From 81438d91d2a4d4420ae73e0c954171695ba0345d Mon Sep 17 00:00:00 2001
From: zhaoertao
Date: Fri, 3 Jul 2015 04:25:08 -0400
Subject: [PATCH] enhance of setting up certificate for docker host
---
 xCAT-server/sbin/xcatconfig | 16 +++-
 .../xcat/scripts/setup-dockerhost-cert.sh | 80 +++++++++++++++++++
 xCAT/postscripts/setupdockerhost | 58 ++++----------
 3 files changed, 108 insertions(+), 46 deletions(-)
 create mode 100755 xCAT-server/share/xcat/scripts/setup-dockerhost-cert.sh
diff --git a/xCAT-server/sbin/xcatconfig b/xCAT-server/sbin/xcatconfig
index 3dcc2c344..73e693b42 100755
--- a/xCAT-server/sbin/xcatconfig
+++ b/xCAT-server/sbin/xcatconfig
@@ -1620,10 +1620,7 @@ sub genCredentials
 xCAT::MsgUtils->message('E', "Could not create $::INSTALLDIR/postscripts/ca directory.");
 }
- else
- {
- verbose("Created $::INSTALLDIR/postscripts/ca directory.");
- }
+
 $cmd = "/bin/cp -p /etc/xcat/ca/ca-cert.pem $::INSTALLDIR/postscripts/ca/ca-cert.pem";
 $outref = xCAT::Utils->runcmd("$cmd", 0);
 if ($::RUNCMD_RC != 0)
@@ -1663,6 +1660,17 @@ sub genCredentials
 }
 }
 }
+ if ((! -d "/etc/xcatdockerca/cert") || $::FORCE || $::genCredentials) {
+ my $cmd = "echo 'y\ny\ny\ny' |$::XCATROOT/share/xcat/scripts/setup-dockerhost-cert.sh";
+ verbose("Running $cmd");
+ my $rc = system($cmd);
+ if ($rc >> 8) {
+ xCAT::MsgUtils->message('E',
+ "Could not create xCAT dockerhost certificate in /etc/xcatdockerca/cert.");
+ } else {
+ verbose("Create xCAT dockerhost certificate in /etc/xcatdockerca/cert directory.");
+ }
+ }
 # copy to postscript directory, no longer use cert directory
 $cmd = "/bin/rm -rf $::INSTALLDIR/postscripts/cert >/dev/null 2>&1";
diff --git a/xCAT-server/share/xcat/scripts/setup-dockerhost-cert.sh b/xCAT-server/share/xcat/scripts/setup-dockerhost-cert.sh
new file mode 100755
index 000000000..e2c989a9b
--- /dev/null
+++ b/xCAT-server/share/xcat/scripts/setup-dockerhost-cert.sh
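Review bot: The success branch of the new block in genCredentials reports that the dockerhost certificate was created whenever `$rc >> 8` is zero, but `system` returns -1 when the shell or the script cannot be started at all, and the script's last command is `cd -`, so the status the caller sees is that of `cd` rather than of the openssl steps; the check therefore almost never observes a failure. Test the -1 case separately and report the reason, e.g. `if ($rc == -1) { xCAT::MsgUtils->message('E', "Could not run $cmd: $!"); } elsif ($rc >> 8) {`, and confirm that `/etc/xcatdockerca/cert/dockerhost-cert.pem` and `/etc/xcatdockerca/cert/dockerhost-key.pem` exist before taking the success branch. The inner `my $cmd` also shadows the sub-level `$cmd` assigned a few lines later; a distinct name such as `$dockercert_cmd` makes the two easier to tell apart. genCredentials starts and ends outside the hunk.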
@@ -0,0 +1,80 @@
+# IBM(c) 2007 EPL license http://www.eclipse.org/legal/epl-v10.html
+# To create certficate for docker host
+echo "$0 xcatdockerhost"
+
+umask 0077
+CNA="xcatdockerhost"
+
+XCATDOCKERDIR=/etc/xcatdockerca
+XCATDOCKERCADIR=$XCATDOCKERDIR/ca
+
+if [ ! -e $XCATDOCKERDIR ]; then
+ mkdir -p $XCATDOCKERDIR
+ mkdir -p $XCATDOCKERCADIR
+fi
+
+if [ ! -e $XCATDOCKERCADIR/openssl.cnf ]; then
+ cp /etc/xcat/ca/openssl.cnf $XCATDOCKERCADIR/
+fi
+if [ ! -e $XCATDOCKERCADIR/ca-cert.pem ]; then
+ cp /etc/xcat/ca/ca-cert.pem $XCATDOCKERCADIR/
+fi
+
+if [ ! -e $XCATDOCKERCADIR/private/ca-key.pem ]; then
+ mkdir -p $XCATDOCKERCADIR/private
+ cp /etc/xcat/ca/private/ca-key.pem $XCATDOCKERCADIR/private/
+fi
+
+if [ -e $XCATDOCKERDIR/cert ]; then
+ echo -n "$XCATDOCKERDIR/cert already exists, delete and start over (y/n)?"
+ read ANSWER
+ if [ "$ANSWER" != "y" ]; then
+ echo "Aborting at user request"
+ exit 0
+ fi
+ rm -rf $XCATDOCKERDIR/cert
+fi
+mkdir -p $XCATDOCKERDIR/cert
+
+
+cd $XCATDOCKERDIR
+
+if [ ! -e $XCATDOCKERCADIR/openssl.cnf ]; then
+ echo -n "$XCATDOCKERCADIR/openssl.cnf not exist"
+ exit 1
+fi
+sed -i "s@^dir.*=.*/etc/xcat/ca@dir = $XCATDOCKERCADIR@g" $XCATDOCKERCADIR/openssl.cnf
+
+if [ ! -e $XCATDOCKERCADIR/index ]; then
+ touch $XCATDOCKERCADIR/index
+fi
+if [ ! -e $XCATDOCKERCADIR/serial ]; then
+ echo "00" > $XCATDOCKERCADIR/serial
+fi
+if [ ! -e $XCATDOCKERCADIR/certs ]; then
+ mkdir -p $XCATDOCKERCADIR/certs
+fi
+
+openssl genrsa -out ca/dockerhost-key.pem 2048
+openssl req -config ca/openssl.cnf -new -key ca/dockerhost-key.pem -out cert/dockerhost-req.pem -extensions server -subj "/CN=$CNA"
+mv cert/dockerhost-req.pem ca/$CNA\.csr
+cd -
+cd $XCATDOCKERCADIR
+
+# - "make sign" doesn't seem to work on my AIX system???
+# - seems to be a problem with the use of the wildcard in the Makefile
+# - call cmds directly instead - seems safe
+# make sign
+
+#CA certificate and CA private key do not match
+openssl ca -startdate 600101010101Z -config openssl.cnf -in $CNA\.csr -out $CNA\.cert -extensions server -batch
+#openssl ca -selfsign -config openssl.cnf -in $CNA\.csr -startdate 700101010101Z -days 7305 -out $CNA\.cert -extensions v3_ca -batch
+if [ -f $CNA\.cert ]; then
+ rm $CNA\.csr
+fi
+
+cp ca-cert.pem $XCATDOCKERDIR/cert/
+mv $CNA\.cert $XCATDOCKERDIR/cert/dockerhost-cert.pem
+mv dockerhost-key.pem $XCATDOCKERDIR/cert/
+
+cd -
diff --git a/xCAT/postscripts/setupdockerhost b/xCAT/postscripts/setupdockerhost
index 4fac84c6f..da06482c5 100755
--- a/xCAT/postscripts/setupdockerhost
+++ b/xCAT/postscripts/setupdockerhost
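Review bot: None of `openssl genrsa`, `openssl req` or `openssl ca` has its result checked, and because the script's last command is `cd -` its exit status is that of `cd`, so the caller in xcatconfig cannot tell a failed signing from a successful one; the `if [ -f $CNA\.cert ]` guard only skips the `rm` when signing failed, after which the `mv` to `dockerhost-cert.pem` fails silently. Make each openssl step fatal and exit non-zero when no certificate was produced, as sketched below. Two points that deserve a comment in the header: `umask 0077` is right for the key material, but copying `ca-key.pem` into `$XCATDOCKERCADIR/private` creates a second copy of the xCAT CA private key that must be protected like the original, and `-startdate 600101010101Z` back-dates notBefore to 1960, which looks like a workaround for clock skew and should say so. A single certificate with CN `xcatdockerhost` is generated here and, per the setupdockerhost hunk, the same key is copied to every docker host, so one compromised host exposes the key of all of them — if that sharing is intended, state it in the header.
```shell
# … unchanged: directory setup, openssl.cnf/ca copies, index/serial …
openssl genrsa -out ca/dockerhost-key.pem 2048 || exit 1
openssl req -config ca/openssl.cnf -new -key ca/dockerhost-key.pem -out cert/dockerhost-req.pem -extensions server -subj "/CN=$CNA" || exit 1
# … unchanged: mv of the csr, cd into $XCATDOCKERCADIR …
openssl ca -startdate 600101010101Z -config openssl.cnf -in $CNA\.csr -out $CNA\.cert -extensions server -batch
if [ ! -f $CNA\.cert ]; then
    echo "Signing $CNA\.csr with $XCATDOCKERCADIR/ca-cert.pem failed"
    exit 1
fi
rm $CNA\.csr
# … unchanged: copy ca-cert.pem, mv cert and key into $XCATDOCKERDIR/cert …
cd -
exit 0
```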
@@ -77,60 +77,36 @@ if ! docker ps >/dev/null 2>&1; then
 fi
 #Setup TLS
-if [ ! -d /etc/xcat ]; then
- mkdir -p /etc/xcat
- mkdir -p /etc/xcat/tool
- mkdir -p /etc/xcat/ca
- mkdir -p /etc/xcat/ca/private
- mkdir -p /etc/xcat/ca/certs
-fi
 master=$MASTER
 if ! ping $master -c 1 > /dev/null 2>&1 ; then
 echo "Host $master is not reachable"
 exit 1
 fi
-scp $master:/opt/xcat/share/xcat/scripts/setup-server-cert.sh /etc/xcat/tool/
-scp $master:/etc/xcat/ca/openssl.cnf /etc/xcat/ca
-scp $master:/etc/xcat/ca/private/* /etc/xcat/ca/private/
 #The private key must be xCAT MN private key
-if [ ! -e /etc/xcat/tool/setup-server-cert.sh ]; then
- echo "Get cert creating tool Failed"
- exit 1
-fi
-chmod +x /etc/xcat/tool/setup-server-cert.sh
-cp /xcatpost/ca/ca-cert.pem /etc/xcat/ca/
-touch /etc/xcat/ca/index
-echo "00" > /etc/xcat/ca/serial
-# Need to add -batch for openssl ca to not prompt anything
-/etc/xcat/tool/setup-server-cert.sh `hostname`
-
-if [ ! -e /etc/xcat/cert/server-key.pem -o ! -e /etc/xcat/cert/server-cert.pem ]; then
- echo "Setup server certification failed"
- exit 1
-fi
-
-if [ ! -d /root/.docker/ ];then
+if [ ! -d /root/.docker ]; then
 mkdir -p /root/.docker
 fi
-CN_CA_PEM="/root/.docker/ca-cert.pem"
-CN_KEY_PEM="/root/.docker/key.pem"
-CN_CERT_PEM="/root/.docker/cert.pem"
-cp /etc/xcat/ca/ca-cert.pem $CN_CA_PEM
-cp /etc/xcat/cert/server-key.pem $CN_KEY_PEM
-cp /etc/xcat/cert/server-cert.pem $CN_CERT_PEM
-#DOCKER_OPTS="-b=mydocker0 -H tcp://c910f03c04k03:2375 --tls --tlscacert=/root/.docker/ca-cert.pem --tlscert=/root/.docker/cert.pem --tlskey=/root/.docker/key.pem --tlsverify=true"
-# 3 scenarios
-# 1. No DOCKER_OPTS ====> add DOCKER_OPTS="-b=$dockerbr" line
-# 2. Have DOCKER_OPTS but no "-b" parameter ====> append "-b=$dockerbr" to DOCKER_OPTS
-# 3. Have "-b" parameter in DOCKER_OPTS ====> replace "-b=xxx" with "-b=$dockerbr"
+HOST_CA_PEM="/root/.docker/ca-cert.pem"
+HOST_KEY_PEM="/root/.docker/dockerhost-key.pem"
+HOST_CERT_PEM="/root/.docker/dockerhost-cert.pem"
+
+scp $master:/etc/xcatdockerca/cert/dockerhost-cert.pem $HOST_CERT_PEM
+scp $master:/etc/xcatdockerca/cert/dockerhost-key.pem $HOST_KEY_PEM
+scp $master:/etc/xcatdockerca/cert/ca-cert.pem $HOST_CA_PEM
+
+if [ ! -e $HOST_CA_PEM -o ! -e $HOST_KEY_PEM -o ! -e $HOST_CERT_PEM ];then
+ echo "Can not get dockerhost certificate files"
+ exit 1
+fi
+
 docker_conf_file="/etc/default/docker"
 if [ ! -f "$docker_conf_file" ]; then
 echo "Error: file $docker_conf_file not exist"
 exit 1
 fi
 if ! grep "^DOCKER_OPTS" $docker_conf_file > /dev/null 2>&1 ; then
- echo "DOCKER_OPTS=\"-H tcp://`hostname`:2375 --tls --tlscacert=/root/.docker/ca-cert.pem --tlscert=/root/.docker/cert.pem --tlskey=/root/.docker/key.pem --tlsverify=true\"" >> $docker_conf_file
+ echo "DOCKER_OPTS=\"-H tcp://`hostname`:2375 --tls --tlscacert=$HOST_CA_PEM --tlscert=$HOST_CERT_PEM --tlskey=$HOST_KEY_PEM --tlsverify=true\"" >> $docker_conf_file
 else
 if grep "^DOCKER_OPTS.*tlsverify" $docker_conf_file > /dev/null 2>&1; then
 sed -i "s@-H [^ |^\"]*@@g" $docker_conf_file
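Review bot: The three `scp` transfers are not checked and the private key lands in `/root/.docker/dockerhost-key.pem` with whatever mode the local umask and scp give it, so a failed copy can leave a stale key from an earlier run in place (the `-e` test after the copies still passes) and a successful one may leave the key readable by other local users. Check each transfer and tighten the mode, e.g. `scp $master:/etc/xcatdockerca/cert/dockerhost-key.pem $HOST_KEY_PEM || exit 1` for each of the three files, followed by `chmod 700 /root/.docker` and `chmod 600 $HOST_KEY_PEM`. The removed lines issued a per-host certificate with `hostname` as CN, whereas the new flow fetches one shared `xcatdockerhost` certificate for every node; clients that connect with `--tlsverify` to ``tcp://`hostname`:2375`` will presumably only accept it if the `server` extension in openssl.cnf supplies a matching subjectAltName, which is not visible here, so that assumption is worth confirming and noting in a comment next to the scp lines. The if/else on DOCKER_OPTS continues into the next hunk.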
@@ -141,9 +117,7 @@ else
 sed -i "s@--tls@@g" $docker_conf_file
 sed -i "s@\ \{2,\}@@g" $docker_conf_file
 fi
- cat $docker_conf_file
- #sed -i "s/^\(DOCKER_OPTS\=\"[^\"]*\"\)/\1 -H tcp:\/\/`hostname`:2375 --tls --tlscacert=\/root\/.docker\/ca-cert.pem --tlscert=\/root\/.docker\/cert.pem --tlskey=\/root\/.docker\/key.pem --tlsverify=true\"/" $docker_conf_file
- sed -i "s@^\(DOCKER_OPTS\=\"[^\"]*\)@\1 -H tcp://`hostname`:2375 --tls --tlscacert=$CN_CA_PEM --tlscert=$CN_CERT_PEM --tlskey=$CN_KEY_PEM --tlsverify=true\"@" $docker_conf_file
+ sed -i "s@^\(DOCKER_OPTS\=\"[^\"]*\)@\1 -H tcp://`hostname`:2375 --tls --tlscacert=$HOST_CA_PEM --tlscert=$HOST_CERT_PEM --tlskey=$HOST_KEY_PEM --tlsverify=true\"@" $docker_conf_file
 sed -i 's/\"\{2,\}/"/' $docker_conf_file
 fi