在 /etc/docker/daemon.json 文件中添加 TLS 配置
{
"tls": true,
"tlscacert": "/etc/docker/certs.d/ca.pem",
"tlscert": "/etc/docker/certs.d/server-cert.pem",
"tlskey": "/etc/docker/certs.d/server-key.pem",
"tlsverify": true,
"data-root": "/containers",
"registry-mirrors": [
"https://registry.docker-cn.com",
"https://docker.mirrors.ustc.edu.cn",
"https://hub-mirror.c.163.com",
"https://mirror.baidubce.com",
"https://ccr.ccs.tencentyun.com"
],
"log-driver":"json-file",
"log-opts":{
"max-size": "500m",
"max-file": "1"
}
}
在 /etc/docker/certs.d/ 目录下添加并执行以下脚本
#!/bin/bash
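# Work from the directory daemon.json points at for the TLS material; abort
# instead of silently generating certificates in whatever the cwd happens to be.
cd /etc/docker/certs.d || exit 1
# Directory portion of the path the script was invoked with ($0).
root_path=${0%/*}
printf '%s\n' "$root_path"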
#####################################################################################
# 获取宿主机IP
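#######################################
# Detect the host's IPv4 address and the docker0 bridge's IPv4 address.
# Globals:   local_host_ip (written), local_docker_ip (written) — both are
#            consumed later in this script, so they are deliberately not local.
# Outputs:   both addresses to stdout, one per line
# Returns:   status of the final printf
#######################################
getHostIp() {
  # Second IPv4 address in `ip -4 addr` output: assumes the first one listed
  # is loopback, so this picks the first real interface — TODO confirm on
  # multi-homed hosts, where it may pick the wrong NIC (the y/n prompt that
  # follows lets the operator override the value).
  local_host_ip=$(ip -4 addr | grep -Po "inet \K[\d.]+" | awk '{print $1}' | sed -n '2, 2p')
  local_docker_ip=$(ip -4 addr show docker0 | grep -Po "inet \K[\d.]+")
  # printf so the line break is real; echo without -e prints a literal "\n".
  printf '获取宿主机Docker虚拟网卡IP:%s\n宿主机IP:%s\n' "$local_docker_ip" "$local_host_ip"
}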
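getHostIp
# Let the operator confirm or replace the detected address; -r keeps any
# backslashes in the answer literal.
read -r -p "自动获取的宿主机IP是否正确?(y/n)" sure
if [[ "$sure" == [nN] ]]; then
  read -r -p "输入宿主机IP:" local_host_ip
  # The value ends up in the server certificate's SAN (IP:...), so reject
  # anything that is not a dotted quad here rather than failing later inside
  # openssl with a less readable error.
  if [[ ! "$local_host_ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    printf '无效的IPv4地址:%s\n' "$local_host_ip" >&2
    exit 1
  fi
  printf '你输入的IP是:%s\n' "$local_host_ip"
fi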
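#######################################
# Generate a private CA, a server certificate for dockerd and a client
# certificate, all in the current directory.
# Globals:   local_host_ip (read) — placed in the server certificate's SAN
#            CA_KEY_PASS (read, optional) — passphrase protecting ca-key.pem
# Outputs:   ca.pem ca-key.pem server-cert.pem server-key.pem cert.pem key.pem
# Returns:   0 on success; otherwise the status of the first failing command
#            (remaining steps are skipped instead of running on missing inputs)
#######################################
genCerts() {
  # The CA key passphrase is handed to openssl through the environment
  # (env:VAR) instead of "pass:..." on argv, so it does not appear in `ps`
  # output or in shell traces. The built-in default only preserves the previous
  # behaviour; set CA_KEY_PASS to a strong value for any real deployment.
  export CA_KEY_PASS="${CA_KEY_PASS:-123456}"

  # CA private key (AES-256 encrypted) and self-signed CA certificate.
  openssl genrsa -aes256 -passout env:CA_KEY_PASS -out ca-key.pem 4096 || return
  openssl req -new -x509 -passin env:CA_KEY_PASS -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem || return

  # Server key and CSR (the key is unencrypted, so no passphrase is involved).
  openssl genrsa -out server-key.pem 4096 || return
  openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr || return

  # Server certificate extensions. NOTE(review): "DNS:*" together with CN=*
  # makes this certificate acceptable for any hostname; narrow the SAN to the
  # real host name/IP where the environment allows. The file is created with
  # '>' (not appended) so a rerun cannot accumulate stale subjectAltName lines.
  printf 'subjectAltName = DNS:*,IP:%s,IP:127.0.0.1\n' "$local_host_ip" > extfile.cnf || return
  printf 'extendedKeyUsage = serverAuth\n' >> extfile.cnf || return
  openssl x509 -req -passin env:CA_KEY_PASS -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf || return

  # Client key, CSR and certificate (clientAuth only).
  openssl genrsa -out key.pem 4096 || return
  openssl req -subj '/CN=client' -new -key key.pem -out client.csr || return
  printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf || return
  openssl x509 -req -passin env:CA_KEY_PASS -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf || return

  # Remove the intermediate files.
  rm -f client.csr server.csr extfile.cnf extfile-client.cnf
  # Private keys readable by the owner only; certificates world-readable.
  chmod 0400 ca-key.pem server-key.pem key.pem || return
  chmod 0444 ca.pem server-cert.pem cert.pem
}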
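# Only reload and restart dockerd when certificate generation reported success;
# daemon.json references these files, so restarting without them would fail
# with a less obvious error.
if ! genCerts; then
  printf '证书生成失败\n' >&2
  exit 1
fi
systemctl daemon-reload
systemctl restart docker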
下载认证文件 ca.pem、cert.pem、key.pem
修改 /usr/lib/systemd/system/docker.service 文件，添加端口暴露：
# NOTE(review): "--graph /data/docker" sets the storage root here while the
# daemon.json above sets "data-root": "/containers"; dockerd is expected to
# refuse to start when the same option is given both as a flag and in the
# config file — confirm, and keep only one of the two ("--graph" is the
# deprecated spelling of "--data-root"). The tcp listener on 0.0.0.0:2375 is
# protected only by the tls/tlsverify settings in daemon.json, so that file and
# the certificates it names must be in place before this unit is reloaded.
ExecStart=/usr/bin/dockerd --graph /data/docker -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock -H fd:// --containerd=/run/containerd/containerd.sock