Docker Swarm with TLS: using DOCKER_CERT_PATH, Compose throws an exception

I have two machines (Ubuntu Server 16.04) running a Docker Swarm cluster. On each machine run:

  • Docker 1.11.2
  • Consul 0.6.4
  • Docker Swarm Manager and Node swarm/1.2.3
  • Docker Compose 1.7.1

Everything uses TLS encryption.

I followed the instructions at https://docs.docker.com/swarm/configure-tls/#/step-9-configure-the-engine-cli-to-use-tls and added a .bash_profile in my home directory:

    export DOCKER_HOST=tcp://10.0.0.38:4000
    export DOCKER_CERT_PATH=/usr/local/share/ca-certificates
    export DOCKER_TLS_VERIFY=1

After `source .bash_profile`, the `docker ps` command runs without problems:

    manager@master:~$ docker ps
    CONTAINER ID        IMAGE                    COMMAND                  CREATED             STATUS              PORTS                       NAMES
    9a609e5f2688        gliderlabs/registrator   "/bin/registrator -in"   17 hours ago        Up 57 minutes                                   slave1/master_registrator_1
    228a225e8659        registry:2               "/bin/registry serve "   18 hours ago        Up 46 minutes       10.0.0.38:5000->5000/tcp    master/master_registry_1

But when I try `docker-compose ps`, it throws the following error:

    manager@master:~$ docker-compose ps
    ERROR: SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

The Swarm Manager complains about a missing CA:

    http: TLS handshake error from 10.0.0.38:52104: remote error: unknown certificate authority

However, when I pass the certificates as parameters, everything seems to work (albeit with some warnings):

    manager@master:~$ docker-compose --tlscert /usr/local/share/ca-certificates/cert.pem --tlskey /usr/local/share/ca-certificates/key.pem ps
    /tmp/_MEIgsthqj/requests/packages/urllib3/connectionpool.py:768: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
    /tmp/_MEIgsthqj/requests/packages/urllib3/connectionpool.py:768: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
    Name   Command   State   Ports
    ------------------------------

I did not define ca.pem, but without the parameters it does not seem to find the right certificates.

This is the directory containing the certificates:

    manager@master:~$ ls -l /usr/local/share/ca-certificates
    total 12
    -rw-rw-r-- 1 master master 1180 Jul 13 09:19 ca.pem
    -rw-rw-r-- 1 master master 1107 Jul 13 10:08 cert.pem
    -rw-rw-r-- 1 master master 1675 Jul 13 10:07 key.pem

What am I missing? The certificates look fine, since they work with docker itself and with docker-compose when passed as parameters.

Full versions:

docker

    Client:
     Version:      1.11.2
     API version:  1.23
     Go version:   go1.5.4
     Git commit:   b9f10c9
     Built:        Wed Jun  1 22:00:43 2016
     OS/Arch:      linux/amd64

    Server:
     Version:      1.11.2
     API version:  1.23
     Go version:   go1.5.4
     Git commit:   b9f10c9
     Built:        Wed Jun  1 22:00:43 2016
     OS/Arch:      linux/amd64

swarm

    Server:
     Version:      swarm/1.2.3
     API version:  1.22
     Go version:   go1.5.4
     Git commit:   eaa53c7
     Built:        Fri May 27 17:25:03 UTC 2016
     OS/Arch:      linux/amd64

compose

    docker-compose version 1.7.1, build 0a9ab35
    docker-py version: 1.8.1
    CPython version: 2.7.9
    OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013

Update

After some research (https://github.com/docker/compose/issues/3365), it looks like the environment variables CURL_CA_BUNDLE and REQUESTS_CA_BUNDLE affect the docker-compose command. So I tried to access the Docker Swarm Manager directly with curl, without setting the env vars:

    curl --cert $DOCKER_CERT_PATH/cert.pem --key $DOCKER_CERT_PATH/key.pem https://10.0.0.38:4000/networks
    curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

But after adding these lines to .bash_profile and running `source .bash_profile`:

    export CURL_CA_BUNDLE=/usr/local/share/ca-certificates/ca.pem
    export REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/ca.pem

the request works:

    curl --cert $DOCKER_CERT_PATH/cert.pem --key $DOCKER_CERT_PATH/key.pem https://10.0.0.38:4000/networks
    [{"Name":"slave1/bridge","Id"...

Unfortunately, the error on docker-compose persists (even with the parameters):

    manager@master:~$ docker-compose --tlscert /usr/local/share/ca-certificates/cert.pem --tlskey /usr/local/share/ca-certificates/key.pem ps
    ERROR: SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
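The three situations in the question (DOCKER_* environment only, `--tlscert`/`--tlskey` without a CA, and a cert directory with ca.pem absent) differ in one thing: whether the client ends up verifying the manager's certificate, and against which CA file. The script below is an added example, not code from the question or from the docker-compose/docker-py projects. Its `tls_settings()` is a simplified reconstruction of how docker-py's `kwargs_from_env()` and Compose's `--tls*` flag handling resolve those inputs, as I understand them (an assumption; check the source of the version you run), and `check_cert_files()` performs the sanity checks a practitioner would want before blaming TLS itself: that every referenced file exists and starts with the right PEM block, that key.pem is not group/world readable (the `ls -l` above shows mode 0664), and that a client certificate is not being sent over an unverified connection. The PEM bodies are placeholders constructed for the demo, not real keys.

```python
"""Resolve the TLS settings a docker-py based client (docker-compose) would use
from DOCKER_* variables and --tls* flags, then sanity-check the cert files.

Added example for this thread. tls_settings() is a simplified model of
docker-py's kwargs_from_env() and compose's --tls* flag handling, not a copy
of either project's code; treat its precedence rules as an assumption.
"""
import os
import stat
import tempfile
from typing import Dict, List, Optional

# Placeholder PEM bodies constructed for the demo; not real certificates or keys.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n"


def tls_settings(env: Dict[str, str], flags: Optional[Dict[str, str]] = None) -> dict:
    """Return client_cert / ca_cert / verify for the given env and --tls* flags.

    flags may contain 'tlscacert', 'tlscert', 'tlskey', 'tlsverify'.
    Explicit flags win over the environment (assumed, as in compose).
    """
    flags = flags or {}
    if any(flags.get(k) for k in ("tlscacert", "tlscert", "tlskey", "tlsverify")):
        client_cert = None
        if flags.get("tlscert") or flags.get("tlskey"):
            client_cert = (flags.get("tlscert"), flags.get("tlskey"))
        # With flags only --tlsverify switches verification on (simplification).
        # --tlscert/--tlskey alone send a client cert over an UNVERIFIED
        # connection, which is exactly what urllib3's InsecureRequestWarning says.
        return {"source": "flags", "client_cert": client_cert,
                "ca_cert": flags.get("tlscacert"), "verify": bool(flags.get("tlsverify"))}

    tls_verify = env.get("DOCKER_TLS_VERIFY", "")
    cert_path = env.get("DOCKER_CERT_PATH", "")
    if not tls_verify and not cert_path:
        return {"source": "env", "client_cert": None, "ca_cert": None, "verify": False}
    if not cert_path:  # DOCKER_TLS_VERIFY set but no path: default to ~/.docker
        cert_path = os.path.join(os.path.expanduser("~"), ".docker")
    return {
        "source": "env",
        "client_cert": (os.path.join(cert_path, "cert.pem"), os.path.join(cert_path, "key.pem")),
        "ca_cert": os.path.join(cert_path, "ca.pem"),
        "verify": tls_verify != "",
    }


def check_cert_files(settings: dict) -> List[str]:
    """Return a list of problems with the resolved settings (empty = looks sane)."""
    problems: List[str] = []
    files = []  # (path, expected PEM marker, is_private_key)
    if settings["client_cert"]:
        cert, key = settings["client_cert"]
        files.append((cert, "CERTIFICATE", False))
        files.append((key, "PRIVATE KEY", True))
    if settings["ca_cert"]:
        files.append((settings["ca_cert"], "CERTIFICATE", False))
    elif settings["verify"]:
        # requests then falls back to REQUESTS_CA_BUNDLE/CURL_CA_BUNDLE or its
        # bundled CA store, not to the ca.pem sitting next to cert.pem.
        problems.append("verification requested but no CA file given; default CA bundle will be used")

    for path, marker, is_key in files:
        if not path or not os.path.isfile(path):
            problems.append("missing file: %s" % path)
            continue
        with open(path) as fh:
            first = fh.readline()
        if "-----BEGIN" not in first or marker not in first:
            problems.append("%s does not start with a PEM %s block" % (path, marker))
        if is_key:
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append("%s is readable by group/others (mode %o); use 0600" % (path, mode))
    if settings["client_cert"] and not settings["verify"]:
        problems.append("client cert set but server verification is off: an impostor manager is accepted")
    return problems


def demo() -> Dict[str, List[str]]:
    """Replay the question's three situations against a constructed cert directory."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("ca.pem", FAKE_CERT), ("cert.pem", FAKE_CERT), ("key.pem", FAKE_KEY)):
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        os.chmod(os.path.join(d, "key.pem"), 0o664)  # same mode as the ls -l in the question
        env = {"DOCKER_HOST": "tcp://10.0.0.38:4000", "DOCKER_CERT_PATH": d, "DOCKER_TLS_VERIFY": "1"}

        results["env"] = check_cert_files(tls_settings(env))  # env only: verify on, ca.pem used
        flags = {"tlscert": os.path.join(d, "cert.pem"), "tlskey": os.path.join(d, "key.pem")}
        results["flags_no_ca"] = check_cert_files(tls_settings(env, flags))  # unverified request
        os.remove(os.path.join(d, "ca.pem"))
        results["env_missing_ca"] = check_cert_files(tls_settings(env))  # nothing to verify against
    return results


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, "->", problems or "ok")
```

Point `DOCKER_CERT_PATH` at a real directory instead of the temp dir to run the checks on your own files. The security-relevant takeaway is the second scenario: supplying `--tlscert`/`--tlskey` without a CA makes the error go away only because verification is switched off, so the client authenticates itself to whatever answers on port 4000 without authenticating the manager.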