diff --git a/cmd/control/tlsconf.go b/cmd/control/tlsconf.go
index 095f2bec..33b2d779 100644
--- a/cmd/control/tlsconf.go
+++ b/cmd/control/tlsconf.go
@@ -1,7 +1,6 @@
 package control
 import (
-	"fmt"
 	"io/ioutil"
 	"os"
 	"path/filepath"
@@ -157,7 +156,12 @@ func Generate(generateServer bool, outDir string, hostnames []string) error {
 	}
 	if outDir == "" {
-		return fmt.Errorf("out directory (-d, --dir) not specified")
+		if generateServer {
+			outDir = "/etc/docker/tls"
+		} else {
+			outDir = "/home/rancher/.docker"
+		}
+		log.Infof("Out directory (-d, --dir) not specified, using default: %s", outDir)
 	}
 	caCertPath := filepath.Join(outDir, "ca.pem")
 	caKeyPath := filepath.Join(outDir, "ca-key.pem")
@@ -179,6 +183,17 @@ func Generate(generateServer bool, outDir string, hostnames []string) error {
 	if err != nil {
 		return err
 	}
+	if err := writeCerts(generateServer, hostnames, cfg, certPath, keyPath, caCertPath, caKeyPath); err != nil {
+		return err
+	}
-	return writeCerts(generateServer, hostnames, cfg, certPath, keyPath, caCertPath, caKeyPath)
+	if !generateServer {
+		if err := filepath.Walk(outDir, func(path string, info os.FileInfo, err error) error {
+			return os.Chown(path, 1100, 1100) // rancher:rancher
+		}); err != nil {
+			return err
+		}
+	}
+
+	return nil
 }
diff --git a/cmd/userdocker/main.go b/cmd/userdocker/main.go
index 0fdcfff0..194a5038 100644
--- a/cmd/userdocker/main.go
+++ b/cmd/userdocker/main.go
@@ -219,7 +219,7 @@ func main(cfg *config.CloudConfig) error {
 	if dockerCfg.TLS {
 		log.Debug("Generating TLS certs if needed")
-		if err := control.Generate(true, "/etc/docker/tls", []string{"localhost"}); err != nil {
+		if err := control.Generate(true, "/etc/docker/tls", []string{"127.0.0.1", "*", "*.*", "*.*.*", "*.*.*.*"}); err != nil {
 			return err
 		}
 	}
diff --git a/os-config.yml b/os-config.yml
index 7559083d..3212f4e5 100644
--- a/os-config.yml
+++ b/os-config.yml
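Review bot: Defaulting the client `outDir` to `/home/rancher/.docker` puts `caKeyPath` (joined two lines below) inside a user-writable home directory; if writeCerts writes the CA private key there in the client case (its body is not visible here), the key that signs every client certificate for this daemon ends up beside the client material and, after the chown later in this function, owned by the unprivileged rancher user. Either skip writing `ca-key.pem` for clients or keep it under `/etc/docker/tls`, and record the intended layout on the defaults, e.g. `// client default: the rancher user's Docker config dir; the CA key must not be left here`. Both defaults are literals that other files in this diff repeat, so a `const` pair in this package would keep them in step. Generate's body starts before this hunk.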
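Review bot: The chown walk at the end of Generate calls `os.Chown`, which follows symlinks, over a directory that defaults to the rancher user's home while `ros tls gen` runs as root (note the `sudo` in the integration test); a symlink the user drops into `~/.docker` would get its target re-owned to uid 1100. Use `os.Lchown(path, 1100, 1100)`, which changes the link itself, and honour the error Walk passes in (`if err != nil { return err }`) instead of discarding it and chowning a path whose `info` may be nil. The walk also re-owns every pre-existing file under `outDir`, not only the four paths this call wrote; if that is unintended, chown `certPath`, `keyPath`, `caCertPath` and `caKeyPath` individually. The hard-coded 1100 holds only while the rancher uid is fixed, which a comment should state; Generate's body starts before this hunk.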
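Review bot: The server certificate is now requested for `*`, `*.*`, `*.*.*` and `*.*.*.*`, i.e. for every possible hostname, which removes the host binding a `--tlsverify` client's server check is meant to provide and makes the daemon key a credential able to impersonate any name if it leaks. These patterns are also unlikely to do what is intended: verifiers generally honour `*` only as the leftmost label of a multi-label name (Go's crypto/x509, for instance, would match `*.*` only against a host whose second label is literally `*`), so most of these SANs will never match anything. Prefer the names the daemon is actually reached by — `127.0.0.1`, `localhost` and the machine's hostname (e.g. via `os.Hostname()`) or configured addresses. The log line says "if needed": if Generate keeps an existing certificate (not visible here), already-provisioned hosts retain the `localhost`-only cert and never receive the new SANs. main's body begins before and continues after this hunk.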
@@ -313,6 +313,6 @@ rancher:
     url: https://releases.rancher.com/os/releases.yml
     image: rancher/os
   docker:
-    tls_args: [--tlsverify, --tlscacert=ca.pem, --tlscert=server-cert.pem, --tlskey=server-key.pem,
+    tls_args: [--tlsverify, --tlscacert=/etc/docker/tls/ca.pem, --tlscert=/etc/docker/tls/server-cert.pem, --tlskey=/etc/docker/tls/server-key.pem,
                '-H=0.0.0.0:2376']
     args: [daemon, --log-opt, max-size=25m, --log-opt, max-file=2, -s, overlay, -G, docker, -H, 'unix:///var/run/docker.sock', --userland-proxy=false]
diff --git a/tests/integration/assets/test_01/cloud-config.yml b/tests/integration/assets/test_01/cloud-config.yml
index 5f4dd988..5e9a4bfc 100644
--- a/tests/integration/assets/test_01/cloud-config.yml
+++ b/tests/integration/assets/test_01/cloud-config.yml
@@ -11,6 +11,6 @@ rancher:
       mtu: 1500
   docker:
     args: [daemon, --log-opt, max-file=2, --log-opt, max-size=25m, -s, overlay, -G, docker, -H, 'unix:///var/run/docker.sock', --userland-proxy=false]
-    tls_args: [--tlsverify, --tlscacert=/home/rancher/.docker/ca.pem, --tlscert=/home/rancher/.docker/server-cert.pem, --tlskey=/home/rancher/.docker/server-key.pem, '-H=0.0.0.0:2376']
+    tls: true
 ssh_authorized_keys:
   - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUlsWAL5Rf0Wis/A7k7Tlqx0fZS60VzCZrPZYbP/wkL95jv0XzCx8bd1rZHeybblHPDNpND3BLv4qPY5DxRyexF4seGuzcJI/pOvGUGjQondeMPgDTFEo5w939gSdeTZcfXzQ0wAVhzwDbgH4zPfMzbdoo8Aiu9jkKljXw8IFju0gh+t6iKkGZCIjKT9o7zza1vGfkodhvi2V3VzPdNO28gaxZaRNtmBYUoVnGyR6nXN1Q3CJaVuh5o6GPCOqrhHNbYOFZKBpDiHbxPhVpxHQD2+8yUSGTG7WW75FfZePja5y8d0c/O5L37ZYx4AZAd3KgQYDBT2XCEJGQNawNbfpt
diff --git a/tests/integration/rostest/test_01_cloud_config.py b/tests/integration/rostest/test_01_cloud_config.py
index 4216a4ea..0265b44c 100644
--- a/tests/integration/rostest/test_01_cloud_config.py
+++ b/tests/integration/rostest/test_01_cloud_config.py
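Review bot: The absolute `/etc/docker/tls/...` paths in `tls_args` now duplicate the literal passed to `control.Generate` in cmd/userdocker and the server default inside `Generate` itself, so there are three copies of one path that can drift independently. A single source — a constant in package control that the userdocker call uses, plus a pointer from this file such as `# must match the server default in control.Generate` — would keep them aligned. The daemon still binds `-H=0.0.0.0:2376`, which is only acceptable because `--tlsverify` enforces client certificates; a comment stating that dependency next to the flag would protect the next editor who loosens one without the other.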
@@ -71,26 +71,13 @@ def test_docker_tls_args(qemu, cloud_config):
     u.wait_for_ssh(ssh_command)
     subprocess.check_call(
-        ssh_command + ['sudo', 'ros', 'tls', 'generate', '-s', '--hostname', '10.10.2.120', '-d', '~/.docker'],
+        ssh_command + ['sudo', 'ros', 'tls', 'gen'],
         stderr=subprocess.STDOUT, universal_newlines=True)
     subprocess.check_call(
-        ssh_command + ['sudo', 'ros', 'config', 'set', 'rancher.docker.tls', 'true'],
+        ssh_command + ['docker', '--tlsverify', '-H', '127.0.0.1:2376', 'version'],
         stderr=subprocess.STDOUT, universal_newlines=True)
-    subprocess.check_call(
-        ssh_command + ['sudo', 'system-docker', 'restart', 'docker'],
-        stderr=subprocess.STDOUT, universal_newlines=True)
-    u.wait_for_ssh(ssh_command)
-
-    v = subprocess.check_output(
-        ssh_command + ['sh', '-c', 'ps -ef | grep docker'],
-        stderr=subprocess.STDOUT, universal_newlines=True)
-
-    expected = string.join(cloud_config['rancher']['docker']['tls_args'])
-
-    assert v.find(expected) != -1
-
 @pytest.mark.timeout(40)
 def test_rancher_network(qemu, cloud_config):
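Review bot: The rewritten test checks only the positive path — a fully credentialed `docker --tlsverify -H 127.0.0.1:2376 version` succeeding — and nothing now confirms that the daemon refuses a client without a certificate, which is the property `--tlsverify` exists for; a negative case wrapped in `with pytest.raises(subprocess.CalledProcessError):` (a client given `--tlscacert` but no usable client cert/key) would pin that. Since the old assertion over `cloud_config['rancher']['docker']['tls_args']` is gone, the `string` module and possibly the `cloud_config` fixture appear unused in this function (their imports are outside the hunk), and the name `test_docker_tls_args` no longer describes what is asserted — `test_docker_tls` would. The step also relies implicitly on `ros tls gen` defaulting to the rancher user's `~/.docker` and re-owning it so that the unprivileged `docker` call can read the files; a one-line comment saying so would help the next reader. `test_rancher_network` continues past the hunk.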