Merge pull request #682 from imikushin/tls

Fix server TLS key and cert auto-generation
2025-07-06 19:38:37 +00:00 · 2015-12-11 16:39:47 +05:00 · 2015-12-11 16:39:47 +05:00 · 6e453ccbcd
commit 6e453ccbcd
parent 23c8f5eaec fde9d035b0
5 changed files with 23 additions and 21 deletions
--- a/cmd/control/tlsconf.go
+++ b/cmd/control/tlsconf.go
@ -1,7 +1,6 @@
 package control

 import (
-	"fmt"
 	"io/ioutil"
 	"os"
 	"path/filepath"
@ -157,7 +156,12 @@ func Generate(generateServer bool, outDir string, hostnames []string) error {
 	}

 	if outDir == "" {
-		return fmt.Errorf("out directory (-d, --dir) not specified")
+		if generateServer {
+			outDir = "/etc/docker/tls"
+		} else {
+			outDir = "/home/rancher/.docker"
+		}
+		log.Infof("Out directory (-d, --dir) not specified, using default: %s", outDir)
 	}
 	caCertPath := filepath.Join(outDir, "ca.pem")
 	caKeyPath := filepath.Join(outDir, "ca-key.pem")
@ -179,6 +183,17 @@ func Generate(generateServer bool, outDir string, hostnames []string) error {
 	if err != nil {
 		return err
 	}
+	if err := writeCerts(generateServer, hostnames, cfg, certPath, keyPath, caCertPath, caKeyPath); err != nil {
+		return err
+	}

-	return writeCerts(generateServer, hostnames, cfg, certPath, keyPath, caCertPath, caKeyPath)
+	if !generateServer {
+		if err := filepath.Walk(outDir, func(path string, info os.FileInfo, err error) error {
+			return os.Chown(path, 1100, 1100) // rancher:rancher
+		}); err != nil {
+			return err
+		}
+	}
+
+	return nil
 }
--- a/cmd/userdocker/main.go
+++ b/cmd/userdocker/main.go
@ -219,7 +219,7 @@ func main(cfg *config.CloudConfig) error {

 	if dockerCfg.TLS {
 		log.Debug("Generating TLS certs if needed")
-		if err := control.Generate(true, "/etc/docker/tls", []string{"localhost"}); err != nil {
+		if err := control.Generate(true, "/etc/docker/tls", []string{"127.0.0.1", "*", "*.*", "*.*.*", "*.*.*.*"}); err != nil {
 			return err
 		}
 	}
--- a/os-config.yml
+++ b/os-config.yml
@ -313,6 +313,6 @@ rancher:
    url: https://releases.rancher.com/os/releases.yml
    image: rancher/os
  docker:
-    tls_args: [--tlsverify, --tlscacert=ca.pem, --tlscert=server-cert.pem, --tlskey=server-key.pem,
+    tls_args: [--tlsverify, --tlscacert=/etc/docker/tls/ca.pem, --tlscert=/etc/docker/tls/server-cert.pem, --tlskey=/etc/docker/tls/server-key.pem,
      '-H=0.0.0.0:2376']
    args: [daemon, --log-opt, max-size=25m, --log-opt, max-file=2, -s, overlay, -G, docker, -H, 'unix:///var/run/docker.sock', --userland-proxy=false]
--- a/tests/integration/assets/test_01/cloud-config.yml
+++ b/tests/integration/assets/test_01/cloud-config.yml
@ -11,6 +11,6 @@ rancher:
        mtu: 1500
  docker:
    args: [daemon, --log-opt, max-file=2, --log-opt, max-size=25m, -s, overlay, -G, docker, -H, 'unix:///var/run/docker.sock', --userland-proxy=false]
-    tls_args: [--tlsverify, --tlscacert=/home/rancher/.docker/ca.pem, --tlscert=/home/rancher/.docker/server-cert.pem, --tlskey=/home/rancher/.docker/server-key.pem, '-H=0.0.0.0:2376']
+    tls: true
 ssh_authorized_keys:
  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUlsWAL5Rf0Wis/A7k7Tlqx0fZS60VzCZrPZYbP/wkL95jv0XzCx8bd1rZHeybblHPDNpND3BLv4qPY5DxRyexF4seGuzcJI/pOvGUGjQondeMPgDTFEo5w939gSdeTZcfXzQ0wAVhzwDbgH4zPfMzbdoo8Aiu9jkKljXw8IFju0gh+t6iKkGZCIjKT9o7zza1vGfkodhvi2V3VzPdNO28gaxZaRNtmBYUoVnGyR6nXN1Q3CJaVuh5o6GPCOqrhHNbYOFZKBpDiHbxPhVpxHQD2+8yUSGTG7WW75FfZePja5y8d0c/O5L37ZYx4AZAd3KgQYDBT2XCEJGQNawNbfpt
--- a/tests/integration/rostest/test_01_cloud_config.py
+++ b/tests/integration/rostest/test_01_cloud_config.py
@ -71,26 +71,13 @@ def test_docker_tls_args(qemu, cloud_config):
    u.wait_for_ssh(ssh_command)

    subprocess.check_call(
-        ssh_command + ['sudo', 'ros', 'tls', 'generate', '-s', '--hostname', '10.10.2.120', '-d', '~/.docker'],
+        ssh_command + ['sudo', 'ros', 'tls', 'gen'],
        stderr=subprocess.STDOUT, universal_newlines=True)

    subprocess.check_call(
-        ssh_command + ['sudo', 'ros', 'config', 'set', 'rancher.docker.tls', 'true'],
+        ssh_command + ['docker', '--tlsverify', '-H', '127.0.0.1:2376', 'version'],
        stderr=subprocess.STDOUT, universal_newlines=True)

-    subprocess.check_call(
-        ssh_command + ['sudo', 'system-docker', 'restart', 'docker'],
-        stderr=subprocess.STDOUT, universal_newlines=True)
-    u.wait_for_ssh(ssh_command)
-
-    v = subprocess.check_output(
-        ssh_command + ['sh', '-c', 'ps -ef | grep docker'],
-        stderr=subprocess.STDOUT, universal_newlines=True)
-
-    expected = string.join(cloud_config['rancher']['docker']['tls_args'])
-
-    assert v.find(expected) != -1
-

@pytest.mark.timeout(40)
 def test_rancher_network(qemu, cloud_config):