# Automatically generate Docker TLS certificate script


Automatically generates a Docker TLS certificate set (CA, server and client) so that remote, cross-host Docker connections are encrypted and mutually authenticated rather than exposed over plain TCP.

## How to use

### 1. Edit the script and set the required values

Open `auto-tls.sh` with vi/vim and set the variables at the top of the file. Example:

```sh
# configure IP (required): the address clients will use to reach the daemon;
# it is written into the server certificate, so it must match what you connect to
ip="127.0.0.1"

# configure password (required): passphrase protecting the CA private key
password="any"

# configure filename (required): prefix of the generated tar archives
filename="tls"

# certificate validity in days (default)
days=1000
```

### 2. Configure the Docker daemon

Running the script produces two tar archives:

- `tls-server.tar.gz` (CA certificate, server certificate and server key; stays on the Docker host)
- `tls-client.tar.gz` (CA certificate, client certificate and client key; copied to the machine that will connect)

The daemon can be pointed at the server certificates in either of two ways:

#### 1) Modify the daemon.json file

```sh
$ cd /etc/docker/
$ vi daemon.json
```

JSON does not allow comments, so each value below is the full path to the corresponding file extracted from `tls-server.tar.gz`:

```json
{
  "tlsverify": true,
  "tlscacert": "/etc/<cert path>/ca-xxx.pem",
  "tlscert": "/etc/<cert path>/server-cert-xxx.pem",
  "tlskey": "/etc/<cert path>/server-key-xxx.pem",
  "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
}
```

```sh
$ systemctl daemon-reload
$ systemctl restart docker
```

TIPS: If Docker fails to restart, the usual cause is that `hosts` is now set in `daemon.json` while the systemd unit still passes `-H fd://` on the command line; dockerd refuses to start when the same option is given in both places. Edit the `docker.service` file, located at `/usr/lib/systemd/system/docker.service`, and drop the command-line arguments:

```ini
# ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
# modify to:
ExecStart=/usr/bin/dockerd
```

#### 2) Modify docker.service

Leave `daemon.json` alone and pass the TLS options directly on the `ExecStart` line:

```sh
$ vi /usr/lib/systemd/system/docker.service
```

```ini
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/<cert path> --tlscert=/etc/<cert path> --tlskey=/etc/<cert path> -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
```

```sh
$ systemctl daemon-reload
$ systemctl restart docker
```

### 3. Connection method

Copy `tls-client.tar.gz` to the client machine, extract it, and connect using the client certificate. With `--tlsverify` the client checks the server certificate against `ca.pem`, and the daemon in turn only accepts clients presenting a certificate signed by the same CA:

```sh
$ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://ip:2375 ps
```