Docker

之前部署docker的时候都是没对docker的HTTP/socker接口进行加密。最近在线上部署的时候就得考虑这个。使用证书对docker进行加密主要参考官方的文档：1. https://docs.docker.com/v1.13/engine/security/https/2. https://github.com/docker/swarm/issues/341 docker engine配置TLS 主要注意做swarm cluster的时候 需要签发证书的时候subjectAltName里把本机的IP。生成证书的从网上找到的一个脚本做了修改,直接在里面把集群的IP都填进去，这样每个机器可以证书相同： #!/bin/bas h # This script will help you setup Docker for TLS authen tication. # Run it passing in the arguement for the FQDN of your docker server # For example: ./create-docker-tls.sh myhost.docker.com The script will also create a profile.d (if it exists) entry which configures your docker client to use TLS We will also overwrite /etc/sysconfig/docker (again, if it exists) to configure the daemon. A backup will be created at /etc/sysconfig/docker.unixTimestamp MIT License applies to this script. I don’t accept any responsibility for damage you may cause using it. set -e STR=2048 ...

直接把这个服务关闭了，测试了不影响带外登陆。 [email protected]: service.dead: - enable: False - provider: systemd

准备干净的vm模版，clone出4台。ip规划如下enp0s3 外网网卡，桥接模式，dhcpenp0s8 内网网卡，bridge到bridge0(192.168.1.1/24) 2. 打通centos-console 到其他几个服务区的信任登陆centos-console 192.168.1.10centos-test1 192.168.1.11centos-test2 192.168.1.12centos-test3 192.168.1.13 3. 在跳板机器创建consul容器，做服务发现docker run --restart=always -d -p 8500:8500 --name=consul progrium/consul -server -bootstrap 4. 创建swarm-masterdocker-machine create --driver generic --generic-ip-address 192.168.1.11 --generic-ssh-user root --engine-registry-mirror=https://wfsgsp6x.mirror.aliyuncs.com --engine-install-url=https://get.daocloud.io/docker/ --swarm --swarm-master --swarm-discovery="consul://192.168.1.10:8500" node-master 5. 创建nodedocker-machine create --driver generic --generic-ip-address 192.168.1.12 --generic-ssh-user root --engine-registry-mirror=https://wfsgsp6x.mirror.aliyuncs.com --engine-install-url=https://get.daocloud.io/docker/ --swarm --swarm-discovery="consul://192.168.1.10:8500" node-woker1docker-machine create --driver generic --generic-ip-address 192.168.1.13 --generic-ssh-user root --engine-registry-mirror=https://wfsgsp6x.mirror.aliyuncs.com --engine-install-url=https://get.daocloud.io/docker/ --swarm --swarm-discovery="consul://192.168.1.10:8500" node-woker2 6. 查看machine[root@centos-console cert]# docker-machine lsNAME ACTIVE DRIVER STATE URL SWARM DOCKER ERRORSnode-master - generic Running tcp://192.168.1.11:2376 node-master (master) v1.12.0node-woker1 - generic Running tcp://192.168.1.12:2376 node-master v1.12.0node-woker2 - generic Running tcp://192.168.1.13:2376 node-master v1.12.0 7. 登陆管理docker -H 192.168.1.11:3376 --tlsverify --tlscacert=/root/cert/ca.pem --tlscert=/root/cert/server.pem --tlskey=/root/cert/server-key.pem info enp0s3 外网网卡，桥接模式，dhcp ...