Docker how to use tls

According to the official docker docs docker security let's make tls connection to docker host:

go to the  docker host and generate CA key:

#  openssl genrsa -aes256 -out ca-key.pem 4096

then generate  CA certificate:

#  openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

Now create server private keey:

#  openssl genrsa -out server-key.pem 4096

And then certificate request:

#   openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

Create extfile.cnf to be able connect to docker host via hostname or IP:

#  echo subjectAltName = DNS:$HOST,IP:10.10.10.20,IP:127.0.0.1 >> extfile.cnf
#  echo extendedKeyUsage = serverAuth >> extfile.cnf

Now, generate the signed certificate:

#  openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf


Now we can generate clients' private key

#  openssl genrsa -out key.pem 4096
#  echo extendedKeyUsage = clientAuth > extfile-client.cnf

and request for certificate:

#  openssl req -subj '/CN=client' -new -key key.pem -out client.csr

and create clinet's certificate:

#  openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf


change permission :

#   chmod -v 0400 ca-key.pem key.pem server-key.pem
#   chmod -v 0444 ca.pem server-cert.pem cert.pem


Stop docker service and modify it:

#  systemctl stop docker

#  vi /usr/lib/systemd/system/docker.service

Modify ExecStart command:

ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/private/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock


and then reload daemon config and start docker service:

#  systemctl daemon-reload
#  systemct start docker

Add firewall rules:
#  firewall-cmd --permanent --zone=public --add-port=2376/tcp
#  firewall-cmd --reload




Now on the client host put the appropriate key, certificates: ca.pem, cert.pem, key.pem and set DOCKER_HOST variable :

#  export DOCKER_HOST=$HOST:2376

and try to connect to docker host :

#  docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem info

Firewalld how to block all but allow specific

Usually, default zone = public

So, to block all  need to make default zone drop:

firewall-cmd  --set-default-zone=drop

Then add the specific address to zone trusted:

firewall-cmd --permanent --add-source=$YOUR_IP --zone=trusted

and service ssh

firewall-cmd --permanent --add-service=ssh --zone=trusted

and specific interface to zone trusted:

firewall-cmd --permanent --zone=trusted --add-interface=eth0

save firewalld config:

firewall-cmd --reload


If you need to restrict access to port published by docker container :

firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment 'Allow containers to connect to the outside world'

Add you docker network (in this case 172.17.0.0/16 ):

firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -j RETURN -s 172.17.0.0/16 -m comment --comment 'allow internal docker communication'

Lets allow access to ports 8983 and 8443 from your home network 1.2.3.0/24:

firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -o docker0 -p tcp -m multiport --dports 8983,8443 -s 1.2.3.0/24 -j ACCEPT -m comment --comment 'Allow Home IP to access to 8983,8443 docker ports'
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 10 -j REJECT -m comment --comment 'reject all other traffic to DOCKER-USER'

If you need to allow access from work's address 2.3.4.5 to these ports:

firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -o docker0 -p tcp -m multiport --dports 8983,8443 -s 2.3.4.5  -j ACCEPT -m comment --comment 'Allow work's IP to access to 8983,8443 docker ports'

firewall-cmd --reload

Postgresql Centos 7

To install Postgresql :

yum install -y postgresql-server

Initialize  cluster:

postgresql-setup initdb

Modify config /var/lib/pgsql/data/pg_hba.conf, comment all rows and left one:

local     all             postgres                    peer

Such we enable access to all databases from localhost via Unix socket only user postgres.

Also, you can reset password system's user postgres:

passwd postgres

Now start postgresql server:

systemctl start postgresql

Became postgres user:

su - posgres

Enter postgres shell:

psql

Now you can create a new database, user and grant all privileges to the datababase:

CREATE DATABASE test_database;

CREATE USER test_user WITH password 'qwerty';

GRANT ALL ON DATABASE test_database TO test_user;

Now you can't connect as user  test_user because in config  /var/lib/pgsql/data/pg_hba.conf all connection disabled except postgres. Lets add next row to config file:

local     test_database   test_user                                      md5

and then restart postgresql server :

systemctl restart postgresql

and try to connect :

psql  -d template1 test_user

server'll ask password for user test_user

If you need to connect to the server from another host, need to add next 

host      test_database   test_user     192.168.1.21/32             md5

But you should place it before the previous, set listening interface in config /var/lib/pgsql/data/postgresql.conf:

listen_addresses = '*'

and restart postgresql server

For backup all databases need to run from user postgres:

su - postgres 

pg_dumpall  > pgdumpall.sql

To restore use:

su - postgres

psql -f  pgdumpall.sq

Install Net SDK 3.1 on Centos 7

To install .Net Core SDK 3.1 on Centos 7 need to do the next:

yum update

rpm -Uvh https://packages.microsoft.com/config/centos/7/packages-microsoft-prod.rpm

yum install -y dotnet-sdk-3.1

That's all. :)

Now you can test it. Let's create .Net Core console application:

dotnet new console -o helloworldApp

cd helloworldApp/

dotnet run

You should get "Hello World!" on the console.

Also you can create .Net Core web app:

cd 

dotnet new razor -o myfirstwebapp

cd myfirstwebapp/

dotnet run

You should see something like this:

vsftpd on Centos7

To install vsftpd on Centos7 it need to do next:

yum update
yum install -y vsftpd

rm -f /etc/vsftpd/vsftpd.conf

cat << EOF >> /etc/vsftpd/vsftpd.conf
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
pasv_address=
pasv_max_port=65399
pasv_min_port=65350
anonymous_enable=NO
local_enable=YES
write_enable=YES
log_ftp_protocol=YES
xferlog_enable=YES
xferlog_std_format=NO
vsftpd_log_file=/var/log/vsftpd.log
pam_service_name=vsftpd
userlist_enable=YES
userlist_file=/etc/vsftpd/user_allowed_list
userlist_deny=NO
listen_port=21
EOF

generate key file /etc/vsftpd/vsftpd.pem:

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

and fill in the value for pasv_addres in the file  /etc/vsftpd/vsftpd.conf IP address your server:

pasv_address=XXX.XXX.XXX.XXX

restart vsftpd service:

systemctl restart vsftpd

Add firewall rules :

firewall-cmd --permanent --add-port=20-21/tcp
firewall-cmd --permanent --add-port=65350-65399/tcp
firewall-cmd --reload

and now you can add users from your system in to the file /etc/vsftpd/user_allowed_list

to disable ssh access for ftp users need set /sbin/nologin shell instead /bin/bash for users:

usermod -s /sbin/nologin $USER

and add /sbin/nologin in the /etc/shells

To connect to ftp use for example FileZilla and configure connection like this:

That's all.