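#!/usr/bin/env bash
# Modified from https://gist.github.com/Stono/7e6fed13cfd79598eb15
#
# MIT License applies to this script. I don't accept any responsibility for
# damage you may cause using it.
#
# Sets up TLS for the Docker daemon on this host:
#   - generates a private CA, a server certificate (SAN = HOSTNAME) and a
#     client certificate under /etc/docker,
#   - writes /etc/profile.d/docker.sh so shells pick up DOCKER_HOST,
#     DOCKER_CERT_PATH and DOCKER_TLS_VERIFY,
#   - writes /etc/docker/daemon.json and a systemd ExecStart override so the
#     "hosts" setting in daemon.json does not conflict with the unit's -H flag,
#   - bundles the client files (key.pem, ca.pem, cert.pem) into certs.tar.gz
#     in the directory the script was started from.
#
# Usage: ./Setup_Docker_TLS.sh HOSTNAME   (must be run as root)
#
# -x traces every command to stderr; the private keys are only ever written
# to files by openssl, never passed on a command line.
set -euo pipefail
set -x

if [[ $EUID -ne 0 ]]; then
  echo "* This script needs to be run as root" >&2
  exit 1
fi

readonly DOCKER_CONFIG_PATH="/etc/docker"
readonly SYSTEMD_DROPIN_DIR="/etc/systemd/system/docker.service.d"
CURRENT_DIRECTORY="$(pwd)"
readonly CURRENT_DIRECTORY

if [ "$#" -eq 1 ]; then
  HOSTNAME="$1"
else
  echo "Usage: ./Setup_Docker_TLS.sh HOSTNAME" >&2
  exit 1
fi

echo "* Using Hostname: $HOSTNAME"
echo "* You MUST connect to docker using this host !"

echo "* Ensuring config directory exists..."
mkdir -p "$DOCKER_CONFIG_PATH"
cd "$DOCKER_CONFIG_PATH"

# openssl x509 -req -CA ... reads the serial from ca.srl. The original test
# looked for "ca.src", so the serial file was recreated on every run.
if [ ! -f "ca.srl" ]; then
  echo " => Creating ca.srl"
  echo 01 > ca.srl
fi

# Server extensions: the SAN carries the hostname clients dial; 0.0.0.0 is the
# bind address used in daemon.json below and 127.0.0.1 allows local clients.
echo "* Create extfile.cnf."
printf 'subjectAltName = DNS:%s,IP:0.0.0.0,IP:127.0.0.1\n' "$HOSTNAME" > extfile.cnf
printf 'extendedKeyUsage = serverAuth\n' >> extfile.cnf
echo "* Create extfile-client.cnf."
printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf

# Private CA (self-signed, 10 years). The CA key is regenerated on every run,
# so previously issued client certificates stop validating after a re-run.
echo "* Generate ca-key.pem."
openssl genrsa -out ca-key.pem 4096
echo "* Generate ca.pem."
openssl req -new -x509 -subj "/CN=$HOSTNAME" -nodes -days 3650 -key ca-key.pem -out ca.pem

# Server certificate, signed by the CA with the serverAuth extensions above.
echo "* Generate server-key.pem."
openssl genrsa -out server-key.pem 4096
echo "* Generate server.csr."
openssl req -subj "/CN=$HOSTNAME" -new -key server-key.pem -out server.csr
echo "* Generate server-cert.pem."
openssl x509 -req -days 3650 -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem -extfile extfile.cnf

# Client certificate (CN=docker.client), signed by the CA with clientAuth only.
echo "* Generate key.pem."
openssl genrsa -out key.pem 4096
echo "* Generate client.csr."
openssl req -subj '/CN=docker.client' -new -key key.pem -out client.csr
echo "* Generate cert.pem."
openssl x509 -req -days 3650 -in client.csr -CA ca.pem \
  -CAkey ca-key.pem -out cert.pem -extfile extfile-client.cnf

# CSRs and extension files are no longer needed once the certs are issued.
rm -v client.csr server.csr extfile.cnf extfile-client.cnf
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem

if [ -d "/etc/profile.d" ]; then
  echo "* Creating profile.d/docker"
  cat > "/etc/profile.d/docker.sh" << EOL
#!/bin/bash
export DOCKER_CERT_PATH=$DOCKER_CONFIG_PATH
export DOCKER_HOST=tcp://$HOSTNAME:2376
export DOCKER_TLS_VERIFY=1
EOL
  chmod +x /etc/profile.d/docker.sh
  # shellcheck disable=SC1091 — file was just written above
  source /etc/profile.d/docker.sh
else
  echo "* WARNING: No /etc/profile.d directory on your system."
  echo "* You will need to set the following environment variables before running the docker client:"
  echo "* export DOCKER_CERT_PATH=$DOCKER_CONFIG_PATH"
  echo "* export DOCKER_HOST=tcp://$HOSTNAME:2376"
  echo "* export DOCKER_TLS_VERIFY=1"
fi

# The daemon verifies client certificates against ca.pem (tlsverify) and
# listens on both the local socket and TCP 2376 on every interface.
echo "* Configuring /etc/docker/daemon.json"
cat > "/etc/docker/daemon.json" << EOL
{
"tlsverify": true,
"tls": true,
"tlscacert": "$DOCKER_CONFIG_PATH/ca.pem",
"tlscert": "$DOCKER_CONFIG_PATH/server-cert.pem",
"tlskey": "$DOCKER_CONFIG_PATH/server-key.pem",
"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"]
}
EOL

# Clear the packaged ExecStart (which passes -H) so "hosts" in daemon.json is
# the only listener configuration. The drop-in directory does not exist on a
# fresh install, so create it first.
echo "* Fix systemd starting script to avoid conflict with /etc/docker/daemon.json."
mkdir -p "$SYSTEMD_DROPIN_DIR"
cat > "$SYSTEMD_DROPIN_DIR/override.conf" << EOL
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd
EOL
systemctl daemon-reload

# The archive contains the client private key (key.pem): keep it readable by
# its owner only and hand it to the user who invoked sudo, if any, instead of
# making it world-readable and world-writable as chmod 777 did.
echo "* Compress client TLS files and copy to current directory."
tar cvzf "$CURRENT_DIRECTORY/certs.tar.gz" key.pem ca.pem cert.pem
chmod 0600 "$CURRENT_DIRECTORY/certs.tar.gz"
if [[ -n "${SUDO_UID:-}" && -n "${SUDO_GID:-}" ]]; then
  chown "$SUDO_UID:$SUDO_GID" "$CURRENT_DIRECTORY/certs.tar.gz"
fi

# DOCKER_CERT_PATH in profile.d points at this directory, so members of the
# docker group need to read ca.pem, cert.pem and key.pem from here. The CA
# and server private keys are only used by this script and by dockerd (root),
# so they are tightened back to owner-only after the recursive chmod.
echo "* Set correct permissions."
chgrp -R docker "$DOCKER_CONFIG_PATH"
chmod -R g+xr "$DOCKER_CONFIG_PATH"
chmod 0400 ca-key.pem server-key.pem

# Already root here; use systemctl to match the daemon-reload above.
echo "* Restarting the docker daemon."
systemctl restart docker

echo "* You will need to set the following environment variables before running the docker client:"
if [ -f /etc/profile.d/docker.sh ]; then
  cat /etc/profile.d/docker.sh
else
  echo "* export DOCKER_CERT_PATH=$DOCKER_CONFIG_PATH"
  echo "* export DOCKER_HOST=tcp://$HOSTNAME:2376"
  echo "* export DOCKER_TLS_VERIFY=1"
fi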