Docker Note
1. Install docker
ubuntu18 ip
apt-get install docker.io
2. Basic docker commands
docker info
docker images
docker ps
Save a container (commit it as an image)
docker commit <CONTAINER ID> name
Start a container
docker run -d -it --privileged -p 8888:8888 -p 8001:8001 name
Enter a container
docker exec -it <CONTAINER ID> bash
Check which ports are open
netstat -ntpl
Make services start automatically; two ways:
1. Edit the .bashrc file
vi /root/.bashrc
For example:
/etc/init.d/bt start
/etc/init.d/httpd start
/etc/init.d/php-fpm-73 start
2.systemctl enable <server_name>
Stop all containers
docker stop $(docker ps -aq)
Save an image
docker save -o rocketmq.tar rocketmq  # -o: specifies the file the image is saved to; rocketmq.tar: the local file name; rocketmq: the image name, as listed by "docker images"
Load an image
docker load -i xxxx.tar
Delete an image
docker rmi -f image_id  # -f: force removal of the image; image_id: the image id
3. Docker remote access configuration
3.1 Enable remote access
vim /lib/systemd/system/docker.service
Find the [Service] section, edit the ExecStart line and add:
-H tcp://0.0.0.0:2375
Restart the service:
systemctl daemon-reload
systemctl restart docker
Open http://ip:2375/version to verify
3.2 Configure secure authentication
3.2.1 Create the CA private key and CA public key
On the machine running the Docker daemon, create the CA private key and public key
cd /root
openssl rand -writerand .rnd
openssl genrsa -aes256 -out ca-key.pem 4096
xxx   (passphrase entered at the prompt)
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
xxx cn sd jn jn VM-12-15-ubuntu VM-12-15-ubuntu gxx@126.com   (answers to the prompts: passphrase, country, province, city, organization, unit, common name, email)
This produces the files ca-key.pem and ca.pem
3.2.2 Generate the server key and certificate signing request
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=175.24.178.93" -sha256 -new -key server-key.pem -out server.csr
Configure the whitelist of allowed addresses (subjectAltName)
echo subjectAltName = IP:175.24.178.93,IP:0.0.0.0 >> extfile.cnf
Run the following to set the extended key usage of the Docker daemon key to server authentication only
echo extendedKeyUsage = serverAuth >> extfile.cnf
Run the following to generate the signed certificate
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf
3.2.3 Generate the client key and certificate
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=125.122.124.36' -new -key key.pem -out client.csr
openssl req -subj '/CN=115.195.175.69' -new -key key.pem -out client.csr
echo extendedKeyUsage = clientAuth >> extfile-client.cnf  # separate extension file: extfile.cnf already holds serverAuth for the server certificate
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out cert.pem -extfile extfile-client.cnf
3.2.4 Modify the permissions of the related files
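The certificate procedure of 3.2.1 to 3.2.4 carried through end to end, as an added example that is not part of the note. It runs the same openssl steps non-interactively in one directory, writes clientAuth into its own extension file so it does not collide with the serverAuth line in extfile.cnf, applies the file permissions that 3.2.4 leaves unstated (private keys owner-read-only, certificates world-readable), and checks that both certificates chain to the CA with the intended key usage. The directory, the IP addresses and the CA name are constructed placeholders; unlike the note, the CA key is generated without -aes256 so no passphrase prompt appears, so on a real daemon host keep the passphrase.

```shell
#!/bin/sh
# Added example (not from the original note): sections 3.2.1 to 3.2.4 in one go.
# All paths, IPs and names below are constructed placeholders.
set -eu

# make_docker_pki DIR DAEMON_IP CLIENT_IP [BITS]
# Produces ca.pem/ca-key.pem, server-cert.pem/server-key.pem and cert.pem/key.pem in DIR.
make_docker_pki() {
    dir="$1"; host_ip="$2"; client_ip="$3"; bits="${4:-4096}"
    mkdir -p "$dir"
    (
        cd "$dir"
        # 3.2.1 CA key and self-signed CA certificate (no -aes256 here, see lead-in)
        openssl genrsa -out ca-key.pem "$bits" 2>/dev/null
        openssl req -new -x509 -days 365 -key ca-key.pem -sha256 \
            -subj "/CN=docker-ca" -out ca.pem
        # 3.2.2 server key, CSR, SAN whitelist plus serverAuth, signed by the CA
        openssl genrsa -out server-key.pem "$bits" 2>/dev/null
        openssl req -subj "/CN=$host_ip" -sha256 -new -key server-key.pem -out server.csr
        printf 'subjectAltName = IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
            "$host_ip" > extfile.cnf
        openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
            -CAcreateserial -out server-cert.pem -extfile extfile.cnf 2>/dev/null
        # 3.2.3 client key and certificate; clientAuth lives in its own extension file
        # so it does not collide with the serverAuth line already in extfile.cnf
        openssl genrsa -out key.pem "$bits" 2>/dev/null
        openssl req -subj "/CN=$client_ip" -new -key key.pem -out client.csr
        printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
        openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
            -CAcreateserial -out cert.pem -extfile extfile-client.cnf 2>/dev/null
        # 3.2.4 private keys readable only by their owner, certificates world-readable
        chmod 0400 ca-key.pem server-key.pem key.pem
        chmod 0444 ca.pem server-cert.pem cert.pem
        rm -f server.csr client.csr
    )
}

# verify_docker_pki DIR: returns 0 when both certificates chain to ca.pem, carry the
# key usage they were meant to have, and the server cert has an IP SAN; 1 otherwise.
verify_docker_pki() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" "$dir/cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server-cert.pem" -noout -text \
        | grep -q 'TLS Web Server Authentication' || return 1
    openssl x509 -in "$dir/cert.pem" -noout -text \
        | grep -q 'TLS Web Client Authentication' || return 1
    # the daemon address must be a SAN, otherwise a verifying client rejects the connection
    openssl x509 -in "$dir/server-cert.pem" -noout -text | grep -q 'IP Address:' || return 1
    return 0
}

# file_mode FILE: print the symbolic permission string, e.g. -r--------
file_mode() {
    ls -l "$1" | cut -c1-10
}

# Usage: make_docker_pki /usr/local/dockerca 175.24.178.93 115.195.175.69 && verify_docker_pki /usr/local/dockerca
```

The two signing calls share -CAcreateserial: the first creates ca.srl, the second reuses it. For step 3.2.6, the standard connection check with these files is `curl --cacert ca.pem --cert cert.pem --key key.pem https://<daemon ip>:2376/version`; the same request without the client certificate must be rejected once --tlsverify is in place.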
3.2.5 Reconfigure and restart the service
Note: port 2376 must be set, otherwise
vim /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/usr/local/dockerca/ca.pem --tlscert=/usr/local/dockerca/server-cert.pem --tlskey=/usr/local/dockerca/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock
systemctl daemon-reload
systemctl restart docker
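The ExecStart line from 3.1 exposes the daemon API on tcp://0.0.0.0:2375 with no authentication at all; the line in 3.2.5 replaces it with a listener that requires a client certificate. As an added example that is not part of the note, the audit below reads the unit-file text and returns non-zero when any tcp:// listener lacks the --tlsverify, --tlscacert, --tlscert and --tlskey flags, so a leftover 3.1 configuration is caught before the daemon is restarted. The sample unit lines in the usage are constructed from the two ExecStart variants in this note.

```shell
#!/bin/sh
# Added example (not from the original note): audit dockerd's ExecStart for an
# unauthenticated TCP listener. Input is the unit-file text passed as one argument.

# execstart_args: print the arguments that follow the dockerd binary on ExecStart lines
execstart_args() {
    sed -n 's/^ExecStart=[^ ]*dockerd//p'
}

# audit_dockerd_unit UNIT_TEXT
# Returns 0 if the unit has no tcp:// listener, or if every listener is protected by
# --tlsverify together with a CA certificate, server certificate and key. Returns 1 otherwise.
audit_dockerd_unit() {
    args="$(printf '%s\n' "$1" | execstart_args)"
    # no tcp:// host at all: the API is only reachable through the local socket
    case "$args" in
        *tcp://*) ;;
        *) return 0 ;;
    esac
    # a remote listener needs all four TLS flags from section 3.2.5
    for flag in --tlsverify --tlscacert= --tlscert= --tlskey=; do
        case "$args" in
            *"$flag"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Usage against the live unit file:
#   audit_dockerd_unit "$(cat /lib/systemd/system/docker.service)" && echo OK || echo EXPOSED
```

Run it before `systemctl daemon-reload`; a non-zero exit means the ExecStart line still matches the 3.1 form and the daemon would come back up reachable without a certificate.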
3.2.6 Verify the docker connection
For details see
https://www.cnblogs.com/niceyoo/p/13270224.html
ip /usr/local/ca
Password is xxx
AU
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
echo subjectAltName = IP:175.24.178.93,IP:127.0.0.1 >> extfile.cnf
4. Access the Docker Remote API from Python
Manual
https://docker-py.readthedocs.io/en/stable/index.html
Chinese reference
https://blog.csdn.net/a203778513/article/details/88707356
import docker
import requests
import random

# Add this line to silence the insecure-request warning
requests.packages.urllib3.disable_warnings()

# verify=True makes docker-py actually use ca_cert to check the server certificate;
# without it the CA file is ignored and the server is not verified
tls_config = docker.tls.TLSConfig(ca_cert="./cert/ca.pem",
                                  client_cert=("./cert/cert.pem", './cert/key.pem'),
                                  verify=True)
client = docker.DockerClient(base_url='https://175.24.178.93:2376', tls=tls_config)
client.containers.run('tp_rce:latest', command='/bin/bash',
                      detach=True, tty=True, stdin_open=True, cpuset_cpus='0,1', cpu_shares=2,
                      cpu_period=10000, mem_limit='512m',
                      oom_kill_disable=True, privileged=True,
                      ports={
                          '8001/tcp': x  # x: host port to publish; left as a placeholder in the note
                      })