Create a CA and client certificate for Docker API authentication, and enable the Docker API over TCP on a systemd-based OS.
#!/bin/bash
#######################################
# Print the usage text of this script to stdout.
# Globals:   HOME (read; shown in the example invocation)
# Arguments: none
# Outputs:   the help text, framed by an empty line before and after
#######################################
showmanual() {
  cat <<EOF

Define the following:
-h|--help (this page)
-n|--hostname (hostname of docker server)
-i|--ip (ip address (either v4 or v6) of docker server)
-l|--location (path to place a tarball for client pki)
-d|--days (days before certificates will expire)
example: ./enabledockerapi.sh --hostname somehostname.de --ip 0.0.0.0 --location $HOME --days 365

EOF
}
###
# Create CA and enable docker api via tcp
# @see https://docs.docker.com/engine/security/https/
# Creating CA
###
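# Where the PKI material is written, and where dockerd's systemd drop-in goes.
TLSFOLDER=/etc/docker/tls
SYSTEMDFOLDER=/etc/systemd/system/docker.service.d
SYSTEMDFILE=override.conf
# Defaults; overridden by the options parsed in parse_args below.
DAYS=365
HOSTFQDN=""
HOSTIP=""
TARLOCATION=""
HELP="0"
POSITIONAL=()

# Stop at the first failing command: each later step (key generation, CSR,
# signing, tarball, systemd restart) assumes the previous one succeeded, and
# continuing past a failed openssl call would end with dockerd being restarted
# against missing or half-written key material.
set -e

#######################################
# Parse the command-line options into the globals above.
# Options that take a value consume two words; a value-taking option given as
# the last word is an error. Unrecognised words are kept in POSITIONAL.
# Globals:   HOSTFQDN, HOSTIP, TARLOCATION, DAYS, HELP, POSITIONAL (written)
# Arguments: the script's "$@"
# Returns:   0; exits 1 when a value-taking option has no value
#######################################
parse_args() {
  POSITIONAL=()
  while (( $# > 0 )); do
    case "$1" in
      -n|--hostname|-i|--ip|-l|--location|-d|--days)
        if (( $# < 2 )); then
          printf 'Option %s requires a value.\n' "$1" >&2
          exit 1
        fi
        case "$1" in
          -n|--hostname) HOSTFQDN="$2" ;;
          -i|--ip)       HOSTIP="$2" ;;
          -l|--location) TARLOCATION="$2" ;;
          -d|--days)     DAYS="$2" ;;
        esac
        shift 2 # past option and its value (--days previously left its value behind as a positional)
        ;;
      -h|--help)
        HELP="1"
        shift # past argument
        ;;
      *) # unknown option: keep it as a positional parameter
        POSITIONAL+=("$1")
        shift # past argument
        ;;
    esac
  done
}
parse_args "$@"
set -- "${POSITIONAL[@]}" # restore positional parameters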
if [ "$HELP" == "1" ]; then
showmanual
exit 1
fi
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root"
exit 1
fi
if [ -z "$HOSTFQDN" ] || [ -z "$HOSTIP" ]; then
echo "Missing arguments. Set hostname an ip."
showmanual
exit 1
fi
if [ ! -d "$TLSFOLDER" ]; then
echo "Create TLS Folder in $TLSFOLDER."
mkdir -p $TLSFOLDER
fi
if [ ! -f "$TLSFOLDER/ca-key.pem" ]; then
echo "Create ca-key.pem in $TLSFOLDER."
openssl genrsa -out $TLSFOLDER/ca-key.pem 4096
fi
if [ ! -f "$TLSFOLDER/ca.pem" ]; then
echo "Create ca.pem in $TLSFOLDER."
openssl req -subj "/C=DE/ST=Berlin/L=Berlin/O=DK/OU=Dev/CN=$HOSTFQDN" -new -x509 -days $DAYS -key $TLSFOLDER/ca-key.pem -sha256 -out $TLSFOLDER/ca.pem
fi
if [ ! -f "$TLSFOLDER/server-key.pem" ]; then
echo "Create server-key.pem in $TLSFOLDER."
openssl genrsa -out $TLSFOLDER/server-key.pem 4096
fi
if [ ! -f "$TLSFOLDER/server.csr" ]; then
echo "Create server.csr in $TLSFOLDER."
openssl req -subj "/CN=$HOSTFQDN" -sha256 -new -key $TLSFOLDER/server-key.pem -out $TLSFOLDER/server.csr
fi
# allow localhost, public ip, domainname
if [ ! -f "$TLSFOLDER/extfile.cnf" ] || ! grep -Fq "subjectAltName" $TLSFOLDER/extfile.cnf; then
echo "Add subjectAltName to extfile.cnf in $TLSFOLDER with $HOSTFQDN and $HOSTIP."
echo subjectAltName = DNS:$HOSTFQDN,IP:$HOSTIP,IP:127.0.0.1 >> $TLSFOLDER/extfile.cnf
fi
if [ ! -f "$TLSFOLDER/extfile.cnf" ] || ! grep -Fq "extendedKeyUsage" $TLSFOLDER/extfile.cnf; then
echo "Add extendedKeyUsage to extfile.cnf in $TLSFOLDER."
echo extendedKeyUsage = serverAuth >> $TLSFOLDER/extfile.cnf
fi
if [ ! -f "$TLSFOLDER/server-cert.pem" ]; then
echo "Create server-cert.pem for $DAYS days in $TLSFOLDER."
openssl x509 -req -days $DAYS -sha256 -in $TLSFOLDER/server.csr -CA $TLSFOLDER/ca.pem -CAkey $TLSFOLDER/ca-key.pem \
-CAcreateserial -out $TLSFOLDER/server-cert.pem -extfile $TLSFOLDER/extfile.cnf
fi
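# Creating client key and certificate
if [ ! -f "$TLSFOLDER/key.pem" ]; then
  echo "Create client key.pem in $TLSFOLDER."
  openssl genrsa -out "$TLSFOLDER/key.pem" 4096
  # The client key is handed out via the tarball below; on this host keep it root-only.
  chmod 0400 "$TLSFOLDER/key.pem"
fi
if [ ! -f "$TLSFOLDER/client.csr" ]; then
  echo "Create client.csr in $TLSFOLDER."
  openssl req -subj '/CN=client' -new -key "$TLSFOLDER/key.pem" -out "$TLSFOLDER/client.csr"
fi
# The client certificate gets its own extension file. Appending clientAuth to
# the server's extfile.cnf gave the client cert the server's subjectAltName plus
# a second extendedKeyUsage line, and on a re-run let clientAuth end up in a
# regenerated server certificate.
if [ ! -f "$TLSFOLDER/extfile-client.cnf" ] || ! grep -Fq "clientAuth" "$TLSFOLDER/extfile-client.cnf"; then
  echo "Add extendedKeyUsage clientAuth to extfile-client.cnf in $TLSFOLDER."
  printf '%s\n' "extendedKeyUsage = clientAuth" >> "$TLSFOLDER/extfile-client.cnf"
fi
if [ ! -f "$TLSFOLDER/cert.pem" ]; then
  echo "Create client cert.pem for $DAYS days in $TLSFOLDER."
  openssl x509 -req -days "$DAYS" -sha256 -in "$TLSFOLDER/client.csr" -CA "$TLSFOLDER/ca.pem" -CAkey "$TLSFOLDER/ca-key.pem" \
    -CAcreateserial -out "$TLSFOLDER/cert.pem" -extfile "$TLSFOLDER/extfile-client.cnf"
  chmod 0444 "$TLSFOLDER/cert.pem"
fi
if [ -n "$TARLOCATION" ]; then
  if [ ! -d "$TARLOCATION" ]; then
    echo "Tarball location $TARLOCATION is not a directory." >&2
    exit 1
  fi
  echo "Provide tarball pki in $TARLOCATION."
  # The archive contains the client private key: create it unreadable to others
  # instead of relying on the caller's umask, and fix up a pre-existing archive too.
  ( umask 077 && tar -C "$TLSFOLDER" -cvzf "$TARLOCATION/dockerclientcert.tar.gz" cert.pem key.pem ca.pem )
  chmod 0600 "$TARLOCATION/dockerclientcert.tar.gz"
fi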
# @see https://success.docker.com/article/how-do-i-enable-the-remote-api-for-dockerd
# dockerd's ExecStart is overridden via a systemd drop-in at
# /etc/systemd/system/docker.service.d/override.conf ($SYSTEMDFOLDER/$SYSTEMDFILE).
if [ ! -d "$SYSTEMDFOLDER" ]; then
  echo "Create $SYSTEMDFOLDER."
  mkdir -p "$SYSTEMDFOLDER"
fi
# Written only once: an existing drop-in is left as it is, even if it differs.
if [ ! -f "$SYSTEMDFOLDER/$SYSTEMDFILE" ]; then
  echo "Create $SYSTEMDFILE to enable api over tcp on port 2376."
  # The empty ExecStart= clears the unit's original command before ours is set.
  # --tlsverify makes dockerd require a client certificate signed by ca.pem; that
  # mutual authentication is what the listener on all interfaces relies on.
  cat > "$SYSTEMDFOLDER/$SYSTEMDFILE" <<EOF

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=$TLSFOLDER/ca.pem --tlscert=$TLSFOLDER/server-cert.pem --tlskey=$TLSFOLDER/server-key.pem

EOF
  # Make systemd pick up the drop-in, then restart dockerd with the new flags.
  echo "Reload systemd conf."
  systemctl daemon-reload
  echo "Restart docker."
  systemctl restart docker.service
fi