Configure remote access for the Docker daemon
By default, the Docker daemon listens for connections on a Unix socket and accepts requests from local clients. You can configure Docker to accept requests from remote clients on an IP address and port in addition to the Unix socket.
Configuring Docker to accept connections from remote clients can leave the host vulnerable to unauthorized access and other attacks.
It is critically important to understand the security implications of exposing Docker on the network. If no steps are taken to secure the connection, a remote non-root user may be able to gain root access on the host.
Remote access without TLS is not recommended, and a future release will require an explicit opt-in for it.
For how to use TLS certificates to secure this connection, see "Protect the Docker daemon socket".
Enabling remote access
You can enable remote access either with the docker.service systemd unit file or with the daemon.json file. On distributions that do not use systemd, use the daemon.json file.
Configuring Docker to listen for connections with both the systemd unit file and the daemon.json file causes a conflict that prevents Docker from starting.
Configuring remote access with the systemd unit file
- Use the sudo systemctl edit docker.service command to open an override file for docker.service in a text editor.
- Add or modify the following lines, substituting values appropriate for your environment:
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375
- Save the file.
- Reload the systemctl configuration:
$ sudo systemctl daemon-reload
- Restart Docker:
$ sudo systemctl restart docker.service
- Verify that the change has taken effect:
$ sudo netstat -lntp | grep dockerd
tcp 0 0 127.0.0.1:2375 0.0.0.0:* LISTEN 3758/dockerd
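The verification step above only shows that dockerd is listening; what matters for security is where it listens. The following script, added here and not part of the Docker documentation, parses lines in the format printed by netstat -lntp and flags any plaintext API socket (port 2375) bound to an address other than loopback. The sample lines are constructed; on a real host, pipe in sudo netstat -lntp. It assumes that a listener on port 2376 is a TLS socket started with --tlsverify, so that a remote client must present a certificate.

```shell
#!/bin/sh
# Added example, not from the Docker docs: classify dockerd TCP listeners
# from `netstat -lntp` style lines and flag exposed plaintext sockets.

# classify_listener ADDR:PORT -> prints loopback, tls or exposed
classify_listener() {
    addr=${1%:*}     # everything before the last ':' (handles :::2376 too)
    port=${1##*:}
    case "$addr" in
        127.*|::1) echo loopback; return 0 ;;
    esac
    # Assumption: 2376 is the TLS port and dockerd runs with --tlsverify,
    # so it is reachable remotely but requires a client certificate.
    if [ "$port" = 2376 ]; then echo tls; return 0; fi
    echo exposed
}

# check_dockerd_listeners (reads netstat -lntp lines on stdin)
# -> prints "proto addr:port kind" per dockerd TCP listener and returns 1
#    if any of them is a plaintext socket reachable from outside loopback
check_dockerd_listeners() {
    rc=0
    while read -r proto _ _ laddr _ state prog; do
        case "$proto" in tcp|tcp6) ;; *) continue ;; esac
        [ "$state" = LISTEN ] || continue
        case "$prog" in */dockerd) ;; *) continue ;; esac
        kind=$(classify_listener "$laddr")
        echo "$proto $laddr $kind"
        if [ "$kind" = exposed ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample: loopback plaintext socket plus a TLS socket (fine)
SAMPLE_OK='tcp        0      0 127.0.0.1:2375          0.0.0.0:*               LISTEN      3758/dockerd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp6       0      0 :::2376                 :::*                    LISTEN      3758/dockerd'

# Constructed sample: plaintext API bound to every interface (not fine)
SAMPLE_BAD='tcp        0      0 0.0.0.0:2375            0.0.0.0:*               LISTEN      3758/dockerd'

printf '%s\n' "$SAMPLE_OK" | check_dockerd_listeners
if ! printf '%s\n' "$SAMPLE_BAD" | check_dockerd_listeners; then
    echo "WARNING: plaintext dockerd API reachable from the network"
fi
```

Run it after the restart as sudo netstat -lntp | sh -c '. ./check.sh; check_dockerd_listeners' or simply paste the functions into your shell; a non-zero exit means the 2375 listener is not confined to 127.0.0.1 and the daemon must be reconfigured (or put behind TLS) before the host is reachable by others.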
Configuring remote access with daemon.json
- Set the hosts array in the /etc/docker/daemon.json file so that the daemon listens on the Unix socket and on an IP address:
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"]
}
- Restart Docker.
- Verify that the change has taken effect:
$ sudo netstat -lntp | grep dockerd
tcp 0 0 127.0.0.1:2375 0.0.0.0:* LISTEN 3758/dockerd
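Because defining the listeners in both the systemd unit file and daemon.json stops dockerd from starting, it is worth checking for that combination before the restart. The script below is an added example, not Docker's own tooling: it takes the unit file (or drop-in) and daemon.json paths as arguments, so it can be pointed at the real /etc/docker/daemon.json and the docker.service override, and it is exercised here on constructed sample files.

```shell
#!/bin/sh
# Added example, not from the Docker docs: detect the "hosts configured in
# both the unit file and daemon.json" conflict before restarting dockerd.

# unit_sets_hosts FILE -> 0 if a non-comment ExecStart= line passes
# -H / --host to dockerd
unit_sets_hosts() {
    [ -f "$1" ] || return 1
    grep -v '^[[:space:]]*[#;]' "$1" \
      | grep '^[[:space:]]*ExecStart=.*dockerd' \
      | grep -Eq -- '(^|[[:space:]])(-H|--host)([[:space:]=]|$)'
}

# json_sets_hosts FILE -> 0 if daemon.json contains a "hosts" key
json_sets_hosts() {
    [ -f "$1" ] || return 1
    grep -Eq '"hosts"[[:space:]]*:' "$1"
}

# hosts_conflict UNIT_FILE DAEMON_JSON -> 0 when both define the listeners,
# which is the combination that prevents dockerd from starting
hosts_conflict() {
    unit_sets_hosts "$1" && json_sets_hosts "$2"
}

# report UNIT_FILE DAEMON_JSON -> prints a verdict, returns 1 on conflict
report() {
    if hosts_conflict "$1" "$2"; then
        echo "CONFLICT: remove \"hosts\" from $2 or the -H flags from $1"
        return 1
    fi
    echo "ok: listeners are defined in at most one place"
}

TMPDIR_EX=$(mktemp -d)

# Constructed drop-in, as written by `systemctl edit docker.service`.
# The empty ExecStart= line clears the unit's original command so that
# systemd does not end up with two ExecStart values.
cat > "$TMPDIR_EX/override.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375
EOF

# Constructed daemon.json that also sets hosts (conflicts with the drop-in)
cat > "$TMPDIR_EX/daemon-hosts.json" <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"]
}
EOF

# Constructed daemon.json without hosts (no conflict)
cat > "$TMPDIR_EX/daemon-plain.json" <<'EOF'
{
  "log-driver": "json-file"
}
EOF

report "$TMPDIR_EX/override.conf" "$TMPDIR_EX/daemon-hosts.json"
report "$TMPDIR_EX/override.conf" "$TMPDIR_EX/daemon-plain.json"
```

Note that the stock docker.service shipped by most distributions already passes -H fd:// to dockerd, so the check also fires when daemon.json sets hosts and there is no drop-in at all; in that case an override that clears ExecStart and restarts dockerd without -H is needed before daemon.json can own the hosts list.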
Allow access to the remote API through a firewall
If you run a firewall on the same host as the Docker daemon and want to access the Docker Remote API from another remote host, you must configure the firewall to permit incoming connections on the Docker port. The default port is 2376 if you use a TLS-encrypted transport, and 2375 otherwise.
Two commonly used firewall daemons are:
- Uncomplicated Firewall (ufw), commonly used on Ubuntu systems.
- firewalld, commonly used on RPM-based systems.
Consult the documentation for your OS and firewall. The following information may help you get started. The settings used in these instructions are permissive; consider a different configuration that locks the system down more tightly.
- For ufw, set DEFAULT_FORWARD_POLICY="ACCEPT" in its configuration.
- For firewalld, add rules similar to the following to your policy, one for incoming requests and one for outgoing requests:
<direct>
  [ <rule ipv="ipv6" table="filter" chain="FORWARD_direct" priority="0"> -i zt0 -j ACCEPT </rule> ]
  [ <rule ipv="ipv6" table="filter" chain="FORWARD_direct" priority="0"> -o zt0 -j ACCEPT </rule> ]
</direct>
Make sure that the interface names and chain names are correct.
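A wrong interface name in a direct rule silently matches nothing, and a chain name that is not one of firewalld's built-in direct chains is rejected at reload time. The following added example (not part of the Docker documentation) checks a direct.xml fragment like the one above before it is applied: every <rule> must reference an interface that exists on the host and a chain whose name ends in _direct. The interface list is passed as an argument; on a real host you would pass "$(ip -o link show | awk -F': ' '{print $2}')". The sample fragments are constructed and written as firewalld's /etc/firewalld/direct.xml would actually hold them, without the surrounding brackets shown in the snippet above.

```shell
#!/bin/sh
# Added example, not from the Docker docs: validate chain and interface
# names in firewalld direct rules before loading them.

# check_direct_rules RULE_FILE "IFACE IFACE ..." -> 0 if every <rule>
# names a *_direct chain and an interface from the list; otherwise prints
# the problems found and returns 1
check_direct_rules() {
    known=" $2 "
    grep -q '<rule ' "$1" || { echo "no <rule> elements found in $1"; return 1; }
    problems=$(grep -o '<rule [^>]*>[^<]*</rule>' "$1" | while IFS= read -r rule; do
        chain=$(printf '%s\n' "$rule" | sed -n 's/.*chain="\([^"]*\)".*/\1/p')
        iface=$(printf '%s\n' "$rule" | sed -n 's/.*-[io] \([^ ]*\).*/\1/p')
        case "$chain" in
            *_direct) ;;   # INPUT_direct, OUTPUT_direct, FORWARD_direct, ...
            *) echo "not a built-in direct chain: ${chain:-<missing>}" ;;
        esac
        if [ -z "$iface" ]; then
            echo "rule without -i/-o interface: $rule"
        else
            case "$known" in
                *" $iface "*) ;;
                *) echo "interface not present on host: $iface" ;;
            esac
        fi
    done)
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Constructed fragment matching the rules in the text (interface zt0)
RULES_OK=$(mktemp)
cat > "$RULES_OK" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv6" table="filter" chain="FORWARD_direct" priority="0"> -i zt0 -j ACCEPT </rule>
  <rule ipv="ipv6" table="filter" chain="FORWARD_direct" priority="0"> -o zt0 -j ACCEPT </rule>
</direct>
EOF

# Constructed fragment with a mistyped chain name
RULES_TYPO=$(mktemp)
cat > "$RULES_TYPO" <<'EOF'
<direct>
  <rule ipv="ipv6" table="filter" chain="FORWARD" priority="0"> -i zt0 -j ACCEPT </rule>
</direct>
EOF

check_direct_rules "$RULES_OK" "lo eth0 zt0" && echo "rules ok"
check_direct_rules "$RULES_OK" "lo eth0" || echo "fix the interface names above"
check_direct_rules "$RULES_TYPO" "lo eth0 zt0" || echo "fix the chain names above"
```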
Additional information
For more details on the configuration options for remote access to the daemon, see the dockerd CLI reference.