genrsa -aes256 -out ca-key.pem 4096
|
||||
openssl req -new -x509 -days "$DAYS" -key ca-key.pem -sha256 -out ca.pem
|
||||
openssl genrsa \
|
||||
-aes256 \
|
||||
-out ca-key.pem \
|
||||
4096
|
||||
openssl req \
|
||||
-new \
|
||||
-x509 \
|
||||
-days "$days" \
|
||||
-key ca-key.pem \
|
||||
-sha256 \
|
||||
-out ca.pem
|
||||
|
||||
# Generate server key
|
||||
openssl genrsa -out server-key.pem 4096
|
||||
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
|
||||
openssl genrsa \
|
||||
-out server-key.pem \
|
||||
4096
|
||||
openssl req \
|
||||
-subj "/CN=$host" \
|
||||
-sha256 \
|
||||
-new \
|
||||
-key server-key.pem \
|
||||
-out server.csr
|
||||
|
||||
# Create extfile.cnf
|
||||
|
||||
echo subjectAltName = "DNS:$HOST,IP:$IP,IP:127.0.0.1" > extfile.cnf
|
||||
echo subjectAltName = "DNS:$host,IP:$ip,IP:127.0.0.1" > extfile.cnf
|
||||
echo extendedKeyUsage = serverAuth >> extfile.cnf
|
||||
|
||||
# Generate server-side certificate
|
||||
openssl x509 \
|
||||
-req \
|
||||
-days 365 \
|
||||
-sha256 \
|
||||
-in server.csr \
|
||||
-CA ca.pem \
|
||||
-CAkey ca-key.pem \
|
||||
-CAcreateserial \
|
||||
-out server-cert.pem \
|
||||
-extfile extfile.cnf
|
||||
|
||||
|
||||
# =====CLIENT-SIDE=====
|
||||
# Generate key & csr
|
||||
openssl genrsa \
|
||||
-out key.pem \
|
||||
4096
|
||||
openssl req \
|
||||
-subj '/CN=client' \
|
||||
-new \
|
||||
-key key.pem \
|
||||
-out client.csr
|
||||
|
||||
# Create extfile-client.cnf
|
||||
echo extendedKeyUsage = clientAuth > extfile-client.cnf
|
||||
|
||||
# Generate certificate
|
||||
openssl x509 \
|
||||
-req \
|
||||
-days 365 \
|
||||
-sha256 \
|
||||
-in client.csr \
|
||||
-CA ca.pem \
|
||||
-CAkey ca-key.pem \
|
||||
-CAcreateserial \
|
||||
-out cert.pem \
|
||||
-extfile extfile-client.cnf
|
||||
|
||||
# Create startup_options.conf
|
||||
if [ -n "$certdir" ]; then
|
||||
cat > startup_options.conf << EOF
|
||||
[Service]
|
||||
ExecStart=
|
||||
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert='$certdir/ca.pem' --tlscert='$certdir/server-cert.pem' --tlskey='$certdir/server-key.pem' -H fd:// -H tcp://0.0.0.0:2376
|
||||
EOF
|
||||
|
||||
echo "Copy 'ca.pem', 'server-cert.pem' and 'server-key.pem' over to '$certdir' on the machine."
|
||||
echo "'startup_options.conf' should be placed in '/etc/systemd/docker.service.d/startup_options.conf'."
|
||||
|
||||
else
|
||||
echo "Copy 'ca.pem', 'server-cert.pem' and 'server-key.pem' over to the chosen directory on the machine."
|
||||
echo "Create a 'startup_options.conf' file as specified."
|
||||
|
||||
fi
|
||||
|
||||
echo "Now, you can restart the Docker daemon using:"
|
||||
echo " systemctl daemon-reload"
|
||||
echo " systemctl restart docker.service"
|
||||
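Review bot: The new argument check `[ $# -lt 2 ] && [ $# -gt 3 ] && usage` can never reach `usage`, because no value of `$#` is both below 2 and above 3, so running the script with no arguments goes on to mint a CA and certificates with an empty CN and a `DNS:,IP:,IP:127.0.0.1` SAN; it should read `{ [ "$#" -lt 2 ] || [ "$#" -gt 3 ]; } && usage`. The server and client signing steps still hard-code `-days 365` while the CA step was switched to `-days "$days"`, so the `-d DAYS` option documented in this same commit silently applies only to the CA certificate; both `openssl x509 -req` calls should use `-days "$days"`. Nothing restricts the permissions of the private keys the script writes (`ca-key.pem`, `server-key.pem` and the unencrypted client `key.pem`), which inherit the caller's umask; a `chmod 0400 ca-key.pem server-key.pem key.pem` after generation is the usual minimum before these files get copied around. The closing hint names `/etc/systemd/docker.service.d/`, but systemd reads unit drop-ins from `/etc/systemd/system/docker.service.d/`, so the printed path should be corrected or the override will simply be ignored. The script also appears to run without `set -e` (unless it is set above this hunk), so a failed openssl step is still followed by the same copy-over instructions; `set -euo pipefail` near the top would stop that.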
|
|