Last active
June 8, 2019 21:39
-
-
Save alekc/2313610587d703ceb077e735e6e4033d to your computer and use it in GitHub Desktop.
create secure tls docker
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash/ | |
| apt-get update && apt-get install -y \ | |
| apt-transport-https \ | |
| ca-certificates \ | |
| curl \ | |
| sudo \ | |
| gnupg2 \ | |
| software-properties-common | |
| curl -fsSL get.docker.com | sh | |
| echo "Installing docker-compose" | |
| curl -L "https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose | |
| chmod +x /usr/local/bin/docker-compose | |
| #echo "Installing firehol and NetData" | |
| #apt-get install -y zlib1g-dev uuid-dev libmnl-dev gcc make git autoconf autogen automake pkg-config traceroute ipset curl nodejs zip unzip jq ulogd autoconf-archive | |
| #wget https://raw.githubusercontent.com/firehol/netdata-demo-site/master/install-all-firehol.sh | |
| #chmod +x install-all-firehol.sh | |
| #./install-all-firehol.sh | |
| DOCKER_SSL_PATH=/etc/docker/ssl | |
| CERT_PATH=~/.docker | |
| mkdir -p $DOCKER_SSL_PATH | |
| mkdir -p $CERT_PATH | |
| docker run --rm -v $DOCKER_SSL_PATH:/server \ | |
| -v $CERT_PATH:/certs \ | |
| -e CA_SUBJECT="xxxxxxxxxxxxxxxxxxx" \ | |
| -e CA_EXPIRE="1825" \ | |
| -e SSL_EXPIRE="365" \ | |
| -e SSL_SUBJECT="dns.xxxxxxxxx.com" \ | |
| -e SSL_DNS="dns.xxxxxxxxx.com" \ | |
| -e SSL_KEY=/server/key.pem \ | |
| -e SSL_CERT=/server/cert.pem \ | |
| -e SSL_IP=127.0.0.1,xxx.yyy.zzz.xxx \ | |
| -e SILENT="true" \ | |
| superseb/omgwtfssl | |
| cp $CERT_PATH/ca.pem $DOCKER_SSL_PATH/ca.pem | |
| mkdir /etc/systemd/system/docker.service.d/ | |
| cat <<EOT >> /etc/systemd/system/docker.service.d/custom.conf | |
| [Service] | |
| ExecStart= | |
| ExecStart=/usr/bin/dockerd -H unix:// -H tcp://0.0.0.0:2376 | |
| EOT | |
| systemctl daemon-reload | |
| cat <<EOT >> /etc/docker/daemon.json | |
| { | |
| "tlsverify": true, | |
| "tlscacert": "${DOCKER_SSL_PATH}/ca.pem", | |
| "tlscert" : "${DOCKER_SSL_PATH}/cert.pem", | |
| "tlskey" : "${DOCKER_SSL_PATH}/key.pem", | |
| "dns" : ["8.8.8.8","8.8.4.4"], | |
| "ipv6" : false | |
| } | |
| EOT | |
| systemctl restart docker | |
| docker -H tcp://127.0.0.1:2376 info | |
| export DOCKER_HOST=tcp://127.0.0.1:2376 | |
| export DOCKER_TLS_VERIFY=1 | |
| export DOCKER_CERT_PATH=~/.docker | |
| docker info |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment