Docker for Java: configuring Docker's TCP port on CentOS 7

On the server, run cat /etc/redhat-release to check the OS version. Quick Docker installation:

Installing Docker from the stock yum repository

yum list installed | grep docker
yum -y install docker
docker ps
systemctl start docker
sudo curl -L https://github.com/docker/compose/releases/download/1.28.2/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
docker-compose version

Edit the Docker service file to open the TCP port

vi /usr/lib/systemd/system/docker.service

Find the ExecStart= line and change its arguments:

ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:1457 -H unix:///var/run/docker.sock

Note: this article uses port 1457

Contents of the original file:

[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target
Wants=docker-storage-setup.service
Requires=docker-cleanup.timer

[Service]
Type=notify
NotifyAccess=main
EnvironmentFile=-/run/containers/registries.conf
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
Environment=DOCKER_HTTP_HOST_COMPAT=1
Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
ExecStart=/usr/bin/dockerd-current \
          --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
          --default-runtime=docker-runc \
          --exec-opt native.cgroupdriver=systemd \
          --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
          --init-path=/usr/libexec/docker/docker-init-current \
          --seccomp-profile=/etc/docker/seccomp.json \
          $OPTIONS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $ADD_REGISTRY \
          $BLOCK_REGISTRY \
          $INSECURE_REGISTRY \
          $REGISTRIES
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=0
Restart=on-abnormal
KillMode=process

[Install]
WantedBy=multi-user.target

Modified file, for reference

[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target
Wants=docker-storage-setup.service
Requires=docker-cleanup.timer

[Service]
Type=notify
NotifyAccess=main
EnvironmentFile=-/run/containers/registries.conf
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
Environment=DOCKER_HTTP_HOST_COMPAT=1
Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
ExecStart=/usr/bin/dockerd-current -H tcp://0.0.0.0:1457 -H unix:///var/run/docker.sock \
          --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
          --default-runtime=docker-runc \
          --exec-opt native.cgroupdriver=systemd \
          --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
          --init-path=/usr/libexec/docker/docker-init-current \
          --seccomp-profile=/etc/docker/seccomp.json \
          $OPTIONS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $ADD_REGISTRY \
          $BLOCK_REGISTRY \
          $INSECURE_REGISTRY \
          $REGISTRIES
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=0
Restart=on-abnormal
KillMode=process

[Install]
WantedBy=multi-user.target

Now reload the systemd configuration:

systemctl daemon-reload

Restart Docker:

systemctl restart docker

Check that the port is listening

netstat -an |grep 1457

Test the connection from a remote client:

Note: the client also needs Docker installed

docker -H tcp://IP:1457 ps
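A daemon that answers on tcp:// without --tlsverify hands root-equivalent control of the host to anyone who can reach the port, so the unit-file edit above is worth checking mechanically before the port is opened. The following POSIX shell audit is an added example, not part of the original post: it folds the backslash-continued ExecStart= directive of a docker.service file onto one line, reports every tcp:// listener that is not protected by --tlsverify, and also flags a unix:// socket URL written with two slashes instead of three (an easy typo in this file). The sample unit files it writes for the demo are constructed here and not copied from a real server.

```shell
#!/bin/sh
# Added example (not from the original post): audit a docker.service unit file
# for a TCP listener that accepts unauthenticated connections.
# Usage: sh audit_docker_unit.sh demo      (runs against two constructed files)
#        . ./audit_docker_unit.sh; audit_docker_unit /usr/lib/systemd/system/docker.service

audit_docker_unit() {   # $1 = path to a systemd unit file; returns 0 if clean, 1 if findings
    unit="$1"
    # Fold the backslash-continued ExecStart= directive onto one line so every
    # flag is visible to the checks below.
    execstart=$(awk '/^ExecStart=/ { p = 1 }
                     p { cont = ($0 ~ /\\$/); sub(/[ \t]*\\$/, "", $0)
                         printf "%s ", $0; if (!cont) exit }' "$unit")
    if [ -z "$execstart" ]; then
        echo "ERROR: no ExecStart= directive in $unit"
        return 2
    fi
    status=0
    set -f   # split on whitespace only; no pathname expansion of words like $OPTIONS
    for word in $execstart; do
        case "$word" in
            tcp://*)
                case " $execstart" in
                    *" --tlsverify=false"*)
                        echo "RISK: $word has TLS verification explicitly disabled"; status=1 ;;
                    *" --tlsverify"*)
                        echo "OK:   $word requires a client certificate (--tlsverify)" ;;
                    *)
                        echo "RISK: $word accepts unauthenticated connections (no --tlsverify)"; status=1 ;;
                esac ;;
            unix:///*)
                echo "OK:   $word" ;;
            unix://*)
                echo "BUG:  $word is missing a slash (expected unix:///path)"; status=1 ;;
        esac
    done
    set +f
    return $status
}

# Writes a constructed unit file (not a real server's) with the given ExecStart
# first line, continued over several lines the way the real file is.
make_sample_unit() {   # $1 = output path, $2 = ExecStart value (first line)
    cat > "$1" <<EOF
[Unit]
Description=Docker Application Container Engine

[Service]
Type=notify
ExecStart=$2 \\
          --exec-opt native.cgroupdriver=systemd \\
          \$OPTIONS
ExecReload=/bin/kill -s HUP \$MAINPID

[Install]
WantedBy=multi-user.target
EOF
}

if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_sample_unit "$dir/plain.service" \
        '/usr/bin/dockerd-current -H tcp://0.0.0.0:1457 -H unix://var/run/docker.sock'
    make_sample_unit "$dir/tls.service" \
        '/usr/bin/dockerd-current -H tcp://0.0.0.0:1457 -H unix:///var/run/docker.sock --tlsverify --tlscacert=/etc/docker/docker-ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem'
    for f in "$dir"/*.service; do
        echo "== $f"
        if audit_docker_unit "$f"; then echo "result: clean"; else echo "result: findings"; fi
    done
    rm -rf "$dir"
fi
```

The audit only looks at the unit file, so run it again after systemctl daemon-reload; a leftover drop-in under /etc/systemd/system/docker.service.d/ can override ExecStart= and would need the same check.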

Next, connecting to the Docker daemon with certificates

1. Make sure openssl is installed on the server

which openssl

2. Choose a directory to hold the certificates; this article uses the default docker directory

ls /etc/docker

3. Enter the directory

cd /etc/docker

4. Generate the CA key file (the passphrase is entered twice)

openssl genrsa -des3 -out docker-key.pem

5. Create the CA certificate

openssl req -new -x509 -days 365 -key docker-key.pem -out docker-ca.pem

6. Enter the passphrase and the other requested details at the prompts

7. Now the CA can be used to create the certificate and key for Docker

(1) Generate the server key

openssl genrsa -des3 -out server-key.pem

Note: remember the passphrase you enter here

(2) Create a CSR file with the server key

openssl req -new -key server-key.pem -out server.csr

Note: for the Common Name field (the name resolved through DNS), entering * means all servers can use this certificate

(3) Sign the CSR and generate the server certificate

openssl x509 -req -days 365 -in server.csr -CA docker-ca.pem -CAkey docker-key.pem -out server-cert.pem

Note: this asks for the passphrase set when docker-key.pem was generated

(4) If you do not want to enter the passphrase every time the Docker daemon starts, strip it from the key

openssl rsa -in server-key.pem -out server-key.pem

(5) Restrict the file permissions (permission settings as recommended by other users)

chmod 0600 /etc/docker/server-key.pem /etc/docker/server-cert.pem /etc/docker/docker-key.pem /etc/docker/docker-ca.pem

8. Configure Docker to use the certificates, editing ExecStart= as in the setup without certificates

ExecStart=/usr/bin/dockerd-current -H tcp://0.0.0.0:1457 --tlsverify --tlscacert=/etc/docker/docker-ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem

9. Create the client certificate and key

openssl genrsa -des3 -out client-key.pem
openssl req -new -key client-key.pem -out client.csr

10. Add the extended key usage attribute for client SSL authentication

echo extendedKeyUsage = clientAuth > extfile.cnf

11. Sign the client certificate

openssl x509 -req -days 365 -in client.csr -CA docker-ca.pem -CAkey docker-key.pem -out client-cert.pem -extfile extfile.cnf

12. Download docker-ca.pem, client-cert.pem and client-key.pem

Create the directory locally

mkdir ~/.docker
cp docker-ca.pem ~/.docker/ca.pem
cp client-key.pem ~/.docker/key.pem
cp client-cert.pem ~/.docker/cert.pem
chmod 0600 ~/.docker/key.pem ~/.docker/cert.pem

Connect

docker -H=IP:1457 --tlsverify ps