func ConfigureAuth(p Provisioner) error {
var (
err error
)
driver := p.GetDriver()
machineName := driver.GetMachineName()
authOptions := p.GetAuthOptions()
org := mcnutils.GetUsername() + "." + machineName
bits := 2048
ip, err := driver.GetIP()
if err != nil {
return err
}
log.Info("Copying certs to the local machine directory...")
if err := mcnutils.CopyFile(authOptions.CaCertPath, filepath.Join(authOptions.StorePath, "ca.pem")); err != nil {
return fmt.Errorf("Copying ca.pem to machine dir failed: %s", err)
}
if err := mcnutils.CopyFile(authOptions.ClientCertPath, filepath.Join(authOptions.StorePath, "cert.pem")); err != nil {
return fmt.Errorf("Copying cert.pem to machine dir failed: %s", err)
}
if err := mcnutils.CopyFile(authOptions.ClientKeyPath, filepath.Join(authOptions.StorePath, "key.pem")); err != nil {
return fmt.Errorf("Copying key.pem to machine dir failed: %s", err)
}
// The Host IP is always added to the certificate's SANs list
hosts := append(authOptions.ServerCertSANs, ip, "localhost")
log.Debugf("generating server cert: %s ca-key=%s private-key=%s org=%s san=%s",
authOptions.ServerCertPath,
authOptions.CaCertPath,
authOptions.CaPrivateKeyPath,
org,
hosts,
)
// TODO: Switch to passing just authOptions to this func
// instead of all these individual fields
err = cert.GenerateCert(
hosts,
authOptions.ServerCertPath,
authOptions.ServerKeyPath,
authOptions.CaCertPath,
authOptions.CaPrivateKeyPath,
org,
bits,
)
if err != nil {
return fmt.Errorf("error generating server cert: %s", err)
}
if err := p.Service("docker", serviceaction.Stop); err != nil {
return err
}
if _, err := p.SSHCommand("sudo ip link delete docker0"); err != nil {
return err
}
// upload certs and configure TLS auth
caCert, err := ioutil.ReadFile(authOptions.CaCertPath)
if err != nil {
return err
}
serverCert, err := ioutil.ReadFile(authOptions.ServerCertPath)
if err != nil {
return err
}
serverKey, err := ioutil.ReadFile(authOptions.ServerKeyPath)
if err != nil {
return err
}
log.Info("Copying certs to the remote machine...")
// printf will choke if we don't pass a format string because of the
// dashes, so that's the reason for the '%%s'
certTransferCmdFmt := "printf '%%s' '%s' | sudo tee %s"
// These ones are for Jessie and Mike <3 <3 <3
if _, err := p.SSHCommand(fmt.Sprintf(certTransferCmdFmt, string(caCert), authOptions.CaCertRemotePath)); err != nil {
return err
}
if _, err := p.SSHCommand(fmt.Sprintf(certTransferCmdFmt, string(serverCert), authOptions.ServerCertRemotePath)); err != nil {
return err
}
if _, err := p.SSHCommand(fmt.Sprintf(certTransferCmdFmt, string(serverKey), authOptions.ServerKeyRemotePath)); err != nil {
return err
}
dockerURL, err := driver.GetURL()
if err != nil {
return err
}
u, err := url.Parse(dockerURL)
if err != nil {
return err
}
dockerPort := 2376
parts := strings.Split(u.Host, ":")
if len(parts) == 2 {
dPort, err := strconv.Atoi(parts[1])
if err != nil {
return err
}
dockerPort = dPort
}
dkrcfg, err := p.GenerateDockerOptions(dockerPort)
if err != nil {
return err
}
log.Info("Setting Docker configuration on the remote daemon...")
if _, err = p.SSHCommand(fmt.Sprintf("printf %%s \"%s\" | sudo tee %s", dkrcfg.EngineOptions, dkrcfg.EngineOptionsPath)); err != nil {
return err
}
if err := p.Service("docker", serviceaction.Start); err != nil {
return err
}
return waitForDocker(p, dockerPort)
}
func BootstrapCertificates(authOptions *auth.AuthOptions) error {
certDir := authOptions.CertDir
caCertPath := authOptions.CaCertPath
caPrivateKeyPath := authOptions.CaPrivateKeyPath
clientCertPath := authOptions.ClientCertPath
clientKeyPath := authOptions.ClientKeyPath
// TODO: I'm not super happy about this use of "org", the user should
// have to specify it explicitly instead of implicitly basing it on
// $USER.
