I also wrote the same article here.
Execute the following commands to install Docker on Ubuntu. I try to do everything with one copy and paste so that I don't have to bother.
sudo apt -y install apt-transport-https ca-certificates software-properties-common && \
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - && \
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" && \
sudo apt install -y docker-ce
Set Docker to start automatically when the OS boots, and start it right away:
sudo systemctl enable docker
sudo systemctl start docker
By default you need root privileges to connect to Docker:
sudo docker ps
After executing the following command, log out and log in again, and you can use Docker without sudo.
sudo usermod -aG docker "$(logname)"   # add the login user to the docker group
Confirm that it works:
docker ps
From here on it gets troublesome. I need to create a self-signed ("ore-ore") certificate and distribute it to the server and client, but that takes a lot of time and effort. It's too annoying, so I created a script that skips all the interactive input so that it finishes with one command.
See here for a description of the command: https://github.com/SoraKumo001/docker-tls
Create a certificate for connecting remotely:
curl -s https://raw.githubusercontent.com/SoraKumo001/docker-tls/master/docker-tls.sh | \
sudo bash
If you want the host name to be checked correctly when connecting, specify the domain name and IP as follows:
curl -s https://raw.githubusercontent.com/SoraKumo001/docker-tls/master/docker-tls.sh | \
sudo bash -s DNS:host.example.com,IP:10.1.1.1
- Private key: /etc/docker/certs/private-key.pem
- Files for the Docker daemon: /etc/docker/certs/ca.pem, /etc/docker/certs/server-key.pem, /etc/docker/certs/server-cert.pem
- Files for the client: ~/.docker/ca.pem, ~/.docker/cert.pem, ~/.docker/key.pem
For remote connection from a Windows or Mac environment, copy the client files to the .docker folder in your user directory.
The certificate auto-generation script is designed to reuse the private key, so if you reissue the certificate you don't have to redistribute the client certificate. Also, if you copy the existing private key to the same location on another server and create a certificate there, you can connect to multiple servers with the same client files.
If you need a complete remake, delete the private key manually.
- File rewriting: rewrite **ExecStart** in **/lib/systemd/system/docker.service** as follows. This setting accepts TCP connections over TLS. By the way, if a publicly reachable server is set to accept TCP connections without TLS, it may turn into a Bitcoin mining factory before you know it, so please be careful.
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem -H tcp://0.0.0.0 -H fd:// --containerd=/run/containerd/containerd.sock
- When editing by hand is a hassle: the rewrite is done by pasting the following command:
sudo sed -i "s/^ExecStart=.*/ExecStart=\/usr\/bin\/dockerd \
--tlsverify --tlscacert=\/etc\/docker\/certs\/ca.pem \
--tlscert=\/etc\/docker\/certs\/server-cert.pem \
--tlskey=\/etc\/docker\/certs\/server-key.pem \
-H tcp:\/\/0.0.0.0 -H fd:\/\/ \
--containerd=\/run\/containerd\/containerd.sock/" \
/lib/systemd/system/docker.service
sudo systemctl daemon-reload && sudo systemctl restart docker
With the service settings so far, a TLS connection is required when connecting to an address given with -H, so you cannot connect unless you specify --tls. If you specify --tlsverify, the domain name is also verified when connecting.
docker --tls -H localhost ps
docker --tlsverify -H localhost ps
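As an added example (not from the original post or the docker-tls project), here is a small bash audit that reads the ExecStart line of docker.service and fails when a tcp:// listener is present without --tlsverify and the three certificate options, which is exactly the exposed-daemon state the warning above describes. The function names and the sample ExecStart lines at the bottom are my own constructions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or the docker-tls project.
# Audits the ExecStart line of docker.service after the edit above: a tcp://
# listener must carry --tlsverify plus --tlscacert/--tlscert/--tlskey, or the
# daemon is reachable by anyone who can open the port.

# Returns 0 if the ExecStart line is acceptable, 1 if it exposes the daemon.
audit_execstart() {
  local line="$1" opt
  # No tcp:// listener (only fd:// or unix://) means no network exposure.
  if ! printf '%s' "$line" | grep -q 'tcp://'; then
    return 0
  fi
  # --tlsverify=false is the same as no verification at all.
  if printf '%s' "$line" | grep -q -- '--tlsverify=false'; then
    return 1
  fi
  # Plain --tls only encrypts the connection; without --tlsverify any
  # client can still drive the daemon, so require --tlsverify itself.
  printf '%s' "$line" | grep -q -- '--tlsverify' || return 1
  # All three certificate options must be present for verification to work.
  for opt in --tlscacert= --tlscert= --tlskey=; do
    printf '%s' "$line" | grep -q -- "$opt" || return 1
  done
  return 0
}

# Picks the last ExecStart= line out of a unit file and audits it.
audit_service_file() {
  local line
  line="$(grep '^ExecStart=' "$1" | tail -n 1)"
  audit_execstart "$line"
}

# Constructed sample lines: the hardened setting from this page and the exposed variant.
SAFE_EXECSTART='ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem -H tcp://0.0.0.0 -H fd:// --containerd=/run/containerd/containerd.sock'
EXPOSED_EXECSTART='ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0 -H fd:// --containerd=/run/containerd/containerd.sock'

# Usage: bash audit-docker-tls.sh /lib/systemd/system/docker.service
if [ -n "${1:-}" ]; then
  if audit_service_file "$1"; then
    echo "OK: tcp listener requires client certificates"
  else
    echo "UNSAFE: tcp listener without --tlsverify or certificate files"
  fi
fi
```

Run it against /lib/systemd/system/docker.service after the sed edit and again after any Docker package upgrade, since files under /lib/systemd/system are owned by the package and can be replaced by an update.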
Docker commands can pipe Docker images, so you can transfer images to a remote host without going through Docker Hub like this:
docker save <image name> [more image names...] | docker --tls -H <server name> load
This is useful for transferring locally built images or CI/CD builds, and it makes small deployments easy.
Note that you cannot connect unless the host name matches the one specified when creating the certificate.
docker-compose --tlsverify -H <host name>:2375 <normal command>
Once you have issued the certificate, you can easily operate Docker remotely. After that, if you send a container over and run it, you can do almost anything. However, be careful of mistakes such as putting the certificate in a public repository and publishing it. Publishing creates regret.