satlab: TLS dockerd

Start the Docker daemon on a TLS-secured TCP socket. Generate certs/keys at
boot time and put the client's copies on a docker volume.

Redundant definitions across repos were removed - all variables are in
os-dependent/chromeos/upstart-scripts/moblab-dockerd.conf

BUG=b:197875817
TEST=Manually verified with Satlab with changes from all related CLs

Change-Id: Ife9837e5503b15d10f238e7f53279e0d5c0fd98b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/moblab/+/5490442
Tested-by: Jacek Klimkowicz <klimkowicz@google.com>
Reviewed-by: Michal Matyjek <mmatyjek@google.com>
Commit-Queue: Jacek Klimkowicz <klimkowicz@google.com>
diff --git a/os-dependent/chromeos/upstart-scripts/moblab-dockerd.conf b/os-dependent/chromeos/upstart-scripts/moblab-dockerd.conf
index 1216ee7..f31c62d 100644
--- a/os-dependent/chromeos/upstart-scripts/moblab-dockerd.conf
+++ b/os-dependent/chromeos/upstart-scripts/moblab-dockerd.conf
@@ -14,6 +14,8 @@
 
 normal exit 0
 
+env DOCKER_CERT_PATH=/etc/docker/certs
+
 script
   mkdir -p /var/log/bootup/
   exec >>/var/log/bootup/${UPSTART_JOB}.log 2>&1
@@ -44,9 +46,78 @@
 
   EXTRA_ARGS=""
 
-  if [ "${APP_KEY}" = "satlab" ]
-  then
-    EXTRA_ARGS="-H tcp://192.168.231.1:2375 -H unix:///var/run/docker.sock"
+  if [ "${APP_KEY}" = "satlab" ]; then
+    DOCKER_IP=192.168.231.1
+    DOCKER_PORT=2376
+    DOCKER_HOST=tcp://${DOCKER_IP}:${DOCKER_PORT}
+    mkdir -p ${DOCKER_CERT_PATH}
+    openssl genrsa \
+      -aes256 \
+      -out ${DOCKER_CERT_PATH}/ca-key.pem \
+      -passout pass:pass 4096
+    openssl rsa \
+      -in ${DOCKER_CERT_PATH}/ca-key.pem \
+      -passin pass:pass \
+      -out ${DOCKER_CERT_PATH}/ca-key.pem
+    openssl req \
+      -new \
+      -x509 \
+      -days 365 \
+      -key ${DOCKER_CERT_PATH}/ca-key.pem \
+      -sha256 -out ${DOCKER_CERT_PATH}/ca.pem \
+      -passin pass:pass \
+      -subj "/C=US/ST=CA/L=SJC/O=Google/OU=DFP/CN=${DOCKER_IP}/emailAddress=email"
+    openssl genrsa -out ${DOCKER_CERT_PATH}/server-key.pem 4096
+    openssl req \
+      -subj "/CN=${DOCKER_IP}" \
+      -sha256 \
+      -new \
+      -key ${DOCKER_CERT_PATH}/server-key.pem \
+      -out ${DOCKER_CERT_PATH}/server.csr
+    echo subjectAltName = IP:${DOCKER_IP} > ${DOCKER_CERT_PATH}/extfile.cnf
+    echo extendedKeyUsage = serverAuth >> ${DOCKER_CERT_PATH}/extfile.cnf
+    openssl x509 \
+      -req \
+      -days 365 \
+      -sha256 \
+      -in ${DOCKER_CERT_PATH}/server.csr \
+      -CA ${DOCKER_CERT_PATH}/ca.pem \
+      -CAkey ${DOCKER_CERT_PATH}/ca-key.pem \
+      -CAcreateserial \
+      -out ${DOCKER_CERT_PATH}/server-cert.pem \
+      -extfile ${DOCKER_CERT_PATH}/extfile.cnf \
+      -passin pass:pass
+    openssl genrsa -out ${DOCKER_CERT_PATH}/key.pem 4096
+    openssl req \
+      -subj '/CN=client' \
+      -new \
+      -key ${DOCKER_CERT_PATH}/key.pem \
+      -out ${DOCKER_CERT_PATH}/client.csr
+    echo extendedKeyUsage = clientAuth > ${DOCKER_CERT_PATH}/extfile-client.cnf
+    openssl x509 \
+      -req -days 365 \
+      -sha256 \
+      -in ${DOCKER_CERT_PATH}/client.csr \
+      -CA ${DOCKER_CERT_PATH}/ca.pem \
+      -CAkey ${DOCKER_CERT_PATH}/ca-key.pem \
+      -CAcreateserial \
+      -out ${DOCKER_CERT_PATH}/cert.pem \
+      -extfile ${DOCKER_CERT_PATH}/extfile-client.cnf \
+      -passin pass:pass
+    rm ${DOCKER_CERT_PATH}/*.csr ${DOCKER_CERT_PATH}/*.cnf
+    chmod -v 0400 ${DOCKER_CERT_PATH}/ca-key.pem ${DOCKER_CERT_PATH}/key.pem ${DOCKER_CERT_PATH}/server-key.pem
+    chmod -v 0444 ${DOCKER_CERT_PATH}/ca.pem ${DOCKER_CERT_PATH}/server-cert.pem ${DOCKER_CERT_PATH}/cert.pem
+
+    EXTRA_ARGS="--tlsverify \
+      --tlscacert=${DOCKER_CERT_PATH}/ca.pem \
+      --tlscert=${DOCKER_CERT_PATH}/server-cert.pem \
+      --tlskey=${DOCKER_CERT_PATH}/server-key.pem \
+      -H ${DOCKER_HOST} \
+      -H unix:///var/run/docker.sock"
+    mkdir -p /etc/satlab
+    echo "export DOCKER_CERT_PATH=${DOCKER_CERT_PATH}" > /etc/satlab/dockerd.env
+    echo "export DOCKER_HOST=${DOCKER_HOST}" >> /etc/satlab/dockerd.env
+    echo "export DOCKER_TLS_VERIFY=true" >> /etc/satlab/dockerd.env
   fi
   /usr/bin/dockerd --data-root "${DOCKER_DATA_ROOT}" ${EXTRA_ARGS}
 
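Review bot: The CA key is generated AES-256-encrypted under the literal passphrase `pass:pass` and then immediately rewritten in plaintext by the following `openssl rsa` step, so the encryption, the `-passout`, and every later `-passin pass:pass` add nothing except a hard-coded passphrase in the job file; the two commands collapse to `openssl genrsa -out ${DOCKER_CERT_PATH}/ca-key.pem 4096` and the `-passin` lines can be dropped. The three `genrsa` calls write their private keys under the default umask into a directory created with default mode, and `chmod 0400` is applied only afterwards, so a `umask 077` (or `mkdir -p -m 0700 ${DOCKER_CERT_PATH}`) before the first `openssl` call would close that window. The whole CA/server/client material is also regenerated on every boot with no existence check, which invalidates any copy of `cert.pem`/`key.pem` a client kept outside the volume; if that is intended, a comment saying so would help, otherwise guard the generation with `if [ ! -f ${DOCKER_CERT_PATH}/ca-key.pem ]; then … fi`. The enclosing `script` stanza starts and ends outside this hunk.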
@@ -55,4 +126,12 @@
 # check that docker is actually running before the started event is emitted
 post-start script
   while ! docker info ; do sleep 1 ; done
+
+  # Use hello-world container to create a volume to store tls certs.
+  id=$(docker container create -v docker_tls:/docker_tls hello-world)
+  PEMS="ca cert key"
+  for p in ${PEMS}; do
+    docker cp ${DOCKER_CERT_PATH}/$p.pem $id:/docker_tls
+  done
+  docker rm $id
 end script
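Review bot: Copying `key.pem` into the `docker_tls` volume puts the client private key, which is sufficient for full access to the `--tlsverify` daemon, within reach of any container that mounts that volume, so the volume name is a trust boundary and deserves a comment such as `# docker_tls holds the client key: mount it only into trusted containers`. If any `docker cp` in the loop fails before `docker rm`, the created container is left behind; whether the stanza runs with `-e` is not visible here, but either way a cleanup on failure would be safer. `$id` and `$p` are unquoted throughout; `docker cp "${DOCKER_CERT_PATH}/$p.pem" "$id:/docker_tls"` and `docker rm "$id"` are the usual form. Whether the `hello-world` image is already present on the device or has to be pulled over the network at this point is not shown; if a pull is needed, post-start would block here without connectivity.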