
Connecting remotely from the Docker client

Now that our Docker host is secured, it will not respond to requests from our Docker client yet: the host only accepts requests from clients whose certificates were issued by our CA.

The following steps will generate an identity for our Docker client:

  1. First, let's generate the private key of our Docker client in ~/.docker/key.pem:
      client$ openssl genrsa -out ~/.docker/key.pem 4096
      Generating RSA private key, 4096 bit long modulus
      ...................++
      .........................................................++
      e is 65537 (0x10001)
  2. Next, we make sure that only our own user can read this private key:
      client$ chmod 600 ~/.docker/key.pem
  3. We now generate the CSR for the client in a file called client.csr:
      client$ openssl req -subj '/CN=client' -new \
          -key ~/.docker/key.pem -out client.csr
  4. Now that our CSR is ready, we create an OpenSSL extension file stating that the certificate will be used for client authentication. The file ~/ca/client-ext.cnf contains this single line:
      extendedKeyUsage = clientAuth
  5. Finally, we are ready to issue the certificate for our Docker client. The following command signs the CSR with our CA and writes our Docker client's certificate to ~/.docker/cert.pem:
      client$ openssl x509 -req -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
          -extfile client-ext.cnf -in client.csr -out ~/.docker/cert.pem
      Signature ok
      subject=/CN=client
      Getting CA Private Key
      Enter pass phrase for ca-key.pem: ****
  6. To complete our client's TLS configuration, we also copy our CA's certificate into the ~/.docker directory:
      client$ cp ca.pem ~/.docker/ca.pem
  7. Finally, we tell our Docker client to connect securely to our remote Docker host by exporting the following environment variables:
      client$ export DOCKER_HOST=tcp://dockerhost:2376
      client$ export DOCKER_TLS_VERIFY=true

Congratulations! We now have a secure communication channel between our Docker client and Docker host. To verify the connection, we can run the following command, which shows information about our remote Docker host:

client$ docker info
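The following script is an added example, not part of the book's text. It rehearses steps 1 to 5 above in a scratch directory with a throwaway CA, so the two properties the Docker daemon relies on can be checked offline: the client certificate chains to the CA, and it carries the clientAuth extended key usage that step 4 adds. It also issues a second certificate without the extension file to show that the check really distinguishes the two. The CA name (demo-ca), the scratch directory and the unencrypted CA key are assumptions of this demo; the book's CA key is passphrase-protected.

```shell
# Added example (not from the book): issue a client certificate the way
# steps 1-5 do, against a throwaway CA, and check the result.
# Assumptions: demo-ca name, mktemp scratch dir, unencrypted CA key.

# Prints "ok" and returns 0 when the certificate issued with client-ext.cnf
# chains to the CA and carries the clientAuth EKU, while a certificate signed
# without the extension file (the mistake step 4 prevents) does not carry it.
issue_and_verify_client_cert() {
  work=$(mktemp -d) || return 1
  (
    set -e
    cd "$work"

    # Throwaway CA: private key and self-signed certificate
    openssl genrsa -out ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -key ca-key.pem -subj '/CN=demo-ca' -days 1 -out ca.pem

    # Steps 1-3: client private key, owner-only permissions, and the CSR
    openssl genrsa -out key.pem 2048 2>/dev/null
    chmod 600 key.pem
    openssl req -new -key key.pem -subj '/CN=client' -out client.csr

    # Step 4: extension file marking the certificate for client authentication
    echo 'extendedKeyUsage = clientAuth' > client-ext.cnf

    # Step 5: issue the client certificate with the extension file...
    openssl x509 -req -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
      -extfile client-ext.cnf -in client.csr -days 1 -out cert.pem 2>/dev/null
    # ...and, for comparison only, one signed without it
    openssl x509 -req -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
      -in client.csr -days 1 -out cert-noext.pem 2>/dev/null

    # Check 1: the key's permission bits are exactly rw------- (step 2)
    [ "$(ls -l key.pem | cut -c1-10)" = "-rw-------" ]

    # Check 2: the certificate chains to our CA
    openssl verify -CAfile ca.pem cert.pem >/dev/null

    # Check 3: only the certificate issued with client-ext.cnf carries the EKU
    openssl x509 -in cert.pem -noout -text | grep -q 'TLS Web Client Authentication'
    if openssl x509 -in cert-noext.pem -noout -text | grep -q 'TLS Web Client Authentication'; then
      echo "certificate signed without client-ext.cnf should not carry clientAuth" >&2
      exit 1
    fi
  )
  status=$?
  rm -rf "$work"
  [ "$status" -eq 0 ] && echo ok
  return "$status"
}
```

The same three checks can be pointed at the real files once the steps above are done, for example `openssl verify -CAfile ~/.docker/ca.pem ~/.docker/cert.pem` and `openssl x509 -in ~/.docker/cert.pem -noout -text | grep 'TLS Web Client Authentication'`; a certificate that fails either one is rejected by a daemon started with --tlsverify before `docker info` ever reaches it.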