Wrote first docker-tcp script version

Jef Roosens 2021-05-17 09:58:54 +02:00
parent fac578b878
commit 2cb6d2686c
Signed by: Jef Roosens
GPG Key ID: B580B976584B5F30
2 changed files with 105 additions and 13 deletions


@ -79,8 +79,8 @@ with the machine's public IP.
This file can now be used to generate the actual signed certificate: This file can now be used to generate the actual signed certificate:
```shell ```shell
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey \ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem \
ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
``` ```
Here, we can once again change the days argument to the value we want. After Here, we can once again change the days argument to the value we want. After
@ -151,7 +151,7 @@ encrypted connection. Let's test it by adding it to Portainer!
Thankfully this is the easy part. In Portainer, add a new endpoint and choose Thankfully this is the easy part. In Portainer, add a new endpoint and choose
the "Docker" type. Pick a name for your endpoint, fill in the endpoint URL the "Docker" type. Pick a name for your endpoint, fill in the endpoint URL
including the port number (Docker's default port number is `2375`) and enable including the port number (Docker's default port number is `2376`) and enable
the "TLS" switch. We choose "TLS with server and client verification", as this the "TLS" switch. We choose "TLS with server and client verification", as this
is the safest. The files to upload are `ca.pem` for the TLS CA certificate, is the safest. The files to upload are `ca.pem` for the TLS CA certificate,
`cert.pem` for the TLS certificate and `key.pem` for the TLS key. If all goes `cert.pem` for the TLS certificate and `key.pem` for the TLS key. If all goes


@ -10,9 +10,21 @@ days=365
# Displays how to use the program # Displays how to use the program
function usage() { function usage() {
echo "This script generates OpenSSL certificate pairs which can be used to expose a Docker API." cat << EOF
echo This script generates OpenSSL certificate pairs which can be used to expose a
echo "Usage: $0 [-h] [-d DAYS] HOST IP" Docker API.
Usage: $0 [-h] [-d DAYS] HOST IP [CERTDIR]
HOST hostname of the machine to expose
IP public IP of the machine to expose
CERTDIR directory where the certificates will reside on the machine. If
specified, a startup_options.conf file is created for you, which
can then be copied over to the host.
-h show this message
-d how many days the certificate will be valid; defaults to 365
EOF
exit 1 exit 1
} }
@ -25,19 +37,99 @@ while getopts ':hd:' c; do
done done
shift $((OPTIND - 1)) shift $((OPTIND - 1))
host="$1"
ip="$2"
certdir="$3"
# Check for correct amount of arguments # Check for correct amount of arguments
[ $# -eq 2 ] || usage [ $# -lt 2 ] && [ $# -gt 3 ] && usage
# =====SERVER-SIDE=====
# Generate CA key # Generate CA key
openssl genrsa -aes256 -out ca-key.pem 4096 openssl genrsa \
openssl req -new -x509 -days "$DAYS" -key ca-key.pem -sha256 -out ca.pem -aes256 \
-out ca-key.pem \
4096
openssl req \
-new \
-x509 \
-days "$days" \
-key ca-key.pem \
-sha256 \
-out ca.pem
# Generate server key # Generate server key
openssl genrsa -out server-key.pem 4096 openssl genrsa \
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr -out server-key.pem \
4096
openssl req \
-subj "/CN=$host" \
-sha256 \
-new \
-key server-key.pem \
-out server.csr
# Create extfile.cnf # Create extfile.cnf
echo subjectAltName = "DNS:$host,IP:$ip,IP:127.0.0.1" > extfile.cnf
echo subjectAltName = "DNS:$HOST,IP:$IP,IP:127.0.0.1" > extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf echo extendedKeyUsage = serverAuth >> extfile.cnf
# Generate server-side certificate
openssl x509 \
-req \
-days 365 \
-sha256 \
-in server.csr \
-CA ca.pem \
-CAkey ca-key.pem \
-CAcreateserial \
-out server-cert.pem \
-extfile extfile.cnf
# =====CLIENT-SIDE=====
# Generate key & csr
openssl genrsa \
-out key.pem \
4096
openssl req \
-subj '/CN=client' \
-new \
-key key.pem \
-out client.csr
# Create extfile-client.cnf
echo extendedKeyUsage = clientAuth > extfile-client.cnf
# Generate certificate
openssl x509 \
-req \
-days 365 \
-sha256 \
-in client.csr \
-CA ca.pem \
-CAkey ca-key.pem \
-CAcreateserial \
-out cert.pem \
-extfile extfile-client.cnf
# Create startup_options.conf
if [ -n "$certdir" ]; then
cat > startup_options.conf << EOF
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert='$certdir/ca.pem' --tlscert='$certdir/server-cert.pem' --tlskey='$certdir/server-key.pem' -H fd:// -H tcp://0.0.0.0:2376
EOF
echo "Copy 'ca.pem', 'server-cert.pem' and 'server-key.pem' over to '$certdir' on the machine."
echo "'startup_options.conf' should be placed in '/etc/systemd/docker.service.d/startup_options.conf'."
else
echo "Copy 'ca.pem', 'server-cert.pem' and 'server-key.pem' over to the chosen directory on the machine."
echo "Create a 'startup_options.conf' file as specified."
fi
echo "Now, you can restart the Docker daemon using:"
echo " systemctl daemon-reload"
echo " systemctl restart docker.service"
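Review bot: The argument-count check on the new side, `[ $# -lt 2 ] && [ $# -gt 3 ] && usage`, can never reach `usage`, because no count is both below 2 and above 3, so the script now silently proceeds with an empty `$host`/`$ip`; the guard should be `{ [ "$#" -ge 2 ] && [ "$#" -le 3 ]; } || usage`. The two signing steps hard-code `-days 365` (server `openssl x509` and client `openssl x509`) while the CA request uses `-days "$days"`, so the `-d` option only affects the CA; both should read `-days "$days"`. Three unencrypted-or-passphrase-protected private keys (`ca-key.pem`, `server-key.pem`, `key.pem`) are written with the umask default and nothing tightens them; consider adding `chmod 0400 ca-key.pem server-key.pem key.pem` after the last `openssl` call, and `chmod 0444` on the `.pem` certificates, since the key material is what the whole mutual-TLS setup protects. The hint `'/etc/systemd/docker.service.d/startup_options.conf'` appears to be missing a `system/` component — systemd drop-ins for system units conventionally live under `/etc/systemd/system/docker.service.d/`; confirm against the target host before relying on the message.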