os/cmd/control/tlsconf.go

package control

import (
	"io/ioutil"
	"os"
	"path/filepath"

	"github.com/rancher/os/log"

	"github.com/codegangsta/cli"
	machineUtil "github.com/docker/machine/utils"
	"github.com/rancher/os/config"
	"github.com/rancher/os/util"
)

const (
	NAME          string = "rancher"
	BITS          int    = 2048
	ServerTLSPath string = "/etc/docker/tls"
	ClientTLSPath string = "/home/rancher/.docker"
	Cert          string = "cert.pem"
	Key           string = "key.pem"
	ServerCert    string = "server-cert.pem"
	ServerKey     string = "server-key.pem"
	CaCert        string = "ca.pem"
	CaKey         string = "ca-key.pem"
)

func tlsConfCommands() []cli.Command {
	return []cli.Command{
		{
			Name:      "generate",
			ShortName: "gen",
			Usage:     "generates new set of TLS configuration certs",
			Action:    tlsConfCreate,
			Flags: []cli.Flag{
				cli.StringSliceFlag{
					Name:  "hostname, H",
					Usage: "the hostname for which you want to generate the certificate",
					Value: &cli.StringSlice{"localhost"},
				},
				cli.BoolFlag{
					Name:  "server, s",
					Usage: "generate the server keys instead of client keys",
				},
				cli.StringFlag{
					Name:  "dir, d",
					Usage: "the directory to save/read the certs to/from",
					Value: "",
				},
			},
		},
	}
}

func writeCerts(generateServer bool, hostname []string, certPath, keyPath, caCertPath, caKeyPath string) error {
	if !generateServer {
		return machineUtil.GenerateCert([]string{""}, certPath, keyPath, caCertPath, caKeyPath, NAME, BITS)
	}

	if err := machineUtil.GenerateCert(hostname, certPath, keyPath, caCertPath, caKeyPath, NAME, BITS); err != nil {
		return err
	}

	cert, err := ioutil.ReadFile(certPath)
	if err != nil {
		return err
	}

	key, err := ioutil.ReadFile(keyPath)
	if err != nil {
		return err
	}

	// certPath, keyPath are already written to by machineUtil.GenerateCert()
	if err := config.Set("rancher.docker.server_cert", string(cert)); err != nil {
		return err
	}
	if err := config.Set("rancher.docker.server_key", string(key)); err != nil {
		return err
	}

	return nil
}

func writeCaCerts(cfg *config.CloudConfig, caCertPath, caKeyPath string) error {
	if cfg.Rancher.Docker.CACert == "" {
		if err := machineUtil.GenerateCACertificate(caCertPath, caKeyPath, NAME, BITS); err != nil {
			return err
		}

		caCert, err := ioutil.ReadFile(caCertPath)
		if err != nil {
			return err
		}

		caKey, err := ioutil.ReadFile(caKeyPath)
		if err != nil {
			return err
		}

		// caCertPath, caKeyPath are already written to by machineUtil.GenerateCACertificate()
		if err := config.Set("rancher.docker.ca_cert", string(caCert)); err != nil {
			return err
		}
		if err := config.Set("rancher.docker.ca_key", string(caKey)); err != nil {
			return err
		}
	} else {
		cfg = config.LoadConfig()

		if err := util.WriteFileAtomic(caCertPath, []byte(cfg.Rancher.Docker.CACert), 0400); err != nil {
			return err
		}

		if err := util.WriteFileAtomic(caKeyPath, []byte(cfg.Rancher.Docker.CAKey), 0400); err != nil {
			return err
		}
	}

	return nil
}

func tlsConfCreate(c *cli.Context) error {
	err := generate(c)
	if err != nil {
		log.Fatal(err)
	}

	return nil
}

func generate(c *cli.Context) error {
	generateServer := c.Bool("server")
	outDir := c.String("dir")
	hostnames := c.StringSlice("hostname")

	return Generate(generateServer, outDir, hostnames)
}

func Generate(generateServer bool, outDir string, hostnames []string) error {
	if outDir == "" {
		if generateServer {
			outDir = ServerTLSPath
		} else {
			outDir = ClientTLSPath
		}
		log.Infof("Out directory (-d, --dir) not specified, using default: %s", outDir)
	}
	caCertPath := filepath.Join(outDir, CaCert)
	caKeyPath := filepath.Join(outDir, CaKey)
	certPath := filepath.Join(outDir, Cert)
	keyPath := filepath.Join(outDir, Key)

