Ssl Docker Swarm with TLS:Compose使用Docker\u CERT\u路径的行为异常
我有两台机器(Ubuntu服务器16.04)运行Docker Swarm集群。在每台机器上运行:Ssl Docker Swarm with TLS:Compose使用Docker\u CERT\u路径的行为异常,ssl,docker,docker-compose,docker-swarm,Ssl,Docker,Docker Compose,Docker Swarm,我有两台机器(Ubuntu服务器16.04)运行Docker Swarm集群。在每台机器上运行: Docker 1.11.2 领事0.6.4 Docker Swarm管理器和节点Swarm/1.2.3 Docker Compose 1.7.1 一切都是用TLS加密的 我按照上的说明在我的主目录中添加了一个.bash\u配置文件: export DOCKER_HOST=tcp://10.0.0.38:4000 export DOCKER_CERT_PATH=/usr/local/share/c
- Docker 1.11.2
- 领事0.6.4
- Docker Swarm管理器和节点Swarm/1.2.3
- Docker Compose 1.7.1
.bash\u配置文件
:
export DOCKER_HOST=tcp://10.0.0.38:4000
export DOCKER_CERT_PATH=/usr/local/share/ca-certificates
export DOCKER_TLS_VERIFY=1
在source.bash_profile
之后,docker ps
命令运行时不会出现问题:
manager@master:~$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9a609e5f2688 gliderlabs/registrator "/bin/registrator -in" 17 hours ago Up 57 minutes slave1/master_registrator_1
228a225e8659 registry:2 "/bin/registry serve " 18 hours ago Up 46 minutes 10.0.0.38:5000->5000/tcp master/master_registry_1
但是当我尝试docker compose ps
时,它抛出以下错误:
manager@master:~$ docker-compose ps
ERROR: SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
Swarm Manager抱怨ca缺失:
http:10.0.0.38:52104的TLS握手错误:远程错误:未知
证书颁发机构
但当我将证书定义为参数时,一切似乎都正常(尽管有一些警告):
我没有定义ca.pem,但是如果没有参数,compose似乎无法找到正确的证书
以下是包含证书的目录:
manager@master:~$ ls -l /usr/local/share/ca-certificates
total 12
-rw-rw-r-- 1 master master 1180 Jul 13 09:19 ca.pem
-rw-rw-r-- 1 master master 1107 Jul 13 10:08 cert.pem
-rw-rw-r-- 1 master master 1675 Jul 13 10:07 key.pem
我错过了什么?证书似乎很好,因为它们与docker本身一起工作,docker由参数组成
确切版本:
码头工人
Client:
Version: 1.11.2
API version: 1.23
Go version: go1.5.4
Git commit: b9f10c9
Built: Wed Jun 1 22:00:43 2016
OS/Arch: linux/amd64
Server:
Version: 1.11.2
API version: 1.23
Go version: go1.5.4
Git commit: b9f10c9
Built: Wed Jun 1 22:00:43 2016
OS/Arch: linux/amd64
蜂拥
谱写
docker-compose version 1.7.1, build 0a9ab35
docker-py version: 1.8.1
CPython version: 2.7.9
OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
更新
经过一些研究(),似乎env varsCURL\u CA\u BUNDLE
和REQUESTS\u CA\u BUNDLE
会影响docker compose命令。因此,我尝试通过curl直接访问Docker Swarm Manager,而不使用env vars设置:
curl --cert $DOCKER_CERT_PATH/cert.pem --key $DOCKER_CERT_PATH/key.pem https://10.0.0.38:4000/networks
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
但是在将这些行添加到我的.bash\u配置文件和source.bash\u配置文件之后:
export CURL_CA_BUNDLE=/usr/local/share/ca-certificates/ca.pem
export REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/ca.pem
请求工作:
curl --cert $DOCKER_CERT_PATH/cert.pem --key $DOCKER_CERT_PATH/key.pem https://10.0.0.38:4000/networks
[{"Name":"slave1/bridge","Id"...
遗憾的是,docker compose
上的错误仍然存在(即使有参数):
export CURL_CA_BUNDLE=/usr/local/share/ca-certificates/ca.pem
export REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/ca.pem
curl --cert $DOCKER_CERT_PATH/cert.pem --key $DOCKER_CERT_PATH/key.pem https://10.0.0.38:4000/networks
[{"Name":"slave1/bridge","Id"...
manager@master:~$ docker-compose --tlscert /usr/local/share/ca-certificates/cert.pem --tlskey /usr/local/share/ca-certificates/key.pem ps
ERROR: SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)