目的：

PHP 想使用swoole框架hyperf ，但是hyperf的开发需要mac或者linux环境，所以在 windows下的使用连接docker的方案！

环境要求：

windows 已安装phpstorm

linux 系统已安装Docker（我这里是虚拟机，ip：192.168.2.252）

 

安装过程：

一、创建TLS加密认证脚本目录和证书存放目录

 

 

 

[root@localhost ~]# cd /docker/
[root@localhost docker]# ls
dockerfile  mysql  prometheus  redis  test
[root@localhost docker]# mkdir -p script cert

 

 

二、创建TLS加密认证脚本文件

 

 

 

[root@localhost docker]# touch script/cert.sh
[root@localhost docker]# vim script/cert.sh

 

 shell脚本内容：

 

• 用IP使用下面配置（本地环境），主要区别在subjectAltName的值

 

#!/bin/bash
set -e
if [ -z $1 ];then
        echo "请输入Docker服务器主机名"
        exit 0
fi
HOST=$1
mkdir -p /docker/cert
cd /docker/cert
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
# 配置白名单，推荐配置0.0.0.0，允许所有IP连接但只有证书才可以连接成功
echo subjectAltName = IP:$HOST,IP:0.0.0.0 > extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo extendedKeyUsage = clientAuth > extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
rm -v client.csr server.csr
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem

 

 

• 用域名使用下面配置

 

#!/bin/bash
set -e
if [ -z $1 ];then
        echo "请输入Docker服务器主机名"
        exit 0
fi
HOST=$1
mkdir -p /docker/cert
cd /docker/cert
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
# 配置白名单，推荐配置0.0.0.0，允许所有IP连接但只有证书才可以连接成功
echo subjectAltName = DNS:$HOST,IP:0.0.0.0 > extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo extendedKeyUsage = clientAuth > extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
rm -v client.csr server.csr
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem

 

三、执行shell脚本

 

密码均设置为forpastime  192.168.2.252为主机ip地址

 

 

 

[root@localhost script]# sh cert.sh 192.168.2.252
Generating RSA private key, 4096 bit long modulus
...............................................................................................................................................................++
.................................++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:zh
State or Province Name (full name) []:sc
Locality Name (eg, city) [Default City]:cd
Organization Name (eg, company) [Default Company Ltd]:for
Organizational Unit Name (eg, section) []:past
Common Name (eg, your name or your server's hostname) []:time
Email Address []:564179234@qq.com
Generating RSA private key, 4096 bit long modulus
........................................................++
.................................................................................................................++
e is 65537 (0x10001)
Signature ok
subject=/CN=192.168.2.252
Getting CA Private Key
Enter pass phrase for ca-key.pem:
Generating RSA private key, 4096 bit long modulus
..................................................................................................++
.......................................................................................++
e is 65537 (0x10001)
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:
已删除"client.csr"
已删除"server.csr"
mode of "ca-key.pem" changed from 0644 (rw-r--r--) to 0400 (r--------)
mode of "key.pem" changed from 0644 (rw-r--r--) to 0400 (r--------)
mode of "server-key.pem" changed from 0644 (rw-r--r--) to 0400 (r--------)
mode of "ca.pem" changed from 0644 (rw-r--r--) to 0444 (r--r--r--)
mode of "server-cert.pem" changed from 0644 (rw-r--r--) to 0444 (r--r--r--)
mode of "cert.pem" changed from 0644 (rw-r--r--) to 0444 (r--r--r--)
[root@localhost script]# cd ../cert/
[root@localhost cert]# ls
ca-key.pem  ca.pem  ca.srl  cert.pem  extfile.cnf  key.pem  server-cert.pem  server-key.peml

 

四、修改docker配置文件

原有的

 “ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock”

前面加上“#”号注掉重写

以下是代码：

 

 

 

#自定义配置 -H代表指定docker的监听方式，这里是socket文件文件位置，也就是socket方式，2375就是tcp端口 
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 --tlsverify --tlscacert=/docker/cert/ca.pem --tlscert=/docker/cert/server-cert.pem --tlskey=/docker/cert/server-key.pem

 

 

ExecStart=/usr/bin/dockerd  \

-H unix:///var/run/docker.sock  \

-H tcp://0.0.0.0:2375  \

--tlsverify --tlscacert=/docker/cert/ca.pem \ 

--tlscert=/docker/cert/server-cert.pem \ 

--tlskey=/docker/cert/server-key.pem \

 

五、重启docker查看docker状态和2375端口

 

 

 

[root@localhost docker]# systemctl daemon-reload
[root@localhost docker]# systemctl restart docker
[root@localhost docker]# docker ps
CONTAINER ID   IMAGE             COMMAND                  CREATED        STATUS          PORTS                                                 NAMES
be038170aa24   prom/prometheus   "/bin/prometheus --c…"   17 hours ago   Up 56 seconds   0.0.0.0:3001->3001/tcp, :::3001->3001/tcp, 9090/tcp   prometheus
65365e02ee48   grafana/grafana   "/run.sh"                17 hours ago   Up 56 seconds   0.0.0.0:3000->3000/tcp, :::3000->3000/tcp             grafana
[root@localhost docker]# ss -nltp | grep 2375
LISTEN     0      1024      [::]:2375                  [::]:*                   users:(("dockerd",pid=27751,fd=10))