	if generateServer {
		certPath = filepath.Join(outDir, ServerCert)
		keyPath = filepath.Join(outDir, ServerKey)
	}

	if _, err := os.Stat(outDir); os.IsNotExist(err) {
		if err := os.MkdirAll(outDir, 0700); err != nil {
			return err
		}
	}

	cfg := config.LoadConfig()
	if err := writeCaCerts(cfg, caCertPath, caKeyPath); err != nil {
		return err
	}
	if err := writeCerts(generateServer, hostnames, certPath, keyPath, caCertPath, caKeyPath); err != nil {
		return err
	}

	if !generateServer {
		if err := filepath.Walk(outDir, func(path string, info os.FileInfo, err error) error {
			return os.Chown(path, 1100, 1100) // rancher:rancher
		}); err != nil {
			return err
		}
	}

	return nil
}
gofmt 2015-02-23 12:00:33 -07:00			`package control`
Refactor tlsconf 2015-02-19 13:48:10 -07:00
			`import (`
Refactor tls command 2015-03-16 13:50:30 -07:00			`"io/ioutil"`
Refactor tlsconf 2015-02-19 13:48:10 -07:00			`"os"`
			`"path/filepath"`

make ros log to dmesg Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au> 2016-11-23 20:49:35 +10:00			`"github.com/rancher/os/log"`
Refactor tls command 2015-03-16 13:50:30 -07:00
move tlsconf to rancherctl 2015-02-21 13:31:10 -08:00			`"github.com/codegangsta/cli"`
Refactor tlsconf 2015-02-19 13:48:10 -07:00			`machineUtil "github.com/docker/machine/utils"`
Replace rancherio with rancher Signed-off-by: Wang Long <long.wanglong@huawei.com> 2015-10-12 19:50:17 +08:00			`"github.com/rancher/os/config"`
Atomic writes 2016-06-02 14:32:26 -07:00			`"github.com/rancher/os/util"`
Refactor tls command 2015-03-16 13:50:30 -07:00			`)`

			`const (`
Disable docker server TLS cert auto-generation Because users should be explicit about their docker TLS certs. Also, re-generate the key and cert files when `ros tls gen` is run (used to be cached). 2016-06-02 12:16:30 -07:00			`NAME string = "rancher"`
			`BITS int = 2048`
Fix golint errors 2016-11-28 00:06:00 -08:00			`ServerTLSPath string = "/etc/docker/tls"`
			`ClientTLSPath string = "/home/rancher/.docker"`
Disable docker server TLS cert auto-generation Because users should be explicit about their docker TLS certs. Also, re-generate the key and cert files when `ros tls gen` is run (used to be cached). 2016-06-02 12:16:30 -07:00			`Cert string = "cert.pem"`
			`Key string = "key.pem"`
			`ServerCert string = "server-cert.pem"`
			`ServerKey string = "server-key.pem"`
			`CaCert string = "ca.pem"`
			`CaKey string = "ca-key.pem"`
Refactor tlsconf 2015-02-19 13:48:10 -07:00			`)`

