docs: create guides/PRTG/docker-monitoring
This commit is contained in:
parent
df0e34880e
commit
d0f908da85
1 changed files with 137 additions and 0 deletions
137
guides/PRTG/docker-monitoring.md
Normal file
@ -0,0 +1,137 @@
|
|||
---
|
||||
title: Monitoring von Docker mit PRTG einrichten
|
||||
description:
|
||||
published: true
|
||||
date: 2024-02-10T22:38:39.069Z
|
||||
tags:
|
||||
editor: markdown
|
||||
dateCreated: 2024-02-10T22:38:39.069Z
|
||||
---
|
||||
|
||||
# Monitoring von Docker mit PRTG einrichten
|
||||
|
||||
## Monitoring von Docker mit PRTG <a name="distribution-starten-und-docker-compose-einrichten"></a>
|
||||
|
||||
Um den Docker Daemon von außen erreichbar zu haben muss man noch einige Zertifikate erstellen und ihn von der Firwall aus erreichbar machen.
|
||||
|
||||
Die Zertifikate werden mit den Folgenden Befehl erstellt, beim Feld wo die *PEM pass phrase* eingeben werden muss kann ein beliebiges Passwort eingegeben werden, dies wird dann in den späteren Schritten wieder benötigt.
|
||||
|
||||
~~~
|
||||
mkdir -p /opt/certs
|
||||
cd /opt/certs
|
||||
openssl genrsa -aes256 -out ca-key.pem 4096
|
||||
Enter PEM pass phrase:
|
||||
Verifying - Enter PEM pass phrase:
|
||||
~~~
|
||||
~~~
|
||||
openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca.pem
|
||||
Enter pass phrase for ca-key.pem:
|
||||
You are about to be asked to enter information that will be incorporated
|
||||
into your certificate request.
|
||||
What you are about to enter is what is called a Distinguished Name or a DN.
|
||||
There are quite a few fields but you can leave some blank
|
||||
For some fields there will be a default value,
|
||||
If you enter '.', the field will be left blank.
|
||||
-----
|
||||
Country Name (2 letter code) [XX]:
|
||||
State or Province Name (full name) []:
|
||||
Locality Name (eg, city) [Default City]:
|
||||
Organization Name (eg, company) [Default Company Ltd]:
|
||||
Organizational Unit Name (eg, section) []:
|
||||
Common Name (eg, your name or your server's hostname) []:
|
||||
Email Address []:
|
||||
~~~
|
||||
|
||||
Danach erstellt man nun noch mit foldenen Befehlen die Server-Zertifikate für Docker:
|
||||
|
||||
~~~
|
||||
openssl genrsa -out server-key.pem 4096
|
||||
~~~
|
||||
|
||||
Hier bitte die Adresse der IP-Adresse (Interface) ergänzen von woher der Zugriff erfolgt.
|
||||
|
||||
~~~
|
||||
HOST=10.161.24.10
|
||||
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
|
||||
echo subjectAltName = DNS:$HOST,IP:10.161.24.10,IP:127.0.0.1 >> extfile.cnf
|
||||
echo extendedKeyUsage = clientAuth > extfile-client.cnf
|
||||
~~~
|
||||
|
||||
~~~
|
||||
openssl genrsa -out key.pem 4096
|
||||
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
|
||||
~~~
|
||||
|
||||
~~~
|
||||
openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf
|
||||
Certificate request self-signature ok
|
||||
subject=CN = client
|
||||
Enter pass phrase for ca-key.pem:
|
||||
~~~
|
||||
|
||||
### Konfigurationen am Docker Service anpassen <a name="distribution-starten-und-docker-compose-einrichten"></a>
|
||||
|
||||
Wir müssen Docker noch sagen, das er nun auf ein andere Adresse hören soll, dafür passieren wir die Service Datei von Docker an. Wir stopen einmal den Docker-Daemon und editieren anschließend die Datei.
|
||||
|
||||
~~~
|
||||
systemctl stop docker
|
||||
|
||||
mkdir -p /etc/systemd/system/docker.service.d/
|
||||
nano -w /etc/systemd/system/docker.service.d/docker-daemon.conf
|
||||
~~~
|
||||
|
||||
Der Inhalt sollte dann wiefolgt aussehen, der Docker Daemon hört nun auf alle Interfacen und IP-Adressen. Da wir aber die Adressen in den Zertifikaten beschränkt haben, sollten trotzdem fremde Systeme im Netzwerk keinen Zugriff bekommen können.
|
||||
|
||||
~~~
|
||||
[Service]
|
||||
ExecStart=
|
||||
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2376 -H fd:// --tlsverify=true --tlscacert=/opt/certs/ca.pem --tlscert=/opt/certs/cert.pem --tlskey=/opt/certs/key.pem --containerd=/run/containerd/containerd.sock
|
||||
~~~
|
||||
|
||||
Danach müssen wir noch den Systemd Service reloaden und können Docker wieder starten mit:
|
||||
|
||||
~~~
|
||||
systemctl daemon-reload
|
||||
systemctl start docker
|
||||
~~~
|
||||
|
||||
Anschließend ist dieses hier der Server Schlüssel:
|
||||
|
||||
~~~
|
||||
cat key.pem
|
||||
~~~
|
||||
|
||||
~~~
|
||||
----BEGIN PRIVATE KEY-----
|
||||
MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDiFvMRT/LP4+K+
|
||||
...
|
||||
-----END PRIVATE KEY-----
|
||||
~~~
|
||||
|
||||
Und das ist das Zertifikart:
|
||||
|
||||
~~~
|
||||
cat cert.pem
|
||||
~~~
|
||||
|
||||
~~~
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIFODCCAyCgAwIBAgIUKzDT5l92Xd89Ksnzh3xoQfzWSgUwDQYJKoZIhvcNAQEL
|
||||
...
|
||||
-----END CERTIFICATE-----
|
||||
~~~
|
||||
|
||||
### Firewall für Docker noch anpassen <a name="distribution-starten-und-docker-compose-einrichten"></a>
|
||||
|
||||
~~~
|
||||
sudo firewall-cmd --permanent --add-port=2376/tcp --zone=public
|
||||
sudo firewall-cmd --reload
|
||||
~~~
|
||||
|
||||
## Quellen
|
||||
|
||||
https://kb.paessler.com/en/topic/67250-how-can-i-create-private-key-and-certificate-for-the-docker-sensor
|
||||
|
||||
https://kb.paessler.com/en/topic/283-how-can-i-use-a-trusted-ssl-certificate-with-the-prtg-web-interface
|
||||
|
||||
https://docs.docker.com/engine/security/protect-access/#create-a-ca-server-and-client-keys-with-openssl
|
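Review bot: the server certificate is never issued, and the daemon ends up serving the client certificate. After `openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr` and the two `extfile` lines, the hunk goes straight to the client flow; the only `openssl x509 -req` call signs `client.csr` into `cert.pem` with `extendedKeyUsage = clientAuth`. The systemd drop-in then starts `dockerd ... --tlscert=/opt/certs/cert.pem --tlskey=/opt/certs/key.pem`, i.e. with the client pair, and the "Server Schlüssel"/"Zertifikat" sections print `key.pem` and `cert.pem`, which are the client credentials that belong on the PRTG side. Add the signing step from the linked Docker page (sign `server.csr` with `ca.pem`/`ca-key.pem` and `-extfile extfile.cnf` into `server-cert.pem`) and point `--tlscert`/`--tlskey` at `server-cert.pem`/`server-key.pem`. In the same block, `echo subjectAltName = DNS:$HOST,IP:10.161.24.10,IP:127.0.0.1` puts an IP address into a `DNS:` entry; with `HOST=10.161.24.10` that entry is meaningless and the `IP:` entry already covers it. The sentence under "Konfigurationen am Docker Service anpassen" saying that the address restriction in the certificates keeps other systems out is also misleading: the subjectAltName only states which names the server certificate is valid for; what actually blocks other hosts is `--tlsverify=true`, which requires a client certificate signed by `ca.pem`, so anyone holding `cert.pem`/`key.pem` gets full access to the Docker API. Given that, binding to `tcp://$HOST:2376` instead of `0.0.0.0`, limiting the firewalld rule to the PRTG probe's source address rather than opening 2376/tcp for the whole public zone, and not pasting `cat key.pem` output into the wiki would be worth stating. Minor: all three sub-headings reuse the anchor `distribution-starten-und-docker-compose-einrichten` (copied from another guide, so the ids are duplicated), `----BEGIN PRIVATE KEY-----` is missing a dash, and spelling: Firwall, foldenen, stopen, "passieren wir" (should be "passen wir ... an"), wiefolgt, Interfacen, Zertifikart.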