From 22529fd6ccf20e8e654f92c617521c081ebcc272 Mon Sep 17 00:00:00 2001
From: pashko
Date: Fri, 6 Jun 2025 11:43:06 +0800
Subject: [PATCH] Add docker/mTLS

---
 docker/mTLS | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 docker/mTLS

diff --git a/docker/mTLS b/docker/mTLS
new file mode 100644
index 0000000..0049550
--- /dev/null
+++ b/docker/mTLS
@@ -0,0 +1,51 @@
+
+ 17 mkdir /etc/docker/tls
+ 18 cd /etc/docker/tls
+ 19 openssl genrsa -out server-key.pem 4096
+ 20 dnf install openssl
+ 21 openssl genrsa -out server-key.pem 4096
+ 22 openssl genrsa -aes256 -out ca-key.pem 4096
+ 23 openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
+ 24 openssl genrsa -out key.pem 4096
+ 25 openssl genrsa -out server-key.pem 4096
+ 26 openssl req -subj "/CN=dev01.tnt.local" -sha256 -new -key server-key.pem -out server.csr
+ 27 echo subjectAltName = DNS:dev01.tnt.local,IP:10.2.24.21,IP:127.0.0.1 >> extfile.cnf
+ 28 echo extendedKeyUsage = serverAuth >> extfile.cnf
+ 29 openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
+ 30 openssl genrsa -out key.pem 4096
+ 31 openssl req -subj '/CN=client' -new -key key.pem -out client.csr
+ 32 echo extendedKeyUsage = clientAuth > extfile-client.cnf
+ 33 openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf
+ 34 rm -v client.csr server.csr extfile.cnf extfile-client.cnf
+ 35 chmod -v 0400 ca-key.pem key.pem server-key.pem
+ 36 chmod -v 0444 ca.pem server-cert.pem cert.pem
+ 37 systemctl cat docker
+ 38 mcedit /lib/systemd/system/docker.service
+ 39 systemctl stop docker
+ 40 mcedit /lib/systemd/system/docker.service
+ 41 systemctl daemon-reload
+ 42 systemctl start docker
+ 43 systemctl status docker
+ 44 cat /etc/docker/tls/ca.pem
+ 45 cat etc/docker/tls/server-cert.pem
+ 46 cat /etc/docker/tls/server-cert.pem
+ 47 cat /etc/docker/tls/key.pem
+ 48 cat /etc/docker/tls/ca.pem
+ 49 ls -la
+ 50 cat cert.pem
+ 51 cat /etc/docker/tls/key.pem
+
+
+
+mcedit /lib/systemd/system/docker.service
+[Service]
+Type=notify
+# the default is not to use systemd for cgroups because the delegate issues still
+# exists and systemd currently does not support the cgroup feature set required
+# for containers run by docker
+#ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
+ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --tlsverify --tlscacert=/etc/docker/tls/ca.pem --tlscert=/etc/docker/tls/server-cert.pem --tlskey=/etc/docker/tls/server-key.pem -H=0.0.0.0:2376
+ExecReload=/bin/kill -s HUP $MAINPID
+TimeoutSec=0
+RestartSec=2
+Restart=always
\ No newline at end of file
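Review bot: The new ExecStart line at the end of the hunk binds the TLS endpoint with `-H=0.0.0.0:2376`, i.e. on every interface, while the server certificate's SAN (history line 27) only names dev01.tnt.local, 10.2.24.21 and 127.0.0.1; binding to the management address instead, `-H=tcp://10.2.24.21:2376`, keeps the daemon off interfaces it was never certified for and limits who can even reach the mTLS handshake. The option is also edited into the package-owned `/lib/systemd/system/docker.service` (history lines 38 and 40), which a docker package update will typically overwrite and thereby silently drop `--tlsverify`; a drop-in `/etc/systemd/system/docker.service.d/override.conf` containing `[Service]`, an empty `ExecStart=` to reset the list, and the new `ExecStart=` line survives upgrades and is what `systemctl cat docker` would then show. Two hygiene points from the captured history: `cat /etc/docker/tls/key.pem` (lines 47 and 51) dumped the client private key to the terminal and any session log, so that key should be treated as exposed and reissued, and `ca-key.pem` lives on the same host the daemon runs on, so a compromise of dev01 also yields the ability to mint arbitrary client certificates — the CA key belongs offline, or at least outside `/etc/docker/tls`. Lines 19, 21 and 25 regenerate server-key.pem and lines 24 and 30 regenerate key.pem, which only works out because both CSRs (lines 26 and 31) were created after the last regeneration; collapse those before anyone replays this file as a runbook.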