Wrote first docker-tcp script version

Updated docker-tcp.md
2021-05-17 09:58:54 +02:00 · 2021-05-17 09:29:18 +02:00
2 changed files with 187 additions and 11 deletions
--- a/content/posts/docker-tcp.md
+++ b/content/posts/docker-tcp.md
@ -65,7 +65,7 @@ In the above snippet, replace `<HOST>` with the hostname (output of the
 `hostname` command) of the machine who's API you want to expose. Now we've
 created `server-key.pem` and `server.csr`.

-As a final step, we need to create a file named `extfile.cnf` with the
+After this, we need to create a file named `extfile.cnf` with the
 following content:

 ```
@ -75,3 +75,87 @@ extendedKeyUsage = serverAuth

 Here, we once again replace `<HOST>` with the machine's hostname, and `<IP>`
 with the machine's public IP.
+
+This file can now be used to generate the actual signed certificate:
+
+```shell
+openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem \
+    -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
+```
+
+Here, we can once again change the days argument to the value we want. After
+all these steps, we're left with a signed server-side certificate.
+
+## Client-side
+
+Now we'll generate the client-side certificates. We start by creating a `csr`
+file:
+
+```shell
+openssl genrsa -out key.pem 4096
+openssl req -subj '/CN=client' -new -key key.pem -out client.csr
+```
+
+After this, we create another `.cnf`, this time to configure the client-side
+keys. Add this to a file named `extfile-client.cnf`:
+
+```
+extendedKeyUsage = clientAuth
+```
+
+And then, we generate the client-side key:
+
+```
+openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey \
+    ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf
+```
+
+Once again change the days value to whatever you want. Now we're left with all
+the files we need to securely expose the API.
+
+## Exposing the API
+
+**Note**: the following steps will restart the Docker engine and all
+running containers, so make sure this won't break anything.
+
+Start by creating a directory on the host that you're not going to delete. In
+the following steps, replace `<DIR>` with the absolute path to this directory.
+After this, copy `ca.pem`, `server-cert.pem` and `server-key.pem` to this
+directory.
+
+We're gonna be creating a system config file for the Docker service (this guide
+assumes the use of `systemd`). In
+`/etc/systemd/docker.service.d/startup_options.conf`, put the following:
+
+```shell
+[Service]
+ExecStart=
+ExecStart=/usr/bin/dockerd --tlsverify --tlscacert='<DIR>/ca.pem' --tlscert='<DIR>/server-cert.pem' --tlskey='<DIR>/server-key.pem' -H fd:// -H tcp://0.0.0.0:2376
+```
+
+Don't forget the replace `<PATH>` with the path to your actual directory.
+
+The final step is restarting the Docker engine:
+
+```shell
+systemctl daemon-reload
+systemctl restart docker.service
+```
+
+**Note**: these commands require root.
+
+After all this, you should have a Docker API that's accessible using an
+encrypted connection. Let's test it by adding it to Portainer!
+
+## Adding engine to Portainer
+
+Thankfully this is the easy part. In Portainer, add a new endpoint and choose
+the "Docker" type. Pick a name for your endpoint, fill in the endpoint URL
+including the port number (Docker's default port number is `2376`) and enable
+the "TLS" switch. We choose "TLS with server and client verification", as this
+is the safest. The files to upload are `ca.pem` for the TLS CA certificate,
+`cert.pem` for the TLS certificate and `key.pem` for the TLS key. If all goes
+well, you should now connect to the host!
+
+Now, I know these steps can be quite tedious to repeat, so I've written
+[a script](/scripts/docker-tcp.sh) that can automate this process for you.
--- a/static/scripts/docker-tcp.sh
+++ b/static/scripts/docker-tcp.sh
@ -10,9 +10,21 @@ days=365

 # Displays how to use the program
 function usage() {
-    echo "This script generates OpenSSL certificate pairs which can be used to expose a Docker API."
-    echo
-    echo "Usage: $0 [-h] [-d DAYS] HOST IP"
+    cat << EOF
+This script generates OpenSSL certificate pairs which can be used to expose a
+Docker API.
