func main() { if _, err := os.Stat(caCertPath); os.IsNotExist(err) { log.Printf("Creating CA: %s", caCertPath) // check if the key path exists; if so, error if _, err := os.Stat(caKeyPath); err == nil { log.Fatalf("The CA key already exists. Please remove it or specify a different key/cert.") } if err := utils.GenerateCACertificate(caCertPath, caKeyPath, org, bits); err != nil { log.Printf("Error generating CA certificate: %s", err) } } if _, err := os.Stat(clientCertPath); os.IsNotExist(err) { log.Printf("Creating client certificate: %s", clientCertPath) // check if the key path exists; if so, error if _, err := os.Stat(clientKeyPath); err == nil { log.Fatalf("The client key already exists. Please remove it or specify a different key/cert.") } err = utils.GenerateCert( []string{""}, clientCertPath, clientKeyPath, caCertPath, caKeyPath, org, bits, ) if err != nil { log.Fatalf("Error generating client certificate: %s", err) } } if len(os.Args) <= 1 { return } for _, ip := range os.Args[1:] { serverKeyPath := fmt.Sprintf("%s-key.pem", ip) serverCertPath := fmt.Sprintf("%s.pem", ip) if _, err := os.Stat(serverCertPath); os.IsNotExist(err) { log.Printf("Creating server certificate: %s", serverCertPath) err = utils.GenerateCert( []string{ip}, serverCertPath, serverKeyPath, caCertPath, caKeyPath, org, bits, ) if err != nil { log.Fatalf("error generating server cert: %s", err) } } } }
func writeCerts(generateServer bool, hostname []string, cfg *config.CloudConfig, certPath, keyPath, caCertPath, caKeyPath string) error { if !generateServer { return machineUtil.GenerateCert([]string{""}, certPath, keyPath, caCertPath, caKeyPath, NAME, BITS) } if cfg.Rancher.Docker.ServerKey == "" || cfg.Rancher.Docker.ServerCert == "" { err := machineUtil.GenerateCert(hostname, certPath, keyPath, caCertPath, caKeyPath, NAME, BITS) if err != nil { return err } cert, err := ioutil.ReadFile(certPath) if err != nil { return err } key, err := ioutil.ReadFile(keyPath) if err != nil { return err } cfg, err = cfg.Merge(map[interface{}]interface{}{ "rancher": map[interface{}]interface{}{ "docker": map[interface{}]interface{}{ "ca_key": cfg.Rancher.Docker.CAKey, "ca_cert": cfg.Rancher.Docker.CACert, "server_cert": string(cert), "server_key": string(key), }, }, }) if err != nil { return err } return cfg.Save() } if err := ioutil.WriteFile(certPath, []byte(cfg.Rancher.Docker.ServerCert), 0400); err != nil { return err } return ioutil.WriteFile(keyPath, []byte(cfg.Rancher.Docker.ServerKey), 0400) }
func writeCerts(generateServer bool, hostname []string, cfg *config.CloudConfig, certPath, keyPath, caCertPath, caKeyPath string) error { if !generateServer { return machineUtil.GenerateCert([]string{""}, certPath, keyPath, caCertPath, caKeyPath, NAME, BITS) } if cfg.Rancher.UserDocker.ServerKey == "" || cfg.Rancher.UserDocker.ServerCert == "" { err := machineUtil.GenerateCert(hostname, certPath, keyPath, caCertPath, caKeyPath, NAME, BITS) if err != nil { return err } cert, err := ioutil.ReadFile(certPath) if err != nil { return err } key, err := ioutil.ReadFile(keyPath) if err != nil { return err } return cfg.SetConfig(&config.CloudConfig{ Rancher: config.RancherConfig{ UserDocker: config.DockerConfig{ CAKey: cfg.Rancher.UserDocker.CAKey, CACert: cfg.Rancher.UserDocker.CACert, ServerCert: string(cert), ServerKey: string(key), }, }, }) } if err := ioutil.WriteFile(certPath, []byte(cfg.Rancher.UserDocker.ServerCert), 0400); err != nil { return err } return ioutil.WriteFile(keyPath, []byte(cfg.Rancher.UserDocker.ServerKey), 0400) }
