bever-dam/static/scripts/docker-tcp.sh

#!/usr/bin/env sh

# This script generates an openSSL key pair which can be used to expose a
# Docker API over the internet.


# Defaults
days=365


# Displays how to use the program
function usage() {
    cat << EOF
This script generates OpenSSL certificate pairs which can be used to expose a
Docker API.

Usage: $0 [-h] [-d DAYS] HOST IP [CERTDIR]

    HOST     domain name where your machine is accessible
    IP       public IP of the machine to expose
    CERTDIR  directory where the certificates will reside on the machine. If
             specified, a startup_options.conf file is created for you, which
             can then be copied over to the host.

    -h       show this message
    -d       how many days the certificate will be valid; defaults to 365
EOF
    exit 1
}


while getopts ':hd:' c; do
    case $c in
        h ) usage ;;
        d ) days="$OPTARG" ;;
    esac
done
shift $((OPTIND - 1))

host="$1"
ip="$2"
certdir="$3"

# Check for correct amount of arguments
[ $# -lt 2 ] && [ $# -gt 3 ] && usage


# =====SERVER-SIDE=====
# Generate CA key
openssl genrsa \
    -aes256 \
    -out ca-key.pem \
    4096
openssl req \
    -new \
    -x509 \
    -days "$days" \
    -key ca-key.pem \
    -sha256 \
    -out ca.pem

# Generate server key
openssl genrsa \
    -out server-key.pem \
    4096
openssl req \
    -subj "/CN=$host" \
    -sha256 \
    -new \
    -key server-key.pem \
    -out server.csr

# Create extfile.cnf
echo subjectAltName = "DNS:$host,IP:$ip,IP:127.0.0.1" > extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf

# Generate server-side certificate
openssl x509 \
    -req \
    -days 365 \
    -sha256 \
    -in server.csr \
    -CA ca.pem \
    -CAkey ca-key.pem \
    -CAcreateserial \
    -out server-cert.pem \
    -extfile extfile.cnf


# =====CLIENT-SIDE=====
# Generate key & csr
openssl genrsa \
    -out key.pem \
    4096
openssl req \
    -subj '/CN=client' \
    -new \
    -key key.pem \
    -out client.csr

# Create extfile-client.cnf
echo extendedKeyUsage = clientAuth > extfile-client.cnf

# Generate certificate
openssl x509 \
    -req \
    -days 365 \
    -sha256 \
    -in client.csr \
    -CA ca.pem \
    -CAkey ca-key.pem \
    -CAcreateserial \
    -out cert.pem \
    -extfile extfile-client.cnf

# Create startup_options.conf
if [ -n "$certdir" ]; then
    cat > startup_options.conf << EOF
[Service]
ExecStart=
ExecStart=/usr/sbin/dockerd --tlsverify --tlscacert='$certdir/ca.pem' --tlscert='$certdir/server-cert.pem' --tlskey='$certdir/server-key.pem' -H fd:// -H tcp://0.0.0.0:2376
EOF

    echo "Copy 'ca.pem', 'server-cert.pem' and 'server-key.pem' over to '$certdir' on the machine."
    echo "'startup_options.conf' should be placed in '/etc/systemd/system/docker.service.d/startup_options.conf'."

else
    echo "Copy 'ca.pem', 'server-cert.pem' and 'server-key.pem' over to the chosen directory on the machine."
    echo "Create a 'startup_options.conf' file as specified."

fi

echo "Now, you can restart the Docker daemon using:"
echo "  systemctl daemon-reload"
echo "  systemctl restart docker.service"
Started writing Docker TCP post 2021-05-16 22:37:43 +02:00			`#!/usr/bin/env sh`

			`# This script generates an openSSL key pair which can be used to expose a`
			`# Docker API over the internet.`


Started docker-tcp.sh 2021-05-16 22:56:50 +02:00			`# Defaults`
			`days=365`


			`# Displays how to use the program`
			`function usage() {`
Wrote first docker-tcp script version 2021-05-17 09:58:54 +02:00			`cat << EOF`
			`This script generates OpenSSL certificate pairs which can be used to expose a`
			`Docker API.`

			`Usage: $0 [-h] [-d DAYS] HOST IP [CERTDIR]`

Removed some faulty information 2021-05-17 10:44:57 +02:00			`HOST domain name where your machine is accessible`
Wrote first docker-tcp script version 2021-05-17 09:58:54 +02:00			`IP public IP of the machine to expose`
			`CERTDIR directory where the certificates will reside on the machine. If`
			`specified, a startup_options.conf file is created for you, which`
			`can then be copied over to the host.`

			`-h show this message`
			`-d how many days the certificate will be valid; defaults to 365`
			`EOF`
Started docker-tcp.sh 2021-05-16 22:56:50 +02:00			`exit 1`
			`}`