+
+Usage: $0 [-h] [-d DAYS] HOST IP [CERTDIR]
+
+    HOST     hostname of the machine to expose
+    IP       public IP of the machine to expose
+    CERTDIR  directory where the certificates will reside on the machine. If
+             specified, a startup_options.conf file is created for you, which
+             can then be copied over to the host.
+
+    -h       show this message
+    -d       how many days the certificate will be valid; defaults to 365
+EOF
    exit 1
 }

@ -25,19 +37,99 @@ while getopts ':hd:' c; do
 done
 shift $((OPTIND - 1))

+host="$1"
+ip="$2"
+certdir="$3"
+
 # Check for correct amount of arguments
-[ $# -eq 2 ] || usage
+[ $# -lt 2 ] && [ $# -gt 3 ] && usage


+# =====SERVER-SIDE=====
 # Generate CA key
-openssl genrsa -aes256 -out ca-key.pem 4096
-openssl req -new -x509 -days "$DAYS" -key ca-key.pem -sha256 -out ca.pem
+openssl genrsa \
+    -aes256 \
+    -out ca-key.pem \
+    4096
+openssl req \
+    -new \
+    -x509 \
+    -days "$days" \
+    -key ca-key.pem \
+    -sha256 \
+    -out ca.pem

 # Generate server key
-openssl genrsa -out server-key.pem 4096
-openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
+openssl genrsa \
+    -out server-key.pem \
+    4096
+openssl req \
+    -subj "/CN=$host" \
+    -sha256 \
+    -new \
+    -key server-key.pem \
+    -out server.csr

 # Create extfile.cnf
-
-echo subjectAltName = "DNS:$HOST,IP:$IP,IP:127.0.0.1" > extfile.cnf
+echo subjectAltName = "DNS:$host,IP:$ip,IP:127.0.0.1" > extfile.cnf
 echo extendedKeyUsage = serverAuth >> extfile.cnf
+
+# Generate server-side certificate
+openssl x509 \
+    -req \
+    -days 365 \
+    -sha256 \
+    -in server.csr \
+    -CA ca.pem \
+    -CAkey ca-key.pem \
+    -CAcreateserial \
+    -out server-cert.pem \
+    -extfile extfile.cnf
+
+
+# =====CLIENT-SIDE=====
+# Generate key & csr
+openssl genrsa \
+    -out key.pem \
+    4096
+openssl req \
+    -subj '/CN=client' \
+    -new \
+    -key key.pem \
+    -out client.csr
+
+# Create extfile-client.cnf
+echo extendedKeyUsage = clientAuth > extfile-client.cnf
+
+# Generate certificate
+openssl x509 \
+    -req \
+    -days 365 \
+    -sha256 \
+    -in client.csr \
+    -CA ca.pem \
+    -CAkey ca-key.pem \
+    -CAcreateserial \
+    -out cert.pem \
+    -extfile extfile-client.cnf
+
+# Create startup_options.conf
+if [ -n "$certdir" ]; then
+    cat > startup_options.conf << EOF
+[Service]
+ExecStart=
+ExecStart=/usr/bin/dockerd --tlsverify --tlscacert='$certdir/ca.pem' --tlscert='$certdir/server-cert.pem' --tlskey='$certdir/server-key.pem' -H fd:// -H tcp://0.0.0.0:2376
+EOF
+
+    echo "Copy 'ca.pem', 'server-cert.pem' and 'server-key.pem' over to '$certdir' on the machine."
+    echo "'startup_options.conf' should be placed in '/etc/systemd/docker.service.d/startup_options.conf'."
+
+else
+    echo "Copy 'ca.pem', 'server-cert.pem' and 'server-key.pem' over to the chosen directory on the machine."
+    echo "Create a 'startup_options.conf' file as specified."
+
+fi
+
+echo "Now, you can restart the Docker daemon using:"
+echo "  systemctl daemon-reload"
+echo "  systemctl restart docker.service"
Author	SHA1	Message	Date
Jef Roosens	2cb6d2686c	Wrote first docker-tcp script version continuous-integration/drone the build was successful Details	2021-05-17 09:58:54 +02:00
Jef Roosens	fac578b878	Updated docker-tcp.md	2021-05-17 09:29:18 +02:00