wire up tls config

config/config.go

@@ -48,11 +48,19 @@ type Config struct {
 	Rescue           bool              `yaml:"rescue,omitempty"`
 	RescueContainer  *ContainerConfig  `yaml:"rescue_container,omitempty"`
 	State            ConfigState       `yaml:"state,omitempty"`
+	Userdocker       UserDockerInfo    `yaml:"userdocker,omitempty"`
 	SystemContainers []ContainerConfig `yaml:"system_containers,omitempty"`
 	SystemDockerArgs []string          `yaml:"system_docker_args,flow,omitempty"`
 	Modules          []string          `yaml:"modules,omitempty"`
 }
 
+type UserDockerInfo struct {
+	UseTLS 		bool 	`yaml:"use_tls,omitempty"`
+	TLSServerCert 	string	`yaml:"tls_server_cert"`
+	TLSServerKey 	string	`yaml:"tls_server_key"`
+	TLSCACert 	string	`yaml:"tls_ca_cert"`
+}
+
 type ConfigState struct {
 	FsType   string `yaml:"fstype"`
 	Dev      string `yaml:"dev"`

config/default.go

@@ -14,6 +14,9 @@ func NewConfig() *Config {
 		},
 		SystemDockerArgs: []string{"docker", "-d", "-s", "overlay", "-b", "none"},
 		Modules:          []string{},
+		Userdocker: UserDockerInfo{
+				UseTLS: true,
+			},
 		SystemContainers: []ContainerConfig{
 			{
 				Cmd: "--name=system-state " +
@@ -47,6 +50,8 @@ func NewConfig() *Config {
 					"--privileged " +
 					"-v=/lib/modules:/lib/modules:ro " +
 					"-v=/usr/bin/docker:/usr/bin/docker:ro " +
+					"-v=/init:/usr/bin/tlsconf:ro " +
+					"-v=/init:/usr/bin/rancherctl:ro " +
 					"--volumes-from=system-state " +
 					"userdocker",
 			},

main.go

@@ -42,7 +42,7 @@ func main() {
 	registerCmd("/sbin/halt", power.Halt)
 	registerCmd("/usr/bin/respawn", respawn.Main)
 	registerCmd("/usr/sbin/rancherctl", control.Main)
-	registerCmd("/sbin/tlsconf", util.TLSConf)
+	registerCmd("/usr/bin/tlsconf", util.TLSConf)
 
 	if !reexec.Init() {
 		log.Fatalf("Failed to find an entry point for %s", os.Args[0])

scripts/dockerimages/scripts/docker.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 set -x -e
 
 CGROUPS="perf_event net_cls freezer devices blkio memory cpuacct cpu cpuset"
@@ -16,4 +16,33 @@ if ! lsmod | grep -q br_netfilter; then
 fi
 
 rm -f /var/run/docker.pid
-exec docker -d -s overlay
+
+USE_TLS=$(rancherctl config get userdocker.use_tls)
+
+if [ "$USE_TLS" == "true" ]; then
+    TLS_CA_CERT=$(rancherctl config get userdocker.tls_ca_cert)
+    TLS_SERVER_CERT=$(rancherctl config get userdocker.tls_server_cert)
+    TLS_SERVER_KEY=$(rancherctl config get userdocker.tls_server_key)    
+
+    TLS_PATH=/etc/docker/tls
+    mkdir -p $TLS_PATH 
+
+    if [ -n "$TLS_CA_CERT" ] && [ -n "$TLS_SERVER_CERT" ] && [ -n "$TLS_SERVER_KEY" ]; then
+	echo "$TLS_CA_CERT" > $TLS_PATH/ca.pem
+	echo "$TLS_SERVER_CERT" > $TLS_PATH/server-cert.pem
+	echo "$TLS_SERVER_KEY" > $TLS_PATH/server-key.pem
+    else
+        tlsconf
+    	TLS_CA_CERT="$(cat $TLS_PATH/ca.pem)"
+    	TLS_SERVER_CERT="$(cat $TLS_PATH/server-cert.pem)"
+    	TLS_SERVER_KEY="$(cat $TLS_PATH/server-key.pem)"
+    fi 
+    
+    rancherctl config set -- userdocker.tls_ca_cert "$TLS_CA_CERT"
+    rancherctl config set -- userdocker.tls_server_cert "$TLS_SERVER_CERT"
+    rancherctl config set -- userdocker.tls_server_key "$TLS_SERVER_KEY"
+
+    exec docker -d -s overlay --tlsverify --tlscacert=$TLS_PATH/ca.pem --tlscert=$TLS_PATH/server-cert.pem --tlskey=$TLS_PATH/server-key.pem -H=0.0.0.0:2376 -H=unix:///var/run/docker.sock
+else
+    exec docker -d -s overlay
+fi

util/util.go

@@ -26,7 +26,7 @@ func TLSConf() {
 
 	caCertPath := "ca.pem"
 	caKeyPath := "ca-key.pem"
-	outDir := "/var/run/"
+	outDir := "/etc/docker/tls/"
 	generateCaCerts := true
 
 	inputCaKey := ""