This repository has been archived on 2021-08-14. You can view files and clone it, but cannot push or open issues/pull-requests.
bever-dam/static/scripts/docker-tcp.sh

136 lines
3.0 KiB
Bash
Raw Normal View History

2021-05-16 22:37:43 +02:00
#!/usr/bin/env sh
# This script generates an openSSL key pair which can be used to expose a
# Docker API over the internet.
2021-05-16 22:56:50 +02:00
# Defaults
days=365
# Displays how to use the program
function usage() {
2021-05-17 09:58:54 +02:00
cat << EOF
This script generates OpenSSL certificate pairs which can be used to expose a
Docker API.
Usage: $0 [-h] [-d DAYS] HOST IP [CERTDIR]
2021-05-17 10:44:57 +02:00
HOST domain name where your machine is accessible
2021-05-17 09:58:54 +02:00
IP public IP of the machine to expose
CERTDIR directory where the certificates will reside on the machine. If
specified, a startup_options.conf file is created for you, which
can then be copied over to the host.
-h show this message
-d how many days the certificate will be valid; defaults to 365
EOF
2021-05-16 22:56:50 +02:00
exit 1
}
while getopts ':hd:' c; do
case $c in
h ) usage ;;
d ) days="$OPTARG" ;;
esac
done
shift $((OPTIND - 1))
2021-05-17 09:58:54 +02:00
host="$1"
ip="$2"
certdir="$3"
2021-05-16 22:56:50 +02:00
# Check for correct amount of arguments
2021-05-17 09:58:54 +02:00
[ $# -lt 2 ] && [ $# -gt 3 ] && usage
2021-05-16 22:56:50 +02:00
2021-05-17 09:58:54 +02:00
# =====SERVER-SIDE=====
2021-05-16 22:56:50 +02:00
# Generate CA key
2021-05-17 09:58:54 +02:00
openssl genrsa \
-aes256 \
-out ca-key.pem \
4096
openssl req \
-new \
-x509 \
-days "$days" \
-key ca-key.pem \
-sha256 \
-out ca.pem
2021-05-16 22:56:50 +02:00
# Generate server key
2021-05-17 09:58:54 +02:00
openssl genrsa \
-out server-key.pem \
4096
openssl req \
-subj "/CN=$host" \
-sha256 \
-new \
-key server-key.pem \
-out server.csr
2021-05-16 22:56:50 +02:00
# Create extfile.cnf
2021-05-17 09:58:54 +02:00
echo subjectAltName = "DNS:$host,IP:$ip,IP:127.0.0.1" > extfile.cnf
2021-05-16 22:56:50 +02:00
echo extendedKeyUsage = serverAuth >> extfile.cnf
2021-05-17 09:58:54 +02:00
# Generate server-side certificate
openssl x509 \
-req \
2021-05-17 15:23:06 +02:00
-days "$days" \
2021-05-17 09:58:54 +02:00
-sha256 \
-in server.csr \
-CA ca.pem \
-CAkey ca-key.pem \
-CAcreateserial \
-out server-cert.pem \
-extfile extfile.cnf
# =====CLIENT-SIDE=====
# Generate key & csr
openssl genrsa \
-out key.pem \
4096
openssl req \
-subj '/CN=client' \
-new \
-key key.pem \
-out client.csr
# Create extfile-client.cnf
echo extendedKeyUsage = clientAuth > extfile-client.cnf
# Generate certificate
openssl x509 \
-req \
2021-05-17 15:23:06 +02:00
-days "$days" \
2021-05-17 09:58:54 +02:00
-sha256 \
-in client.csr \
-CA ca.pem \
-CAkey ca-key.pem \
-CAcreateserial \
-out cert.pem \
-extfile extfile-client.cnf
# Create startup_options.conf
if [ -n "$certdir" ]; then
cat > startup_options.conf << EOF
[Service]
ExecStart=
2021-05-17 10:44:57 +02:00
ExecStart=/usr/sbin/dockerd --tlsverify --tlscacert='$certdir/ca.pem' --tlscert='$certdir/server-cert.pem' --tlskey='$certdir/server-key.pem' -H fd:// -H tcp://0.0.0.0:2376
2021-05-17 09:58:54 +02:00
EOF
echo "Copy 'ca.pem', 'server-cert.pem' and 'server-key.pem' over to '$certdir' on the machine."
2021-05-17 10:44:57 +02:00
echo "'startup_options.conf' should be placed in '/etc/systemd/system/docker.service.d/startup_options.conf'."
2021-05-17 09:58:54 +02:00
else
echo "Copy 'ca.pem', 'server-cert.pem' and 'server-key.pem' over to the chosen directory on the machine."
echo "Create a 'startup_options.conf' file as specified."
fi
echo "Now, you can restart the Docker daemon using:"
echo " systemctl daemon-reload"
echo " systemctl restart docker.service"