hadim/Setup_Docker_TLS.sh

## Setup_Docker_TLS.sh
#!/usr/bin/env bash
# Modified from https://gist.github.com/Stono/7e6fed13cfd79598eb15
#
# MIT License applies to this script. I don't accept any responsibility for
# damage you may cause using it.

set -ex

if [[ $EUID -ne 0 ]]; then
  echo "* This script needs to be run as root"
  exit 1
fi

DOCKER_CONFIG_PATH="/etc/docker"
CURRENT_DIRECTORY="$(pwd)"

if [ "$#" -eq 1 ]; then
  HOSTNAME="$1"
else
  echo "Usage: ./Setup_Docker_TLS.sh HOSTNAME"
  exit 1
fi

echo "* Using Hostname: $HOSTNAME"
echo "* You MUST connect to docker using this host !"

echo "* Ensuring config directory exists..."
mkdir -p "$DOCKER_CONFIG_PATH"
cd "$DOCKER_CONFIG_PATH"

if [ ! -f "ca.src" ]; then
  echo " => Creating ca.srl"
  echo 01 > ca.srl
fi

echo "* Create extfile.cnf."
echo subjectAltName = DNS:$HOSTNAME,IP:0.0.0.0,IP:127.0.0.1 > extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf

echo "* Create extfile-client.cnf."
echo extendedKeyUsage = clientAuth > extfile-client.cnf

echo "* Generate ca-key.pem."
openssl genrsa -out ca-key.pem 4096

echo "* Generate ca.pem."
openssl req -new -x509 -subj "/CN=$HOSTNAME" -nodes -days 3650 -key ca-key.pem -out ca.pem

echo "* Generate server-key.pem."
openssl genrsa -out server-key.pem 4096

echo "* Generate server.csr."
openssl req -subj "/CN=$HOSTNAME" -new -key server-key.pem -out server.csr

echo "* Generate server-cert.pem."
openssl x509 -req -days 3650 -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem -extfile extfile.cnf

echo "* Generate key.pem."
openssl genrsa -out key.pem 4096

echo "* Generate client.csr."
openssl req -subj '/CN=docker.client' -new -key key.pem -out client.csr

echo "* Generate cert.pem."
openssl x509 -req -days 3650 -in client.csr -CA ca.pem \
        -CAkey ca-key.pem -out cert.pem -extfile extfile-client.cnf

rm -v client.csr server.csr extfile.cnf extfile-client.cnf
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem

if [ -d "/etc/profile.d" ]; then
  echo "* Creating profile.d/docker"

  cat > "/etc/profile.d/docker.sh" << EOL
#!/bin/bash
export DOCKER_CERT_PATH=$DOCKER_CONFIG_PATH
export DOCKER_HOST=tcp://$HOSTNAME:2376
export DOCKER_TLS_VERIFY=1
EOL

  chmod +x /etc/profile.d/docker.sh
  source /etc/profile.d/docker.sh

else
  echo "* WARNING: No /etc/profile.d directoy on your system."
  echo "*   You will need to set the following environment variables before running the docker client:"
  echo "*   export DOCKER_CERT_PATH=$DOCKER_CONFIG_PATH"
  echo "*   export DOCKER_HOST=tcp://$HOSTNAME:2376"
  echo "*   export DOCKER_TLS_VERIFY=1"
fi


echo "* Configuring /etc/docker/daemon.json"
cat > "/etc/docker/daemon.json" << EOL
{
  "tlsverify": true,
  "tls": true,
  "tlscacert": "$DOCKER_CONFIG_PATH/ca.pem",
  "tlscert": "$DOCKER_CONFIG_PATH/server-cert.pem",
  "tlskey": "$DOCKER_CONFIG_PATH/server-key.pem",
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"]
}
EOL

echo "* Fix systemd starting script to avoid conflict with /etc/docker/daemon.json."
cat > "/etc/systemd/system/docker.service.d/override.conf" << EOL
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd
EOL
systemctl daemon-reload

echo "* Compress client TLS files and copy to current directory."
tar cvzf "certs.tar.gz" key.pem ca.pem cert.pem
mv "certs.tar.gz" "$CURRENT_DIRECTORY/certs.tar.gz"
chmod 777 "$CURRENT_DIRECTORY/certs.tar.gz"

echo "* Setp correct permissions."
chgrp -R docker "$DOCKER_CONFIG_PATH"
chmod -R g+xr "$DOCKER_CONFIG_PATH"

echo "* Restarting the docker daemon."
sudo service docker restart

echo "* You will need to set the following environment variables before running the docker client:"
cat /etc/profile.d/docker.sh
	#!/usr/bin/env bash
	# Modified from https://gist.github.com/Stono/7e6fed13cfd79598eb15
	#
	# MIT License applies to this script. I don't accept any responsibility for
	# damage you may cause using it.