move tlsconf to rancherctl 2015-02-21 13:31:10 -08:00			`func tlsConfCommands() []cli.Command {`
gofmt 2015-02-23 12:00:33 -07:00			`return []cli.Command{`
move tlsconf to rancherctl 2015-02-21 13:31:10 -08:00			`{`
fix `ros tls generate` `ros tls generate -s` used to leave empty strings in rancher.docker.{ca_cert,ca_key} config keys, so the documented setup workflow would not work. 2015-12-08 18:07:12 +05:00			`Name: "generate",`
			`ShortName: "gen",`
			`Usage: "generates new set of TLS configuration certs",`
			`Action: tlsConfCreate,`
gofmt 2015-02-23 12:00:33 -07:00			`Flags: []cli.Flag{`
Refactor tls command 2015-03-16 13:50:30 -07:00			`cli.StringSliceFlag{`
fix `ros tls generate` `ros tls generate -s` used to leave empty strings in rancher.docker.{ca_cert,ca_key} config keys, so the documented setup workflow would not work. 2015-12-08 18:07:12 +05:00			`Name: "hostname, H",`
Refactor tls command 2015-03-16 13:50:30 -07:00			`Usage: "the hostname for which you want to generate the certificate",`
			`Value: &cli.StringSlice{"localhost"},`
move tlsconf to rancherctl 2015-02-21 13:31:10 -08:00			`},`
gofmt 2015-02-23 12:00:33 -07:00			`cli.BoolFlag{`
Refactor tls command 2015-03-16 13:50:30 -07:00			`Name: "server, s",`
			`Usage: "generate the server keys instead of client keys",`
move tlsconf to rancherctl 2015-02-21 13:31:10 -08:00			`},`
gofmt 2015-02-23 12:00:33 -07:00			`cli.StringFlag{`
Refactor tls command 2015-03-16 13:50:30 -07:00			`Name: "dir, d",`
			`Usage: "the directory to save/read the certs to/from",`
remove default directory from tls generate cmd 2015-04-29 04:38:43 -07:00			`Value: "",`
move tlsconf to rancherctl 2015-02-21 13:31:10 -08:00			`},`
			`},`
			`},`
			`}`
gofmt 2015-02-23 12:00:33 -07:00			`}`
move tlsconf to rancherctl 2015-02-21 13:31:10 -08:00
Disable docker server TLS cert auto-generation Because users should be explicit about their docker TLS certs. Also, re-generate the key and cert files when `ros tls gen` is run (used to be cached). 2016-06-02 12:16:30 -07:00			`func writeCerts(generateServer bool, hostname []string, certPath, keyPath, caCertPath, caKeyPath string) error {`
Refactor tls command 2015-03-16 13:50:30 -07:00			`if !generateServer {`
			`return machineUtil.GenerateCert([]string{""}, certPath, keyPath, caCertPath, caKeyPath, NAME, BITS)`
			`}`
Refactor tlsconf 2015-02-19 13:48:10 -07:00
Disable docker server TLS cert auto-generation Because users should be explicit about their docker TLS certs. Also, re-generate the key and cert files when `ros tls gen` is run (used to be cached). 2016-06-02 12:16:30 -07:00			`if err := machineUtil.GenerateCert(hostname, certPath, keyPath, caCertPath, caKeyPath, NAME, BITS); err != nil {`
			`return err`
Simplify configuration 2016-05-31 14:34:04 -07:00			`}`
Reshuffle cloud-config Read files cloud-config.d in alphanumeric order, then cloud-config.yml `ros config` writes to cloud-config.yml (and cloud-config.d/private.yml - only private keys) Add (c *CloudConfig) Save() method, use it to save the changed config Read and apply metadata as part of LoadConfig() Simplify ros config export logic 2015-09-23 16:36:28 +05:00
Disable docker server TLS cert auto-generation Because users should be explicit about their docker TLS certs. Also, re-generate the key and cert files when `ros tls gen` is run (used to be cached). 2016-06-02 12:16:30 -07:00			`cert, err := ioutil.ReadFile(certPath)`
			`if err != nil {`
			`return err`
			`}`
move tlsconf to rancherctl 2015-02-21 13:31:10 -08:00
Disable docker server TLS cert auto-generation Because users should be explicit about their docker TLS certs. Also, re-generate the key and cert files when `ros tls gen` is run (used to be cached). 2016-06-02 12:16:30 -07:00			`key, err := ioutil.ReadFile(keyPath)`
			`if err != nil {`
Refactor tls command 2015-03-16 13:50:30 -07:00			`return err`
gofmt 2015-02-23 12:00:33 -07:00			`}`
Refactor tlsconf 2015-02-19 13:48:10 -07:00
Disable docker server TLS cert auto-generation Because users should be explicit about their docker TLS certs. Also, re-generate the key and cert files when `ros tls gen` is run (used to be cached). 2016-06-02 12:16:30 -07:00			`// certPath, keyPath are already written to by machineUtil.GenerateCert()`
			`if err := config.Set("rancher.docker.server_cert", string(cert)); err != nil {`
			`return err`
			`}`
			`if err := config.Set("rancher.docker.server_key", string(key)); err != nil {`
			`return err`
			`}`
Refactor tlsconf 2015-02-19 13:48:10 -07:00
Disable docker server TLS cert auto-generation Because users should be explicit about their docker TLS certs. Also, re-generate the key and cert files when `ros tls gen` is run (used to be cached). 2016-06-02 12:16:30 -07:00			`return nil`
Refactor tls command 2015-03-16 13:50:30 -07:00			`}`
move tlsconf to rancherctl 2015-02-21 13:31:10 -08:00
Simplify configuration 2016-05-31 14:34:04 -07:00			`func writeCaCerts(cfg *config.CloudConfig, caCertPath, caKeyPath string) error {`
rename rancher.user_docker to rancher.docker in cloud-config 2015-09-11 14:10:50 +05:00			`if cfg.Rancher.Docker.CACert == "" {`
Refactor tls command 2015-03-16 13:50:30 -07:00			`if err := machineUtil.GenerateCACertificate(caCertPath, caKeyPath, NAME, BITS); err != nil {`
Simplify configuration 2016-05-31 14:34:04 -07:00			`return err`
Refactor tlsconf 2015-02-19 13:48:10 -07:00			`}`

