Import docker-host
This commit is contained in:
parent
07a24c8438
commit
fdcc465172
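--- /dev/null
+++ b/PATH_NOT_ON_PAGE_1
@@ -0,0 +1,35 @@
+# docker-host
+- Author: Gabriel Périard-Tremblay <gperiardtremblay@evolix.ca>
+- Date: August 2016
+
+## What docker-host Affects
+
+This playbook will install a docker-engine on the target host.
+
+## Role Variables
+
+These variables are needed when the docker-engine needs to be exposed.
+
+- docker_remote_access_enabled: True
+- docker_daemon_port: 2376
+- docker_daemon_listening_ip: 0.0.0.0
+
+When the docker-engine is reachable from another host, it's important
+to configure TLS. Those are the basic settings for TLS and it should not be
+modified.
+
+- docker_tls_enabled: True
+- docker_tls_path: /home/docker/tls
+- docker_tls_ca: ca/ca.pem
+- docker_tls_ca_key: ca/ca-key.pem
+- docker_tls_cert: server/cert.pem
+- docker_tls_key: server/key.pem
+- docker_tls_csr: server/server.csr
+
+## Example
+
+`$ ansible-playbook -i inventory docker-host.yml`
+
+## License
+
+GPLv3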
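--- /dev/null
+++ b/PATH_NOT_ON_PAGE_2
@@ -0,0 +1,14 @@
+---
+docker_tmpdir: /home/docker/tmp
+
+docker_remote_access_enabled: True
+docker_daemon_port: 2376
+docker_daemon_listening_ip: 0.0.0.0
+
+docker_tls_enabled: True
+docker_tls_path: /home/docker/tls
+docker_tls_ca: ca/ca.pem
+docker_tls_ca_key: ca/ca-key.pem
+docker_tls_cert: server/cert.pem
+docker_tls_key: server/key.pem
+docker_tls_csr: server/server.csr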
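Review bot: The defaults turn remote access on and bind the daemon to `0.0.0.0` out of the box, while the README in this same commit describes these variables as needed only when the engine has to be exposed. Every host that applies the role without overrides therefore gets a TCP listener on 2376; a safer default is `docker_remote_access_enabled: False` (and/or `docker_daemon_listening_ip: 127.0.0.1`), with the inventory opting in explicitly. TLS defaults to on, which is the right choice, but nothing here or in the tasks rejects the `docker_remote_access_enabled: True` / `docker_tls_enabled: False` combination, which would publish the root-equivalent API unauthenticated.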
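--- /dev/null
+++ b/PATH_NOT_ON_PAGE_3
@@ -0,0 +1,9 @@
+---
+- name: reload systemd
+  command: systemctl daemon-reload
+
+- name: restart docker
+  service:
+    name: docker
+    state: restarted
+    enabled: yes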
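--- /dev/null
+++ b/PATH_NOT_ON_PAGE_4
@@ -0,0 +1,69 @@
+# This role installs the docker daemon
+---
+- name: Install apt-transport-https
+  apt:
+    name: apt-transport-https
+    state: present
+    update_cache: yes
+
+- name: Enable Docker repositories
+  apt_repository:
+    repo: 'deb https://apt.dockerproject.org/repo debian-{{ ansible_distribution_release }} main'
+    state: present
+    update_cache: no
+
+- name: Enable backports repository for docker-py
+  apt_repository:
+    repo: 'deb http://ftp.debian.org/debian {{ ansible_distribution_release }}-backports main'
+    state: present
+
+- name: Install Docker repo keys
+  apt_key:
+    keyserver: pgp.mit.edu
+    id: 58118E89F3A912897C070ADBF76221572C52609D
+
+- name: Install docker and docker-py
+  apt:
+    name: {{ item }}
+    state: latest
+    update_cache: yes
+  with_items:
+    - docker-engine
+    - python-docker
+
+- name: Configure docker service
+  template:
+    src: docker.service.j2
+    dest: /lib/systemd/system/docker.service
+  notify:
+    - reload systemd
+    - restart docker
+
+- name: Creating Docker tmp directory
+  file:
+    path: "{{ docker_tmpdir }}"
+    state: directory
+    mode: "0644"
+    owner: root
+
+- name: Creating Docker TLS directory
+  file:
+    path: "{{ docker_tls_path }}"
+    state: directory
+    mode: "0644"
+    owner: root
+  when: "{{ docker_tls_enabled }}"
+
+- name: Copy shellpki utility to Docker TLS directory
+  template:
+    src: "{{ item }}.j2"
+    dest: "{{ docker_tls_path }}/{{ item }}"
+    mode: "0744"
+  with_items:
+    - shellpki.sh
+    - openssl.cnf
+  when: "{{ docker_tls_enabled }}"
+
+- name: Creating a CA, server key
+  command: "{{ docker_tls_path }}/shellpki.sh init"
+  when: "{{ docker_tls_enabled }}"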
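Review bot: The `Creating Docker TLS directory` task creates the directory with `mode: "0644"`, which is not a usable directory mode (no execute bit) and is too open for the place that will hold the CA private key (`docker_tls_ca_key`) and the server key; `mode: "0700"` is the appropriate value, and the tmp directory task just above has the same problem. The final `Creating a CA, server key` task runs `shellpki.sh init` on every play, so each run regenerates the CA and server key and invalidates every client certificate issued before; add `args:` / `creates: "{{ docker_tls_path }}/{{ docker_tls_ca_key }}"` so it runs only once. `name: {{ item }}` in `Install docker and docker-py` is unquoted, which YAML reads as a flow mapping rather than a Jinja expression, so the play will not parse; write `name: "{{ item }}"`. The `when: "{{ docker_tls_enabled }}"` conditions should be bare expressions (`when: docker_tls_enabled`), since Ansible warns about templated `when` values. Enabling the backports repository (which triggers an apt cache update by default) before the Docker key is installed may also make the update fail on the unsigned Docker repository with newer apt releases; moving `Install Docker repo keys` ahead of the repository tasks avoids depending on that ordering.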
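--- /dev/null
+++ b/PATH_NOT_ON_PAGE_5
@@ -0,0 +1,27 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Docker Application Container Engine
+Documentation=https://docs.docker.com
+After=network.target docker.socket
+Requires=docker.socket
+
+[Service]
+ExecStart=/usr/bin/docker daemon -H fd:// \
+{% if docker_tls_enabled %}
+--tlsverify \
+--tlscacert={{ docker_tls_path }}/{{ docker_tls_ca }} \
+--tlscert={{ docker_tls_path }}/{{ docker_tls_cert }} \
+--tlskey={{ docker_tls_path }}/{{ docker_tls_key }} \
+{% endif %}
+{% if docker_remote_access_enabled %}
+-H tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}
+{% endif %}
+MountFlags=slave
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+Environment="TMPDIR={{ docker_tmpdir }}"
+
+[Install]
+WantedBy=multi-user.target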
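Review bot: `ExecStart=/usr/bin/docker daemon -H fd:// \` and the `--tlskey=... \` line both end with a continuation backslash, so whenever `docker_remote_access_enabled` is false the only line without one is inside a skipped block and the continuation runs into `MountFlags=slave`, which systemd then passes to the daemon as an argument (with the template module's default block trimming the `{% %}` lines leave nothing behind to break the join); the unconditional `-H fd://` should be the last, backslash-free line. Separately, the `-H tcp://` listener is emitted whenever remote access is enabled regardless of `docker_tls_enabled`, which would expose the root-equivalent API without any authentication if TLS is switched off; guarding the tcp line with `{% if docker_remote_access_enabled and docker_tls_enabled %}` (or failing the play in the tasks) closes that gap. A rewrite of the ExecStart block that fixes both follows.
```ini
ExecStart=/usr/bin/docker daemon \
{% if docker_tls_enabled %}
--tlsverify \
--tlscacert={{ docker_tls_path }}/{{ docker_tls_ca }} \
--tlscert={{ docker_tls_path }}/{{ docker_tls_cert }} \
--tlskey={{ docker_tls_path }}/{{ docker_tls_key }} \
{% endif %}
{% if docker_remote_access_enabled and docker_tls_enabled %}
-H tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }} \
{% endif %}
-H fd://
; … unchanged: MountFlags, Limit*, Environment, [Install] …
```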
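--- /dev/null
+++ b/PATH_NOT_ON_PAGE_6
@@ -0,0 +1,50 @@
+# {{ ansible_managed }}
+
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = {{ docker_tls_path }}/ca
+certs = {{ docker_tls_path }}/certs
+new_certs_dir = {{ docker_tls_path }}/ca/tmp
+database = $dir/index.txt
+certificate = $dir/cacert.pem
+serial = $dir/serial
+crl = {{ docker_tls_path }}crl.pem
+private_key = $dir/private.key
+RANDFILE = $dir/.rand
+default_days = 365
+default_crl_days= 365
+default_md = sha256
+preserve = no
+policy = policy_match
+
+[ policy_match ]
+countryName = supplied
+stateOrProvinceName = supplied
+organizationName = supplied
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = supplied
+
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = FR
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = State or Province
+stateOrProvinceName_default = 13
+localityName = Locality Name (eg, city)
+localityName_default = Marseille
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Evolix
+organizationalUnitName = Organizational Unit Name (eg, section)
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 64
+emailAddress = Email Address
+emailAddress_default = security@evolix.net
+emailAddress_max = 40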
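Review bot: `certificate = $dir/cacert.pem` and `private_key = $dir/private.key` do not match what `shellpki.sh init` in this commit writes, which is `$PREFIX/{{ docker_tls_ca }}` and `$PREFIX/{{ docker_tls_ca_key }}` (`ca/ca.pem` and `ca/ca-key.pem` with the shipped defaults), so any `openssl ca` invocation using this config — the script's `revoke` function relies on one — will not find the CA. `crl = {{ docker_tls_path }}crl.pem` is also missing the `/` separator and resolves to a file beside the TLS directory rather than inside it. Suggested lines: `certificate = {{ docker_tls_path }}/{{ docker_tls_ca }}`, `private_key = {{ docker_tls_path }}/{{ docker_tls_ca_key }}`, `crl = $dir/crl.pem`. `database = $dir/index.txt` and `serial = $dir/serial` are referenced but nothing in the commit creates them, and `openssl ca` refuses to run without them, so `init` would need to create an empty `index.txt` and an initial `serial` as well.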
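--- /dev/null
+++ b/PATH_NOT_ON_PAGE_7
@@ -0,0 +1,121 @@
+#!/bin/sh
+# {{ ansible_managed }}
+# Simplified ShellPKI for Docker with TLS
+
+PREFIX={{ docker_tls_path }}
+CONFFILE=$PREFIX/openssl.cnf
+OPENSSL=`which openssl`
+
+init() {
+
+    if [ ! -d $PREFIX/ca ]; then mkdir -p $PREFIX/ca; fi
+    if [ ! -d $PREFIX/ca/tmp ]; then mkdir -p $PREFIX/ca/tmp; fi
+    if [ ! -d $PREFIX/certs ]; then mkdir -p $PREFIX/certs; fi
+    if [ ! -d $PREFIX/files ]; then mkdir -p $PREFIX/files; fi
+    if [ ! -d $PREFIX/server ]; then mkdir -p $PREFIX/server; fi
+
+    echo "Generating CA Key...\n"
+    $OPENSSL genrsa -out $PREFIX/ca/ca-key.pem 4096
+
+    echo "Generating CA cert...\n"
+    $OPENSSL req \
+        -new -x509 -days 3650 -sha256 \
+        -key $PREFIX/{{ docker_tls_ca_key }} \
+        -out $PREFIX/{{ docker_tls_ca }} \
+        -subj "/CN={{ ansible_hostname }}/C=FR"
+
+    echo "Generating server key...\n"
+    $OPENSSL genrsa -out $PREFIX/{{ docker_tls_key }} 4096
+
+    echo "Generating server cert...\n"
+    $OPENSSL req \
+        -new -days 3650 -sha256 \
+        -key $PREFIX/{{ docker_tls_key }} \
+        -out $PREFIX/{{ docker_tls_csr }} \
+        -subj "/CN={{ ansible_hostname }}/C=FR"
+
+    echo "subjectAltName = {% for ip in ansible_all_ipv4_addresses %}IP:{{ ip }},{% endfor %}IP:127.0.0.1" > $PREFIX/extfile.cnf
+
+    echo "Signing server...\n"
+    $OPENSSL x509 \
+        -req -sha256 -days 3650 \
+        -in $PREFIX/{{ docker_tls_csr }} \
+        -CA $PREFIX/{{ docker_tls_ca }} \
+        -CAkey $PREFIX/{{ docker_tls_ca_key }} \
+        -CAcreateserial \
+        -out $PREFIX/{{ docker_tls_cert }} \
+        -extfile $PREFIX/extfile.cnf
+
+    rm $PREFIX/{{ docker_tls_csr }}
+}
+
+
+create() {
+    echo "Please enter your CN (Common Name)"
+    read cn
+    echo
+    echo "Your CN is '$cn'"
+    echo "Press return to continue..."
+    read
+    echo
+
+    DIR=$PREFIX/files/$cn
+    mkdir $DIR
+
+    # generate private key
+    $OPENSSL genrsa -out $DIR/$cn.key 4096
+
+    # generate csr req
+    $OPENSSL req \
+        -new \
+        -key $DIR/$cn.key \
+        -config $CONFFILE \
+        -out $DIR/$cn.csr \
+        -subj "/CN=$cn/C=FR"
+
+    # ca sign and generate cert
+    echo extendedKeyUsage = clientAuth > $DIR/extfile.cnf
+    $OPENSSL x509 \
+        -req -sha256 \
+        -in $DIR/$cn.csr \
+        -CA $PREFIX/{{ docker_tls_ca }} \
+        -CAkey $PREFIX/{{ docker_tls_ca_key }} \
+        -CAcreateserial \
+        -out $DIR/cert.pem \
+        -extfile $DIR/extfile.cnf
+    rm $DIR/$cn.csr
+    cp $PREFIX/{{ docker_tls_ca }} $DIR/
+}
+
+revoke() {
+    echo "Please enter CN (Common Name) to revoke"
+    read cn
+    echo
+    echo "CN '$cn' will be revoked"
+    echo "Press return to continue..."
+    read
+    echo
+
+    $OPENSSL ca \
+        -revoke $PREFIX/certs/$cn.crt
+
+}
+
+case "$1" in
+    init)
+        init
+        ;;
+
+    create)
+        create
+        ;;
+
+    revoke)
+        revoke
+        ;;
+
+    *)
+        echo "Usage: shellpki.sh {init|create|revoke}"
+        exit 1
+        ;;
+esac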
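Review bot: `revoke` cannot work as written and gives a false sense of security: it runs `openssl ca -revoke $PREFIX/certs/$cn.crt`, but `create` writes client certificates to `$PREFIX/files/$cn/cert.pem`, `openssl ca` is called without `-config $CONFFILE`, and no CRL is ever generated or consumed by the daemon (the unit template only passes `--tlscacert`), so a "revoked" client keeps its access until the CA is replaced; either drop the subcommand for now or implement it end to end (CA index/serial, `-config`, `-gencrl`, and a way to act on the CRL). The private keys come from `openssl genrsa` with no `umask` set, so depending on the OpenSSL version `ca-key.pem` and the server key may be created world-readable inside a directory the tasks create as 0644; add `umask 077` at the top of the script before any key is written. `cn` is taken with `read cn` (no `-r`) and used unquoted in `DIR=$PREFIX/files/$cn`, `mkdir $DIR` and `-subj "/CN=$cn/C=FR"`, so a value with spaces, `/` or `..` breaks the paths or escapes `$PREFIX/files`; use `read -r cn`, reject anything outside `[A-Za-z0-9._-]`, and quote every expansion. The client signing step in `create` has no `-days`, so `openssl x509 -req` issues 30-day certificates, which looks unintended next to the 3650-day server cert, and with no `set -e` a failed `genrsa` or signing still reaches the following `rm`.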