freeseaboy's blog (trying to be cool)


Docker (14) Docker communication lol (1)

freeseaboy 2024. 12. 29. 21:01

Okay, period 6: let's look at Docker communication.

Let's go.

★ The content of this post is also mirrored, identically, at the Naver Blog link below (backup blog) ★

https://blog.naver.com/iwseo7114

 


 

 

######################################################################

Period 5, Docker analysis time.

Let's listen to a song and get started~

Docker daemon

dockerd --help

[root@C3 ~]# dockerd --help

Usage: dockerd [OPTIONS]

A self-sufficient runtime for containers.

Options:

--add-runtime runtime Register an additional OCI compatible runtime (default [])

--allow-nondistributable-artifacts list Allow push of nondistributable artifacts to registry

--api-cors-header string Set CORS headers in the Engine API

--authorization-plugin list Authorization plugins to load

--bip string Specify network bridge IP

-b, --bridge string Attach containers to a network bridge

--cdi-spec-dir list CDI specification directories to use

--cgroup-parent string Set parent cgroup for all containers

--config-file string Daemon configuration file (default "/etc/docker/daemon.json")

--containerd string containerd grpc address

--containerd-namespace string Containerd namespace to use (default "moby")

--containerd-plugins-namespace string Containerd namespace to use for plugins (default "plugins.moby")

--cpu-rt-period int Limit the CPU real-time period in microseconds for the parent cgroup for all containers (not supported with cgroups v2)

--cpu-rt-runtime int Limit the CPU real-time runtime in microseconds for the parent cgroup for all containers (not supported with cgroups v2)

--cri-containerd start containerd with cri

--data-root string Root directory of persistent Docker state (default "/var/lib/docker")

-D, --debug Enable debug mode

--default-address-pool pool-options Default address pools for node specific local networks

--default-cgroupns-mode string Default mode for containers cgroup namespace ("host" | "private") (default "host")

--default-gateway ip Container default gateway IPv4 address

--default-gateway-v6 ip Container default gateway IPv6 address

--default-ipc-mode string Default mode for containers ipc ("shareable" | "private") (default "private")

--default-network-opt mapmap Default network options (default map[])

--default-runtime string Default OCI runtime for containers (default "runc")

--default-shm-size bytes Default shm size for containers (default 64MiB)

--default-ulimit ulimit Default ulimits for containers (default [])

--dns ipSlice DNS server to use (default [])

--dns-opt list DNS options to use

--dns-search list DNS search domains to use

--exec-opt list Runtime execution options

--exec-root string Root directory for execution state files (default "/var/run/docker")

--experimental Enable experimental features

--fixed-cidr string IPv4 subnet for fixed IPs

--fixed-cidr-v6 string IPv6 subnet for fixed IPs

-G, --group string Group for the unix socket (default "docker")

--help Print usage

-H, --host list Daemon socket(s) to connect to

--host-gateway-ip ip IP address that the special 'host-gateway' string in --add-host resolves to. Defaults to the IP address of the default bridge

--http-proxy string HTTP proxy URL to use for outgoing traffic

--https-proxy string HTTPS proxy URL to use for outgoing traffic

--icc Enable inter-container communication (default true)

--init Run an init in the container to forward signals and reap processes

--init-path string Path to the docker-init binary

--insecure-registry list Enable insecure registry communication

--ip ip Default IP when binding container ports (default 0.0.0.0)

--ip-forward Enable net.ipv4.ip_forward (default true)

--ip-masq Enable IP masquerading (default true)

--ip6tables Enable addition of ip6tables rules (experimental)

--iptables Enable addition of iptables rules (default true)

--ipv6 Enable IPv6 networking

--label list Set key=value labels to the daemon

--live-restore Enable live restore of docker when containers are still running

--log-driver string Default driver for container logs (default "json-file")

--log-format string Set the logging format ("text"|"json") (default "text")

-l, --log-level string Set the logging level ("debug"|"info"|"warn"|"error"|"fatal") (default "info")

--log-opt map Default log driver options for containers (default map[])

--max-concurrent-downloads int Set the max concurrent downloads (default 3)

--max-concurrent-uploads int Set the max concurrent uploads (default 5)

--max-download-attempts int Set the max download attempts for each pull (default 5)

--metrics-addr string Set default address and port to serve the metrics api on

--mtu int Set the MTU for the default "bridge" network (default 1500)

--network-control-plane-mtu int Network Control plane MTU (default 1500)

--no-new-privileges Set no-new-privileges by default for new containers

--no-proxy string Comma-separated list of hosts or IP addresses for which the proxy is skipped

--node-generic-resource list Advertise user-defined resource

-p, --pidfile string Path to use for daemon PID file (default "/var/run/docker.pid")

--raw-logs Full timestamps without ANSI coloring

--registry-mirror list Preferred Docker registry mirror

--rootless Enable rootless mode; typically used with RootlessKit

--seccomp-profile string Path to seccomp profile. Set to "unconfined" to disable the default seccomp profile (default "builtin")

--selinux-enabled Enable selinux support

--shutdown-timeout int Set the default shutdown timeout (default 15)

-s, --storage-driver string Storage driver to use

--storage-opt list Storage driver options

--swarm-default-advertise-addr string Set default address or interface for swarm advertised address

--tls Use TLS; implied by --tlsverify

--tlscacert string Trust certs signed only by this CA (default "/root/.docker/ca.pem")

--tlscert string Path to TLS certificate file (default "/root/.docker/cert.pem")

--tlskey string Path to TLS key file (default "/root/.docker/key.pem")

--tlsverify Use TLS and verify the remote

--userland-proxy Use userland proxy for loopback traffic (default true)

--userland-proxy-path string Path to the userland proxy binary (default "/usr/bin/docker-proxy")

--userns-remap string User/Group setting for user namespaces

--validate Validate daemon configuration and exit

-v, --version Print version information and quit

[root@C3 ~]#

dockerd -H tcp://0.0.0.0:2375 --insecure-registry=10.0.0.24:5000 --tls=false

That is a direct exec of the daemon (running dockerd by hand instead of through the service unit).

-H selects the socket(s) the daemon listens on.

dockerd == dockerd -H unix:///var/run/docker.sock

Look at what that command line exposes: -H tcp://0.0.0.0:2375 together with --tls=false listens on every interface with no authentication at all, and --insecure-registry lets the daemon talk to 10.0.0.24:5000 over plain HTTP. Anyone who can reach port 2375 can drive the full API, which amounts to root on the host, so keep this form lab-only.

In other words, the Docker API is RESTful, which means it is addressed by URL, right??

root@VPN-FW:~# curl 10.0.0.24:2375/version --silent | python -m json.tool

Fetch the response and pretty-print the JSON with Python's json.tool (only the tail of the output is shown below)...

...

"Version": "1.6.33",

"Details": {

"GitCommit": "d2d58213f83a351ca8f528a95fbd145f5654e957"

}

},

{

"Name": "runc",

"Version": "1.1.12",

"Details": {

"GitCommit": "v1.1.12-0-g51d5e94"

}

},

{

"Name": "docker-init",

"Version": "0.19.0",

"Details": {

"GitCommit": "de40ad0"

}

}

],

"Version": "26.1.4",

"ApiVersion": "1.45",

"MinAPIVersion": "1.24",

"GitCommit": "de5c9cf",

"GoVersion": "go1.21.11",

"Os": "linux",

"Arch": "amd64",

"KernelVersion": "3.10.0-327.36.1.el7.x86_64",

"BuildTime": "2024-06-05T11:31:02.000000000+00:00"

}

The API's convenience, productivity gains, and so on are obvious.

On a closed internal network you could arguably skip TLS, since nobody inside should be sniffing or stealing anything. But

once the daemon is reachable from outside, it's a different story. (Even internally, an open 2375 port hands root on the host to any compromised machine on that network, so treat the no-TLS mode as lab-only.)

Let's build a TLS setup once and then wrap up, lol. Too much at once and your head explodes.

[root@C3 keys]# echo subjectAltName = IP:$HOST,IP:127.0.0.1 > extfile.cnf

[root@C3 keys]# cat extfile.cnf

subjectAltName = IP:10.0.0.24,IP:127.0.0.1

[root@C3 keys]# openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf

Signature ok

subject=/CN=10.0.0.24

Getting CA Private Key

Enter pass phrase for ca-key.pem:

140053474670480:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters

Enter pass phrase for ca-key.pem:

[root@C3 keys]#

[root@C3 keys]# openssl req subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

unknown option subj

req [options] <infile >outfile

where options are

-inform arg input format - DER or PEM

-outform arg output format - DER or PEM

-in arg input file

-out arg output file

-text text form of request

(The option needs a leading dash: -subj "/CN=$HOST". And since this CSR is the input to the x509 -req signing command shown above, the CSR step has to run before that signing step.)

root@VPN-FW:/tmp# docker version

Client: Docker Engine - Community

Version: 27.4.1

API version: 1.47

Go version: go1.22.10

Git commit: b9d17ea

Built: Tue Dec 17 15:45:53 2024

OS/Arch: linux/arm

Context: default

Error response from daemon: Client sent an HTTP request to an HTTPS server.

Because the daemon now only speaks TLS, a plain docker -H 10.0.0.24:2375 call is rejected with "Client sent an HTTP request to an HTTPS server".

With that, we've set up TLS on both the server and the client. Passing the CA, client certificate and key with --tlsverify, the same call succeeds:

root@VPN-FW:/dockerTLS# docker -H 10.0.0.24:2375 \

> --tlscacert=/dockerTLS/ca.pem \

> --tlscert=/dockerTLS/cert.pem \

> --tlskey=/dockerTLS/key.pem \

> --tlsverify version

Client: Docker Engine - Community

Version: 27.4.1

API version: 1.45 (downgraded from 1.47)

Go version: go1.22.10

Git commit: b9d17ea

Built: Tue Dec 17 15:45:53 2024

OS/Arch: linux/arm

Context: default

Server: Docker Engine - Community

Engine:

Version: 26.1.4

API version: 1.45 (minimum version 1.24)

Go version: go1.21.11

Git commit: de5c9cf

Built: Wed Jun 5 11:31:02 2024

OS/Arch: linux/amd64

Experimental: false

containerd:

Version: 1.6.33

GitCommit: d2d58213f83a351ca8f528a95fbd145f5654e957

runc:

Version: 1.1.12

GitCommit: v1.1.12-0-g51d5e94

docker-init:

Version: 0.19.0

GitCommit: de40ad0

root@VPN-FW:/dockerTLS#

For more help on how to use Docker, head to https://docs.docker.com/go/guides/

root@VPN-FW:/dockerTLS# docker -H 10.0.0.24:2375 version

Client: Docker Engine - Community

Version: 27.4.1

API version: 1.47

Go version: go1.22.10

Git commit: b9d17ea

Built: Tue Dec 17 15:45:53 2024

OS/Arch: linux/arm

Context: default

Error response from daemon: Client sent an HTTP request to an HTTPS server.

root@VPN-FW:/dockerTLS#
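As an added example (not code from the original post, and not the openssl lines exactly as the author typed them), here is the whole key and certificate generation in the order the steps have to run, followed by a check that the result is usable by docker --tlsverify. Assumptions: the daemon IP is 10.0.0.24 as on this page; the CA key is left unencrypted so the script runs non-interactively (the author's CA key had a passphrase); the directory name dockerTLS, the CNs docker-ca and client, and the 2048-bit key size are my choices.

```sh
#!/bin/sh
# Added example for this post: generate Docker daemon/client TLS material
# (CA -> server key/CSR/cert with IP SAN -> client key/CSR/cert), then verify it.
# Assumed: daemon host 10.0.0.24 as in the post; unencrypted CA key so the
# script is non-interactive; 2048-bit keys to keep the example fast.
set -eu

gen_docker_tls() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  (
    cd "$dir"
    # CA: private key and self-signed certificate (CN is a made-up name)
    openssl genrsa -out ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key ca-key.pem \
      -subj "/CN=docker-ca" -out ca.pem

    # Server: key, CSR with CN=host, and a SAN so the client's IP check passes
    openssl genrsa -out server-key.pem 2048 2>/dev/null
    openssl req -subj "/CN=$host" -sha256 -new -key server-key.pem -out server.csr
    printf 'subjectAltName = IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
      "$host" > extfile.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -out server-cert.pem -extfile extfile.cnf 2>/dev/null

    # Client: key, CSR, and a certificate restricted to client authentication
    openssl genrsa -out key.pem 2048 2>/dev/null
    openssl req -subj '/CN=client' -new -key key.pem -out client.csr
    printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -out cert.pem -extfile extfile-client.cnf 2>/dev/null

    # Drop the intermediates; keys owner-readable only, certs world-readable
    rm -f client.csr server.csr extfile.cnf extfile-client.cnf
    chmod 0400 ca-key.pem key.pem server-key.pem
    chmod 0444 ca.pem server-cert.pem cert.pem
  )
}

# Returns 0 only if both certs chain to the CA, the server cert carries the
# expected IP SAN, and the client cert is marked for client authentication.
verify_docker_tls() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" "$dir/cert.pem" \
    >/dev/null || return 1
  openssl x509 -in "$dir/server-cert.pem" -noout -text \
    | grep -q "IP Address:$host" || return 1
  openssl x509 -in "$dir/cert.pem" -noout -text \
    | grep -q 'TLS Web Client Authentication' || return 1
}

# Usage: sh gen-docker-tls.sh ./dockerTLS 10.0.0.24
if [ $# -ge 2 ]; then
  gen_docker_tls "$1" "$2"
  verify_docker_tls "$1" "$2" && echo "TLS material in $1 verified for $2"
fi
```

The server side then starts as dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376 (2376 is the conventional TLS port; the post keeps 2375), and the client uses the --tlsverify flags exactly as in the docker version call above, or copies ca.pem, cert.pem and key.pem into ~/.docker and sets DOCKER_HOST and DOCKER_TLS_VERIFY=1. The extendedKeyUsage lines are the one thing beyond the post's extfile: they stop the server certificate from being replayed as a client identity and vice versa.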

Anyway, today we looked at how to apply TLS.

Next time we'll pick up from here; now go to bed early lol.

Anyway, good work.

######################################################################