func setupCertificates(caCertPath, caKeyPath, clientCertPath, clientKeyPath string) error { org := utils.GetUsername() bits := 2048 if _, err := os.Stat(utils.GetMachineCertDir()); err != nil { if os.IsNotExist(err) { if err := os.MkdirAll(utils.GetMachineCertDir(), 0700); err != nil { log.Fatalf("Error creating machine config dir: %s", err) } } else { log.Fatal(err) } } if _, err := os.Stat(caCertPath); os.IsNotExist(err) { log.Infof("Creating CA: %s", caCertPath) // check if the key path exists; if so, error if _, err := os.Stat(caKeyPath); err == nil { log.Fatalf("The CA key already exists. Please remove it or specify a different key/cert.") } if err := utils.GenerateCACertificate(caCertPath, caKeyPath, org, bits); err != nil { log.Infof("Error generating CA certificate: %s", err) } } if _, err := os.Stat(clientCertPath); os.IsNotExist(err) { log.Infof("Creating client certificate: %s", clientCertPath) if _, err := os.Stat(utils.GetMachineCertDir()); err != nil { if os.IsNotExist(err) { if err := os.Mkdir(utils.GetMachineCertDir(), 0700); err != nil { log.Fatalf("Error creating machine client cert dir: %s", err) } } else { log.Fatal(err) } } // check if the key path exists; if so, error if _, err := os.Stat(clientKeyPath); err == nil { log.Fatalf("The client key already exists. Please remove it or specify a different key/cert.") } if err := utils.GenerateCert([]string{""}, clientCertPath, clientKeyPath, caCertPath, caKeyPath, org, bits); err != nil { log.Fatalf("Error generating client certificate: %s", err) } } return nil }
func ConfigureAuth(p Provisioner) error { var ( err error ) machineName := p.GetDriver().GetMachineName() authOptions := p.GetAuthOptions() org := machineName bits := 2048 ip, err := p.GetDriver().GetIP() if err != nil { return err } // copy certs to client dir for docker client machineDir := filepath.Join(utils.GetMachineDir(), machineName) if err := utils.CopyFile(authOptions.CaCertPath, filepath.Join(machineDir, "ca.pem")); err != nil { log.Fatalf("Error copying ca.pem to machine dir: %s", err) } if err := utils.CopyFile(authOptions.ClientCertPath, filepath.Join(machineDir, "cert.pem")); err != nil { log.Fatalf("Error copying cert.pem to machine dir: %s", err) } if err := utils.CopyFile(authOptions.ClientKeyPath, filepath.Join(machineDir, "key.pem")); err != nil { log.Fatalf("Error copying key.pem to machine dir: %s", err) } log.Debugf("generating server cert: %s ca-key=%s private-key=%s org=%s", authOptions.ServerCertPath, authOptions.CaCertPath, authOptions.PrivateKeyPath, org, ) // TODO: Switch to passing just authOptions to this func // instead of all these individual fields err = utils.GenerateCert( []string{ip}, authOptions.ServerCertPath, authOptions.ServerKeyPath, authOptions.CaCertPath, authOptions.PrivateKeyPath, org, bits, ) if err != nil { return fmt.Errorf("error generating server cert: %s", err) } if err := p.Service("docker", pkgaction.Stop); err != nil { return err } // upload certs and configure TLS auth caCert, err := ioutil.ReadFile(authOptions.CaCertPath) if err != nil { return err } serverCert, err := ioutil.ReadFile(authOptions.ServerCertPath) if err != nil { return err } serverKey, err := ioutil.ReadFile(authOptions.ServerKeyPath) if err != nil { return err } // printf will choke if we don't pass a format string because of the // dashes, so that's the reason for the '%%s' certTransferCmdFmt := "printf '%%s' '%s' | sudo tee %s" // These ones are for Jessie and Mike <3 <3 <3 if _, err := p.SSHCommand(fmt.Sprintf(certTransferCmdFmt, string(caCert), authOptions.CaCertRemotePath)); err != nil { return err } if _, err := p.SSHCommand(fmt.Sprintf(certTransferCmdFmt, string(serverCert), authOptions.ServerCertRemotePath)); err != nil { return err } if _, err := p.SSHCommand(fmt.Sprintf(certTransferCmdFmt, string(serverKey), authOptions.ServerKeyRemotePath)); err != nil { return err } dockerUrl, err := p.GetDriver().GetURL() if err != nil { return err } u, err := url.Parse(dockerUrl) if err != nil { return err } dockerPort := 2376 parts := strings.Split(u.Host, ":") if len(parts) == 2 { dPort, err := strconv.Atoi(parts[1]) if err != nil { return err } dockerPort = dPort } dkrcfg, err := p.GenerateDockerOptions(dockerPort) if err != nil { return err } if _, err = p.SSHCommand(fmt.Sprintf("printf \"%s\" | sudo tee %s", dkrcfg.EngineOptions, dkrcfg.EngineOptionsPath)); err != nil { return err } if err := p.Service("docker", pkgaction.Start); err != nil { return err } // TODO: Do not hardcode daemon port, ask the driver if err := utils.WaitForDocker(ip, dockerPort); err != nil { return err } return nil }
