diff options
author | Cédric Ollivier <cedric.ollivier@orange.com> | 2017-11-09 06:05:06 +0100 |
---|---|---|
committer | Cédric Ollivier <cedric.ollivier@orange.com> | 2017-11-09 13:42:11 +0100 |
commit | 0705a7ed15f090b3be64f2995d1c9fff51edc2f1 (patch) | |
tree | 813d03b2a9a8ab18ee30348eaef7f606b4378bdd /docker/docker_remote_api/docs/TLS-intro.rst | |
parent | 112944292c7935e43d978312c633a3bbf16e0559 (diff) |
Remove the former Dockerfile
opnfv/functest had been split into multiple containers based on
Alpine (See Docker Slicing [1]) during Euphrates.
As ARM is being switching to them, we can safely remove the related
files.
[1] https://git.opnfv.org/functest/tree/docs/com/pres/dockerslicing/dockerslicing.md?h=stable/euphrates
Change-Id: I30294a94cc742ba80a7bc4f35db9330240385bb0
Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
Diffstat (limited to 'docker/docker_remote_api/docs/TLS-intro.rst')
-rw-r--r-- | docker/docker_remote_api/docs/TLS-intro.rst | 107 |
1 files changed, 0 insertions, 107 deletions
diff --git a/docker/docker_remote_api/docs/TLS-intro.rst b/docker/docker_remote_api/docs/TLS-intro.rst deleted file mode 100644 index 44fdd4ae..00000000 --- a/docker/docker_remote_api/docs/TLS-intro.rst +++ /dev/null @@ -1,107 +0,0 @@ -Encrypt the docker remote API via TLS for Ubuntu and CentOS - -[Introduction] -The Docker daemon can listen to Docker Remote API requests via three types of -Socket: unix, tcp and fd. By default, a unix domain socket (or IPC socket) is -created at /var/run/docker.sock, requiring either root permission, or docker -group membership. - -Port 2375 is conventionally used for un-encrypted communition with Docker daemon -remotely, where docker server can be accessed by any docker client via tcp socket -in local area network. You can listen to port 2375 on all network interfaces with --H tcp://0.0.0.0:2375, where 0.0.0.0 means any available IP address on host, and -tcp://0.0.0.0:2375 indicates that port 2375 is listened on any IP of daemon host. -If we want to make docker server open on the Internet via TCP port, and only trusted -clients have the right to access the docker server in a safe manner, port 2376 for -encrypted communication with the daemon should be listened. It can be achieved to -create certificate and distribute it to the trusted clients. - -Through creating self-signed certificate, and using --tlsverify command when running -Docker daemon, Docker daemon opens the TLS authentication. Thus only the clients -with related private key files can have access to the Docker daemon's server. As -long as the key files for encryption are secure between docker server and client, -the Docker daemon can keep secure. -In summary, -Firstly we should create docker server certificate and related key files, which -are distributed to the trusted clients. -Then the clients with related key files can access docker server. - -[Steps] -1.0. Create a CA, server and client keys with OpenSSL. - OpenSSL is used to generate certificate, and can be installed as follows. - apt-get install openssl openssl-devel - -1.1 First generate CA private and public keys. - openssl genrsa -aes256 -out ca-key.pem 4096 - openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem - - You are about to be asked to enter information that will be incorporated - into your certificate request, where the instance of $HOST should be replaced - with the DNS name of your Docker daemon's host, here the DNS name of my Docker - daemon is ly. - Common Name (e.g. server FQDN or YOUR name) []:$HOST - -1.2 Now we have a CA (ca-key.pem and ca.pem), you can create a server key and -certificate signing request. - openssl genrsa -out server-key.pem 4096 - openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr - -1.3 Sign the public key with our CA. - TLS connections can be made via IP address as well as DNS name, they need to be - specified when creating the certificate. - - echo subjectAltName = IP:172.16.10.121,IP:127.0.0.1 > extfile.cnf - openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \ - -CAcreateserial -out server-cert.pem -extfile extfile.cnf - -1.4 For client authentication, create a client key and certificate signing request. - openssl genrsa -out key.pem 4096 - openssl req -subj '/CN=client' -new -key key.pem -out client.csr - -1.5 To make the key suitable for client authentication, create an extensions config file. - echo extendedKeyUsage = clientAuth > extfile.cnf - -1.6 Sign the public key and after generating cert.pem and server-cert.pem, two certificate - signing requests can be removed. - openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \ - -CAcreateserial -out cert.pem -extfile extfile.cnf - -1.7 In order to protect your keys from accidental damage, you may change file modes to - be only readable. - chmod -v 0400 ca-key.pem key.pem server-key.pem - chmod -v 0444 ca.pem server-cert.pem cert.pem - -1.8 Build docker server - dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem \ - -H=0.0.0.0:2376 - Then, it can be seen from the command 'netstat -ntlp' that port 2376 has been listened - and the Docker daemon only accept connections from clients providing a certificate - trusted by our CA. - -1.9 Distribute the keys to the client - scp /etc/docker/ca.pem wwl@172.16.10.121:/etc/docker - scp /etc/docker/cert.pem wwl@172.16.10.121:/etc/docker - scp /etc/docker/key.pem wwl@172.16.10.121:/etc/docker - Where, wwl and 172.16.10.121 is the username and IP of the client respectively. - And the password of the client is needed when you distribute the keys to the client. - -1.10 To access Docker daemon from the client via keys. - docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem \ - -H=$HOST:2376 version - - Then we can operate docker in the Docker daemon from the client vis keys, for example: - 1) create container from the client - docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=ly:2376 run -d \ - -it --name w1 grafana/grafana - 2) list containers from the client - docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=ly:2376 pa -a - 3) stop/start containers from the client - docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=ly:2376 stop w1 - docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=ly:2376 start w1 - - - - - - - |