Problem description
If DOCKER_TLS_VERIFY, DOCKER_HOST and DOCKER_CERT_PATH are not set on Ubuntu, what are the defaults to export the vars by myself (I'm not using Docker Machine)?
ps aux | grep "docker daemon"
returns this:
root 1828 2.4 0.5 764036 44804 ? Ssl 21:32 0:01 /usr/bin/docker daemon --raw-logs
alexzei+ 6557 0.0 0.0 15948 2268 pts/15 S+ 21:33 0:00 grep --color=auto docker daemon
Recommended answer
The default values are unset and the docker cli defaults to using /var/run/docker.sock and/or systemd. However, from your comment to ldg, you have an app that requires these to be set, which would indicate that it wants you to configure TLS on your host for remote access. Here are the steps to configure the TLS keys:
# work in a secure folder
mkdir docker-ca && chmod 700 docker-ca && cd docker-ca
# generate a key pair for the CA
openssl genrsa -aes256 -out ca-key.pem 2048
# setup CA certificate
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
# make sure to set CN
Server certificate
# generate a new host key pair
openssl genrsa -out myserver-key.pem 2048
# generate certificate signing request (CSR)
openssl req -subj "/CN=myserver" -new -key myserver-key.pem -out myserver.csr
# setup extfile for ip's to allow
echo "subjectAltName = IP:$myserver_ip, IP:127.0.0.1" >extfile.cnf
# sign the key by the CA
openssl x509 -req -days 365 -in myserver.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out myserver-cert.pem -extfile extfile.cnf
# test server by updating service:
/usr/bin/docker daemon -H fd:// -H tcp://0.0.0.0:2376 --tlsverify \
--tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/myserver-cert.pem \
--tlskey=/etc/docker/myserver-key.pem
You'll need to update your OS startup script for Docker to have the above in it (-H unix:/var/run/docker.sock would be used in place of -H fd:// if you don't have systemd).
In ".docker" you can add: "ca.pem, key.pem, cert.pem" and then export DOCKER_TLS_VERIFY=1
# create a client key pair
openssl genrsa -out client-key.pem 2048
# generate csr for client key
openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
# configure request to support client
echo extendedKeyUsage = clientAuth >extfile.cnf
# sign the client key with the CA
openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out client-cert.pem -extfile extfile.cnf
# test client with
docker --tlsverify \
--tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem \
-H=tcp://127.0.0.1:2376 info
Then DOCKER_CERT_PATH would be the folder with your certificates, e.g. /home/user/.docker.
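As an added example (not part of the answer above), a small Python helper that resolves the three variables to the CLI's defaults when they are unset and sanity-checks the resulting TLS setup: the default values and the rule that any non-empty DOCKER_TLS_VERIFY enables verification are assumptions based on the docker CLI's documented behaviour, and the certificate files in demo() are constructed placeholders, not real keys.

```python
import os
import stat
import tempfile
from pathlib import Path

# Files the docker CLI expects in DOCKER_CERT_PATH when DOCKER_TLS_VERIFY is set
REQUIRED_FILES = ("ca.pem", "cert.pem", "key.pem")

def resolve_docker_env(env, home):
    """Resolve the three variables the way the docker CLI does when they are unset
    (assumption: unix socket, TLS off, certs under ~/.docker, per documented CLI defaults)."""
    return {
        "host": env.get("DOCKER_HOST") or "unix:///var/run/docker.sock",
        # any non-empty value enables verification, not only "1"
        "tls_verify": bool(env.get("DOCKER_TLS_VERIFY")),
        "cert_path": env.get("DOCKER_CERT_PATH") or os.path.join(home, ".docker"),
    }

def check_tls_setup(settings):
    """Return a list of problems with the resolved settings; an empty list means OK."""
    problems = []
    if settings["tls_verify"]:
        for name in REQUIRED_FILES:
            path = Path(settings["cert_path"]) / name
            if not path.is_file():
                problems.append(f"missing {path}")
            elif name == "key.pem" and path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append("key.pem is readable by group/others")
    elif settings["host"].startswith("tcp://"):
        # a tcp endpoint without TLS exposes the daemon to anyone who can reach the port
        problems.append("tcp:// host without DOCKER_TLS_VERIFY")
    return problems

def demo():
    """Constructed scenario: a temporary home with placeholder ca/cert/key under .docker."""
    home = tempfile.mkdtemp()
    certdir = Path(home) / ".docker"
    certdir.mkdir()
    for name in REQUIRED_FILES:
        (certdir / name).write_text("-----BEGIN CONSTRUCTED PLACEHOLDER-----\n")
    os.chmod(certdir / "key.pem", 0o600)  # private key must not be world-readable
    return {
        "unset": resolve_docker_env({}, home),
        "tls_ok": check_tls_setup(resolve_docker_env(
            {"DOCKER_HOST": "tcp://127.0.0.1:2376", "DOCKER_TLS_VERIFY": "1"}, home)),
        "plain_tcp": check_tls_setup(resolve_docker_env(
            {"DOCKER_HOST": "tcp://127.0.0.1:2375"}, home)),
        "missing": check_tls_setup(resolve_docker_env(
            {"DOCKER_TLS_VERIFY": "1", "DOCKER_CERT_PATH": os.path.join(home, "nowhere")}, home)),
    }
```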