Fix #23 docker-machine restart fails with CentOS VM #24

Merged
merged 1 commit into from
Oct 20, 2016
4 changes: 2 additions & 2 deletions Makefile
Expand Up @@ -5,17 +5,17 @@ BUILD_DIR=$(shell pwd)/build
ISO_NAME=live-centos

HANDLE_USER_DATA=$(shell base64 -w 0 scripts/handle-user-data)
CERT_GEN=$(shell base64 -w 0 scripts/cert-gen.sh)

default: iso

kickstart:
mkdir -p $(BUILD_DIR)
touch $(BUILD_DIR)/$(KICKSTART_FILE)
handle_user_data='$(HANDLE_USER_DATA)' envsubst < $(KICKSTART_TEMPLATE) > $(BUILD_DIR)/$(KICKSTART_FILE)
handle_user_data='$(HANDLE_USER_DATA)' cert_gen='$(CERT_GEN)' envsubst < $(KICKSTART_TEMPLATE) > $(BUILD_DIR)/$(KICKSTART_FILE)

iso: kickstart
cd $(BUILD_DIR); sudo livecd-creator --config $(BUILD_DIR)/$(KICKSTART_FILE) --logfile=$(BUILD_DIR)/livecd-creator.log --fslabel $(ISO_NAME)

clean:
rm -rf $(BUILD_DIR)

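Review bot: The `envsubst` call in the new `kickstart` recipe is given no SHELL-FORMAT argument, so it rewrites every `$name`/`${name}` it meets in the template, not only the two placeholders, and any name that is unset in the build environment is replaced with an empty string. Restricting the substitution to the two names you export keeps everything else in the template verbatim: `handle_user_data='$(HANDLE_USER_DATA)' cert_gen='$(CERT_GEN)' envsubst '$$handle_user_data $$cert_gen' < $(KICKSTART_TEMPLATE) > $(BUILD_DIR)/$(KICKSTART_FILE)`. Whether the template currently contains other `$` references is not visible in this hunk, so treat this as hardening of the build step rather than a known breakage. Separately, `CERT_GEN=$(shell base64 …)` uses recursive `=`, so base64 re-runs on every expansion; `:=` is the usual form for `$(shell …)` results.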
41 changes: 41 additions & 0 deletions centos-7-minimal.template
Expand Up @@ -24,6 +24,7 @@ shutdown

%packages --excludedocs --instLangs=en
@core
openssl
bash
centos-logos
docker
Expand Down Expand Up @@ -99,6 +100,46 @@ yum remove -y redhat-logos linux-firmware
# Clear yum package and metadata cache
yum clean all

# Place holder cert generation script. This is needed to create certs when system
# boots first time to make sure docker daemon running with cert enabled. On restart
# this script will first check cert is already available or not.
cat > cert-gen.sh.base64 << EOF
${cert_gen}
EOF

base64 -d < cert-gen.sh.base64 > cert-gen.sh
Technically I think line 104 to 108 are really repetitive and can be automated. One would just write '+${cert_gen}' and one inserts the full monty - cat command, base64 decode and all.

It would be something like:

${cert_gen}
chmod +x cert-gen.sh
mv cert-gen.sh /opt

where the variable would expand to something like

cat > cert-gen.sh.base64 << EOF
<base 64 encoded script>
EOF
base64 -d < cert-gen.sh.base64 > cert-gen.sh

I think this would be even nicer than what we have. Maybe another issue!?

#25

chmod +x cert-gen.sh
mv cert-gen.sh /opt

# This unit file will take precedence over unit file which present /usr location
# and it have daemon running using cert so when restart happen then also docker
# daemon works as expected.
cat << EOF > /etc/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
After=network.target
Requires=rc-local

[Service]
Type=notify
ExecStartPre=/opt/cert-gen.sh
ExecStart=/usr/bin/docker daemon -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --storage-driver devicemapper --tlsverify --tlscacert /etc/docker/ca.pem --tlscert /etc/docker/server.pem --tlskey /etc/docker/server-key.pem
ExecReload=/bin/kill -s HUP
MountFlags=slave
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Environment=

[Install]
WantedBy=multi-user.target
EOF

systemctl enable docker

rm -rf /usr/lib/locale/locale-archive
rm -rf /var/cache/yum/*

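Review bot: The new unit's `Requires=rc-local` pulls that unit in but does not order it, and `After=network.target` is the only ordering given, so `ExecStartPre=/opt/cert-gen.sh` may run before whatever rc-local does; if rc-local is what runs handle-user-data (not visible here), the certificates would be written into the pre-symlink `/etc/docker` and then discarded when handle-user-data removes it. systemd also expects a full unit name in `Requires=`, so the bare `rc-local` is likely to be rejected at load time. Suggest `Requires=rc-local.service` and `After=network.target rc-local.service`. A second point: the daemon is bound to `tcp://0.0.0.0:2376` with `--tlsverify`, so the client certificate produced by cert-gen.sh is the only thing gating a root-equivalent API, which the comment above the unit should say, e.g. `# The remote API listens on all interfaces; access is gated solely by the TLS client cert from cert-gen.sh`.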
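--- a/scripts/cert-gen.sh
+++ b/scripts/cert-gen.sh
@@ -0,0 +1,83 @@
+#!/bin/sh
+
+# Generate certs pair for configuring TLS enabled docker daemon
+export RANDFILE=/root/.rnd
+
+. /etc/sysconfig/docker
+
+if [ -e $DOCKER_CERT_PATH/ca.pem ]; then
+# Certificates already generated
+exit
+fi
+
+function randomString {
+# If a param was passed, it's the length of the string we want
+if [[ -n $1 ]] && [[ "$1" -lt 20 ]]; then
+local myStrLength=$1;
+else
+# otherwise set to default
+local myStrLength=8;
+fi
+
+dd if=/dev/urandom bs=1 2>/dev/null | tr -dc '[:alnum:]' | dd bs=1 count=$myStrLength 2>/dev/null
+}
+
+# Get a temporary workspace
+dir=`mktemp -d`
+cd $dir
+
+# Get a random password for the CA and save it
+passfile=tmp.pass
+password=$(randomString 10)
+echo $password > $passfile
+
+# Generate the CA
+openssl genrsa -aes256 -passout file:$passfile -out ca-key.pem 2048
+openssl req -new -x509 -passin file:$passfile -days 365 -key ca-key.pem -sha256 -out ca.pem -subj "/C=/ST=/L=/O=/OU=/CN=example.com"
+
+# Generate Server Key and Sign it
+openssl genrsa -out server-key.pem 2048
+openssl req -subj "/CN=example.com" -new -key server-key.pem -out server.csr
+# Allow from routable local IP
+extip='127.0.0.1'
+extipfile=extfile.cnf
+echo subjectAltName = IP:$extip > $extipfile
+openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server.pem -passin file:$passfile -extfile $extipfile
+
+# Generate the Client Key and Sign it
+openssl genrsa -out key.pem 2048
+openssl req -subj '/CN=client' -new -key key.pem -out client.csr
+extfile=tmp.ext
+echo extendedKeyUsage = clientAuth > $extfile
+openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile $extfile -passin file:$passfile
+
+# Clean up
+
+# set the cert path as configured in /etc/sysconfig/docker
+
+# Move files into place
+mv ca.pem $DOCKER_CERT_PATH
+mv server.pem $DOCKER_CERT_PATH
+mv server-key.pem $DOCKER_CERT_PATH
+
+# Since the default user is docker and it can run docker without sudo
+CLIENT_SIDE_CERT_PATH=/home/docker/.docker
+
+mkdir -p $CLIENT_SIDE_CERT_PATH
+cp $DOCKER_CERT_PATH/ca.pem $CLIENT_SIDE_CERT_PATH
+mv cert.pem key.pem $CLIENT_SIDE_CERT_PATH
+
+chown docker:docker $CLIENT_SIDE_CERT_PATH
+
+chmod 0444 $CLIENT_SIDE_CERT_PATH/ca.pem
+chmod 0444 $CLIENT_SIDE_CERT_PATH/cert.pem
+chmod 0444 $CLIENT_SIDE_CERT_PATH/key.pem
+chown docker:docker $CLIENT_SIDE_CERT_PATH/ca.pem
+chown docker:docker $CLIENT_SIDE_CERT_PATH/cert.pem
+chown docker:docker $CLIENT_SIDE_CERT_PATH/key.pem
+
+chmod -v 0400 $DOCKER_CERT_PATH/ca.pem $DOCKER_CERT_PATH/server.pem $DOCKER_CERT_PATH/server-key.pem
+
+# End of certs pair generation steps for TLS enabled docker daemon
+cd /
+rm -fr $dir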
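Review bot: The client private key is left world-readable by `chmod 0444 $CLIENT_SIDE_CERT_PATH/key.pem` near the end of the script, and since the daemon accepts connections on all interfaces with `--tlsverify`, that key plus `cert.pem` is full control of the Docker API for any local user able to read `/home/docker/.docker`; it should be `chmod 0400 $CLIENT_SIDE_CERT_PATH/key.pem` (`ca.pem` and `cert.pem` can stay 0444). The script also runs without `set -e`, so a failed `openssl` step still exits 0 (the last command is `rm -fr`) and `ExecStartPre` lets the daemon start with missing or partial certs; `set -eu` after the shebang plus `: "${DOCKER_CERT_PATH:?}"` after sourcing `/etc/sysconfig/docker` fails fast instead. Two smaller items: the shebang is `#!/bin/sh` but `function` and `[[ ]]` are bash-only, and the server certificate's SAN is only `IP:127.0.0.1` although the comment says "routable local IP", so a `--tlsverify` client connecting by the VM's address may reject it — worth confirming against how docker-machine provisions its own certs.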
5 changes: 4 additions & 1 deletion scripts/handle-user-data
Expand Up @@ -19,7 +19,7 @@ mount_data_partition() {

# Just in case, the links will fail if not
umount -f /var/lib/docker || true
rm -rf /var/lib/docker /var/lib/boot2docker
rm -rf /var/lib/docker /var/lib/boot2docker /etc/docker

# Detected a disk with a normal linux install (/var/lib/docker + more))
mkdir -p /var/lib
Expand All @@ -30,6 +30,9 @@ mount_data_partition() {
mkdir -p /mnt/$PARTNAME/var/lib/boot2docker
ln -s /mnt/$PARTNAME/var/lib/boot2docker /var/lib/boot2docker

mkdir -p /mnt/$PARTNAME/var/lib/boot2docker/etc/docker
ln -s /mnt/$PARTNAME/var/lib/boot2docker/etc/docker /etc/docker

# Make sure /tmp is on the disk too
rm -rf /mnt/$PARTNAME/tmp || true
mv /tmp /mnt/$PARTNAME/tmp
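Review bot: The persistent `/mnt/$PARTNAME/var/lib/boot2docker/etc/docker` directory is created with a plain `mkdir -p`, i.e. with whatever mode the running shell's umask yields, and it is where cert-gen.sh later places `server-key.pem`; the script tightens the files to 0400 but never the directory. Tightening it here avoids depending on the umask: `mkdir -p /mnt/$PARTNAME/var/lib/boot2docker/etc/docker && chmod 0700 /mnt/$PARTNAME/var/lib/boot2docker/etc/docker`. The new `ln -s` line also deserves a comment, since the symlink is the actual fix for certs surviving a restart, e.g. `# /etc/docker lives on the data partition so the TLS certs generated on first boot persist across reboots`. The `mount_data_partition` function starts before this hunk and continues past it.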