如何在docker-machine中为机器设置TLS证书 [英] How to set TLS Certificates for a machine in docker-machine

问题描述

我想做什么:

我将dockerd在一台机器上运行，并且TLS验证设置为true.我想将此主机添加为 docker-machine

中的计算机

我所做的事情:

我使用以下命令启动dockerd:

  $ sudo dockerd -D --tls = true --tlscert = cert.pem --tlskey = key.pem -H tcp://172.19.48.247:2376 

在第二台计算机上，我获得了以下变量:

  export DOCKER_HOST = tcp://172.19.48.247:2376导出DOCKER_TLS_VERIFY = 1导出DOCKER_CERT_PATH =/path/to/ssl 

并成功运行docker命令:

  $ docker run busybox回声你好你好 

然后我添加了该主机docker-machine:

  docker-machine create --driver none --url = tcp://172.19.48.247:2376 dockerhost 

我要去哪里了

我现在收到 x509:证书由未知授权机构签名错误.

  $ docker-machine ls名称活动的驱动程序状态URL SWARM DOCKER错误未知dockerhost-无正在运行tcp://172.19.48.247:2376未知无法查询docker版本:获取https://172.19.48.247:2376/v1.15/version:x509:证书由未知授权机构签名 

我尝试使用 docker-machine config ，但这不起作用:

  $ docker-machine config dockerhost --tlsverify --tlscacert = ca.pem --tlscert = cert.pem --tlskey = key.pem -H tcp://172.19.48.247:2376使用方法不正确.用法:docker-machine config [OPTIONS] [arg ...]打印机器的连接配置描述:参数是机器名称.选项:--swarm显示Swarm配置而不是Docker守护程序提供但未定义的标志:-tlsverify 

解决方案

默认情况下，无驱动程序将配置为使用在〜/.docker/machine 中找到的TLS证书.这不一定是必需的，因为如果远程Docker主机的证书不是在该位置获得的ca.pem签名的，则将遇到错误.

我在此处找到了解决方法的引用经过测试，它肯定可以正常工作.这是我遵循的步骤:

  docker-machine create -d none --url tcp://remotedocker.example.com:2376 remotedocker 

这将创建以下目录:

 <代码>〜/.docker/machine/machines/remotedocker 

该目录内有一个名为 config.json 的文件.编辑该文件，然后将".docker/machine/certs"的每个实例更改为".docker/machine/machines/remotedocker"

通常，当您远程访问Docker时，只需要访问 ca.pem ， cert.pem 和 key.pem 文件.据我所知， none 驱动程序可能不会使用 config.json 中引用的其他文件，因为 regenerate-certs 没有由 none 实施.

您将需要复制ca.pem和key.pem文件

此时，您应该能够运行 docker-machine config remotedocker 或 eval"$(docker-machine env remotedocker)" 并使用远程守护程序成功.

What I want to do:

I have dockerd running on one machine with TLS verify set to true. I would like to add this host as a machine in docker-machine

What I have done:

I used the following command to start dockerd:

$ sudo dockerd -D --tls=true --tlscert=cert.pem --tlskey=key.pem -H tcp://172.19.48.247:2376

On a second machine I sourced the following variables:

export DOCKER_HOST=tcp://172.19.48.247:2376                                                                                 
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH=/path/to/ssl

and ran docker command succesfully:

$ docker run busybox echo hello
hello

Then I added this host docker-machine:

docker-machine create --driver none --url=tcp://172.19.48.247:2376 dockerhost

Where I am going wrong:

I am getting a x509: certificate signed by unknown authority error now.

$ docker-machine ls
NAME        ACTIVE   DRIVER       STATE     URL                        SWARM   DOCKER    ERRORS                                     Unknown   
dockerhost   -        none         Running   tcp://172.19.48.247:2376           Unknown   Unable to query docker version: Get https://172.19.48.247:2376/v1.15/version: x509: certificate signed by unknown authority

I tried using the docker-machine config but that doesnt work:

$ docker-machine config dockerhost --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://172.19.48.247:2376
Incorrect Usage.

Usage: docker-machine config [OPTIONS] [arg...]

Print the connection config for machine

Description:
   Argument is a machine name.

Options:

   --swarm  Display the Swarm config instead of the Docker daemon
flag provided but not defined: -tlsverify

解决方案

By default, the none driver will be configured to use the TLS certs found at ~/.docker/machine. This isn't necessarily what is needed, because you'll run into the error you've run into if your remote Docker host has a certificate signed by something other than the ca.pem that you've got at that location.

I've found a reference to a workaround here that I tested and it definitely seems to work. Here are the steps I followed:

docker-machine create -d none --url tcp://remotedocker.example.com:2376 remotedocker

This creates the following directory:

~/.docker/machine/machines/remotedocker

Inside that directory is a file called config.json. Edit that file, and change every instance of ".docker/machine/certs" to ".docker/machine/machines/remotedocker"

Normally, when you access Docker remotely, it only needs to have access to the ca.pem, cert.pem and key.pem files. As far as I can tell, the other files referenced in config.json will likely not get used by the none driver because regenerate-certs is not implemented by none.

You will need to copy in the ca.pem and key.pem files

At this point, you should be able to run docker-machine config remotedocker, or eval "$(docker-machine env remotedocker)" and use your remote daemon successfully.

这篇关于如何在docker-machine中为机器设置TLS证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！