Refactor tls command 2015-03-16 13:50:30 -07:00			`caCert, err := ioutil.ReadFile(caCertPath)`
			`if err != nil {`
Simplify configuration 2016-05-31 14:34:04 -07:00			`return err`
Refactor tls command 2015-03-16 13:50:30 -07:00			`}`
Refactor tlsconf 2015-02-19 13:48:10 -07:00
Refactor tls command 2015-03-16 13:50:30 -07:00			`caKey, err := ioutil.ReadFile(caKeyPath)`
			`if err != nil {`
Simplify configuration 2016-05-31 14:34:04 -07:00			`return err`
Refactor tlsconf 2015-02-19 13:48:10 -07:00			`}`

Simplify configuration 2016-05-31 14:34:04 -07:00			`// caCertPath, caKeyPath are already written to by machineUtil.GenerateCACertificate()`
			`if err := config.Set("rancher.docker.ca_cert", string(caCert)); err != nil {`
			`return err`
fix `ros tls generate` `ros tls generate -s` used to leave empty strings in rancher.docker.{ca_cert,ca_key} config keys, so the documented setup workflow would not work. 2015-12-08 18:07:12 +05:00			`}`
Simplify configuration 2016-05-31 14:34:04 -07:00			`if err := config.Set("rancher.docker.ca_key", string(caKey)); err != nil {`
			`return err`
Refactor tlsconf 2015-02-19 13:48:10 -07:00			`}`
Disable docker server TLS cert auto-generation Because users should be explicit about their docker TLS certs. Also, re-generate the key and cert files when `ros tls gen` is run (used to be cached). 2016-06-02 12:16:30 -07:00			`} else {`
			`cfg = config.LoadConfig()`
Refactor tls command 2015-03-16 13:50:30 -07:00
Disable docker server TLS cert auto-generation Because users should be explicit about their docker TLS certs. Also, re-generate the key and cert files when `ros tls gen` is run (used to be cached). 2016-06-02 12:16:30 -07:00			`if err := util.WriteFileAtomic(caCertPath, []byte(cfg.Rancher.Docker.CACert), 0400); err != nil {`
			`return err`
			`}`
Refactor tls command 2015-03-16 13:50:30 -07:00
Disable docker server TLS cert auto-generation Because users should be explicit about their docker TLS certs. Also, re-generate the key and cert files when `ros tls gen` is run (used to be cached). 2016-06-02 12:16:30 -07:00			`if err := util.WriteFileAtomic(caKeyPath, []byte(cfg.Rancher.Docker.CAKey), 0400); err != nil {`
			`return err`
			`}`
fix `ros tls generate` `ros tls generate -s` used to leave empty strings in rancher.docker.{ca_cert,ca_key} config keys, so the documented setup workflow would not work. 2015-12-08 18:07:12 +05:00			`}`

Simplify configuration 2016-05-31 14:34:04 -07:00			`return nil`
Refactor tls command 2015-03-16 13:50:30 -07:00			`}`

Update codegangsta/cli action return signature 2016-05-16 20:36:08 -07:00			`func tlsConfCreate(c *cli.Context) error {`
Refactor tls command 2015-03-16 13:50:30 -07:00			`err := generate(c)`
			`if err != nil {`
			`log.Fatal(err)`
			`}`
Update codegangsta/cli action return signature 2016-05-16 20:36:08 -07:00
			`return nil`
Refactor tls command 2015-03-16 13:50:30 -07:00			`}`

