Creates a private CA plus a client certificate for Docker API authentication (mutual TLS) and enables the Docker API over TCP (port 2376, --tlsverify) on a systemd-based OS.
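#!/bin/bash
# Abort on the first failing command. Without this a failed openssl step is
# silently skipped and the script still writes the systemd drop-in and
# restarts dockerd with --tlsverify pointing at missing or partial files.
# -u is deliberately not set: expanding the empty POSITIONAL array further
# down is reported as "unbound variable" by some older bash versions.
set -eo pipefail

#######################################
# Print the usage text to stdout.
# Globals:   HOME (expanded into the example line)
# Outputs:   usage text, one blank line before and after
#######################################
showmanual() {
  cat <<EOF

Define the following:
-h|--help (this page)
-n|--hostname (hostname of docker server)
-i|--ip (ip address (either v4 or v6) of docker server)
-l|--location (path to place a tarball for client pki)
-d|--days (days before certificates will expire)
example: ./enabledockerapi.sh --hostname somehostname.de --ip 0.0.0.0 --location $HOME --days 365

EOF
}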
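###
# Create CA and enable docker api via tcp
# @see https://docs.docker.com/engine/security/https/
###
# Everything this script writes (CA, server and client private keys, CSRs,
# the client tarball, the systemd drop-in) is for root only. A restrictive
# umask guarantees no key material is ever created world-readable, whatever
# the caller's environment is.
umask 077

# Fixed locations; not overridable from the command line.
readonly TLSFOLDER=/etc/docker/tls                          # all PKI material
readonly SYSTEMDFOLDER=/etc/systemd/system/docker.service.d # drop-in directory
readonly SYSTEMDFILE=override.conf                          # drop-in file name

# Defaults for the values set by the command-line options.
DAYS=365        # -d/--days: validity of CA and leaf certificates
HOSTFQDN=""     # -n/--hostname: CN and DNS SAN of the server certificate
HOSTIP=""       # -i/--ip: IP SAN of the server certificate
TARLOCATION=""  # -l/--location: directory for the client tarball (empty = none)
HELP="0"        # -h/--help: "1" when the usage text was requested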
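#######################################
# Parse the command line into the option globals.
# Globals:   HOSTFQDN, HOSTIP, TARLOCATION, DAYS, HELP (written)
#            POSITIONAL (reset, then filled with unrecognised arguments)
# Arguments: the script's "$@"
# Exits:     1 when an option that takes a value is given without one
#######################################
parse_args() {
  POSITIONAL=()
  while [[ $# -gt 0 ]]; do
    case "$1" in
      -n|--hostname|-i|--ip|-l|--location|-d|--days)
        # All four take exactly one value; refuse to treat a following option
        # (or nothing) as that value.
        if [[ $# -lt 2 ]]; then
          echo "Option $1 requires a value." >&2
          exit 1
        fi
        case "$1" in
          -n|--hostname) HOSTFQDN="$2" ;;
          -i|--ip)       HOSTIP="$2" ;;
          -l|--location) TARLOCATION="$2" ;;
          -d|--days)     DAYS="$2" ;;
        esac
        shift 2 # option and its value
        ;;
      -h|--help)
        HELP="1"
        shift
        ;;
      *)
        # Unknown option: keep it for the caller, as the original did.
        POSITIONAL+=("$1")
        shift
        ;;
    esac
  done
}

parse_args "$@"
set -- "${POSITIONAL[@]}" # restore positional parameters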
if [ "$HELP" == "1" ]; then | |
showmanual | |
exit 1 | |
fi | |
if [[ $EUID -ne 0 ]]; then | |
echo "This script must be run as root" | |
exit 1 | |
fi | |
if [ -z "$HOSTFQDN" ] || [ -z "$HOSTIP" ]; then | |
echo "Missing arguments. Set hostname an ip." | |
showmanual | |
exit 1 | |
fi | |
if [ ! -d "$TLSFOLDER" ]; then | |
echo "Create TLS Folder in $TLSFOLDER." | |
mkdir -p $TLSFOLDER | |
fi | |
if [ ! -f "$TLSFOLDER/ca-key.pem" ]; then | |
echo "Create ca-key.pem in $TLSFOLDER." | |
openssl genrsa -out $TLSFOLDER/ca-key.pem 4096 | |
fi | |
if [ ! -f "$TLSFOLDER/ca.pem" ]; then | |
echo "Create ca.pem in $TLSFOLDER." | |
openssl req -subj "/C=DE/ST=Berlin/L=Berlin/O=DK/OU=Dev/CN=$HOSTFQDN" -new -x509 -days $DAYS -key $TLSFOLDER/ca-key.pem -sha256 -out $TLSFOLDER/ca.pem | |
fi | |
if [ ! -f "$TLSFOLDER/server-key.pem" ]; then | |
echo "Create server-key.pem in $TLSFOLDER." | |
openssl genrsa -out $TLSFOLDER/server-key.pem 4096 | |
fi | |
if [ ! -f "$TLSFOLDER/server.csr" ]; then | |
echo "Create server.csr in $TLSFOLDER." | |
openssl req -subj "/CN=$HOSTFQDN" -sha256 -new -key $TLSFOLDER/server-key.pem -out $TLSFOLDER/server.csr | |
fi | |
# allow localhost, public ip, domainname | |
if [ ! -f "$TLSFOLDER/extfile.cnf" ] || ! grep -Fq "subjectAltName" $TLSFOLDER/extfile.cnf; then | |
echo "Add subjectAltName to extfile.cnf in $TLSFOLDER with $HOSTFQDN and $HOSTIP." | |
echo subjectAltName = DNS:$HOSTFQDN,IP:$HOSTIP,IP:127.0.0.1 >> $TLSFOLDER/extfile.cnf | |
fi | |
if [ ! -f "$TLSFOLDER/extfile.cnf" ] || ! grep -Fq "extendedKeyUsage" $TLSFOLDER/extfile.cnf; then | |
echo "Add extendedKeyUsage to extfile.cnf in $TLSFOLDER." | |
echo extendedKeyUsage = serverAuth >> $TLSFOLDER/extfile.cnf | |
fi | |
if [ ! -f "$TLSFOLDER/server-cert.pem" ]; then | |
echo "Create server-cert.pem for $DAYS days in $TLSFOLDER." | |
openssl x509 -req -days $DAYS -sha256 -in $TLSFOLDER/server.csr -CA $TLSFOLDER/ca.pem -CAkey $TLSFOLDER/ca-key.pem \ | |
-CAcreateserial -out $TLSFOLDER/server-cert.pem -extfile $TLSFOLDER/extfile.cnf | |
fi | |
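#Creating Client
# The client certificate is what an operator presents to dockerd; whoever
# holds key.pem can drive the daemon, so the key is chmod 0400 as soon as it
# exists.
CLIENTEXT="$TLSFOLDER/extfile-client.cnf"
if [[ ! -f "$TLSFOLDER/key.pem" ]]; then
  echo "Create client key.pem in $TLSFOLDER."
  openssl genrsa -out "$TLSFOLDER/key.pem" 4096
  chmod 0400 "$TLSFOLDER/key.pem"
fi
if [[ ! -f "$TLSFOLDER/client.csr" ]]; then
  echo "Create client.csr in $TLSFOLDER."
  # -sha256 added for consistency with the server CSR.
  openssl req -subj '/CN=client' -sha256 -new \
    -key "$TLSFOLDER/key.pem" -out "$TLSFOLDER/client.csr"
fi
# Client extensions live in their own file. Appending clientAuth to the file
# that already holds the server's serverAuth and subjectAltName lines leaves
# two extendedKeyUsage entries in one extfile and copies the server's SAN into
# the client certificate.
if [[ ! -f "$CLIENTEXT" ]] || ! grep -Fq "clientAuth" "$CLIENTEXT"; then
  echo "Add extendedKeyUsage clientAuth to extfile-client.cnf in $TLSFOLDER."
  printf 'extendedKeyUsage = clientAuth\n' >> "$CLIENTEXT"
fi
if [[ ! -f "$TLSFOLDER/cert.pem" ]]; then
  echo "Create client cert.pem for $DAYS days in $TLSFOLDER."
  openssl x509 -req -days "$DAYS" -sha256 -in "$TLSFOLDER/client.csr" \
    -CA "$TLSFOLDER/ca.pem" -CAkey "$TLSFOLDER/ca-key.pem" -CAcreateserial \
    -out "$TLSFOLDER/cert.pem" -extfile "$CLIENTEXT"
  chmod 0444 "$TLSFOLDER/cert.pem"
fi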
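#######################################
# Bundle the client-side PKI (cert.pem, key.pem, ca.pem) into a tarball.
# The archive contains the client private key, so it is made root-only
# (0600); move it over a channel you trust and delete it after use.
# Arguments: $1 - directory holding cert.pem, key.pem and ca.pem
#            $2 - existing directory to write dockerclientcert.tar.gz into
# Outputs:   progress line and tar's verbose file list on stdout
# Returns:   1 when $2 is not a directory or tar fails, 0 otherwise
#######################################
package_client_pki() {
  local srcdir=$1 destdir=$2
  local archive="$destdir/dockerclientcert.tar.gz"
  if [[ ! -d "$destdir" ]]; then
    echo "Tarball location $destdir is not a directory." >&2
    return 1
  fi
  echo "Provide tarball pki in $destdir."
  tar -C "$srcdir" -cvzf "$archive" cert.pem key.pem ca.pem || return 1
  chmod 0600 "$archive"
}

if [[ -n "$TARLOCATION" ]]; then
  package_client_pki "$TLSFOLDER" "$TARLOCATION" || exit 1
fi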
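# @see https://success.docker.com/article/how-do-i-enable-the-remote-api-for-dockerd
# in /etc/systemd/system/docker.service.d/startup_options.conf
#
# The drop-in replaces ExecStart so dockerd also listens on tcp://0.0.0.0:2376,
# i.e. on every IPv4 interface. --tlsverify makes client-certificate
# authentication mandatory and is the only access control: any client
# certificate chained to ca.pem gets full control of the daemon (equivalent to
# root on this host). Firewall port 2376 if the API is not meant to be
# reachable from everywhere.
if [[ ! -d "$SYSTEMDFOLDER" ]]; then
  echo "Create $SYSTEMDFOLDER."
  mkdir -p "$SYSTEMDFOLDER"
fi
if [[ ! -f "$SYSTEMDFOLDER/$SYSTEMDFILE" ]]; then
  # Never point --tlsverify at files that are not there: dockerd would fail to
  # start again on the restart below.
  for pem in ca.pem server-cert.pem server-key.pem; do
    if [[ ! -f "$TLSFOLDER/$pem" ]]; then
      echo "Missing $TLSFOLDER/$pem; refusing to enable the TCP API." >&2
      exit 1
    fi
  done
  echo "Create $SYSTEMDFILE to enable api over tcp on port 2376."
  # NOTE(review): /usr/bin/dockerd and "-H fd://" (socket activation) follow
  # the stock docker.service unit; confirm both against your distribution's
  # unit before relying on this drop-in.
  cat > "$SYSTEMDFOLDER/$SYSTEMDFILE" <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=$TLSFOLDER/ca.pem --tlscert=$TLSFOLDER/server-cert.pem --tlskey=$TLSFOLDER/server-key.pem
EOF
  # reload
  echo "Reload systemd conf."
  systemctl daemon-reload
  # run
  echo "Restart docker."
  systemctl restart docker.service
fi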