Docker使用IDEA一键部署

bridge
2022-01-27 / 0 评论 / 0 点赞 / 1,215 阅读 / 7,125 字 / 正在检测是否收录...
温馨提示:
本文最后更新于 2022-01-27,若内容或图片失效,请留言反馈。部分素材来自网络,若不小心影响到您的利益,请联系我们删除。

环境:IntelliJ IDEA 2018.1.6 x64、CentOS 7

一、无CA认证方式

注意:无ca认证不安全,推荐仅自己可见的时候使用

1、修改服务器配置,开放Docker的远程连接访问

[root@localhost ~]# vim /usr/lib/systemd/system/docker.service 
  • 将ExecStart属性value值改为
/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix://var/run/docker.sock

2、重启docker

[root@localhost ~]# systemctl daemon-reload 
[root@localhost ~]# systemctl restart docker

3、开放防火墙2375端口

firewall-cmd --add-port=2375/tcp

4、随便写个接口,等会进行测试

5、idea安装docker integration插件

  • 插件安装完成重启idea后可以看到底部多了个docker标志

5、接下来给项目打成jar包

6、然后编写DockerFile

  • 我这里找了个相对比较小的jdk,是在官方镜像库找到的
  • 也可以在国内的镜像库里找,如:FROM hub.c.163.com/library/java:8-jre
FROM 99taxis/mini-java8

ADD target/*.jar idea-docker-deploy.jar

EXPOSE 8765

ENTRYPOINT ["java", "-jar", "idea-docker-deploy.jar"]

项目右键新建一个没有后缀的File

7、接下来配置idea一键部署

  • 选中第一个

  • 如图进行填写

8、运行容器

  • 可以看到相应的日志

9、访问接口

成功

  • 也可以在服务器上打命令查看
[root@localhost ~]# docker images
REPOSITORY                                             TAG                 IMAGE ID            CREATED             SIZE
idea-docker-deploy                                     latest              0b9861752b28        11 minutes ago      210MB
registry.cn-hangzhou.aliyuncs.com/zhaoyoung/mycentos   1.1                 de8fc9f45769        26 hours ago        455MB
mycentos                                               1.1                 de8fc9f45769        26 hours ago        455MB
zhaoyoungtomcat9                                       latest              124517434916        45 hours ago        751MB
myip_son                                               latest              6c9507aea358        3 days ago          398MB
myip_father                                            latest              2c22e721607a        3 days ago          299MB
myip2                                                  latest              dcbb4656e640        3 days ago          299MB
myip                                                   latest              9e3c14f76b1d        3 days ago          299MB
mycentos                                               1.0                 c2d4f6acb9af        4 days ago          455MB
zhaoyoung/nodocstomcat                                 1.0                 84498728984a        6 days ago          463MB
centos                                                 latest              75835a67d134        7 days ago          200MB
redis                                                  3.2                 a17eb18b1c62        2 weeks ago         76MB
tomcat                                                 latest              41a54fe1f79d        4 weeks ago         463MB
hello-world                                            latest              4ab4c602aa5e        5 weeks ago         1.84kB
mysql                                                  5.6                 1f47fade220d        6 weeks ago         256MB
99taxis/mini-java8                                     latest              45f8a8f0a77a        16 months ago       194MB
[root@localhost ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
3f9cc9e975bb        0b9861752b28        "java -jar idea-dock…"   11 minutes ago      Up 11 minutes       0.0.0.0:8765->8765/tcp   idea-docker-deploy

二、有CA认证方式

注意:前面提到的配置是允许所有人都可以访问的,因为docker默认是root权限的,你把2375端口暴露在外面,意味着别人随时都可以提取到你服务器的root权限,是很容易被黑客黑的,因此,docker官方推荐使用加密的tcp连接,以Https的方式与客户端建立连接

1、创建ca文件夹,存放CA私钥和公钥

[root@localhost ~]# mkdir -p /usr/local/ca
[root@localhost ~]# cd /usr/local/ca/

2、创建密码

  • 需要连续输入两次相同的密码
[root@localhost ca]# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
...................++
..........................................................................................................................................................................................................................................................................................................................................................++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:

3、依次输入密码、国家、省、市、组织名称等

[root@localhost ca]# openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:zj
Locality Name (eg, city) [Default City]:hz
Organization Name (eg, company) [Default Company Ltd]:qdsg
Organizational Unit Name (eg, section) []:qdsg
Common Name (eg, your name or your server's hostname) []:qdsg
Email Address []:1@qq.com
[root@localhost ca]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
...........................++
................++
e is 65537 (0x10001)