			`func generate(c *cli.Context) error {`
Revert "Revert "Storage"" This reverts commit 7b2bf9327106e3c25341a2f901f2e5c3367116c7. 2015-08-27 12:24:26 -07:00			`generateServer := c.Bool("server")`
			`outDir := c.String("dir")`
			`hostnames := c.StringSlice("hostname")`

			`return Generate(generateServer, outDir, hostnames)`
			`}`

			`func Generate(generateServer bool, outDir string, hostnames []string) error {`
remove default directory from tls generate cmd 2015-04-29 04:38:43 -07:00			`if outDir == "" {`
Default dirs for TLS cert generation /etc/docker/tls - for server /home/rancher/.docker - for client 2015-12-10 14:24:14 +05:00			`if generateServer {`
Fix golint errors 2016-11-28 00:06:00 -08:00			`outDir = ServerTLSPath`
Default dirs for TLS cert generation /etc/docker/tls - for server /home/rancher/.docker - for client 2015-12-10 14:24:14 +05:00			`} else {`
Fix golint errors 2016-11-28 00:06:00 -08:00			`outDir = ClientTLSPath`
Default dirs for TLS cert generation /etc/docker/tls - for server /home/rancher/.docker - for client 2015-12-10 14:24:14 +05:00			`}`
			`log.Infof("Out directory (-d, --dir) not specified, using default: %s", outDir)`
remove default directory from tls generate cmd 2015-04-29 04:38:43 -07:00			`}`
Disable docker server TLS cert auto-generation Because users should be explicit about their docker TLS certs. Also, re-generate the key and cert files when `ros tls gen` is run (used to be cached). 2016-06-02 12:16:30 -07:00			`caCertPath := filepath.Join(outDir, CaCert)`
			`caKeyPath := filepath.Join(outDir, CaKey)`
			`certPath := filepath.Join(outDir, Cert)`
			`keyPath := filepath.Join(outDir, Key)`
Refactor tlsconf 2015-02-19 13:48:10 -07:00
Refactor tls command 2015-03-16 13:50:30 -07:00			`if generateServer {`
Disable docker server TLS cert auto-generation Because users should be explicit about their docker TLS certs. Also, re-generate the key and cert files when `ros tls gen` is run (used to be cached). 2016-06-02 12:16:30 -07:00			`certPath = filepath.Join(outDir, ServerCert)`
			`keyPath = filepath.Join(outDir, ServerKey)`
Refactor tlsconf 2015-02-19 13:48:10 -07:00			`}`
Refactor tls command 2015-03-16 13:50:30 -07:00
			`if _, err := os.Stat(outDir); os.IsNotExist(err) {`
			`if err := os.MkdirAll(outDir, 0700); err != nil {`
			`return err`
			`}`
			`}`

Fix boot issues due to invalid configs 2016-06-01 18:41:55 -07:00			`cfg := config.LoadConfig()`
Disable docker server TLS cert auto-generation Because users should be explicit about their docker TLS certs. Also, re-generate the key and cert files when `ros tls gen` is run (used to be cached). 2016-06-02 12:16:30 -07:00			`if err := writeCaCerts(cfg, caCertPath, caKeyPath); err != nil {`
Refactor tls command 2015-03-16 13:50:30 -07:00			`return err`
			`}`
Disable docker server TLS cert auto-generation Because users should be explicit about their docker TLS certs. Also, re-generate the key and cert files when `ros tls gen` is run (used to be cached). 2016-06-02 12:16:30 -07:00			`if err := writeCerts(generateServer, hostnames, certPath, keyPath, caCertPath, caKeyPath); err != nil {`
Default dirs for TLS cert generation /etc/docker/tls - for server /home/rancher/.docker - for client 2015-12-10 14:24:14 +05:00			`return err`
			`}`

			`if !generateServer {`
			`if err := filepath.Walk(outDir, func(path string, info os.FileInfo, err error) error {`
			`return os.Chown(path, 1100, 1100) // rancher:rancher`
			`}); err != nil {`
			`return err`
			`}`
			`}`
Refactor tls command 2015-03-16 13:50:30 -07:00
Default dirs for TLS cert generation /etc/docker/tls - for server /home/rancher/.docker - for client 2015-12-10 14:24:14 +05:00			`return nil`
Refactor tlsconf 2015-02-19 13:48:10 -07:00			`}`