org := mcnutils.GetUsername()
bits := 2048
if _, err := os.Stat(certDir); err != nil {
if os.IsNotExist(err) {
if err := os.MkdirAll(certDir, 0700); err != nil {
log.Fatalf("Error creating machine certificate dir: %s", err)
}
} else {
log.Fatal(err)
}
}
if _, err := os.Stat(caCertPath); os.IsNotExist(err) {
log.Infof("Creating CA: %s", caCertPath)
// check if the key path exists; if so, error
if _, err := os.Stat(caPrivateKeyPath); err == nil {
log.Fatalf("The CA key already exists. Please remove it or specify a different key/cert.")
}
if err := GenerateCACertificate(caCertPath, caPrivateKeyPath, org, bits); err != nil {
log.Infof("Error generating CA certificate: %s", err)
}
}
if _, err := os.Stat(clientCertPath); os.IsNotExist(err) {
log.Infof("Creating client certificate: %s", clientCertPath)
if _, err := os.Stat(certDir); err != nil {
if os.IsNotExist(err) {
if err := os.Mkdir(certDir, 0700); err != nil {
log.Fatalf("Error creating machine client cert dir: %s", err)
}
} else {
log.Fatal(err)
}
}
// check if the key path exists; if so, error
if _, err := os.Stat(clientKeyPath); err == nil {
log.Fatalf("The client key already exists. Please remove it or specify a different key/cert.")
}
if err := GenerateCert([]string{""}, clientCertPath, clientKeyPath, caCertPath, caPrivateKeyPath, org, bits); err != nil {
log.Fatalf("Error generating client certificate: %s", err)
}
}
return nil
}
func BootstrapCertificates(authOptions *auth.Options) error {
certDir := authOptions.CertDir
caCertPath := authOptions.CaCertPath
caPrivateKeyPath := authOptions.CaPrivateKeyPath
clientCertPath := authOptions.ClientCertPath
clientKeyPath := authOptions.ClientKeyPath
// TODO: I'm not super happy about this use of "org", the user should
// have to specify it explicitly instead of implicitly basing it on
// $USER.
caOrg := mcnutils.GetUsername()
org := caOrg + ".<bootstrap>"
bits := 2048
if _, err := os.Stat(certDir); err != nil {
if os.IsNotExist(err) {
if err := os.MkdirAll(certDir, 0700); err != nil {
return fmt.Errorf("Creating machine certificate dir failed: %s", err)
}
} else {
return err
}
}
if _, err := os.Stat(caCertPath); os.IsNotExist(err) {
log.Infof("Creating CA: %s", caCertPath)
// check if the key path exists; if so, error
if _, err := os.Stat(caPrivateKeyPath); err == nil {
return errors.New("The CA key already exists. Please remove it or specify a different key/cert.")
}
if err := GenerateCACertificate(caCertPath, caPrivateKeyPath, caOrg, bits); err != nil {
return fmt.Errorf("Generating CA certificate failed: %s", err)
}
}
if _, err := os.Stat(clientCertPath); os.IsNotExist(err) {
log.Infof("Creating client certificate: %s", clientCertPath)
if _, err := os.Stat(certDir); err != nil {
if os.IsNotExist(err) {
if err := os.Mkdir(certDir, 0700); err != nil {
return fmt.Errorf("Creating machine client cert dir failed: %s", err)
}
} else {
return err
}
}
// check if the key path exists; if so, error
if _, err := os.Stat(clientKeyPath); err == nil {
return errors.New("The client key already exists. Please remove it or specify a different key/cert.")