 

 

在windows电脑cmd窗口访问

telnet 192.168.2.252 2375，出现空白窗口即表示配置生效

 

使用证书访问 https://192.168.2.252:2375/info

 

 

 

[root@localhost script]# curl https://192.168.2.252:2375/info --cert /docker/cert/cert.pem 
--key /docker/cert/key.pem --cacert /docker/cert/ca.pem
{"ID":"BDSM:MYI6:CDN4:G5WW:EVKK:O4OM:F5O5:CKRK:RCVM:KR5M:IY6M:CSSJ",
"Containers":63,"ContainersRunning":2,"ContainersPaused":0,
"ContainersStopped":61,"Images":29,"Driver":"overlay2",
"DriverStatus":[["Backing Filesystem","xfs"],["Supports d_type","true"],
["Native Overlay Diff","true"],["userxattr","false"]],"Plugins":{"Volume":["local"],
"Network":["bridge","host","ipvlan","macvlan","null","overlay"],
"Authorization":null,"Log":["awslogs","fluentd","gcplogs","gelf","journald","json-file","local","logentries","splunk","syslog"]},"MemoryLimit":true,"SwapLimit":true,"KernelMemory":true,"KernelMemoryTCP":true,"CpuCfsPeriod":true,"CpuCfsQuota":true,"CPUShares":true,"CPUSet":true,"PidsLimit":true,"IPv4Forwarding":true,"BridgeNfIptables":true,"BridgeNfIp6tables":true,"Debug":false,"NFd":38,"OomKillDisable":true,"NGoroutines":43,"SystemTime":"2022-07-01T13:26:19.459215671+08:00","LoggingDriver":"json-file","CgroupDriver":"cgroupfs","CgroupVersion":"1","NEventsListener":0,"KernelVersion":"3.10.0-1160.el7.x86_64","OperatingSystem":"CentOS Linux 7 (Core)","OSVersion":"7","OSType":"linux","Architecture":"x86_64","IndexServerAddress":"https://index.docker.io/v1/","RegistryConfig":{"AllowNondistributableArtifactsCIDRs":[],"AllowNondistributableArtifactsHostnames":[],"InsecureRegistryCIDRs":["127.0.0.0/8"],"IndexConfigs":{"docker.io":{"Name":"docker.io","Mirrors":["https://no15i93v.mirror.aliyuncs.com/"],"Secure":true,"Official":true}},"Mirrors":["https://no15i93v.mirror.aliyuncs.com/"]},"NCPU":4,"MemTotal":8201256960,"GenericResources":null,"DockerRootDir":"/var/lib/docker","HttpProxy":"","HttpsProxy":"","NoProxy":"","Name":"localhost.localdomain","Labels":[],"ExperimentalBuild":false,"ServerVersion":"20.10.15","Runtimes":{"io.containerd.runc.v2":{"path":"runc"},"io.containerd.runtime.v1.linux":{"path":"runc"},"runc":{"path":"runc"}},"DefaultRuntime":"runc",
"Swarm":{"NodeID":"","NodeAddr":"","LocalNodeState":"inactive",
"ControlAvailable":false,"Error":"","RemoteManagers":null},
"LiveRestoreEnabled":false,"Isolation":"","InitBinary":"docker-init",
"ContainerdCommit":{"ID":"212e8b6fa2f44b9c21b2798135fc6fb7c53efc16","Expected":"212e8b6fa2f44b9c21b2798135fc6fb7c53efc16"},
"RuncCommit":{"ID":"v1.1.1-0-g52de29d","Expected":"v1.1.1-0-g52de29d"},
"InitCommit":{"ID":"de40ad0","Expected":"de40ad0"},
"SecurityOptions":["name=seccomp,profile=default"],"Warnings":null}

记得暴露2375端口

iptables -I INPUT -p tcp --dport 2375 -j ACCEPT

我这是本地环境直接关闭防火墙

# 查看防火墙状态 

 firewall-cmd --state 

 #临时关闭防火墙 

 systemctl stop firewalld.service 

 # 永久关闭防火墙 

 systemctl disable firewalld

 

六、phpstorm配置

• 1.将上面生成的证书复制到本地电脑 

我这里放在E盘

 

• 2.打开phpstorm设置

 

遇见的问题：

出现无法连接：

“com.github.dockerjava.api.exception.DockerClientException: Enabled TLS verif

'C:\Users\Administrator\.docker\machine\machines\default' doesn't exist.”

解决方法:打开本地电脑C:\Users\Administrator\.docker\machine\machines\

查看该目录下是否有没有default文件夹，没有就手动创建

 

• 3.创建后在左下角点击【Services】，再“docker”右键点击【connect】，连接成功！