Managing remote docker machines from multiple development machines


Problem description

Can the docker machines created from one developer workstation using docker-machine commands be managed from another workstation? I am not looking for a solution involving docker swarm, but just docker machine.

From my understanding when docker-machine creates the machine on a remote environment like AWS EC2, it creates keys and certs which are then used for TLS based communication to the machine going forward. Therefore, in theory if I copy those keys and certs to another developer machine I should be able to connect to that remote docker machine.

However, I would like to know if that is the expected method to accomplish what I am looking to do. IMO this will be a scenario most of the docker community might be facing since multiple team members will need to share and manage the same remote docker machine.

Any guidance in this matter would be really appreciated.

Recommended answer

By using TLS based communication, docker is utilizing two-way SSL verification. In other words, not only does the client verify the server but also the other way round. By creating a docker machine with TLS enabled, you are becoming your own Certificate Authority (CA), and thus you are responsible for managing the SSL certificates. Docker machine does this behind the scenes, but I believe you can manually set up a self-signed CA and repoint Docker to use the certs and keys you set up. Thus, instead of sharing a single certificate and key with all developer workstations, issue a unique certificate and private key for every developer, signed by the CA private key. The only thing that has to be shared by everyone is the CA certificate, which is public.

The advantage of this is that you can revoke a certificate, say, once a developer leaves, although this is difficult with self-signed certificates, and it allows accountability where you can check who did what from the logs.

Docker TLS setup

Be your own CA tutorial and certificate revocation
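
The per-developer issuance the answer describes, sketched with the `openssl` CLI. This is an added example, not part of the original answer; the developer names (`alice`, `bob`), the certificate lifetimes and the scratch directory are assumptions.

```shell
#!/usr/bin/env bash
# Added example: one CA, one client certificate and key per developer.
# Developer names, lifetimes and the scratch directory are assumptions.
set -eu

PKI_DIR="$(mktemp -d)"   # scratch dir; a real CA key belongs on a protected host

# Create the team CA once. ca-key.pem is never handed to developers.
make_ca() {
  openssl genrsa -out "$PKI_DIR/ca-key.pem" 4096 2>/dev/null
  openssl req -new -x509 -days 365 -sha256 -subj "/CN=team-docker-ca" \
    -key "$PKI_DIR/ca-key.pem" -out "$PKI_DIR/ca.pem"
}

# Issue a certificate usable only for TLS client auth; the CN names the developer.
issue_client_cert() {
  dev="$1"
  openssl genrsa -out "$PKI_DIR/$dev-key.pem" 2048 2>/dev/null
  openssl req -new -subj "/CN=$dev" -key "$PKI_DIR/$dev-key.pem" \
    -out "$PKI_DIR/$dev.csr"
  printf 'extendedKeyUsage = clientAuth\n' > "$PKI_DIR/$dev-ext.cnf"
  openssl x509 -req -days 90 -sha256 -in "$PKI_DIR/$dev.csr" \
    -CA "$PKI_DIR/ca.pem" -CAkey "$PKI_DIR/ca-key.pem" -CAcreateserial \
    -extfile "$PKI_DIR/$dev-ext.cnf" -out "$PKI_DIR/$dev-cert.pem" 2>/dev/null
  rm -f "$PKI_DIR/$dev.csr" "$PKI_DIR/$dev-ext.cnf"
}

# Succeeds only if the certificate chains to the team CA and allows client auth.
verify_client_cert() {
  openssl verify -purpose sslclient -CAfile "$PKI_DIR/ca.pem" "$1" >/dev/null 2>&1
}

# Print the subject, i.e. the identity the daemon side sees for this client.
cert_subject() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

make_ca
issue_client_cert alice
issue_client_cert bob
verify_client_cert "$PKI_DIR/alice-cert.pem" && echo "alice: $(cert_subject "$PKI_DIR/alice-cert.pem")"
verify_client_cert "$PKI_DIR/bob-cert.pem"   && echo "bob:   $(cert_subject "$PKI_DIR/bob-cert.pem")"
```

Each developer receives only `ca.pem` plus their own `<name>-cert.pem` and `<name>-key.pem`, and passes them to the Docker client with `--tlsverify --tlscacert --tlscert --tlskey`.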
