diff --git a/config/config.go b/config/config.go
index 189f022c..68a513bd 100644
--- a/config/config.go
+++ b/config/config.go
@@ -48,11 +48,19 @@ type Config struct {
 Rescue bool `yaml:"rescue,omitempty"`
 RescueContainer *ContainerConfig `yaml:"rescue_container,omitempty"`
 State ConfigState `yaml:"state,omitempty"`
+ Userdocker UserDockerInfo `yaml:"userdocker,omitempty"`
 SystemContainers []ContainerConfig `yaml:"system_containers,omitempty"`
 SystemDockerArgs []string `yaml:"system_docker_args,flow,omitempty"`
 Modules []string `yaml:"modules,omitempty"`
 }
 
+type UserDockerInfo struct {
+ UseTLS bool `yaml:"use_tls,omitempty"`
+ TLSServerCert string `yaml:"tls_server_cert"`
+ TLSServerKey string `yaml:"tls_server_key"`
+ TLSCACert string `yaml:"tls_ca_cert"`
+}
+
 type ConfigState struct {
 FsType string `yaml:"fstype"`
 Dev string `yaml:"dev"`
diff --git a/config/default.go b/config/default.go
index 272df1e6..d412a711 100644
--- a/config/default.go
+++ b/config/default.go
@@ -14,6 +14,9 @@ func NewConfig() *Config {
 },
 SystemDockerArgs: []string{"docker", "-d", "-s", "overlay", "-b", "none"},
 Modules: []string{},
+ Userdocker: UserDockerInfo{
+ UseTLS: true,
+ },
 SystemContainers: []ContainerConfig{
 {
 Cmd: "--name=system-state " +
@@ -47,6 +50,8 @@ func NewConfig() *Config {
 "--privileged " +
 "-v=/lib/modules:/lib/modules:ro " +
 "-v=/usr/bin/docker:/usr/bin/docker:ro " +
+ "-v=/init:/usr/bin/tlsconf:ro " +
+ "-v=/init:/usr/bin/rancherctl:ro " +
 "--volumes-from=system-state " +
 "userdocker",
 },
diff --git a/main.go b/main.go
index 2a117a75..bf2bac59 100644
--- a/main.go
+++ b/main.go
@@ -42,7 +42,7 @@ func main() {
 registerCmd("/sbin/halt", power.Halt)
 registerCmd("/usr/bin/respawn", respawn.Main)
 registerCmd("/usr/sbin/rancherctl", control.Main)
- registerCmd("/sbin/tlsconf", util.TLSConf)
+ registerCmd("/usr/bin/tlsconf", util.TLSConf)
 
 if !reexec.Init() {
 log.Fatalf("Failed to find an entry point for %s", os.Args[0])
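Review bot: The exported type UserDockerInfo and its four fields are added without any doc comment, and nothing says that TLSServerKey holds a PEM private key that is serialized into the config file with everything else. Add `// UserDockerInfo holds the TLS settings for the user docker daemon.` above the type and a field comment such as `// TLSServerKey is the PEM-encoded server private key; it is persisted in the config next to the cert.` The three string fields also omit `omitempty` while UseTLS and the surrounding Config fields all carry it, so an unset key still serializes as an empty string, which looks unintended given the sibling tags.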
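Review bot: `UseTLS: true` in NewConfig turns TLS mode on by default with no comment on what that entails; the docker.sh change in this same diff shows that mode adds a TCP listener (`-H=0.0.0.0:2376`, guarded by `--tlsverify`) and writes generated key material back into the config. A one-line comment on the new field would save the next reader a trip to the script, e.g. `// UseTLS defaults to on: docker.sh then generates a CA/server keypair via tlsconf and listens on tcp/2376 with client-cert verification.` NewConfig's body starts and ends outside the hunk.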
diff --git a/scripts/dockerimages/scripts/docker.sh b/scripts/dockerimages/scripts/docker.sh
index 1ca3562e..21a149fa 100755
--- a/scripts/dockerimages/scripts/docker.sh
+++ b/scripts/dockerimages/scripts/docker.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 set -x -e
 
 CGROUPS="perf_event net_cls freezer devices blkio memory cpuacct cpu cpuset"
@@ -16,4 +16,33 @@ if ! lsmod | grep -q br_netfilter; then
 fi
 
 rm -f /var/run/docker.pid
-exec docker -d -s overlay
+
+USE_TLS=$(rancherctl config get userdocker.use_tls)
+
+if [ "$USE_TLS" == "true" ]; then
+ TLS_CA_CERT=$(rancherctl config get userdocker.tls_ca_cert)
+ TLS_SERVER_CERT=$(rancherctl config get userdocker.tls_server_cert)
+ TLS_SERVER_KEY=$(rancherctl config get userdocker.tls_server_key)
+
+ TLS_PATH=/etc/docker/tls
+ mkdir -p $TLS_PATH
+
+ if [ -n "$TLS_CA_CERT" ] && [ -n "$TLS_SERVER_CERT" ] && [ -n "$TLS_SERVER_KEY" ]; then
+ echo "$TLS_CA_CERT" > $TLS_PATH/ca.pem
+ echo "$TLS_SERVER_CERT" > $TLS_PATH/server-cert.pem
+ echo "$TLS_SERVER_KEY" > $TLS_PATH/server-key.pem
+ else
+ tlsconf
+ TLS_CA_CERT="$(cat $TLS_PATH/ca.pem)"
+ TLS_SERVER_CERT="$(cat $TLS_PATH/server-cert.pem)"
+ TLS_SERVER_KEY="$(cat $TLS_PATH/server-key.pem)"
+ fi
+
+ rancherctl config set -- userdocker.tls_ca_cert "$TLS_CA_CERT"
+ rancherctl config set -- userdocker.tls_server_cert "$TLS_SERVER_CERT"
+ rancherctl config set -- userdocker.tls_server_key "$TLS_SERVER_KEY"
+
+ exec docker -d -s overlay --tlsverify --tlscacert=$TLS_PATH/ca.pem --tlscert=$TLS_PATH/server-cert.pem --tlskey=$TLS_PATH/server-key.pem -H=0.0.0.0:2376 -H=unix:///var/run/docker.sock
+else
+ exec docker -d -s overlay
+fi
diff --git a/util/util.go b/util/util.go
index a595c73c..6d91e5cf 100644
--- a/util/util.go
+++ b/util/util.go
@@ -26,7 +26,7 @@ func TLSConf() {
 caCertPath := "ca.pem"
 caKeyPath := "ca-key.pem"
- outDir := "/var/run/"
+ outDir := "/etc/docker/tls/"
 generateCaCerts := true
 inputCaKey := ""
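Review bot: The server private key is written with `echo "$TLS_SERVER_KEY" > $TLS_PATH/server-key.pem` under whatever umask the script inherits, and `mkdir -p $TLS_PATH` likewise takes the default mode, so the key can end up readable by every local user even though only the root-run daemon needs it. Put `umask 077` on the line before `mkdir -p $TLS_PATH`, or add `chmod 600 "$TLS_PATH/server-key.pem"` after the `fi` that closes the inner branch, so the file is owner-only on both the config-supplied and the tlsconf-generated path. Whether tlsconf applies restrictive modes itself is not visible here, which is why the chmod placed after the inner `fi` is the safer of the two. The three `rancherctl config set` lines then persist the same private key into the config store, which needs equivalent protection; that store is outside this hunk. The `==` inside `[ ]` is bash-only, which is presumably why the shebang changed in the earlier hunk; `=` would keep the test POSIX and the shebang unchanged.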