docker daemon mode & tls

2023-01-12  偷油考拉

daemon mode

tcp:// -> TCP connection to 127.0.0.1; port 2376 when TLS is enabled, port 2375 for plaintext.
tcp://host:2375 -> TCP connection to host:2375
tcp://host:2375/path -> TCP connection to host:2375, with path prepended to all requests
unix://path/to/socket -> Unix socket, with the socket at path/to/socket

sudo dockerd -H tcp://127.0.0.1:2375 -H unix:///var/run/docker.sock &

Example:

[root@harbor ~]# dockerd -H tcp:// 
INFO[2022-08-16T00:16:39.956170852+08:00] Starting up                                  
WARN[2022-08-16T00:16:39.960460670+08:00] Binding to IP address without --tlsverify is insecure and gives root access on this machine to everyone who has access to your network.  host="tcp://localhost:2375"
WARN[2022-08-16T00:16:39.960500100+08:00] Binding to an IP address, even on localhost, can also give access to scripts run in a browser. Be safe out there!  host="tcp://localhost:2375"
INFO[2022-08-16T00:16:40.966803061+08:00] parsed scheme: "unix"                         module=grpc
INFO[2022-08-16T00:16:40.966869034+08:00] scheme "unix" not registered, fallback to default scheme  module=grpc
INFO[2022-08-16T00:16:40.966914957+08:00] ccResolverWrapper: sending update to cc: {[{unix:///run/containerd/containerd.sock  <nil> 0 <nil>}] <nil> <nil>}  module=grpc
INFO[2022-08-16T00:16:40.966947401+08:00] ClientConn switching balancer to "pick_first"  module=grpc
INFO[2022-08-16T00:16:40.973137568+08:00] parsed scheme: "unix"                         module=grpc
INFO[2022-08-16T00:16:40.973175281+08:00] scheme "unix" not registered, fallback to default scheme  module=grpc
INFO[2022-08-16T00:16:40.973201668+08:00] ccResolverWrapper: sending update to cc: {[{unix:///run/containerd/containerd.sock  <nil> 0 <nil>}] <nil> <nil>}  module=grpc
INFO[2022-08-16T00:16:40.973216361+08:00] ClientConn switching balancer to "pick_first"  module=grpc
INFO[2022-08-16T00:16:40.991689843+08:00] [graphdriver] using prior storage driver: overlay2 
INFO[2022-08-16T00:16:41.202437009+08:00] Loading containers: start.                   
INFO[2022-08-16T00:16:41.230780696+08:00] Firewalld: docker zone already exists, returning 
INFO[2022-08-16T00:16:41.707660531+08:00] Firewalld: interface docker0 already part of docker zone, returning 
INFO[2022-08-16T00:16:41.760673912+08:00] Firewalld: interface docker0 already part of docker zone, returning 
INFO[2022-08-16T00:16:42.101350623+08:00] Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address 
INFO[2022-08-16T00:16:42.233490138+08:00] Firewalld: interface docker0 already part of docker zone, returning 
INFO[2022-08-16T00:16:42.366557998+08:00] Loading containers: done.                    
INFO[2022-08-16T00:16:42.424528745+08:00] Docker daemon                                 commit=a89b842 graphdriver(s)=overlay2 version=20.10.17
INFO[2022-08-16T00:16:42.424644223+08:00] Daemon has completed initialization          
INFO[2022-08-16T00:16:42.455568279+08:00] API listen on 127.0.0.1:2375   

Client connection

[root@harbor system]# docker -H :2375 ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES

daemon mode with TLS

Start the daemon

 dockerd -H :2376 --tls --tlscert /data/tls/server-cert.pem --tlskey /data/tls/server-key.pem --tlscacert /data/tls/ca.pem
[root@harbor ~]# dockerd -H :2376 --tls --tlscert /data/tls/server-cert.pem --tlskey /data/tls/server-key.pem --tlscacert /data/tls/ca.pem 
INFO[2022-08-16T22:53:54.492328269+08:00] Starting up                                  
INFO[2022-08-16T22:53:54.499845381+08:00] parsed scheme: "unix"                         module=grpc
INFO[2022-08-16T22:53:54.499905168+08:00] scheme "unix" not registered, fallback to default scheme  module=grpc
INFO[2022-08-16T22:53:54.499951288+08:00] ccResolverWrapper: sending update to cc: {[{unix:///run/containerd/containerd.sock  <nil> 0 <nil>}] <nil> <nil>}  module=grpc
INFO[2022-08-16T22:53:54.499980758+08:00] ClientConn switching balancer to "pick_first"  module=grpc
INFO[2022-08-16T22:53:54.507336170+08:00] parsed scheme: "unix"                         module=grpc
INFO[2022-08-16T22:53:54.507391553+08:00] scheme "unix" not registered, fallback to default scheme  module=grpc
INFO[2022-08-16T22:53:54.507434300+08:00] ccResolverWrapper: sending update to cc: {[{unix:///run/containerd/containerd.sock  <nil> 0 <nil>}] <nil> <nil>}  module=grpc
INFO[2022-08-16T22:53:54.507455357+08:00] ClientConn switching balancer to "pick_first"  module=grpc
INFO[2022-08-16T22:53:54.529733679+08:00] [graphdriver] using prior storage driver: overlay2 
INFO[2022-08-16T22:53:54.537409042+08:00] Loading containers: start.                   
INFO[2022-08-16T22:53:54.567828680+08:00] Firewalld: docker zone already exists, returning 
INFO[2022-08-16T22:53:54.975933928+08:00] Firewalld: interface docker0 already part of docker zone, returning 
INFO[2022-08-16T22:53:55.016530813+08:00] Firewalld: interface docker0 already part of docker zone, returning 
INFO[2022-08-16T22:53:55.297333481+08:00] Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address 
INFO[2022-08-16T22:53:55.439717695+08:00] Firewalld: interface docker0 already part of docker zone, returning 
INFO[2022-08-16T22:53:55.583709845+08:00] Loading containers: done.                    
INFO[2022-08-16T22:53:55.608869469+08:00] Docker daemon                                 commit=a89b842 graphdriver(s)=overlay2 version=20.10.17
INFO[2022-08-16T22:53:55.609086848+08:00] Daemon has completed initialization          
INFO[2022-08-16T22:53:55.639051690+08:00] API listen on 127.0.0.1:2376  

Client

[root@harbor ~]# docker -H :2376 --tls --tlscacert /data/tls/ca.pem --tlscert /data/tls/cert.pem --tlskey /data/tls/key.pem ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
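The two daemon start-ups above (plain `-H tcp://` and `-H :2376 --tls ...`) differ only in a few command-line switches, and the daemon's own WARN lines in the first log show why the difference matters. The following is an added example, not code from the original post or from Docker: a small audit that resolves each `-H` value the way the post describes (no host means 127.0.0.1; port 2375 without TLS, 2376 with it, `:2376` being shorthand for `tcp://:2376`, which the post's log confirms) and reports TCP listeners that are plaintext, that enable `--tls` without an explicit `--tlsverify`, or that bind a non-loopback address. The severity labels and the message texts are this example's own choices.

```python
"""Audit a dockerd command line for insecure remote-API listener settings.

Added example for this post; not part of the original post or of Docker.
-H values are resolved the way the post describes: an empty host is
127.0.0.1, and the default port is 2375 without TLS and 2376 with TLS.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

PLAINTEXT_PORT = 2375   # default when TLS is off
TLS_PORT = 2376         # default when TLS is on
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


@dataclass
class Listener:
    scheme: str            # "tcp" or "unix"
    host: str              # empty for unix sockets
    port: Optional[int]    # None for unix sockets
    path: str              # URL path prefix (tcp) or socket path (unix)


@dataclass
class Finding:
    severity: str          # "high" or "medium" (labels chosen for this example)
    listener: str          # "host:port" the finding refers to
    message: str


def parse_host(value: str, tls: bool) -> Listener:
    """Resolve one -H value to the address dockerd will listen on.

    Assumption taken from the post's logs: "-H :2376" is shorthand for
    tcp://:2376, and an empty host means 127.0.0.1.
    """
    if "://" not in value:
        value = "tcp://" + value
    u = urlsplit(value)
    if u.scheme == "unix":
        return Listener("unix", "", None, value[len("unix://"):])
    host = u.hostname or "127.0.0.1"
    port = u.port or (TLS_PORT if tls else PLAINTEXT_PORT)
    return Listener("tcp", host, port, u.path)


def split_args(argv: List[str]) -> Tuple[List[str], bool, bool]:
    """Pull -H/--host values and the --tls/--tlsverify switches out of dockerd arguments."""
    hosts: List[str] = []
    tls = tlsverify = False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host"):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tls", "--tls=true"):
            tls = True
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls = tlsverify = True          # --tlsverify implies --tls
        i += 1
    return hosts, tls, tlsverify


def audit(cmdline: str) -> List[Finding]:
    """Return findings for every TCP listener in a dockerd command line."""
    argv = shlex.split(cmdline)
    if argv and argv[0].endswith("dockerd"):
        argv = argv[1:]
    hosts, tls, tlsverify = split_args(argv)
    findings: List[Finding] = []
    for value in hosts:
        lst = parse_host(value, tls)
        if lst.scheme != "tcp":
            continue                        # unix sockets are governed by file permissions
        where = f"{lst.host}:{lst.port}"
        if not tls:
            findings.append(Finding("high", where,
                "plaintext TCP API: no encryption and no client authentication; as dockerd's "
                "own warning says, everyone who can reach this port gets root on the host"))
        elif not tlsverify:
            findings.append(Finding("medium", where,
                "--tls set but --tlsverify not given explicitly; whether a client certificate "
                "signed by --tlscacert is required then depends on the dockerd version, so set --tlsverify"))
        if lst.host not in LOOPBACK:
            findings.append(Finding("medium", where,
                "bound to a non-loopback address, so the API is reachable from the network"))
    return findings


if __name__ == "__main__":
    # The two command lines from the post, audited back to back.
    for cmd in (
        "dockerd -H tcp://",
        "dockerd -H :2376 --tls --tlscert /data/tls/server-cert.pem "
        "--tlskey /data/tls/server-key.pem --tlscacert /data/tls/ca.pem",
    ):
        print(cmd)
        for f in audit(cmd):
            print(f"  [{f.severity}] {f.listener}: {f.message}")
```

Run against the post's first command line, the audit reports the same condition the daemon itself warns about on start-up (a plaintext listener on 127.0.0.1:2375); against the second it reports only that `--tlsverify` was not set explicitly. A `unix://` listener produces no finding, since access to it is controlled by the socket's file permissions rather than by the network.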