enhance of setting up certificate for docker host

2025-05-22 03:32:04 +00:00 · 2015-07-03 04:25:08 -04:00 · 2015-07-03 04:25:08 -04:00 · 81438d91d2
commit 81438d91d2
parent 154327aef3
3 changed files with 108 additions and 46 deletions
--- a/xCAT-server/sbin/xcatconfig
+++ b/xCAT-server/sbin/xcatconfig
@ -1620,10 +1620,7 @@ sub genCredentials
        xCAT::MsgUtils->message('E',
                       "Could not create $::INSTALLDIR/postscripts/ca directory.");
    }
-    else
-    {
-        verbose("Created $::INSTALLDIR/postscripts/ca directory.");
-    }
+
    $cmd = "/bin/cp -p /etc/xcat/ca/ca-cert.pem $::INSTALLDIR/postscripts/ca/ca-cert.pem";
    $outref = xCAT::Utils->runcmd("$cmd", 0);
    if ($::RUNCMD_RC != 0)
@ -1663,6 +1660,17 @@ sub genCredentials
         }
        }
    }
+    if ((! -d "/etc/xcatdockerca/cert") || $::FORCE || $::genCredentials) {
+        my $cmd = "echo 'y\ny\ny\ny' |$::XCATROOT/share/xcat/scripts/setup-dockerhost-cert.sh";
+        verbose("Running $cmd");
+        my $rc = system($cmd);
+        if ($rc >> 8) {
+            xCAT::MsgUtils->message('E',
+                        "Could not create xCAT dockerhost certificate in /etc/xcatdockerca/cert.");
+        } else {
+            verbose("Create xCAT dockerhost certificate in /etc/xcatdockerca/cert directory.");
+        }
+    }

    #  copy to postscript directory, no longer use cert directory
    $cmd    = "/bin/rm -rf $::INSTALLDIR/postscripts/cert >/dev/null 2>&1";
--- a/xCAT-server/share/xcat/scripts/setup-dockerhost-cert.sh
+++ b/xCAT-server/share/xcat/scripts/setup-dockerhost-cert.sh
@ -0,0 +1,80 @@
+# IBM(c) 2007 EPL license http://www.eclipse.org/legal/epl-v10.html
+# To create certficate for docker host
+echo "$0 xcatdockerhost"
+
+umask 0077
+CNA="xcatdockerhost"
+
+XCATDOCKERDIR=/etc/xcatdockerca
+XCATDOCKERCADIR=$XCATDOCKERDIR/ca
+
+if [ ! -e $XCATDOCKERDIR ]; then
+  mkdir -p $XCATDOCKERDIR
+  mkdir -p $XCATDOCKERCADIR
+fi
+
+if [ ! -e $XCATDOCKERCADIR/openssl.cnf ]; then
+  cp /etc/xcat/ca/openssl.cnf $XCATDOCKERCADIR/
+fi
+if [ ! -e $XCATDOCKERCADIR/ca-cert.pem ]; then
+  cp /etc/xcat/ca/ca-cert.pem $XCATDOCKERCADIR/
+fi
+
+if [ ! -e $XCATDOCKERCADIR/private/ca-key.pem ]; then
+  mkdir -p $XCATDOCKERCADIR/private
+  cp /etc/xcat/ca/private/ca-key.pem $XCATDOCKERCADIR/private/
+fi
+
+if [ -e $XCATDOCKERDIR/cert ]; then
+  echo -n "$XCATDOCKERDIR/cert already exists, delete and start over (y/n)?"
+  read ANSWER
+  if [ "$ANSWER" != "y" ]; then
+    echo "Aborting at user request"
+    exit 0
+  fi
+  rm -rf $XCATDOCKERDIR/cert
+fi
+mkdir -p $XCATDOCKERDIR/cert
+
+
+cd $XCATDOCKERDIR
+
+if [ ! -e $XCATDOCKERCADIR/openssl.cnf ]; then
+  echo -n "$XCATDOCKERCADIR/openssl.cnf not exist"
+  exit 1
+fi
+sed -i "s@^dir.*=.*/etc/xcat/ca@dir = $XCATDOCKERCADIR@g" $XCATDOCKERCADIR/openssl.cnf 
+
+if [ ! -e $XCATDOCKERCADIR/index ]; then
+  touch $XCATDOCKERCADIR/index
+fi
+if [ ! -e $XCATDOCKERCADIR/serial ]; then
+  echo "00" > $XCATDOCKERCADIR/serial
+fi
+if [ ! -e $XCATDOCKERCADIR/certs ]; then
+  mkdir -p $XCATDOCKERCADIR/certs
+fi
+
+openssl genrsa -out ca/dockerhost-key.pem 2048
+openssl req -config ca/openssl.cnf -new -key ca/dockerhost-key.pem -out cert/dockerhost-req.pem -extensions server -subj "/CN=$CNA"
+mv cert/dockerhost-req.pem  ca/$CNA\.csr
+cd -
+cd $XCATDOCKERCADIR
+
+#   - "make sign" doesn't seem to work on my AIX system???
+#   - seems to be a problem with the use of the wildcard in the Makefile
+#   - call cmds directly instead - seems safe
+# make sign
+
+#CA certificate and CA private key do not match
+openssl ca -startdate 600101010101Z -config openssl.cnf -in $CNA\.csr -out $CNA\.cert -extensions server -batch
+#openssl ca -selfsign -config openssl.cnf -in $CNA\.csr -startdate 700101010101Z -days 7305 -out $CNA\.cert -extensions v3_ca -batch
+if [ -f $CNA\.cert ]; then
+    rm $CNA\.csr
+fi
+
+cp ca-cert.pem $XCATDOCKERDIR/cert/
+mv $CNA\.cert $XCATDOCKERDIR/cert/dockerhost-cert.pem
+mv dockerhost-key.pem $XCATDOCKERDIR/cert/
+
+cd -
--- a/xCAT/postscripts/setupdockerhost
+++ b/xCAT/postscripts/setupdockerhost
@ -77,60 +77,36 @@ if ! docker ps >/dev/null 2>&1; then
 fi

