Docker practice | Part 4: enabling TLS on the Docker daemon to fix the security hole caused by exposing port 2375, and the lessons from three virtual machines being hacked

I. Preface

There is a surprise at the end of the article!! I hope it helps~

In the previous article, IDEA integrates Docker plug-in to realize one click automatic packaging and deployment of micro service projects, the server's Docker API was opened for remote access on port 2375. That practice introduced a security problem. A kind reader already pointed it out in the comments of that article, but I took my chances and thought it would be fine for the time being.

Want to know why exposing 2375 is unsafe? Have a look at this expert's walkthrough of the actual attack (portal link). In short: the Docker API on port 2375 has no authentication at all, so anyone who can reach the port can start a container that mounts the host file system and run commands on the host as root.

At the time of writing, all three ECS instances that had port 2375 open had been compromised. On two Alibaba Cloud servers the root account was taken over: root is now a puppet emperor, a grand title with no power. The third, a UCloud server, was hijacked for cryptomining and its memory filled up. That means the environments have to be reinstalled; the only thing left to do is wash up and go to sleep. A person, unfortunately, cannot be reinstalled~

II. Practical operation

1. Set the host name

Edit /etc/hostname; the server host name used in this article is a.youlai.store

vi /etc/hostname

2. Generate the TLS certificates

Create the certificate generation script createcert.sh and place it in the /opt/sh directory

mkdir -p /opt/sh /opt/cert/docker
touch /opt/sh/createcert.sh
vim /opt/sh/createcert.sh

Add the following content to createcert.sh

#!/bin/bash
set -e
if [ -z "$1" ]; then
        echo "Usage: $0 <Docker server host name>"
        exit 1
fi
HOST=$1
mkdir -p /opt/cert/docker
cd /opt/cert/docker
# CA private key (you will be prompted for a passphrase) and self-signed CA certificate
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
# Server key and signing request; the CN is the host name clients will connect to
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
# subjectAltName is not an IP allow list: it lists the names and addresses a client is allowed
# to verify this certificate against. Use the host name (plus the server's real IP if clients
# will connect by IP); IP:0.0.0.0 matches nothing useful. Who may connect is decided by
# --tlsverify (a client certificate signed by this CA is mandatory) and by the firewall.
echo "subjectAltName = DNS:$HOST,IP:127.0.0.1" > extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
# Client key and certificate, restricted to client authentication
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo "extendedKeyUsage = clientAuth" > extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
rm -v client.csr server.csr extfile.cnf
# Private keys readable by root only; certificates world-readable
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem

Run the createcert.sh script; the generated certificates are placed in the /opt/cert/docker directory

# a.youlai.store is the host name of the server
bash /opt/sh/createcert.sh a.youlai.store

Enter the information at the prompts: the CA key passphrase must be typed identically each time it is asked for, and the other fields can be left blank. After the script finishes, the generated certificates are in /opt/cert/docker. Keep ca-key.pem on the server only; the client side needs just ca.pem, cert.pem and key.pem.
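As an added example (not the post's createcert.sh and not part of the youlai project), here is the same certificate set generated without interactive prompts, together with the checks I would run before wiring the files into docker.service: chain validity, the host name in the SAN, the serverAuth/clientAuth split and the key file modes. It assumes OpenSSL 1.1.1 or newer (for `x509 -ext`) and a GNU or busybox `stat`; the host name, the IP 203.0.113.10 and the output directory in the usage line are placeholders.

```shell
#!/bin/bash
# Added example, not the post's createcert.sh and not part of the youlai project: generate
# the same CA / server / client files without interactive prompts, then verify them before
# they are wired into docker.service. Assumes OpenSSL 1.1.1 or newer (for "x509 -ext") and
# GNU/busybox stat. The host name and the IP 203.0.113.10 in the usage line are placeholders.
set -eu

# gen_docker_certs DIR HOST IPS [BITS]
#   DIR   output directory (created if missing)
#   HOST  DNS name clients will use in https://HOST:2376
#   IPS   comma-separated IPs clients may dial instead, e.g. "203.0.113.10,127.0.0.1"
#   BITS  RSA key size (default 4096)
gen_docker_certs() {
    local dir=$1 host=$2 ips=$3 bits=${4:-4096} san ip
    mkdir -p "$dir"
    # subjectAltName lists every name or address a client may verify the server cert
    # against. It is not an allow list, which is why 0.0.0.0 makes no sense here.
    san="DNS:$host"
    for ip in $(printf '%s' "$ips" | tr ',' ' '); do san="$san,IP:$ip"; done
    (
        cd "$dir"
        # Self-contained req config so the result does not depend on the system openssl.cnf.
        # The CA key is left unencrypted so this can run unattended; file mode 0400 below
        # is its protection, and it must never leave the server.
        printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\nprompt = no\n' > req.cnf
        printf '[dn]\nCN = docker-ca-%s\n' "$host" >> req.cnf
        printf '[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' >> req.cnf
        openssl genrsa -out ca-key.pem "$bits" 2>/dev/null
        openssl req -new -x509 -days 365 -sha256 -key ca-key.pem -config req.cnf -out ca.pem
        # Server certificate: CN and SAN carry the host name, EKU limited to serverAuth.
        openssl genrsa -out server-key.pem "$bits" 2>/dev/null
        openssl req -new -sha256 -key server-key.pem -config req.cnf -subj "/CN=$host" -out server.csr
        printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$san" > server.ext
        openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
            -CAcreateserial -extfile server.ext -out server-cert.pem 2>/dev/null
        # Client certificate: EKU limited to clientAuth, so it cannot impersonate the daemon.
        openssl genrsa -out key.pem "$bits" 2>/dev/null
        openssl req -new -sha256 -key key.pem -config req.cnf -subj '/CN=client' -out client.csr
        printf 'extendedKeyUsage = clientAuth\n' > client.ext
        openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
            -CAcreateserial -extfile client.ext -out cert.pem 2>/dev/null
        rm -f req.cnf server.csr client.csr server.ext client.ext
        chmod 0400 ca-key.pem server-key.pem key.pem
        chmod 0444 ca.pem server-cert.pem cert.pem
    )
}

# verify_docker_certs DIR HOST
#   Returns 0 only if both leaf certs chain to ca.pem, the server cert's SAN contains HOST,
#   the EKUs are split correctly and every private key is owner-read-only.
verify_docker_certs() {
    local dir=$1 host=$2 key
    openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1 || return 1
    # Modern clients match the SAN, not the CN, so the host name must be in there.
    openssl x509 -in "$dir/server-cert.pem" -noout -ext subjectAltName \
        | grep -qF "DNS:$host" || return 1
    openssl x509 -in "$dir/server-cert.pem" -noout -ext extendedKeyUsage \
        | grep -qF 'TLS Web Server Authentication' || return 1
    openssl x509 -in "$dir/cert.pem" -noout -ext extendedKeyUsage \
        | grep -qF 'TLS Web Client Authentication' || return 1
    for key in ca-key.pem server-key.pem key.pem; do
        [ "$(stat -c %a "$dir/$key")" = 400 ] || return 1
    done
}

# Usage: ./gen-docker-certs.sh /opt/cert/docker a.youlai.store 203.0.113.10,127.0.0.1
if [ $# -ge 3 ]; then
    gen_docker_certs "$1" "$2" "$3" "${4:-4096}"
    verify_docker_certs "$1" "$2" || { echo "certificate verification FAILED" >&2; exit 1; }
    echo "certificates in $1 generated and verified"
fi
```

The verify step is the part worth keeping even if you stay with the post's interactive script: a server certificate whose SAN does not contain the name in `dockerHost`, or a client certificate that chains to the wrong CA, fails in IDEA with an opaque handshake error, and `openssl verify` plus the SAN check tells you which of the two it is.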

3. Configure Docker to enable TLS

vim /usr/lib/systemd/system/docker.service

Append the following to the ExecStart line. --tlsverify makes the daemon require a client certificate signed by ca.pem (--tls alone would only encrypt and still let anyone in). Make sure no -H tcp://0.0.0.0:2375 remains on the line, and do not set hosts in /etc/docker/daemon.json as well, because dockerd refuses to start when the same option is given both as a flag and in the configuration file. Note that /usr/lib/systemd/system/docker.service is replaced on package upgrades; a drop-in file under /etc/systemd/system/docker.service.d/ survives them. Port 2376 should additionally be restricted to your own IP in the cloud security group.

--tlsverify --tlscacert=/opt/cert/docker/ca.pem \
--tlscert=/opt/cert/docker/server-cert.pem \
--tlskey=/opt/cert/docker/server-key.pem \
-H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock

Reload the systemd configuration and restart Docker

systemctl daemon-reload 
systemctl restart docker

Check that port 2376 is listening and that 2375 no longer appears

netstat -nltp | grep -E '2375|2376'

Test locally whether the Docker API is reachable (the host name must resolve to this server, for example through /etc/hosts)

  • Access without a client certificate: the daemon must refuse the TLS handshake (curl reports an SSL/TLS error and no JSON comes back)
curl https://a.youlai.store:2376/info
  • Access with the client certificate: the daemon returns the JSON output of /info; --cacert also makes curl check that the server certificate was issued by our CA and matches the host name in its SAN
curl https://a.youlai.store:2376/info --cert /opt/cert/docker/cert.pem --key /opt/cert/docker/key.pem --cacert /opt/cert/docker/ca.pem
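An added example (not from the post) of the check I would script for the step above and re-run after every package upgrade: a function that reads a docker.service unit file, joins the backslash continuations the way systemd does, and prints a verdict for every `-H`/`--host` listener, failing when a network listener has no `--tlsverify` (the exact configuration that got these servers hacked) or has only `--tls`, which encrypts but does not authenticate the client. The unit-file snippets used in the usage note are constructed for the demo; the function does not parse daemon.json, so inspect that file separately if you use it.

```shell
#!/bin/bash
# Added example, not from the post: audit a docker.service unit file for the exposure this
# post is about (a TCP listener with no client-certificate check). The unit-file snippets in
# the usage note are constructed for the demo. daemon.json is not parsed here.
set -eu

# audit_execstart FILE
#   Joins systemd backslash continuations, takes the dockerd ExecStart= line and prints a
#   verdict per -H/--host listener. Returns 0 when every network listener requires a client
#   certificate (--tlsverify) or is loopback-only, 1 otherwise.
audit_execstart() {
    local file=$1 execstart hosts host port rc=0 tlsverify=0 tls=0
    execstart=$(sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$file" \
        | grep '^ExecStart=.*dockerd' | head -n 1)
    if [ -z "$execstart" ]; then
        echo "no dockerd ExecStart= line found in $file" >&2
        return 1
    fi
    # --tlsverify = encrypt and authenticate clients; --tls alone = encrypt only
    case " $execstart " in *" --tlsverify "*|*" --tlsverify=true "*) tlsverify=1 ;; esac
    case " $execstart " in *" --tls "*|*" --tls=true "*) tls=1 ;; esac
    # Collect every listener given as "-H x", "-H=x", "--host x" or "--host=x"
    hosts=$(printf '%s\n' "$execstart" | grep -oE '(-H|--host)[= ]+[^ ]+' \
        | sed -E 's/^(-H|--host)[= ]+//') || true
    for host in $hosts; do
        case $host in
            unix://*|fd://*)
                echo "OK      $host (local socket, not network-reachable)" ;;
            tcp://127.0.0.1:*|tcp://localhost:*)
                echo "OK      $host (loopback only)" ;;
            tcp://*)
                port=${host##*:}
                if [ "$tlsverify" -eq 1 ]; then
                    echo "OK      $host (client certificate required)"
                elif [ "$tls" -eq 1 ]; then
                    echo "UNSAFE  $host (--tls encrypts but does not authenticate clients; use --tlsverify)"
                    rc=1
                else
                    echo "UNSAFE  $host (plaintext, unauthenticated Docker API on port $port)"
                    rc=1
                fi ;;
            *)
                echo "CHECK   $host (unrecognised host spec)" ;;
        esac
    done
    return $rc
}

# Usage: ./audit-dockerd.sh /usr/lib/systemd/system/docker.service
if [ $# -ge 1 ]; then
    audit_execstart "$1"
fi
```

Run against the post's original configuration (`-H tcp://0.0.0.0:2375` with no TLS flags) the function prints an UNSAFE line and exits 1; against the ExecStart shown in this step it reports every listener as OK. Because the exit status carries the verdict, the same function drops straight into a cron job or a CI check.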

4. IDEA configuration

Download the client files ca.pem, cert.pem and key.pem from /opt/cert/docker on the server to the local machine. These three file names are what the Docker client libraries expect inside the certificate directory; do not copy ca-key.pem or server-key.pem off the server.

Modify the IDEA Docker connection configuration accordingly

pom.xml

<build>
    <plugins>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
        </plugin>
        <plugin>
            <groupId>com.spotify</groupId>
            <artifactId>docker-maven-plugin</artifactId>
            <version>1.0.0</version>
            <executions>
                <!-- Bind to the package phase, so that mvn package also runs docker:build -->
                <execution>
                    <id>build-image</id>
                    <phase>package</phase>
                    <goals>
                        <goal>build</goal>
                    </goals>
                </execution>
            </executions>

            <configuration>
                <!-- Image name -->
                <imageName>${project.artifactId}</imageName>
                <!-- Specify label -->
                <imageTags>
                    <imageTag>latest</imageTag>
                </imageTags>
                <!-- base image -->
                <baseImage>openjdk:8-jdk-alpine</baseImage>

                <!-- Switch to container working directory-->
                <workdir>/</workdir>

                <entryPoint>["java","-jar","${project.build.finalName}.jar"]</entryPoint>

                <!-- Remote Docker API address, now https on the TLS port 2376 -->
                <dockerHost>https://a.youlai.store:2376</dockerHost>
                <!-- Local directory holding the TLS client files ca.pem, cert.pem and key.pem -->
                <dockerCertPath>C:\certs\docker\a.youlai.store</dockerCertPath>

                <!-- Copy the jar into the image at the specified directory -->
                <resources>
                    <resource>
                        <targetPath>/</targetPath>
                        <!-- Root directory to copy from; ${project.build.directory} is the target directory -->
                        <directory>${project.build.directory}</directory>
                        <!-- Files to copy; ${project.build.finalName}.jar is the jar built into target -->
                        <include>${project.build.finalName}.jar</include>
                    </resource>
                </resources>
            </configuration>
        </plugin>
    </plugins>
</build>

Packaging test

You can see that the gateway application has been deployed to the server successfully. For the detailed steps, see Docker practice | Part 2: IDEA integrates docker plug-in to realize one click automatic packaging and deployment of micro service projects

III. Epilogue

There is actually not much to say. If port 2375 of the Docker API on an ECS instance is exposed, add TLS client-certificate authentication (and restrict the port in the security group); otherwise the chance of being hacked is very high. I am a living example. As of 1:30 a.m., the environment of the remaining machine still has not been restored. I'm tired~

If you have any questions, please leave a message below and reply as soon as you see it~

The real point of the article: getting the server hacked is no big deal, the key is what follows. youlai-mall is an open-source project (microservice architecture + front-end/back-end separation + WeChat mini program) that I put together after work. I hope it gives fellow developers a good open-source project to learn from; anyone interested is welcome to "play" with me (WeChat: haoxianrui)~

The following is a list of previous articles related to project development:

Back end

  1. Spring Cloud practice | Part 1: building the Nacos service on Windows
  2. Spring Cloud practice | Part 2: Spring Cloud integrates Nacos as the registration center
  3. Spring Cloud practice | Part 3: Spring Cloud integrates Nacos as the configuration center
  4. Spring Cloud practice | Part 4: Spring Cloud integrates Gateway as the API gateway
  5. Spring Cloud practice | Part 5: Spring Cloud integrates OpenFeign for calls between microservices
  6. Spring Cloud practice | Part 6: Spring Cloud Gateway + Spring Security OAuth2 + JWT for unified authentication and authorization of microservices
  7. Spring Cloud practice | Part 7: a scheme for logout and JWT invalidation on the unified authentication and authorization platform built with Spring Cloud Gateway + Spring Security OAuth2
  8. Spring Cloud practice | Part 8: seamless JWT renewal in the Spring Cloud + Spring Security OAuth2 + Vue front-end/back-end separation setup

Management front end

  1. Vue element admin practice | Part 1: remove the mock, connect to the back end, and build the separated front-end/back-end management platform for Youlai mall
  2. Vue element admin practice | Part 2: connect to the back end with minimal changes and load the menu dynamically according to permissions

Wechat applet

  1. [cloud app development center]

Tags: Docker

Posted by stuartc1 on Mon, 02 May 2022 14:51:09 +0300