Accessing the docker-desktop for Mac API on port 2376 with TLS / SSL using socat

Time: 2019-05-24 21:28:31

Tags: docker ssl unix-socket socat docker-desktop

For Mac OSX docker-desktop, the docker daemon tcp port of the internal xhyve / bhyve HyperKit VM (which runs the docker daemon) is not exposed to the host (my Mac laptop).

Preferences -> Daemon -> Advanced:

{
  "experimental" : false,
  "tlskey" : "/path/to/certs/docker-server-tls-key.pem",
  "tls" : true,
  "tlscert" : "/path/to/certs/docker-server-tls-cert.pem",
  "tlscacert" : "/path/to/certs/docker-ca-cert.pem",
  "debug" : true
}

Following https://github.com/docker/for-mac/issues/770, I successfully accessed the docker API over the insecure port 2375 through a socat container, as follows:

UNSECURE_PORT=2375
docker run --name socat$UNSECURE_PORT --restart always -d \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -p 0.0.0.0:$UNSECURE_PORT:$UNSECURE_PORT \
    bobrik/socat \
        TCP-LISTEN:$UNSECURE_PORT,fork UNIX-CONNECT:/var/run/docker.sock

But I have to access the API over the secure tls / ssl port 2376.

I generated self-signed certificates and tried to adapt the above to my needs, but I am doing something wrong.

Any ideas?

My latest attempt was this:

SECURE_PORT=2376
CERTSDIR="/path/to/certs"
TLSCACERT="docker-ca-cert.pem"
TLSCERT="docker-server-tls-cert.pem"
TLSKEY="docker-server-tls-key.pem"
docker run --name socat$SECURE_PORT --restart always -d \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v $CERTSDIR:/certs \
    -p 0.0.0.0:$SECURE_PORT:$SECURE_PORT \
    bobrik/socat \
        openssl-listen:$SECURE_PORT,fork,reuseaddr,cert=/certs/$TLSCERT,cafile=/certs/$TLSCACERT,key=/certs/$TLSKEY UNIX-CONNECT:/var/run/docker.sock

$ cd /path/to/certs
$ docker --tls --tlscacert=docker-ca-cert.pem --tlscert=docker-server-tls-cert.pem --tlskey=docker-server-tls-key.pem   -H 0.0.0.0:2376 version
Client: Docker Engine - Community
 Version:           18.09.2
 API version:       1.39
 Go version:        go1.10.8
 Git commit:        6247962
 Built:             Sun Feb 10 04:12:39 2019
 OS/Arch:           darwin/amd64
 Experimental:      true
error during connect: Get https://0.0.0.0:2376/v1.39/version: remote error: tls: handshake failure

Any ideas or other things to try would be greatly appreciated!


EDIT

OK, there seems to be a problem with my self-signed certificate:

error during connect: Get https://0.0.0.0:2376/v1.39/version: x509: cannot validate certificate for 0.0.0.0 because it doesn't contain any IP SANs

So I generated new self-signed certificates using the following commands:

CN=my.dev
echo subjectAltName = DNS:www.my.dev,DNS:*.my.dev,IP:127.0.0.1,IP:0.0.0.0 >> extfile.cnf

But now I get this error:

$ docker --tls --tlsverify --tlscacert=docker-ca-cert.pem --tlscert=docker-server-tls-cert.pem --tlskey=docker-server-tls-key.pem   -H 0.0.0.0:2376 version

error during connect: Get https://0.0.0.0:2376/v1.39/version: x509: certificate is not authorized to sign other certificates
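Added example, not from the original post: the two errors above come from the certificate material, not from socat. The first needs the dialled IP in subjectAltName; the second means the CA certificate is not marked as a CA (basicConstraints CA:TRUE). The script below builds such a CA, signs a server certificate with IP/DNS SANs, and checks the same properties the docker client validates. The certificate directory, CA name and host name are assumed values.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a CA that is allowed to
# sign, then a server certificate with SANs, using only classic openssl
# options so it works on older OpenSSL/LibreSSL. Paths/names are assumptions.
set -eu

make_docker_certs() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # 1. CA key + self-signed CA cert. Without CA:TRUE the client reports
  #    "certificate is not authorized to sign other certificates".
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca-ext.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=docker-ca" \
    -keyout "$dir/docker-ca-key.pem" -out "$dir/ca.csr" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$dir/ca.csr" -signkey "$dir/docker-ca-key.pem" \
    -extfile "$dir/ca-ext.cnf" -out "$dir/docker-ca-cert.pem" 2>/dev/null
  # 2. Server key + CSR, signed by the CA. Every name or IP the client dials
  #    with -H must appear in subjectAltName, or x509 validation fails.
  printf 'subjectAltName=DNS:%s,IP:127.0.0.1\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$host" > "$dir/server-ext.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/docker-server-tls-key.pem" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" \
    -CA "$dir/docker-ca-cert.pem" -CAkey "$dir/docker-ca-key.pem" -CAcreateserial \
    -extfile "$dir/server-ext.cnf" -out "$dir/docker-server-tls-cert.pem" 2>/dev/null
}

# Returns 0 only if the CA is a real CA, the server cert carries the IP SAN,
# and the server cert chains to the CA (the checks the docker client performs).
verify_docker_certs() {
  dir="$1"
  openssl x509 -in "$dir/docker-ca-cert.pem" -noout -text | grep -q 'CA:TRUE' || return 1
  openssl x509 -in "$dir/docker-server-tls-cert.pem" -noout -text \
    | grep -q 'IP Address:127.0.0.1' || return 1
  openssl verify -CAfile "$dir/docker-ca-cert.pem" "$dir/docker-server-tls-cert.pem" >/dev/null 2>&1
}

# Stand-alone usage: ./make-certs.sh /path/to/certs my.dev  (assumed paths)
if [ "$#" -eq 2 ]; then
  make_docker_certs "$1" "$2"
  verify_docker_certs "$1" && echo "certificates in $1 pass CA and SAN checks"
fi
```

The generated files use the same names as the daemon configuration at the top of the post, so they can be mounted into the socat container as shown there.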

0 answers:

No answers