From 41f333d0ff5d8e7066dd8222e629a5b52fffb3eb Mon Sep 17 00:00:00 2001
From: Ivan Mikushin
Date: Thu, 2 Jun 2016 12:16:30 -0700
Subject: [PATCH] Disable docker server TLS cert auto-generation

Because users should be explicit about their docker TLS certs. Also, re-generate the key and cert files when `ros tls gen` is run (used to be cached).
---
 cmd/control/tlsconf.go | 100 +++++++++--------
 cmd/userdocker/main.go | 35 +++++-
 .../assets/test_01/cloud-config.yml | 1 -
 .../assets/test_02/cloud-config.yml | 102 ++++++++++++++++++
 .../rostest/test_01_cloud_config.py | 3 +
 tests/integration/rostest/test_02_tls.py | 22 ++++
 6 files changed, 208 insertions(+), 55 deletions(-)
 create mode 100644 tests/integration/assets/test_02/cloud-config.yml
 create mode 100644 tests/integration/rostest/test_02_tls.py
diff --git a/cmd/control/tlsconf.go b/cmd/control/tlsconf.go
index 63a9e4d1..f6c25791 100644
--- a/cmd/control/tlsconf.go
+++ b/cmd/control/tlsconf.go
@@ -14,8 +14,16 @@ import (
 )
 const (
- NAME string = "rancher"
- BITS int = 2048
+ NAME string = "rancher"
+ BITS int = 2048
+ ServerTlsPath string = "/etc/docker/tls"
+ ClientTlsPath string = "/home/rancher/.docker"
+ Cert string = "cert.pem"
+ Key string = "key.pem"
+ ServerCert string = "server-cert.pem"
+ ServerKey string = "server-key.pem"
+ CaCert string = "ca.pem"
+ CaKey string = "ca-key.pem"
 )
 func tlsConfCommands() []cli.Command {
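Review bot: The new exported constants `ServerTlsPath`, `ClientTlsPath`, `CaCert` and `CaKey` in the const block do not follow Go's initialism convention, while the config fields used elsewhere in this same patch are already spelled `CACert` and `CAKey`. Because cmd/userdocker starts importing these names in this commit, now is the cheapest time to settle on `ServerTLSPath`, `ClientTLSPath`, `CACert` and `CAKey`. `Cert` and `Key` are very generic for package-level exports; `ClientCert` / `ClientKey` would mirror `ServerCert` / `ServerKey`. The block also has no documentation, and a one-line comment such as `// Default directories and file names for Docker TLS material.` would cover it.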
@@ -45,44 +53,34 @@ func tlsConfCommands() []cli.Command {
 }
 }
-func writeCerts(generateServer bool, hostname []string, cfg *config.CloudConfig, certPath, keyPath, caCertPath, caKeyPath string) error {
+func writeCerts(generateServer bool, hostname []string, certPath, keyPath, caCertPath, caKeyPath string) error {
 if !generateServer {
 return machineUtil.GenerateCert([]string{""}, certPath, keyPath, caCertPath, caKeyPath, NAME, BITS)
 }
- if cfg.Rancher.Docker.ServerKey == "" || cfg.Rancher.Docker.ServerCert == "" {
- err := machineUtil.GenerateCert(hostname, certPath, keyPath, caCertPath, caKeyPath, NAME, BITS)
- if err != nil {
- return err
- }
-
- cert, err := ioutil.ReadFile(certPath)
- if err != nil {
- return err
- }
-
- key, err := ioutil.ReadFile(keyPath)
- if err != nil {
- return err
- }
-
- // certPath, keyPath are already written to by machineUtil.GenerateCert()
- if err := config.Set("rancher.docker.server_cert", string(cert)); err != nil {
- return err
- }
- if err := config.Set("rancher.docker.server_key", string(key)); err != nil {
- return err
- }
- }
-
- cfg = config.LoadConfig()
-
- if err := util.WriteFileAtomic(certPath, []byte(cfg.Rancher.Docker.ServerCert), 0400); err != nil {
+ if err := machineUtil.GenerateCert(hostname, certPath, keyPath, caCertPath, caKeyPath, NAME, BITS); err != nil {
 return err
 }
- return util.WriteFileAtomic(keyPath, []byte(cfg.Rancher.Docker.ServerKey), 0400)
+ cert, err := ioutil.ReadFile(certPath)
+ if err != nil {
+ return err
+ }
+ key, err := ioutil.ReadFile(keyPath)
+ if err != nil {
+ return err
+ }
+
+ // certPath, keyPath are already written to by machineUtil.GenerateCert()
+ if err := config.Set("rancher.docker.server_cert", string(cert)); err != nil {
+ return err
+ }
+ if err := config.Set("rancher.docker.server_key", string(key)); err != nil {
+ return err
+ }
+
+ return nil
 }
 func writeCaCerts(cfg *config.CloudConfig, caCertPath, caKeyPath string) error {
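Review bot: The server branch of writeCerts now leaves server-cert.pem and server-key.pem with whatever permissions `machineUtil.GenerateCert` creates them with, whereas the removed lines rewrote both through `util.WriteFileAtomic(..., 0400)`. GenerateCert is not part of this diff, so its file mode should be confirmed; if the key can end up wider than owner-read, adding `if err := os.Chmod(keyPath, 0400); err != nil { return err }` after generation keeps the previous guarantee. Every `ros tls gen --server` run now overwrites `rancher.docker.server_cert` and `rancher.docker.server_key` in the config, which deserves a short doc comment on the function. The final `if err := config.Set(...); err != nil { return err }` followed by `return nil` can be collapsed to `return config.Set("rancher.docker.server_key", string(key))`.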
@@ -108,16 +106,16 @@ func writeCaCerts(cfg *config.CloudConfig, caCertPath, caKeyPath string) error {
 if err := config.Set("rancher.docker.ca_key", string(caKey)); err != nil {
 return err
 }
- }
+ } else {
+ cfg = config.LoadConfig()
- cfg = config.LoadConfig()
+ if err := util.WriteFileAtomic(caCertPath, []byte(cfg.Rancher.Docker.CACert), 0400); err != nil {
+ return err
+ }
- if err := util.WriteFileAtomic(caCertPath, []byte(cfg.Rancher.Docker.CACert), 0400); err != nil {
- return err
- }
-
- if err := util.WriteFileAtomic(caKeyPath, []byte(cfg.Rancher.Docker.CAKey), 0400); err != nil {
- return err
+ if err := util.WriteFileAtomic(caKeyPath, []byte(cfg.Rancher.Docker.CAKey), 0400); err != nil {
+ return err
+ }
 }
 return nil
@@ -143,20 +141,20 @@ func generate(c *cli.Context) error {
 func Generate(generateServer bool, outDir string, hostnames []string) error {
 if outDir == "" {
 if generateServer {
- outDir = "/etc/docker/tls"
+ outDir = ServerTlsPath
 } else {
- outDir = "/home/rancher/.docker"
+ outDir = ClientTlsPath
 }
 log.Infof("Out directory (-d, --dir) not specified, using default: %s", outDir)
 }
- caCertPath := filepath.Join(outDir, "ca.pem")
- caKeyPath := filepath.Join(outDir, "ca-key.pem")
- certPath := filepath.Join(outDir, "cert.pem")
- keyPath := filepath.Join(outDir, "key.pem")
+ caCertPath := filepath.Join(outDir, CaCert)
+ caKeyPath := filepath.Join(outDir, CaKey)
+ certPath := filepath.Join(outDir, Cert)
+ keyPath := filepath.Join(outDir, Key)
 if generateServer {
- certPath = filepath.Join(outDir, "server-cert.pem")
- keyPath = filepath.Join(outDir, "server-key.pem")
+ certPath = filepath.Join(outDir, ServerCert)
+ keyPath = filepath.Join(outDir, ServerKey)
 }
 if _, err := os.Stat(outDir); os.IsNotExist(err) {
@@ -166,12 +164,10 @@ func Generate(generateServer bool, outDir string, hostnames []string) error {
 }
 cfg := config.LoadConfig()
-
- err := writeCaCerts(cfg, caCertPath, caKeyPath)
- if err != nil {
+ if err := writeCaCerts(cfg, caCertPath, caKeyPath); err != nil {
 return err
 }
- if err := writeCerts(generateServer, hostnames, cfg, certPath, keyPath, caCertPath, caKeyPath); err != nil {
+ if err := writeCerts(generateServer, hostnames, certPath, keyPath, caCertPath, caKeyPath); err != nil {
 return err
 }
diff --git a/cmd/userdocker/main.go b/cmd/userdocker/main.go
index ab3d9534..60324677 100644
--- a/cmd/userdocker/main.go
+++ b/cmd/userdocker/main.go
@@ -18,6 +18,8 @@ import (
 "github.com/rancher/os/compose"
 "github.com/rancher/os/config"
 rosDocker "github.com/rancher/os/docker"
+ "github.com/rancher/os/util"
+ "path/filepath"
 )
 const (
@@ -41,6 +43,36 @@ func Main() {
 select {}
 }
+func writeCerts(cfg *config.CloudConfig) error {
+ outDir := control.ServerTlsPath
+ if err := os.MkdirAll(outDir, 0700); err != nil {
+ return err
+ }
+ caCertPath := filepath.Join(outDir, control.CaCert)
+ caKeyPath := filepath.Join(outDir, control.CaKey)
+ serverCertPath := filepath.Join(outDir, control.ServerCert)
+ serverKeyPath := filepath.Join(outDir, control.ServerKey)
+ if cfg.Rancher.Docker.CACert != "" {
+ if err := util.WriteFileAtomic(caCertPath, []byte(cfg.Rancher.Docker.CACert), 0400); err != nil {
+ return err
+ }
+
+ if err := util.WriteFileAtomic(caKeyPath, []byte(cfg.Rancher.Docker.CAKey), 0400); err != nil {
+ return err
+ }
+ }
+ if cfg.Rancher.Docker.ServerCert != "" {
+ if err := util.WriteFileAtomic(serverCertPath, []byte(cfg.Rancher.Docker.ServerCert), 0400); err != nil {
+ return err
+ }
+
+ if err := util.WriteFileAtomic(serverKeyPath, []byte(cfg.Rancher.Docker.ServerKey), 0400); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
 func startDocker(cfg *config.CloudConfig) error {
 storageContext := cfg.Rancher.Docker.StorageContext
 if storageContext == "" {
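Review bot: The new writeCerts in cmd/userdocker/main.go returns nil when `ca_cert` or `server_cert` is empty, and it writes ca-key.pem and server-key.pem without checking that `CAKey` / `ServerKey` are non-empty. With `rancher.docker.tls: true` and an incomplete config, the call site in startDocker (the `if dockerCfg.TLS` hunk further down) therefore carries on against missing, zero-length or left-over files in /etc/docker/tls instead of stopping with a clear error; whether older files can survive in that directory is not visible in this diff. Rejecting the incomplete case up front would enforce the "be explicit" policy: `if d := cfg.Rancher.Docker; d.CACert == "" || d.ServerCert == "" || d.ServerKey == "" { return errors.New("docker TLS enabled but ca_cert, server_cert or server_key is not set") }` (this needs the `errors` import). The daemon side should not need the CA private key, and nothing in this patch reads ca-key.pem from the server directory, so consider not writing it there at all.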
@@ -77,8 +109,7 @@ func startDocker(cfg *config.CloudConfig) error {
 log.Debugf("User Docker args: %v", args)
 if dockerCfg.TLS {
- log.Debug("Generating TLS certs if needed")
- if err := control.Generate(true, "/etc/docker/tls", []string{"127.0.0.1", "*", "*.*", "*.*.*", "*.*.*.*"}); err != nil {
+ if err := writeCerts(cfg); err != nil {
 return err
 }
 }
diff --git a/tests/integration/assets/test_01/cloud-config.yml b/tests/integration/assets/test_01/cloud-config.yml
index cf05068d..63d0d0d0 100644
--- a/tests/integration/assets/test_01/cloud-config.yml
+++ b/tests/integration/assets/test_01/cloud-config.yml
@@ -15,6 +15,5 @@ rancher:
 mtu: 1500
 docker:
 args: [daemon, --log-opt, max-file=2, --log-opt, max-size=25m, -s, overlay, -G, docker, -H, 'unix:///var/run/docker.sock', --userland-proxy=false]
- tls: true
 ssh_authorized_keys:
 - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUlsWAL5Rf0Wis/A7k7Tlqx0fZS60VzCZrPZYbP/wkL95jv0XzCx8bd1rZHeybblHPDNpND3BLv4qPY5DxRyexF4seGuzcJI/pOvGUGjQondeMPgDTFEo5w939gSdeTZcfXzQ0wAVhzwDbgH4zPfMzbdoo8Aiu9jkKljXw8IFju0gh+t6iKkGZCIjKT9o7zza1vGfkodhvi2V3VzPdNO28gaxZaRNtmBYUoVnGyR6nXN1Q3CJaVuh5o6GPCOqrhHNbYOFZKBpDiHbxPhVpxHQD2+8yUSGTG7WW75FfZePja5y8d0c/O5L37ZYx4AZAd3KgQYDBT2XCEJGQNawNbfpt
diff --git a/tests/integration/assets/test_02/cloud-config.yml b/tests/integration/assets/test_02/cloud-config.yml
new file mode 100644
index 00000000..af7e26d2
--- /dev/null
+++ b/tests/integration/assets/test_02/cloud-config.yml
@@ -0,0 +1,102 @@ +#cloud-config +rancher: + docker: + tls: true + ca_cert: |+ + -----BEGIN CERTIFICATE----- + MIIC0TCCAbmgAwIBAgIQEMQoBLQ2IMOqlCeG7l8+fzANBgkqhkiG9w0BAQsFADAS + MRAwDgYDVQQKEwdyYW5jaGVyMB4XDTE2MDYwNjE2MTYwMFoXDTE5MDUyMjE2MTYw + MFowEjEQMA4GA1UEChMHcmFuY2hlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC + AQoCggEBAND9PyJVU47CNsA5AjByvEv0KkD106JGHkQc+8lzVyTZw+TV6AvQm+Gt + jiYTgWzL+aGQXFDAK8EDSPzo0koNcFHJeQAJnCULZzm5irqwKZSMlDZSCRO0bJsm + CVpJpYlAc4wHb05nGtR3WB/XvudNWi9HuAZta7JAZ41LXCpC1VZ+K7EbSMsud1/w + 86nkqEU4FeiEbObiKUWS1sQSEs9mmaVg1qaFvorQEREyfXHl+ngwA7tlbl8pF3NS + Ti1Uod746LUSoO2ZmNgmrONsOwl8GYjZNGz+q1YcqeiD9G78rd5gG9uPvEPM89Zm + pGM4iNE/NYMcWv2WcYx0qC9rLR1GwQ8CAwEAAaMjMCEwDgYDVR0PAQH/BAQDAgKs + MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAEmCbU+l9JilTEvF + L0bLFV3XXfN/YaC5tD3K5J2ReOGQcKuZodlpXJpYg/QbcdMbn+N58VuKtIiphU9l + oLbJx0a9mbN9PSuzOo4Ln24SVfEEAZI39BdgMH5LiTLE/7KXgqqPoCLk7dWOkiOn + QTNCJgP84PsMXcXnkZ2bcQjApvQ99kMqcl/TL9bBLCzGC0ZoG+G9dnzHjDd2WbKg + k/3gGJo6vWZD1WOYwxWAqtFEw2iWYRXmAQ1AqzJT83dLpUt1Dh3yP7/p7LAC/s1c + xW0SpP/lE1MjNc2eWAdpEgvBT6ry3WzLekaBgCRlVpkb/rCpWQp3Ocwyoj04qMdC + d59A+HI= + -----END CERTIFICATE----- + ca_key: |+ + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEA0P0/IlVTjsI2wDkCMHK8S/QqQPXTokYeRBz7yXNXJNnD5NXo + C9Cb4a2OJhOBbMv5oZBcUMArwQNI/OjSSg1wUcl5AAmcJQtnObmKurAplIyUNlIJ + E7RsmyYJWkmliUBzjAdvTmca1HdYH9e+501aL0e4Bm1rskBnjUtcKkLVVn4rsRtI + yy53X/DzqeSoRTgV6IRs5uIpRZLWxBISz2aZpWDWpoW+itARETJ9ceX6eDADu2Vu + XykXc1JOLVSh3vjotRKg7ZmY2Cas42w7CXwZiNk0bP6rVhyp6IP0bvyt3mAb24+8 + Q8zz1makYziI0T81gxxa/ZZxjHSoL2stHUbBDwIDAQABAoIBAQCo+aobW3w0+CkG + oNF5VLuUefXUEi8sjJ8aGYknZ7+1BvHRy3ZUXzY6cXZ2qNzDl+Td0fgiPk7iP4K7 + IpAs2dLP/iN8eUir1x1+WdumeJsWBdgsV4YJTZ9mjomPW+6hG+CQ/s3rSYgy88/n + 5yvunudlRQqw/7XNKS/Q2XbKoMEXrXMF4yuMzhFfajw3c9boLJYpLArwau3b4UAq + Zx1tDDs5jSiCTdjySDfsbju59Fx68Pb6edeOUhKlNp22MlLRFwKPYEUI/6PCLA7h + sIoL1c3UEH4Tl64e4TgP9kIVlpB6s55cPkFnfm/XvJ14ipLnFhC3NUAWr5iNIxEi + 
vjP/vbgxAoGBAPnS1SYkgBsMy1BBPiglJu1OrSQsG8JVRtAfDbNGxpF5jcbjOAQV + RWqWrnVvpWt34B0cohKiM0F1YgjPUsy2fEgLr6YTk5ZCxBk4PnJqOfwpkygP7KGR + VHgJNdiX4SPTDjy1roZWnZvfxrHwKTRIhYY3VoCWMFGLYlzMEukWM++3AoGBANYn + 99CWrpnxvhBuU6dKqoSwf43QOyCPDKU0uqtahw2n2BhrDO+gM0IFPh5Mi7rWhmWn + er2VXZrwXJTxUxLrCO/N68IzJp8uxEDr1mS+vTDiz5ix2+pr1BbolZOLHpUipi9x + atG1oIM8Sw6kvl8tyHvQQQNlmTHD0s51joat1AlpAoGBAOf36W0aVU1IqvxhKEr0 + fFm7RS+iOUBQGImlW/5MSJLJ0GiNkPTRn3wiX+mxemL4k0PU03UD4R311cqiX5qw + E2R+XWGTKeZLJnTYcbuhgSfwnrCDYNCA9nLi8nmkRSwTjFO4y0333S7gMUoF2uyu + LjV66rpJOqJtDy9lWmXN9PmvAoGATqGINRdObom7To8jufYJXATuIKTHQPIlI3eT + 3pyzn8jz6CtOKaG5kFEaeMeEOorP9/0hbQCtyNjeNXXSGc0gj+Qc30YmtSXXuzqc + kosSLiPpM1iCtbT3v52QZgcbqIh7WkobfXphwC3gJTVKDOpjhUp2xIeGUyZifZne + RgcHJpkCgYA4yfNbzKPKF4sGp7CNKPnpAsE6LmK0kWBfQQAGbe7IlD90DFLgH9vz + 9erDf1oX4lrnkTtbNxbW1jrMSaAjXS6PyOr6/Qd6XoCgpcEv83Kf7/A0SUuaWTJk + yeXy5mu3kosqk+GKvaqSzVlmJG0O6awbG1BFK51xWq1LImmVSkwjjw== + -----END RSA PRIVATE KEY----- + server_cert: |+ + -----BEGIN CERTIFICATE----- + MIIDDTCCAfWgAwIBAgIRAMiHeN7t0NKghK3RSflXZ5MwDQYJKoZIhvcNAQELBQAw + EjEQMA4GA1UEChMHcmFuY2hlcjAeFw0xNjA2MDYxNjE2MDBaFw0xOTA1MjIxNjE2 + MDBaMBIxEDAOBgNVBAoTB3JhbmNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw + ggEKAoIBAQD8iRzgcfhfUuurgEzefUIMeHJRu5OF1ILsekYpJKWesYhhvA47BC1+ + Nm96BLbfmpp5A7F+ZNQvmO8tNBnnHXWPVbeBmDayLWRhzRkDbPWRx4q9ciIhUsNe + iAeF+iAVJ+S7XTFnRPY7NS+boisuaNG1ecA4XIH/dRmd50DfGfvv6Ntv22ffV1pA + 2vmqIT0O19Bw60jIB7UJSUFofPmpo60TJH7wFusqwttCXjbHbOz/+iKP+eKLksMa + 6oYdwd+hZyHqNMCDDEryQjsnUW9+1IoVattaa/2Y+/aWaczNzbcI2xcrG76lHnD7 + Gqj8rthzv+0XP63cq5dG/KIyo11TcEXNAgMBAAGjXjBcMA4GA1UdDwEB/wQEAwID + qDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAd + BgNVHREEFjAUgglsb2NhbGhvc3SCASqHBH8AAAEwDQYJKoZIhvcNAQELBQADggEB + AHVIh+WjfMM71PJz+fEdAIhWaxKpv9x27ZcWkReIprxdO+2s7ltZgyFpZgAGn5Zo + TSMfKkuCbjni0j+dhgWzrExVDF0sbyyYmnpskykA1lC4CLuPvdrXt55Kje/ZUmPO + B7vfWjDeae+p3iZ9sXRcJTNhIO2GtA+gKE+9PkNRG1X9H2EOvVkZoDDaxaMZVU85 + 
XteKadiTwSiKkopRyyM9uhOPVg1nFtUcC4M+p1NgdSqp2gccpf6fLYocnrJrvuaG + ci0e+nDcgYYXGj9Cl1OxDA0QIWuhWBKZPdS4RNwu8boONMqM+CGe8CibbFKBEt2R + ZiC3i7FAxsmSVLItyaRB8EI= + -----END CERTIFICATE----- + server_key: |+ + -----BEGIN RSA PRIVATE KEY----- + MIIEpQIBAAKCAQEA/Ikc4HH4X1Lrq4BM3n1CDHhyUbuThdSC7HpGKSSlnrGIYbwO + OwQtfjZvegS235qaeQOxfmTUL5jvLTQZ5x11j1W3gZg2si1kYc0ZA2z1kceKvXIi + IVLDXogHhfogFSfku10xZ0T2OzUvm6IrLmjRtXnAOFyB/3UZnedA3xn77+jbb9tn + 31daQNr5qiE9DtfQcOtIyAe1CUlBaHz5qaOtEyR+8BbrKsLbQl42x2zs//oij/ni + i5LDGuqGHcHfoWch6jTAgwxK8kI7J1FvftSKFWrbWmv9mPv2lmnMzc23CNsXKxu+ + pR5w+xqo/K7Yc7/tFz+t3KuXRvyiMqNdU3BFzQIDAQABAoIBAQDUiMDY1JJoB214 + ZP5MsbaIsEXmK6u4kmWtiCrMLZ+Fs3xIZPDFEnsHIeEoHBeckI05E7ap3UoG1PtW + W+cA73YlL8rFMsm1oyY8eVR34Ze7HOjTD99RlEoAoRNT2nJt26lRVtlhRFTG97gd + j5ov8N+tj84KoTB3QqJQlnOuUDwMZ41roFOLEooXSA00qDFENlpBQsEtW+3Ga5ut + INH0CQnynIqt05p24oGxaLjrnmqbEhhJtAyGNHgIJAGoEmPwtPkPcd56QDnoO1wk + 4fBiHgdqUfj21rBFgsIuW3NGzHvtJXopS8kaR3NaIIBCfRxxytLgtNNNW77W54ig + MvuJZr0BAoGBAP3VnIGlVZrIBzsWgPKWyPZ2s9jVR5Ub19x+6wwaGqyH19mQaGxw + x1Wic/F4dF4qqoCwyRRkpyHmGPfChgYMEp0jff5MD2Q4JfxEtGP9agFOV0cJkJr6 + pY3zSbsmft+K4NhEBVMAQfFgb5mb5eSEWl+SI/jn6ee0PyvcI2LzXZVxAoGBAP6w + qiy9wbXFtzA7RC2sBlGFyZekC81DTVSIv586kMDY8oqg34Z07s1JuQYvIlavJ9lw + e50vLW8h3O2r4dge7v6CKAlbeaRtaQfpXJRezH9YQJ9lTJoXY6W7LbnBAPcexFps + J/2rul4RSLUZPuLSpGAcYall77o3rwn9oOocL9gdAoGBAJh/Vhh5iRWFaPqxyWR0 + /GU96Uyyzd+iK6x3v6S0piPTNPWrkWDc3JTxFXET6e2M+oR4MUYENnjiMUvgXP6T + EDfB0/cMIQ8XwJJvgGS2IZKJS1wNPggt33qJmFlMhlqsp+ql6wDznapzQnjptVL1 + xQm31c67HcarfmxORCA1j5qxAoGAIeJBEajBL7y5LWqFHIppYMkq08jYZRuSGzAC + Rl3VSkLSqczTUCEYcClhu0fkCqJM6+nCGFxhcAqSSPB4IHelFikcyHnqCg0gTxQl + 4/tku4BzQIGKmmmIMVFguPjLdxUZzGndPCtvpPopsSZFromVos/D0nSkWyLzX6Hl + mZ/cYaUCgYEA2xufKaPgEdYcuI1rYKHWvhb0DI6QRK/0EfPbo6jkSdpYPBXfJ61F + JkGZVxqZI7r/U55RMmdgCpRAZCISCOm0jepaR32v5Ckan88UTyu8EuXNhvMK2jWP + DJ+16tv9ZXGwkAVJNpVv0Ze6E4yiNZz3Nuq16nBR5QeQmQSGOwbMRRI= + -----END RSA PRIVATE KEY----- + +ssh_authorized_keys: + - ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDUlsWAL5Rf0Wis/A7k7Tlqx0fZS60VzCZrPZYbP/wkL95jv0XzCx8bd1rZHeybblHPDNpND3BLv4qPY5DxRyexF4seGuzcJI/pOvGUGjQondeMPgDTFEo5w939gSdeTZcfXzQ0wAVhzwDbgH4zPfMzbdoo8Aiu9jkKljXw8IFju0gh+t6iKkGZCIjKT9o7zza1vGfkodhvi2V3VzPdNO28gaxZaRNtmBYUoVnGyR6nXN1Q3CJaVuh5o6GPCOqrhHNbYOFZKBpDiHbxPhVpxHQD2+8yUSGTG7WW75FfZePja5y8d0c/O5L37ZYx4AZAd3KgQYDBT2XCEJGQNawNbfpt
diff --git a/tests/integration/rostest/test_01_cloud_config.py b/tests/integration/rostest/test_01_cloud_config.py
index 87ed91d5..18cd0b7d 100644
--- a/tests/integration/rostest/test_01_cloud_config.py
+++ b/tests/integration/rostest/test_01_cloud_config.py
@@ -72,7 +72,10 @@ def test_services_include(qemu, cloud_config):
 def test_docker_tls_args(qemu, cloud_config):
 SSH(qemu, ssh_command).check_call('''
 set -e -x
+sudo ros tls gen --server -H localhost
 sudo ros tls gen
+sudo ros c set rancher.docker.tls true
+sudo system-docker restart docker
 sleep 5
 docker --tlsverify version
 '''.strip())
diff --git a/tests/integration/rostest/test_02_tls.py b/tests/integration/rostest/test_02_tls.py
new file mode 100644
index 00000000..b5c7bf19
--- /dev/null
+++ b/tests/integration/rostest/test_02_tls.py
@@ -0,0 +1,22 @@
+import pytest
+import rostest.util as u
+from rostest.util import SSH
+
+ssh_command = ['./scripts/ssh', '--qemu', '--key', './tests/integration/assets/test.key']
+cloud_config_path = './tests/integration/assets/test_02/cloud-config.yml'
+
+
+@pytest.fixture(scope="module")
+def qemu(request):
+ q = u.run_qemu(request, ['--cloud-config', cloud_config_path])
+ u.flush_out(q.stdout)
+ return q
+
+
+@pytest.mark.timeout(40)
+def test_docker_tls_args(qemu):
+ SSH(qemu, ssh_command).check_call('''
+set -e -x
+sudo ros tls gen
+docker --tlsverify version
+ '''.strip())
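Review bot: The CA and server certificates embedded in tests/integration/assets/test_02/cloud-config.yml have a fixed lifetime: decoding the validity field of both PEM blocks appears to give a notAfter of 2019-05-22 (worth confirming with `openssl x509 -noout -enddate`). After that date `docker --tlsverify version` in test_02 would fail regardless of what the code does. Generating the fixture material at test time avoids this; failing that, record the expiry and the regeneration command in a comment below the `#cloud-config` line. The file also commits two RSA private keys (`ca_key`, `server_key`), so a comment such as `# TEST FIXTURE ONLY - throwaway CA/server keys, never deploy` would make the intent explicit for readers and for secret-scanning allowlists.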
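Review bot: Neither the new tests/integration/rostest/test_02_tls.py nor the updated test_01 exercises the behaviour the commit title describes, namely booting with `rancher.docker.tls: true` and no certificates in the config. A third case asserting the intended outcome for that configuration would pin the change down, since only the two happy paths are covered as written. It would also be cheap to assert the key file mode inside the check_call script, e.g. `test "$(sudo stat -c %a /etc/docker/tls/server-key.pem)" = 400`, because the code path that writes those files moved in this patch.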