satlab: TLS dockerd
Start the Docker daemon on a TLS-secured TCP socket. Generate the CA, server and
client certs/keys at boot time and copy the client's cert/key to a docker volume.
Redundant definitions across repos were removed - all variables are in
os-dependent/chromeos/upstart-scripts/moblab-dockerd.conf
BUG=b:197875817
TEST=Manually verified with Satlab with changes from all related CLs
Change-Id: Ife9837e5503b15d10f238e7f53279e0d5c0fd98b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/moblab/+/5490442
Tested-by: Jacek Klimkowicz <klimkowicz@google.com>
Reviewed-by: Michal Matyjek <mmatyjek@google.com>
Commit-Queue: Jacek Klimkowicz <klimkowicz@google.com>
diff --git a/os-dependent/chromeos/upstart-scripts/moblab-dockerd.conf b/os-dependent/chromeos/upstart-scripts/moblab-dockerd.conf
index 1216ee7..f31c62d 100644
--- a/os-dependent/chromeos/upstart-scripts/moblab-dockerd.conf
+++ b/os-dependent/chromeos/upstart-scripts/moblab-dockerd.conf
@@ -14,6 +14,8 @@
normal exit 0
+env DOCKER_CERT_PATH=/etc/docker/certs
+
script
mkdir -p /var/log/bootup/
exec >>/var/log/bootup/${UPSTART_JOB}.log 2>&1
@@ -44,9 +46,78 @@
EXTRA_ARGS=""
- if [ "${APP_KEY}" = "satlab" ]
- then
- EXTRA_ARGS="-H tcp://192.168.231.1:2375 -H unix:///var/run/docker.sock"
+ if [ "${APP_KEY}" = "satlab" ]; then
+ DOCKER_IP=192.168.231.1
+ DOCKER_PORT=2376
+ DOCKER_HOST=tcp://${DOCKER_IP}:${DOCKER_PORT}
+ mkdir -p ${DOCKER_CERT_PATH}
+ openssl genrsa \
+ -aes256 \
+ -out ${DOCKER_CERT_PATH}/ca-key.pem \
+ -passout pass:pass 4096
+ openssl rsa \
+ -in ${DOCKER_CERT_PATH}/ca-key.pem \
+ -passin pass:pass \
+ -out ${DOCKER_CERT_PATH}/ca-key.pem
+ openssl req \
+ -new \
+ -x509 \
+ -days 365 \
+ -key ${DOCKER_CERT_PATH}/ca-key.pem \
+ -sha256 -out ${DOCKER_CERT_PATH}/ca.pem \
+ -passin pass:pass \
+ -subj "/C=US/ST=CA/L=SJC/O=Google/OU=DFP/CN=${DOCKER_IP}/emailAddress=email"
+ openssl genrsa -out ${DOCKER_CERT_PATH}/server-key.pem 4096
+ openssl req \
+ -subj "/CN=${DOCKER_IP}" \
+ -sha256 \
+ -new \
+ -key ${DOCKER_CERT_PATH}/server-key.pem \
+ -out ${DOCKER_CERT_PATH}/server.csr
+ echo subjectAltName = IP:${DOCKER_IP} > ${DOCKER_CERT_PATH}/extfile.cnf
+ echo extendedKeyUsage = serverAuth >> ${DOCKER_CERT_PATH}/extfile.cnf
+ openssl x509 \
+ -req \
+ -days 365 \
+ -sha256 \
+ -in ${DOCKER_CERT_PATH}/server.csr \
+ -CA ${DOCKER_CERT_PATH}/ca.pem \
+ -CAkey ${DOCKER_CERT_PATH}/ca-key.pem \
+ -CAcreateserial \
+ -out ${DOCKER_CERT_PATH}/server-cert.pem \
+ -extfile ${DOCKER_CERT_PATH}/extfile.cnf \
+ -passin pass:pass
+ openssl genrsa -out ${DOCKER_CERT_PATH}/key.pem 4096
+ openssl req \
+ -subj '/CN=client' \
+ -new \
+ -key ${DOCKER_CERT_PATH}/key.pem \
+ -out ${DOCKER_CERT_PATH}/client.csr
+ echo extendedKeyUsage = clientAuth > ${DOCKER_CERT_PATH}/extfile-client.cnf
+ openssl x509 \
+ -req -days 365 \
+ -sha256 \
+ -in ${DOCKER_CERT_PATH}/client.csr \
+ -CA ${DOCKER_CERT_PATH}/ca.pem \
+ -CAkey ${DOCKER_CERT_PATH}/ca-key.pem \
+ -CAcreateserial \
+ -out ${DOCKER_CERT_PATH}/cert.pem \
+ -extfile ${DOCKER_CERT_PATH}/extfile-client.cnf \
+ -passin pass:pass
+ rm ${DOCKER_CERT_PATH}/*.csr ${DOCKER_CERT_PATH}/*.cnf
+ chmod -v 0400 ${DOCKER_CERT_PATH}/ca-key.pem ${DOCKER_CERT_PATH}/key.pem ${DOCKER_CERT_PATH}/server-key.pem
+ chmod -v 0444 ${DOCKER_CERT_PATH}/ca.pem ${DOCKER_CERT_PATH}/server-cert.pem ${DOCKER_CERT_PATH}/cert.pem
+
+ EXTRA_ARGS="--tlsverify \
+ --tlscacert=${DOCKER_CERT_PATH}/ca.pem \
+ --tlscert=${DOCKER_CERT_PATH}/server-cert.pem \
+ --tlskey=${DOCKER_CERT_PATH}/server-key.pem \
+ -H ${DOCKER_HOST} \
+ -H unix:///var/run/docker.sock"
+ mkdir -p /etc/satlab
+ echo "export DOCKER_CERT_PATH=${DOCKER_CERT_PATH}" > /etc/satlab/dockerd.env
+ echo "export DOCKER_HOST=${DOCKER_HOST}" >> /etc/satlab/dockerd.env
+ echo "export DOCKER_TLS_VERIFY=true" >> /etc/satlab/dockerd.env
fi
/usr/bin/dockerd --data-root "${DOCKER_DATA_ROOT}" ${EXTRA_ARGS}
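Review bot: The CA key generated at the `openssl genrsa -aes256 ... -passout pass:pass` step is immediately rewritten in plaintext by the following `openssl rsa ... -passin pass:pass -out` call to the same path, so the AES wrapping protects nothing while the literal passphrase is exposed in process arguments and in the bootup log this script redirects to; the later `-passin pass:pass` flags on the `req`/`x509` calls are likewise no-ops against an unencrypted key. Replace the two commands with a single `openssl genrsa -out "${DOCKER_CERT_PATH}/ca-key.pem" 4096` and drop the three `-passin pass:pass` lines. Separately, every boot regenerates the CA and therefore invalidates any client cert previously exported from the volume; if that is not intended, guard the whole generation with `if [ ! -f "${DOCKER_CERT_PATH}/ca.pem" ]; then`. Note also that none of the openssl steps is checked and the `script` block's options are outside this hunk, so a failed step would still reach the `dockerd --tlsverify` launch below with missing or stale files; a `|| exit 1` on the final `x509` signing calls (or `set -e` at the top of the block) would make that visible.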
@@ -55,4 +126,12 @@
# check that docker is actually running before the started event is emitted
post-start script
while ! docker info ; do sleep 1 ; done
+
+ # Use hello-world container to create a volume to store tls certs.
+ id=$(docker container create -v docker_tls:/docker_tls hello-world)
+ PEMS="ca cert key"
+ for p in ${PEMS}; do
+ docker cp ${DOCKER_CERT_PATH}/$p.pem $id:/docker_tls
+ done
+ docker rm $id
end script
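Review bot: The `docker container create ... hello-world` call is unchecked: the image must already be present or pullable, and on failure `$id` is empty, so the `docker cp`/`docker rm` lines run against an empty target and the client credentials silently never reach the volume. The copy also runs on every boot regardless of `APP_KEY`, while the certs are only generated on the `satlab` branch of the main script, so on other app keys (if that path is reachable here — the `APP_KEY` source is outside this hunk) the `docker cp` fails each boot. Worth a comment as well: `key.pem` is a client key that `--tlsverify` accepts for full control of the daemon, so any container able to mount `docker_tls` effectively holds root on the host; `# NOTE: anything that can mount docker_tls gets root-equivalent API access` makes that explicit. Suggested rewrite of the copy step:

```shell
  # Use hello-world container to create a volume to store tls certs.
  # NOTE: anything that can mount docker_tls gets root-equivalent API access.
  if [ -f "${DOCKER_CERT_PATH}/ca.pem" ] \
      && id=$(docker container create -v docker_tls:/docker_tls hello-world); then
    for p in ca cert key; do
      docker cp "${DOCKER_CERT_PATH}/$p.pem" "$id:/docker_tls"
    done
    docker rm "$id"
  else
    echo "moblab-dockerd: tls certs not exported to docker_tls volume" >&2
  fi
```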