func ConfigureAuth(p Provisioner, authOptions auth.AuthOptions) error { var ( err error ) machineName := p.GetDriver().GetMachineName() org := machineName bits := 2048 ip, err := p.GetDriver().GetIP() if err != nil { return err } // copy certs to client dir for docker client machineDir := filepath.Join(utils.GetMachineDir(), machineName) if err := utils.CopyFile(authOptions.CaCertPath, filepath.Join(machineDir, "ca.pem")); err != nil { log.Fatalf("Error copying ca.pem to machine dir: %s", err) } if err := utils.CopyFile(authOptions.ClientCertPath, filepath.Join(machineDir, "cert.pem")); err != nil { log.Fatalf("Error copying cert.pem to machine dir: %s", err) } if err := utils.CopyFile(authOptions.ClientKeyPath, filepath.Join(machineDir, "key.pem")); err != nil { log.Fatalf("Error copying key.pem to machine dir: %s", err) } log.Debugf("generating server cert: %s ca-key=%s private-key=%s org=%s", authOptions.ServerCertPath, authOptions.CaCertPath, authOptions.PrivateKeyPath, org, ) // TODO: Switch to passing just authOptions to this func // instead of all these individual fields err = utils.GenerateCert( []string{ip}, authOptions.ServerCertPath, authOptions.ServerKeyPath, authOptions.CaCertPath, authOptions.PrivateKeyPath, org, bits, ) if err != nil { return fmt.Errorf("error generating server cert: %s", err) } if err := p.Service("docker", pkgaction.Stop); err != nil { return err } dockerDir := p.GetDockerOptionsDir() cmd, err := p.SSHCommand(fmt.Sprintf("sudo mkdir -p %s", dockerDir)) if err != nil { return err } if err := cmd.Run(); err != nil { return err } // upload certs and configure TLS auth caCert, err := ioutil.ReadFile(authOptions.CaCertPath) if err != nil { return err } // due to windows clients, we cannot use filepath.Join as the paths // will be mucked on the linux hosts machineCaCertPath := path.Join(dockerDir, "ca.pem") authOptions.CaCertRemotePath = machineCaCertPath serverCert, err := ioutil.ReadFile(authOptions.ServerCertPath) if err != nil { return err } machineServerCertPath := path.Join(dockerDir, "server.pem") authOptions.ServerCertRemotePath = machineServerCertPath serverKey, err := ioutil.ReadFile(authOptions.ServerKeyPath) if err != nil { return err } machineServerKeyPath := path.Join(dockerDir, "server-key.pem") authOptions.ServerKeyRemotePath = machineServerKeyPath cmd, err = p.SSHCommand(fmt.Sprintf("echo \"%s\" | sudo tee %s", string(caCert), machineCaCertPath)) if err != nil { return err } if err := cmd.Run(); err != nil { return err } cmd, err = p.SSHCommand(fmt.Sprintf("echo \"%s\" | sudo tee %s", string(serverKey), machineServerKeyPath)) if err != nil { return err } if err := cmd.Run(); err != nil { return err } cmd, err = p.SSHCommand(fmt.Sprintf("echo \"%s\" | sudo tee %s", string(serverCert), machineServerCertPath)) if err != nil { return err } if err := cmd.Run(); err != nil { return err } dockerUrl, err := p.GetDriver().GetURL() if err != nil { return err } u, err := url.Parse(dockerUrl) if err != nil { return err } dockerPort := 2376 parts := strings.Split(u.Host, ":") if len(parts) == 2 { dPort, err := strconv.Atoi(parts[1]) if err != nil { return err } dockerPort = dPort } dkrcfg, err := p.GenerateDockerOptions(dockerPort, authOptions) if err != nil { return err } cmd, err = p.SSHCommand(fmt.Sprintf("echo \"%s\" | sudo tee -a %s", dkrcfg.EngineOptions, dkrcfg.EngineOptionsPath)) if err != nil { return err } if err := cmd.Run(); err != nil { return err } if err := p.Service("docker", pkgaction.Start); err != nil { return err } return nil }