}
// Used to generate the client certificate.
certOptions := &Options{
Hosts: []string{""},
CertFile: clientCertPath,
KeyFile: clientKeyPath,
CAFile: caCertPath,
CAKeyFile: caPrivateKeyPath,
Org: org,
Bits: bits,
SwarmMaster: false,
}
if err := GenerateCert(certOptions); err != nil {
return fmt.Errorf("Generating client certificate failed: %s", err)
}
}
return nil
}
func ConfigureAuth(p Provisioner) error {
var (
err error
)
driver := p.GetDriver()
machineName := driver.GetMachineName()
authOptions := p.GetAuthOptions()
org := mcnutils.GetUsername() + "." + machineName
bits := 2048
ip, err := driver.GetIP()
if err != nil {
return err
}
log.Info("Copying certs to the local machine directory...")
if err := mcnutils.CopyFile(authOptions.CaCertPath, filepath.Join(authOptions.StorePath, "ca.pem")); err != nil {
return fmt.Errorf("Copying ca.pem to machine dir failed: %s", err)
}
if err := mcnutils.CopyFile(authOptions.ClientCertPath, filepath.Join(authOptions.StorePath, "cert.pem")); err != nil {
return fmt.Errorf("Copying cert.pem to machine dir failed: %s", err)
}
if err := mcnutils.CopyFile(authOptions.ClientKeyPath, filepath.Join(authOptions.StorePath, "key.pem")); err != nil {
return fmt.Errorf("Copying key.pem to machine dir failed: %s", err)
}
log.Debugf("generating server cert: %s ca-key=%s private-key=%s org=%s",
authOptions.ServerCertPath,
authOptions.CaCertPath,
authOptions.CaPrivateKeyPath,
org,
)
// TODO: Switch to passing just authOptions to this func
// instead of all these individual fields
err = cert.GenerateCert(
[]string{ip, "localhost"},
authOptions.ServerCertPath,
authOptions.ServerKeyPath,
authOptions.CaCertPath,
authOptions.CaPrivateKeyPath,
org,
bits,
)
if err != nil {
return fmt.Errorf("error generating server cert: %s", err)
}
if err := p.Service("docker", serviceaction.Stop); err != nil {
return err
}
// upload certs and configure TLS auth
caCert, err := ioutil.ReadFile(authOptions.CaCertPath)
if err != nil {
return err
}
serverCert, err := ioutil.ReadFile(authOptions.ServerCertPath)
if err != nil {
return err
}
serverKey, err := ioutil.ReadFile(authOptions.ServerKeyPath)
if err != nil {
return err
}
log.Info("Copying certs to the remote machine...")
// Create the file with echo then move it to its proper location
certTransferCmdFmt := fmt.Sprintf(
"%s && %s",
"echo -e %q > /tmp/docker_cert",
p.GetDriver().SSHSudo("mv /tmp/docker_cert %s"),
)
// These ones are for Jessie and Mike <3 <3 <3
if _, err := p.SSHCommand(fmt.Sprintf(certTransferCmdFmt, string(caCert), authOptions.CaCertRemotePath)); err != nil {
return err
}
if _, err := p.SSHCommand(fmt.Sprintf(certTransferCmdFmt, string(serverCert), authOptions.ServerCertRemotePath)); err != nil {
return err
}
if _, err := p.SSHCommand(fmt.Sprintf(certTransferCmdFmt, string(serverKey), authOptions.ServerKeyRemotePath)); err != nil {
return err
}
dockerUrl, err := driver.GetURL()
if err != nil {
return err
}
u, err := url.Parse(dockerUrl)
if err != nil {
return err
}
dockerPort := 2376
parts := strings.Split(u.Host, ":")
if len(parts) == 2 {
dPort, err := strconv.Atoi(parts[1])
if err != nil {
return err
}
dockerPort = dPort
}
dkrcfg, err := p.GenerateDockerOptions(dockerPort)
if err != nil {
return err
}
log.Info("Setting Docker configuration on the remote daemon...")
// Create the file with echo then move it to its proper location
move_config_command := fmt.Sprintf(
"echo -e %q > /tmp/docker_defaults && %s",
dkrcfg.EngineOptions,
p.GetDriver().SSHSudo("mv /tmp/docker_defaults %s"),
)
if _, err = p.SSHCommand(fmt.Sprintf(
move_config_command,
dkrcfg.EngineOptionsPath,
)); err != nil {
return err
}
if err := p.Service("docker", serviceaction.Start); err != nil {
return err
}
return waitForDocker(p, dockerPort)
}