4、生成server-key.pem

[root@localhost ca]# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.................................................................................................................................................++
.................................................++
e is 65537 (0x10001)

5、把下面的$Host换成你自己服务器外网的IP或者域名

openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

比如

openssl req -subj "/CN=192.168.1.106" -sha256 -new -key server-key.pem -out server.csr

openssl req -subj "/CN=www.baidu.com" -sha256 -new -key server-key.pem -out server.csr

6、配置白名单

也就是你接下来要允许那些ip可以连接到服务器的docker,因为已经是ssl连接,所以我推荐配置0.0.0.0,也就是所有ip都可以连接(但只有拥有证书的才可以连接成功),这样配置好之后公司其他人也可以使用。如果你不想这样,那你可以配置ip,用逗号分隔开。下面的$Host依旧是你服务器外网的IP或者域名,请自行替换。

注意!!!!这里我踩了坑

  • 如果你填写的是ip地址的话命令如下
echo subjectAltName = IP:$HOST,IP:0.0.0.0 >> extfile.cnf
  • 如果你填写的是域名的话命令如下
echo subjectAltName = DNS:$HOST,IP:0.0.0.0 >> extfile.cnf

7、执行命令,将Docker守护程序密钥的扩展使用属性设置为仅用于服务器身份验证

[root@localhost ca]# echo extendedKeyUsage = serverAuth >> extfile.cnf

8、执行命令,并输入之前设置的密码,生成签名证书

[root@localhost ca]# openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \-CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=192.168.1.106
Getting CA Private Key
Enter pass phrase for ca-key.pem:

9、生成客户端的key.pem,到时候把生成好的几个公钥私钥拷出去即可

[root@localhost ca]# openssl genrsa -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
...........................................................................................................................................................................................................................................................................................................................................................................++
......................................................................................................................................++
e is 65537 (0x10001)

10、执行命令

[root@localhost ca]# openssl req -subj '/CN=client' -new -key key.pem -out client.csr

11、执行命令,要使密钥适合客户端身份验证,请创建扩展配置文件

[root@localhost ca]# echo extendedKeyUsage = clientAuth >> extfile.cnf

12、生成cert.pem,需要输入前面设置的密码,生成签名证书

[root@localhost ca]# openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \-CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:

13、删除不需要的文件,两个证书签名请求

[root@localhost ca]# rm -v client.csr server.csr
rm:是否删除普通文件 "client.csr"?y
已删除"client.csr"

14、修改权限,要保护您的密钥免受意外损坏,请删除其写入权限。要使它们只能被您读取,更改文件模式

[root@localhost ca]# chmod -v 0400 ca-key.pem key.pem server-key.pem
mode of "ca-key.pem" changed from 0644 (rw-r--r--) to 0400 (r--------)
mode of "key.pem" changed from 0644 (rw-r--r--) to 0400 (r--------)
mode of "server-key.pem" changed from 0644 (rw-r--r--) to 0400 (r--------)
  • 证书可以是对外可读的,删除写入权限以防止意外损坏
[root@localhost ca]# chmod -v 0444 ca.pem server-cert.pem cert.pem
mode of "ca.pem" changed from 0644 (rw-r--r--) to 0444 (r--r--r--)
mode of "server-cert.pem" changed from 0644 (rw-r--r--) to 0444 (r--r--r--)
mode of "cert.pem" changed from 0644 (rw-r--r--) to 0444 (r--r--r--)

15、归集服务器证书

[root@localhost ca]# cp server-*.pem  /etc/docker/
[root@localhost ca]# cp ca.pem /etc/docker/

16、修改Docker配置,使Docker守护程序仅接受来自提供CA信任的证书的客户端的连接

[root@localhost ca]# vim /lib/systemd/system/docker.service
  • 将 ExecStart=/usr/bin/dockerd 替换为:
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock

17、重新加载daemon并重启docker

[root@localhost ~]# sudo systemctl daemon-reload  && sudo systemctl restart docker

18、开放防火墙2375端口

firewall-cmd --add-port=2375/tcp

19、保存相关客户端的pem文件到本地

20、idea的配置

21、若出现以下错误,请查看前面的步骤是否遗漏或出错

0

评论区