func (h *Host) ConfigureAuth() error { d := h.Driver if d.DriverName() == "none" { return nil } // copy certs to client dir for docker client machineDir := filepath.Join(utils.GetMachineDir(), h.Name) if err := utils.CopyFile(h.CaCertPath, filepath.Join(machineDir, "ca.pem")); err != nil { log.Fatalf("Error copying ca.pem to machine dir: %s", err) } clientCertPath := filepath.Join(utils.GetMachineCertDir(), "cert.pem") if err := utils.CopyFile(clientCertPath, filepath.Join(machineDir, "cert.pem")); err != nil { log.Fatalf("Error copying cert.pem to machine dir: %s", err) } clientKeyPath := filepath.Join(utils.GetMachineCertDir(), "key.pem") if err := utils.CopyFile(clientKeyPath, filepath.Join(machineDir, "key.pem")); err != nil { log.Fatalf("Error copying key.pem to machine dir: %s", err) } var ( ip = "" ipErr error maxRetries = 4 ) for i := 0; i < maxRetries; i++ { ip, ipErr = h.Driver.GetIP() if ip != "" { break } log.Debugf("waiting for ip: %s", ipErr) time.Sleep(5 * time.Second) } if ipErr != nil { return ipErr } if ip == "" { return fmt.Errorf("unable to get machine IP") } serverCertPath := filepath.Join(h.StorePath, "server.pem") serverKeyPath := filepath.Join(h.StorePath, "server-key.pem") org := h.Name bits := 2048 log.Debugf("generating server cert: %s ca-key=%s private-key=%s org=%s", serverCertPath, h.CaCertPath, h.PrivateKeyPath, org, ) if err := utils.GenerateCert([]string{ip}, serverCertPath, serverKeyPath, h.CaCertPath, h.PrivateKeyPath, org, bits); err != nil { return fmt.Errorf("error generating server cert: %s", err) } if err := h.StopDocker(); err != nil { return err } dockerDir, err := h.GetDockerConfigDir() if err != nil { return err } cmd, err := h.GetSSHCommand(fmt.Sprintf("sudo mkdir -p %s", dockerDir)) if err != nil { return err } if err := cmd.Run(); err != nil { return err } // upload certs and configure TLS auth caCert, err := ioutil.ReadFile(h.CaCertPath) if err != nil { return err } // due to windows clients, we cannot use filepath.Join as the paths // will be mucked on the linux hosts machineCaCertPath := path.Join(dockerDir, "ca.pem") serverCert, err := ioutil.ReadFile(serverCertPath) if err != nil { return err } machineServerCertPath := path.Join(dockerDir, "server.pem") serverKey, err := ioutil.ReadFile(serverKeyPath) if err != nil { return err } machineServerKeyPath := path.Join(dockerDir, "server-key.pem") cmd, err = h.GetSSHCommand(fmt.Sprintf("echo \"%s\" | sudo tee %s", string(caCert), machineCaCertPath)) if err != nil { return err } if err := cmd.Run(); err != nil { return err } cmd, err = h.GetSSHCommand(fmt.Sprintf("echo \"%s\" | sudo tee %s", string(serverKey), machineServerKeyPath)) if err != nil { return err } if err := cmd.Run(); err != nil { return err } cmd, err = h.GetSSHCommand(fmt.Sprintf("echo \"%s\" | sudo tee %s", string(serverCert), machineServerCertPath)) if err != nil { return err } if err := cmd.Run(); err != nil { return err } dockerUrl, err := h.Driver.GetURL() if err != nil { return err } u, err := url.Parse(dockerUrl) if err != nil { return err } dockerPort := 2376 parts := strings.Split(u.Host, ":") if len(parts) == 2 { dPort, err := strconv.Atoi(parts[1]) if err != nil { return err } dockerPort = dPort } cfg, err := h.generateDockerConfig(dockerPort, machineCaCertPath, machineServerKeyPath, machineServerCertPath) if err != nil { return err } cmd, err = h.GetSSHCommand(fmt.Sprintf("echo \"%s\" | sudo tee -a %s", cfg.EngineConfig, cfg.EngineConfigPath)) if err != nil { return err } if err := cmd.Run(); err != nil { return err } if err := h.StartDocker(); err != nil { return err } return nil }