How to set TLS certificates for a machine in docker-machine
Problem description
What I want to do:
I have dockerd running on one machine with TLS verify set to true. I would like to add this host as a machine in docker-machine.
What I have done:
I used the following command to start dockerd:
$ sudo dockerd -D --tls=true --tlscert=cert.pem --tlskey=key.pem -H tcp://172.19.48.247:2376
On a second machine I sourced the following variables:
export DOCKER_HOST=tcp://172.19.48.247:2376
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH=/path/to/ssl
and ran a docker command successfully:
$ docker run busybox echo hello
hello
Then I added this host to docker-machine:
docker-machine create --driver none --url=tcp://172.19.48.247:2376 dockerhost
Where I am going wrong:
I am getting an "x509: certificate signed by unknown authority" error now.
$ docker-machine ls
NAME         ACTIVE   DRIVER   STATE     URL                          SWARM   DOCKER    ERRORS
dockerhost   -        none     Running   tcp://172.19.48.247:2376             Unknown   Unable to query docker version: Get https://172.19.48.247:2376/v1.15/version: x509: certificate signed by unknown authority
I tried using docker-machine config, but that doesn't work:
$ docker-machine config dockerhost --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://172.19.48.247:2376
Incorrect Usage.
Usage: docker-machine config [OPTIONS] [arg...]
Print the connection config for machine
Description:
Argument is a machine name.
Options:
--swarm Display the Swarm config instead of the Docker daemon
flag provided but not defined: -tlsverify
By default, the none driver will be configured to use the TLS certs found at ~/.docker/machine. This isn't necessarily what is needed, because you'll run into the error you've run into if your remote Docker host has a certificate signed by something other than the ca.pem that you've got at that location.
I've found a reference to a workaround here that I tested and it definitely seems to work. Here are the steps I followed:
docker-machine create -d none --url tcp://remotedocker.example.com:2376 remotedocker
This creates the following directory:
~/.docker/machine/machines/remotedocker
Inside that directory is a file called config.json. Edit that file, and change every instance of ".docker/machine/certs" to ".docker/machine/machines/remotedocker".
Normally, when you access Docker remotely, it only needs to have access to the ca.pem, cert.pem and key.pem files. As far as I can tell, the other files referenced in config.json will likely not get used by the none driver because regenerate-certs is not implemented by none.
You will need to copy in the ca.pem and key.pem files.
At this point, you should be able to run docker-machine config remotedocker, or eval "$(docker-machine env remotedocker)", and use your remote daemon successfully.
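The procedure in the answer above, as an added worked example that is not code from the question, the answer or the docker-machine project: it applies the config.json edit the answer describes to the path fields only, copies the CA that actually signed the remote daemon's certificate (plus the client cert and key) into the machine's own directory, and then runs the checks a practitioner would want before trusting `docker-machine env`. The config.json layout is reconstructed from the HostOptions.AuthOptions fields docker-machine writes and the machine name `remotedocker` is taken from the answer; the PEM contents and the temporary store are constructed placeholders, so the script runs offline.

```python
"""Repoint a docker-machine `none` entry at the remote daemon's own TLS material.

Added example, not code from the original question or answer. The AuthOptions
field names are reconstructed from docker-machine's config.json; PEM contents
used below are constructed placeholders, not real certificates.
"""
import json
import os
import shutil
import stat
import tempfile

CERT_FILES = ("ca.pem", "cert.pem", "key.pem")


def repoint_auth_options(config, shared_certs_dir, machine_dir):
    """Return a copy of config in which every AuthOptions path under
    shared_certs_dir (docker-machine's own CA and client pair) now lives under
    machine_dir. Only path values are rewritten; Driver URL etc. are untouched."""
    new = json.loads(json.dumps(config))
    auth = new["HostOptions"]["AuthOptions"]
    for key, value in auth.items():
        if not isinstance(value, str):
            continue
        if value == shared_certs_dir or value.startswith(shared_certs_dir + os.sep):
            auth[key] = machine_dir + value[len(shared_certs_dir):]
    return new


def install_certs(source_dir, machine_dir):
    """Copy ca.pem, cert.pem and key.pem into machine_dir; keep the private key
    owner-only (0600) so other local users cannot reuse the client identity."""
    os.makedirs(machine_dir, exist_ok=True)
    dests = {}
    for name in CERT_FILES:
        dest = os.path.join(machine_dir, name)
        shutil.copyfile(os.path.join(source_dir, name), dest)
        dests[name] = dest
    os.chmod(dests["key.pem"], stat.S_IRUSR | stat.S_IWUSR)
    return dests


def check_machine_certs(config):
    """Return a list of problems (empty means the entry is usable):
    a `none` machine still trusting docker-machine's own CA under
    <StorePath>/certs (the cause of the x509 error), a missing client-side
    file, or a client key readable by group/others."""
    auth = config["HostOptions"]["AuthOptions"]
    problems = []
    own_ca_dir = os.path.join(auth["StorePath"], "certs")
    if config.get("DriverName") == "none" and auth["CaCertPath"].startswith(own_ca_dir):
        problems.append("CaCertPath is docker-machine's own CA, not the CA that signed the remote daemon's cert")
    for key in ("CaCertPath", "ClientCertPath", "ClientKeyPath"):
        if not os.path.isfile(auth[key]):
            problems.append(f"{key} does not exist: {auth[key]}")
    key_path = auth["ClientKeyPath"]
    if os.path.isfile(key_path) and os.stat(key_path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"ClientKeyPath is readable by group/others: {key_path}")
    return problems


def demo():
    """Build a throwaway machine store, apply the fix, run the checks.
    Returns (fixed config, problems before, problems after)."""
    root = tempfile.mkdtemp()
    try:
        store = os.path.join(root, ".docker", "machine")
        shared = os.path.join(store, "certs")
        machine = os.path.join(store, "machines", "remotedocker")
        remote_ssl = os.path.join(root, "ssl")  # stands in for the /path/to/ssl that works with plain docker
        for d in (shared, machine, remote_ssl):
            os.makedirs(d)
        for d in (shared, remote_ssl):  # constructed placeholder PEMs
            for name in CERT_FILES:
                with open(os.path.join(d, name), "w") as f:
                    f.write(f"-----BEGIN PLACEHOLDER {name} in {os.path.basename(d)}-----\n")
        config = {  # constructed; mirrors what `docker-machine create -d none` writes
            "Driver": {"URL": "tcp://remotedocker.example.com:2376", "MachineName": "remotedocker"},
            "DriverName": "none",
            "HostOptions": {"AuthOptions": {
                "CertDir": shared,
                "CaCertPath": os.path.join(shared, "ca.pem"),
                "CaPrivateKeyPath": os.path.join(shared, "ca-key.pem"),
                "ClientCertPath": os.path.join(shared, "cert.pem"),
                "ClientKeyPath": os.path.join(shared, "key.pem"),
                "ServerCertPath": os.path.join(machine, "server.pem"),
                "ServerKeyPath": os.path.join(machine, "server-key.pem"),
                "StorePath": store,
            }},
            "Name": "remotedocker",
        }
        before = check_machine_certs(config)
        fixed = repoint_auth_options(config, shared, machine)
        install_certs(remote_ssl, machine)
        with open(os.path.join(machine, "config.json"), "w") as f:
            json.dump(fixed, f, indent=2)
        after = check_machine_certs(fixed)
        return fixed, before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    fixed_cfg, problems_before, problems_after = demo()
    print("before:", problems_before)
    print("after:", problems_after or "OK")
    print(json.dumps(fixed_cfg["HostOptions"]["AuthOptions"], indent=2))
```

Two points worth keeping in mind when using this against a real ~/.docker/machine: the fix keeps DOCKER_TLS_VERIFY=1 and simply makes the machine trust the right CA, which is the correct response to this x509 error; never work around it by turning verification off. Separately, the dockerd line in the question uses --tls=true without --tlsverify and --tlscacert, so that daemon presents a certificate but does not authenticate its clients, and anyone who can reach port 2376 has root-equivalent control of the host; client certificates only protect the daemon when it is started with --tlsverify.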