 #Setup TLS 
-if [ ! -d /etc/xcat ]; then
-    mkdir -p /etc/xcat
-    mkdir -p /etc/xcat/tool
-    mkdir -p /etc/xcat/ca
-    mkdir -p /etc/xcat/ca/private
-    mkdir -p /etc/xcat/ca/certs
-fi
 master=$MASTER
 if ! ping $master -c 1 > /dev/null 2>&1 ; then  
    echo "Host $master is not reachable"
    exit 1
 fi 
-scp $master:/opt/xcat/share/xcat/scripts/setup-server-cert.sh /etc/xcat/tool/
-scp $master:/etc/xcat/ca/openssl.cnf /etc/xcat/ca
-scp $master:/etc/xcat/ca/private/* /etc/xcat/ca/private/  #The private key must be xCAT MN private key

-if [ ! -e /etc/xcat/tool/setup-server-cert.sh ]; then
-    echo "Get cert creating tool Failed"
-    exit 1
-fi
-chmod +x /etc/xcat/tool/setup-server-cert.sh
-cp /xcatpost/ca/ca-cert.pem /etc/xcat/ca/
-touch /etc/xcat/ca/index
-echo "00" > /etc/xcat/ca/serial
-# Need to add -batch for openssl ca to not prompt anything
-/etc/xcat/tool/setup-server-cert.sh `hostname`
-
-if [ ! -e /etc/xcat/cert/server-key.pem -o ! -e /etc/xcat/cert/server-cert.pem ]; then
-    echo "Setup server certification failed"
-    exit 1
-fi
-
-if [ ! -d /root/.docker/ ];then
+if [ ! -d /root/.docker ]; then
    mkdir -p /root/.docker
 fi
-CN_CA_PEM="/root/.docker/ca-cert.pem"
-CN_KEY_PEM="/root/.docker/key.pem"
-CN_CERT_PEM="/root/.docker/cert.pem"
-cp /etc/xcat/ca/ca-cert.pem $CN_CA_PEM
-cp /etc/xcat/cert/server-key.pem $CN_KEY_PEM
-cp /etc/xcat/cert/server-cert.pem $CN_CERT_PEM

