wire up tls config

2025-08-12 03:52:37 +00:00 · 2015-02-17 17:05:03 -08:00 · 2015-02-17 17:05:03 -08:00 · 597a46c574
commit 597a46c574
parent 529ce4336d
5 changed files with 46 additions and 4 deletions
--- a/config/config.go
+++ b/config/config.go
@ -48,11 +48,19 @@ type Config struct {
 	Rescue           bool              `yaml:"rescue,omitempty"`
 	RescueContainer  *ContainerConfig  `yaml:"rescue_container,omitempty"`
 	State            ConfigState       `yaml:"state,omitempty"`
 	Userdocker       UserDockerInfo    `yaml:"userdocker,omitempty"`
 	SystemContainers []ContainerConfig `yaml:"system_containers,omitempty"`
 	SystemDockerArgs []string          `yaml:"system_docker_args,flow,omitempty"`
 	Modules          []string          `yaml:"modules,omitempty"`
 }
 type UserDockerInfo struct {
 	UseTLS 		bool 	`yaml:"use_tls,omitempty"`
 	TLSServerCert 	string	`yaml:"tls_server_cert"`
 	TLSServerKey 	string	`yaml:"tls_server_key"`
 	TLSCACert 	string	`yaml:"tls_ca_cert"`
 }
 type ConfigState struct {
 	FsType   string `yaml:"fstype"`
 	Dev      string `yaml:"dev"`
--- a/config/default.go
+++ b/config/default.go
@ -14,6 +14,9 @@ func NewConfig() *Config {
 		},
 		SystemDockerArgs: []string{"docker", "-d", "-s", "overlay", "-b", "none"},
 		Modules:          []string{},
 		Userdocker: UserDockerInfo{
 				UseTLS: true,
 			},
 		SystemContainers: []ContainerConfig{
 			{
 				Cmd: "--name=system-state " +
@ -47,6 +50,8 @@ func NewConfig() *Config {
 					"--privileged " +
 					"-v=/lib/modules:/lib/modules:ro " +
 					"-v=/usr/bin/docker:/usr/bin/docker:ro " +
 					"-v=/init:/usr/bin/tlsconf:ro " +
 					"-v=/init:/usr/bin/rancherctl:ro " +
 					"--volumes-from=system-state " +
 					"userdocker",
 			},
--- a/main.go
+++ b/main.go
@ -42,7 +42,7 @@ func main() {
 	registerCmd("/sbin/halt", power.Halt)
 	registerCmd("/usr/bin/respawn", respawn.Main)
 	registerCmd("/usr/sbin/rancherctl", control.Main)
-	registerCmd("/sbin/tlsconf", util.TLSConf)
+	registerCmd("/usr/bin/tlsconf", util.TLSConf)
 	if !reexec.Init() {
 		log.Fatalf("Failed to find an entry point for %s", os.Args[0])
--- a/scripts/dockerimages/scripts/docker.sh
+++ b/scripts/dockerimages/scripts/docker.sh
@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 set -x -e
 CGROUPS="perf_event net_cls freezer devices blkio memory cpuacct cpu cpuset"
@ -16,4 +16,33 @@ if ! lsmod | grep -q br_netfilter; then
 fi
 rm -f /var/run/docker.pid
-exec docker -d -s overlay
+
 USE_TLS=$(rancherctl config get userdocker.use_tls)
 if [ "$USE_TLS" == "true" ]; then
    TLS_CA_CERT=$(rancherctl config get userdocker.tls_ca_cert)
    TLS_SERVER_CERT=$(rancherctl config get userdocker.tls_server_cert)
    TLS_SERVER_KEY=$(rancherctl config get userdocker.tls_server_key)    
    TLS_PATH=/etc/docker/tls
    mkdir -p $TLS_PATH 
    if [ -n "$TLS_CA_CERT" ] && [ -n "$TLS_SERVER_CERT" ] && [ -n "$TLS_SERVER_KEY" ]; then
 	echo "$TLS_CA_CERT" > $TLS_PATH/ca.pem
 	echo "$TLS_SERVER_CERT" > $TLS_PATH/server-cert.pem
 	echo "$TLS_SERVER_KEY" > $TLS_PATH/server-key.pem
    else
        tlsconf
    	TLS_CA_CERT="$(cat $TLS_PATH/ca.pem)"
    	TLS_SERVER_CERT="$(cat $TLS_PATH/server-cert.pem)"
    	TLS_SERVER_KEY="$(cat $TLS_PATH/server-key.pem)"
    fi 
    rancherctl config set -- userdocker.tls_ca_cert "$TLS_CA_CERT"
    rancherctl config set -- userdocker.tls_server_cert "$TLS_SERVER_CERT"
    rancherctl config set -- userdocker.tls_server_key "$TLS_SERVER_KEY"
    exec docker -d -s overlay --tlsverify --tlscacert=$TLS_PATH/ca.pem --tlscert=$TLS_PATH/server-cert.pem --tlskey=$TLS_PATH/server-key.pem -H=0.0.0.0:2376 -H=unix:///var/run/docker.sock
 else
    exec docker -d -s overlay
 fi
--- a/util/util.go
+++ b/util/util.go
@ -26,7 +26,7 @@ func TLSConf() {
 	caCertPath := "ca.pem"
 	caKeyPath := "ca-key.pem"
-	outDir := "/var/run/"
+	outDir := "/etc/docker/tls/"
 	generateCaCerts := true
 	inputCaKey := ""