			`while getopts ':hd:' c; do`
			`case $c in`
			`h ) usage ;;`
			`d ) days="$OPTARG" ;;`
			`esac`
			`done`
			`shift $((OPTIND - 1))`

Wrote first docker-tcp script version 2021-05-17 09:58:54 +02:00			`host="$1"`
			`ip="$2"`
			`certdir="$3"`

Started docker-tcp.sh 2021-05-16 22:56:50 +02:00			`# Check for correct amount of arguments`
Wrote first docker-tcp script version 2021-05-17 09:58:54 +02:00			`[ $# -lt 2 ] && [ $# -gt 3 ] && usage`
Started docker-tcp.sh 2021-05-16 22:56:50 +02:00

Wrote first docker-tcp script version 2021-05-17 09:58:54 +02:00			`# =====SERVER-SIDE=====`
Started docker-tcp.sh 2021-05-16 22:56:50 +02:00			`# Generate CA key`
Wrote first docker-tcp script version 2021-05-17 09:58:54 +02:00			`openssl genrsa \`
			`-aes256 \`
			`-out ca-key.pem \`
			`4096`
			`openssl req \`
			`-new \`
			`-x509 \`
			`-days "$days" \`
			`-key ca-key.pem \`
			`-sha256 \`
			`-out ca.pem`
Started docker-tcp.sh 2021-05-16 22:56:50 +02:00
			`# Generate server key`
Wrote first docker-tcp script version 2021-05-17 09:58:54 +02:00			`openssl genrsa \`
			`-out server-key.pem \`
			`4096`
			`openssl req \`
			`-subj "/CN=$host" \`
			`-sha256 \`
			`-new \`
			`-key server-key.pem \`
			`-out server.csr`
Started docker-tcp.sh 2021-05-16 22:56:50 +02:00
			`# Create extfile.cnf`
Wrote first docker-tcp script version 2021-05-17 09:58:54 +02:00			`echo subjectAltName = "DNS:$host,IP:$ip,IP:127.0.0.1" > extfile.cnf`
Started docker-tcp.sh 2021-05-16 22:56:50 +02:00			`echo extendedKeyUsage = serverAuth >> extfile.cnf`
Wrote first docker-tcp script version 2021-05-17 09:58:54 +02:00
			`# Generate server-side certificate`
			`openssl x509 \`
			`-req \`
			`-days 365 \`
			`-sha256 \`
			`-in server.csr \`
			`-CA ca.pem \`
			`-CAkey ca-key.pem \`
			`-CAcreateserial \`
			`-out server-cert.pem \`
			`-extfile extfile.cnf`


			`# =====CLIENT-SIDE=====`
			`# Generate key & csr`
			`openssl genrsa \`
			`-out key.pem \`
			`4096`
			`openssl req \`
			`-subj '/CN=client' \`
			`-new \`
			`-key key.pem \`
			`-out client.csr`

			`# Create extfile-client.cnf`
			`echo extendedKeyUsage = clientAuth > extfile-client.cnf`

			`# Generate certificate`
			`openssl x509 \`
			`-req \`
			`-days 365 \`
			`-sha256 \`
			`-in client.csr \`
			`-CA ca.pem \`
			`-CAkey ca-key.pem \`
			`-CAcreateserial \`
			`-out cert.pem \`
			`-extfile extfile-client.cnf`

			`# Create startup_options.conf`
			`if [ -n "$certdir" ]; then`
			`cat > startup_options.conf << EOF`
			`[Service]`
			`ExecStart=`
Removed some faulty information 2021-05-17 10:44:57 +02:00			`ExecStart=/usr/sbin/dockerd --tlsverify --tlscacert='$certdir/ca.pem' --tlscert='$certdir/server-cert.pem' --tlskey='$certdir/server-key.pem' -H fd:// -H tcp://0.0.0.0:2376`
Wrote first docker-tcp script version 2021-05-17 09:58:54 +02:00			`EOF`

			`echo "Copy 'ca.pem', 'server-cert.pem' and 'server-key.pem' over to '$certdir' on the machine."`
Removed some faulty information 2021-05-17 10:44:57 +02:00			`echo "'startup_options.conf' should be placed in '/etc/systemd/system/docker.service.d/startup_options.conf'."`
Wrote first docker-tcp script version 2021-05-17 09:58:54 +02:00
			`else`
			`echo "Copy 'ca.pem', 'server-cert.pem' and 'server-key.pem' over to the chosen directory on the machine."`
			`echo "Create a 'startup_options.conf' file as specified."`

			`fi`

			`echo "Now, you can restart the Docker daemon using:"`
			`echo " systemctl daemon-reload"`
			`echo " systemctl restart docker.service"`