-#DOCKER_OPTS="-b=mydocker0 -H tcp://c910f03c04k03:2375 --tls --tlscacert=/root/.docker/ca-cert.pem --tlscert=/root/.docker/cert.pem --tlskey=/root/.docker/key.pem --tlsverify=true"
-# 3 scenarios
-# 1. No DOCKER_OPTS ====> add DOCKER_OPTS="-b=$dockerbr" line
-# 2. Have DOCKER_OPTS but no "-b" parameter ====> append "-b=$dockerbr" to DOCKER_OPTS
-# 3. Have "-b" parameter in DOCKER_OPTS ====> replace "-b=xxx" with "-b=$dockerbr"
+HOST_CA_PEM="/root/.docker/ca-cert.pem"
+HOST_KEY_PEM="/root/.docker/dockerhost-key.pem"
+HOST_CERT_PEM="/root/.docker/dockerhost-cert.pem"
+
+scp $master:/etc/xcatdockerca/cert/dockerhost-cert.pem $HOST_CERT_PEM
+scp $master:/etc/xcatdockerca/cert/dockerhost-key.pem $HOST_KEY_PEM
+scp $master:/etc/xcatdockerca/cert/ca-cert.pem $HOST_CA_PEM
+
+if [ ! -e $HOST_CA_PEM -o ! -e $HOST_KEY_PEM -o ! -e $HOST_CERT_PEM ];then
+    echo "Can not get dockerhost certificate files"
+    exit 1
+fi
+
 docker_conf_file="/etc/default/docker"
 if [ ! -f "$docker_conf_file" ]; then
    echo "Error: file $docker_conf_file not exist"
    exit 1
 fi
 if ! grep "^DOCKER_OPTS" $docker_conf_file > /dev/null 2>&1 ; then
-    echo "DOCKER_OPTS=\"-H tcp://`hostname`:2375 --tls --tlscacert=/root/.docker/ca-cert.pem --tlscert=/root/.docker/cert.pem --tlskey=/root/.docker/key.pem --tlsverify=true\"" >> $docker_conf_file
+    echo "DOCKER_OPTS=\"-H tcp://`hostname`:2375 --tls --tlscacert=$HOST_CA_PEM --tlscert=$HOST_CERT_PEM --tlskey=$HOST_KEY_PEM --tlsverify=true\"" >> $docker_conf_file
 else
    if grep "^DOCKER_OPTS.*tlsverify" $docker_conf_file > /dev/null 2>&1; then
        sed -i "s@-H [^ |^\"]*@@g" $docker_conf_file
@ -141,9 +117,7 @@ else
        sed -i "s@--tls@@g" $docker_conf_file
        sed -i "s@\ \{2,\}@@g" $docker_conf_file
    fi 
-    cat $docker_conf_file
-    #sed -i "s/^\(DOCKER_OPTS\=\"[^\"]*\"\)/\1 -H tcp:\/\/`hostname`:2375 --tls --tlscacert=\/root\/.docker\/ca-cert.pem --tlscert=\/root\/.docker\/cert.pem --tlskey=\/root\/.docker\/key.pem --tlsverify=true\"/" $docker_conf_file
-    sed -i "s@^\(DOCKER_OPTS\=\"[^\"]*\)@\1 -H tcp://`hostname`:2375 --tls --tlscacert=$CN_CA_PEM --tlscert=$CN_CERT_PEM --tlskey=$CN_KEY_PEM --tlsverify=true\"@" $docker_conf_file
+    sed -i "s@^\(DOCKER_OPTS\=\"[^\"]*\)@\1 -H tcp://`hostname`:2375 --tls --tlscacert=$HOST_CA_PEM --tlscert=$HOST_CERT_PEM --tlskey=$HOST_KEY_PEM --tlsverify=true\"@" $docker_conf_file
    sed -i 's/\"\{2,\}/"/' $docker_conf_file
 fi