Use Docker's remote API in a secure manner


Problem description

I am trying to find an effective way to use the docker remote API in a secure way. I have a docker daemon running in a remote host, and a docker client on a different machine. I need my solution to not be client/server OS dependent, so that it would be relevant to any machine with a docker client/daemon etc.

So far, the only way I found to do such a thing is to create certs on a Linux machine with openssl and copy the certs to the client/server manually, as in this example:

https://docs.docker.com/engine/security/https/

and then configure docker on both sides to use the certificates for encryption and authentication.

This method is rather clunky in my opinion, because sometimes it's a problem to copy files and put them on each machine I want to use the remote API from.

I am looking for something more elegant.

Another solution I've found is using a proxy for basic HTTP authentication, but in this method the traffic is not encrypted and it is not really secure that way.

Does anyone have a suggestion for a different solution or for a way to improve one of the above?

Answer

Based on your comments, I would suggest you go with Ansible if you don't need the swarm functionality and require only single host support. Ansible only requires SSH access which you probably already have available.

It's very easy to use an existing service that's defined in Docker Compose or you can just invoke your shell scripts in Ansible. No need to expose the Docker daemon to the external world.

A very simple example file (playbook.yml)

- hosts: all
  tasks:
  - name: setup container
    docker_container:
      name: helloworld
      image: hello-world

Run the playbook: ansible-playbook -i username@mysshhost.com, playbook.yml

Ansible provides pretty much all of the functionality you need to interact with Docker via its module system:

docker_service
    Use your existing Docker compose files to orchestrate containers on a single Docker daemon or on Swarm. Supports compose versions 1 and 2.
docker_container
    Manages the container lifecycle by providing the ability to create, update, stop, start and destroy a container.
docker_image
    Provides full control over images, including: build, pull, push, tag and remove.
docker_image_facts
    Inspects one or more images in the Docker host's image cache, providing the information as facts for making decisions or assertions in a playbook.
docker_login
    Authenticates with Docker Hub or any Docker registry and updates the Docker Engine config file, which in turn provides password-free pushing and pulling of images to and from the registry.
docker (dynamic inventory)
    Dynamically builds an inventory of all the available containers from a set of one or more Docker hosts.
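As an added example (not part of the original question or answer), the check below reads a daemon.json, the file form of the same dockerd settings the linked TLS guide sets as flags, and reports every tcp:// listener that is not protected by client-verified TLS; it makes concrete why a plaintext tcp port is an exposure in the same sense as the unencrypted proxy the question mentions, and why the answer's SSH/Ansible route, which leaves the daemon on its unix socket, produces no findings. The sample configurations and certificate paths are constructed for the example.

```python
import json
from typing import List
from urllib.parse import urlsplit

# Binds that expose the listener on every interface of the host.
WILDCARD_BINDS = {"", "0.0.0.0", "::"}


def audit_daemon_config(daemon_json: str) -> List[str]:
    """Return one finding per tcp:// listener that lacks mutually authenticated TLS."""
    cfg = json.loads(daemon_json)
    findings = []
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])
    tls = bool(cfg.get("tls", False))
    tlsverify = bool(cfg.get("tlsverify", False))  # --tlsverify implies --tls
    have_certs = all(k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    for host in hosts:
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// are local; socket permissions guard them
        bind = parts.hostname or ""
        where = "all interfaces" if bind in WILDCARD_BINDS else bind
        if not tls and not tlsverify:
            findings.append(f"{host}: plaintext API on {where}; anyone who can reach it gets root-equivalent control")
        elif not tlsverify:
            findings.append(f"{host}: TLS encrypts the channel but does not authenticate clients (tlsverify is false)")
        elif not have_certs:
            findings.append(f"{host}: tlsverify is set but tlscacert/tlscert/tlskey are not all configured")
    return findings


# Constructed sample configs (not from the original post); paths are placeholders.
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, audit_daemon_config(cfg) or ["no findings"])
```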