	set -ex

	if [[ $EUID -ne 0 ]]; then
	echo "* This script needs to be run as root"
	exit 1
	fi

	DOCKER_CONFIG_PATH="/etc/docker"
	CURRENT_DIRECTORY="$(pwd)"

	if [ "$#" -eq 1 ]; then
	HOSTNAME="$1"
	else
	echo "Usage: ./Setup_Docker_TLS.sh HOSTNAME"
	exit 1
	fi

	echo "* Using Hostname: $HOSTNAME"
	echo "* You MUST connect to docker using this host !"

	echo "* Ensuring config directory exists..."
	mkdir -p "$DOCKER_CONFIG_PATH"
	cd "$DOCKER_CONFIG_PATH"

	if [ ! -f "ca.src" ]; then
	echo " => Creating ca.srl"
	echo 01 > ca.srl
	fi

	echo "* Create extfile.cnf."
	echo subjectAltName = DNS:$HOSTNAME,IP:0.0.0.0,IP:127.0.0.1 > extfile.cnf
	echo extendedKeyUsage = serverAuth >> extfile.cnf

	echo "* Create extfile-client.cnf."
	echo extendedKeyUsage = clientAuth > extfile-client.cnf

	echo "* Generate ca-key.pem."
	openssl genrsa -out ca-key.pem 4096

	echo "* Generate ca.pem."
	openssl req -new -x509 -subj "/CN=$HOSTNAME" -nodes -days 3650 -key ca-key.pem -out ca.pem

	echo "* Generate server-key.pem."
	openssl genrsa -out server-key.pem 4096

	echo "* Generate server.csr."
	openssl req -subj "/CN=$HOSTNAME" -new -key server-key.pem -out server.csr

	echo "* Generate server-cert.pem."
	openssl x509 -req -days 3650 -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem -extfile extfile.cnf

	echo "* Generate key.pem."
	openssl genrsa -out key.pem 4096

	echo "* Generate client.csr."
	openssl req -subj '/CN=docker.client' -new -key key.pem -out client.csr

	echo "* Generate cert.pem."
	openssl x509 -req -days 3650 -in client.csr -CA ca.pem \
	-CAkey ca-key.pem -out cert.pem -extfile extfile-client.cnf

	rm -v client.csr server.csr extfile.cnf extfile-client.cnf
	chmod -v 0400 ca-key.pem key.pem server-key.pem
	chmod -v 0444 ca.pem server-cert.pem cert.pem

	if [ -d "/etc/profile.d" ]; then
	echo "* Creating profile.d/docker"

	cat > "/etc/profile.d/docker.sh" << EOL
	#!/bin/bash
	export DOCKER_CERT_PATH=$DOCKER_CONFIG_PATH
	export DOCKER_HOST=tcp://$HOSTNAME:2376
	export DOCKER_TLS_VERIFY=1
	EOL

	chmod +x /etc/profile.d/docker.sh
	source /etc/profile.d/docker.sh

	else
	echo "* WARNING: No /etc/profile.d directoy on your system."
	echo "* You will need to set the following environment variables before running the docker client:"
	echo "* export DOCKER_CERT_PATH=$DOCKER_CONFIG_PATH"
	echo "* export DOCKER_HOST=tcp://$HOSTNAME:2376"
	echo "* export DOCKER_TLS_VERIFY=1"
	fi


	echo "* Configuring /etc/docker/daemon.json"
	cat > "/etc/docker/daemon.json" << EOL
	{
	"tlsverify": true,
	"tls": true,
	"tlscacert": "$DOCKER_CONFIG_PATH/ca.pem",
	"tlscert": "$DOCKER_CONFIG_PATH/server-cert.pem",
	"tlskey": "$DOCKER_CONFIG_PATH/server-key.pem",
	"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"]
	}
	EOL

	echo "* Fix systemd starting script to avoid conflict with /etc/docker/daemon.json."
	cat > "/etc/systemd/system/docker.service.d/override.conf" << EOL
	[Service]
	ExecStart=
	ExecStart=/usr/bin/dockerd
	EOL
	systemctl daemon-reload

	echo "* Compress client TLS files and copy to current directory."
	tar cvzf "certs.tar.gz" key.pem ca.pem cert.pem
	mv "certs.tar.gz" "$CURRENT_DIRECTORY/certs.tar.gz"
	chmod 777 "$CURRENT_DIRECTORY/certs.tar.gz"

	echo "* Setp correct permissions."
	chgrp -R docker "$DOCKER_CONFIG_PATH"
	chmod -R g+xr "$DOCKER_CONFIG_PATH"

	echo "* Restarting the docker daemon."
	sudo service docker restart

	echo "* You will need to set the following environment variables before running the docker client:"
	cat /etc/profile.d/docker.sh