Configuring TLS authentication and enabling remote access

Description

iSulad is designed in a client/server model. By default the iSulad daemon lcrd listens only on the local socket /var/run/lcrd.sock, so containers can be operated only locally through the client lcrc. For lcrc to reach containers remotely, the lcrd daemon must listen on a tcp ip:port for remote access. However, a plain tcp ip:port listener lets every IP address talk to lcrd through lcrc -H tcp://:port, which easily leads to security problems. The more secure approach, TLS (Transport Layer Security), is therefore recommended for remote access.

Generating TLS certificates

#!/bin/bash
# Generate a private CA, a server certificate for lcrd and a client certificate
# for lcrc under $HOME/.iSulad. Only the CA key is passphrase-protected; the
# server and client keys are written unencrypted so the daemon and client can
# load them without a prompt.
set -e
echo -n "Enter pass phrase:"
read -r -s password
echo
echo -n "Enter public network ip:"
read -r publicip
echo -n "Enter host:"
read -r HOST

echo " => Using host: $HOST (IP: $publicip), You MUST connect to iSulad using this host or IP!"

# Start from an empty directory so the extension files below are written fresh
mkdir -p "$HOME/.iSulad"
cd "$HOME/.iSulad"
rm -rf "$HOME"/.iSulad/*

echo " => Generating CA key"
openssl genrsa -passout pass:"$password" -aes256 -out ca-key.pem 4096
echo " => Generating CA certificate"
openssl req -passin pass:"$password" -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem -subj "/C=CN/ST=zhejiang/L=hangzhou/O=Huawei/OU=iSulad/CN=iSulad@huawei.com"
echo " => Generating server key"
openssl genrsa -out server-key.pem 4096
echo " => Generating server CSR"
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
# The client must connect using one of these names, otherwise hostname verification fails
echo "subjectAltName = DNS:$HOST,IP:$publicip,IP:127.0.0.1" > extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf
echo " => Signing server CSR with CA"
openssl x509 -req -passin pass:"$password" -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
echo " => Generating client key"
openssl genrsa -out key.pem 4096
echo " => Generating client CSR"
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo " => Creating extended key usage"
# clientAuth only: this certificate cannot be reused to impersonate the server
echo "extendedKeyUsage = clientAuth" > extfile-client.cnf
echo " => Signing client CSR with CA"
openssl x509 -req -passin pass:"$password" -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf
rm -v client.csr server.csr extfile.cnf extfile-client.cnf
# Private keys readable by the owner only; certificates are public
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem

Interface

Server-side TLS settings in daemon.json:

{
    "tls": true,
    "tls-verify": true,
    "tls-config": {
        "CAFile": "/root/.iSulad/ca.pem",
        "CertFile": "/root/.iSulad/server-cert.pem",
        "KeyFile": "/root/.iSulad/server-key.pem"
    }
}

Restrictions

The server supports the following modes:

  • Mode 1 (verify the client): tlsverify, tlscacert, tlscert, tlskey
  • Mode 2 (do not verify the client): tls, tlscert, tlskey

The client supports the following modes:

  • Mode 1 (authenticate with a client certificate and verify the server against the given CA): tlsverify, tlscacert, tlscert, tlskey
  • Mode 2 (verify the server only): tlsverify, tlscacert

For mutual authentication, the server uses mode 1 and the client uses mode 1;

For one-way authentication, the server uses mode 2 and the client uses mode 2;

Note:
- With an RPM installation, the server-side configuration can be changed in /etc/isulad/daemon.json and /etc/sysconfig/iSulad
- Mutual authentication is more secure than no authentication or one-way authentication, so mutual authentication is the recommended way to communicate

Example

Server:

 lcrd -H=tcp://0.0.0.0:2376 --tlsverify --tlscacert ~/.iSulad/ca.pem --tlscert ~/.iSulad/server-cert.pem --tlskey ~/.iSulad/server-key.pem

Client:

 lcrc version -H=tcp://$HOSTIP:2376 --tlsverify --tlscacert ~/.iSulad/ca.pem --tlscert ~/.iSulad/cert.pem --tlskey ~/.iSulad/key.pem
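As an added example (not iSulad's own code) that ties the mode table above to the two commands just shown: a Python checker that maps a daemon.json fragment or an lcrd/lcrc command line onto those server and client modes, applies the pairing rule, and reports which options are missing for mutual authentication. The option names are the flag names used on this page; the finding messages are my own wording.

```python
# Added example, not iSulad's own code: classify lcrd/lcrc TLS option sets
# into the server and client modes listed above and report what falls short.
import shlex

SERVER_MODE_1 = {"tlsverify", "tlscacert", "tlscert", "tlskey"}  # verifies clients
SERVER_MODE_2 = {"tls", "tlscert", "tlskey"}                      # no client check
CLIENT_MODE_1 = {"tlsverify", "tlscacert", "tlscert", "tlskey"}  # mutual
CLIENT_MODE_2 = {"tlsverify", "tlscacert"}                        # verifies server only
TLS_FLAGS = {"tls", "tlsverify", "tlscacert", "tlscert", "tlskey"}

def options_from_daemon_json(cfg):
    """Map daemon.json keys (tls, tls-verify, tls-config.*) to option names."""
    opts = {"tls"} if cfg.get("tls") else set()
    if cfg.get("tls-verify"):
        opts.add("tlsverify")
    files = cfg.get("tls-config") or {}
    for key, opt in (("CAFile", "tlscacert"), ("CertFile", "tlscert"), ("KeyFile", "tlskey")):
        if files.get(key):
            opts.add(opt)
    return opts

def options_from_flags(cmdline):
    """Collect --tls/--tlsverify/--tlscacert/--tlscert/--tlskey from a command line."""
    names = (tok.lstrip("-").split("=", 1)[0] for tok in shlex.split(cmdline))
    return {n for n in names if n in TLS_FLAGS}

def server_mode(opts):
    """Return (mode, findings) for an lcrd option set; mode is None if incomplete."""
    if SERVER_MODE_1 <= opts:
        return 1, []
    if SERVER_MODE_2 <= opts and "tlsverify" not in opts:
        return 2, ["server does not verify clients: any host reaching the port can talk to lcrd"]
    if "tlsverify" in opts:
        return None, ["tlsverify set but missing: " + ", ".join(sorted(SERVER_MODE_1 - opts))]
    if "tls" in opts:
        return None, ["tls set but missing: " + ", ".join(sorted(SERVER_MODE_2 - opts))]
    return None, ["no TLS options: plain tcp listener, unauthenticated"]

def client_mode(opts):
    """Return (mode, findings) for an lcrc option set."""
    if CLIENT_MODE_1 <= opts:
        return 1, []
    if CLIENT_MODE_2 <= opts:
        return 2, ["client presents no certificate: usable only against a mode-2 server"]
    return None, ["client lacks tlsverify/tlscacert: server identity is not checked"]

def authentication(server_opts, client_opts):
    """Pairing rule from the text: 1+1 is mutual, 2+2 is one-way, anything else is unsupported."""
    pair = (server_mode(server_opts)[0], client_mode(client_opts)[0])
    return {(1, 1): "mutual", (2, 2): "one-way"}.get(pair, "unsupported pairing")
```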