Last active
September 4, 2019 19:28
-
-
Save RomkeVdMeulen/c04464b9730a7f01d27a to your computer and use it in GitHub Desktop.
Script for setting up secure public connection for a Docker daemon
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| if [ $# -lt 2 ]; then | |
| echo "Usage: $0 [domain to connect] [password]" | |
| exit 1 | |
| fi | |
| set -e | |
| red='\033[0;31m' | |
| green='\033[0;32m' | |
| orange='\033[0;33m' | |
| blue='\033[0;34m' | |
| nocolor='\033[0m' | |
| if [ -d /etc/docker ] && [ -f /etc/docker/ca-key.pem ]; then | |
| echo -ne "${orange}Docker security config already exists: overwrite? [Y/n] ${nocolor}" | |
| read answer | |
| if [ "x${answer}" == "xn" ]; then exit; fi | |
| fi | |
| echo -e "${blue}Creating secure public connection for Docker daemon${nocolor}" | |
| [ -d /etc/docker ] || sudo mkdir /etc/docker | |
| cd /etc/docker | |
| sudo rm -v * | |
| echo -e "${blue}Generating Certificate Authority${nocolor}" | |
| sudo openssl genrsa -aes256 -passout pass:$2 -out ca-key.pem 2048 | |
| sudo openssl req -new -x509 -days 365 -key ca-key.pem -passin pass:$2 -sha256 -out ca.pem \ | |
| -subj '/C=NL/ST=./L=./O=./CN=$1' | |
| echo -e "${blue}Generating and signing server key${nocolor}" | |
| sudo openssl genrsa -out server-key.pem 2048 | |
| sudo openssl req -subj "/CN=$1" -new -key server-key.pem -out server.csr | |
| sudo openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -passin pass:$2 \ | |
| -CAcreateserial -out server-cert.pem | |
| echo -e "${blue}Generating and signing client key${nocolor}" | |
| sudo openssl genrsa -out key.pem 2048 | |
| sudo openssl req -subj '/CN=client' -new -key key.pem -out client.csr | |
| sudo sh -c 'echo "extendedKeyUsage = clientAuth" > extfile.cnf' | |
| sudo openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -passin pass:$2 \ | |
| -CAcreateserial -out cert.pem -extfile extfile.cnf | |
| sudo rm client.csr server.csr | |
| sudo chmod 0400 ca-key.pem key.pem server-key.pem | |
| sudo chmod 0444 ca.pem server-cert.pem cert.pem | |
| echo -e "${blue}Configuring Docker${nocolor}" | |
| echo 'DOCKER_OPTS="--tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock"' >> /etc/default/docker | |
| sudo service docker restart | |
| echo -e "${green}Secure Docker daemon connection now available on port 4243${nocolor}" | |
| echo "Let's test the connection by running:" | |
| echo "docker --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/cert.pem --tlskey=/etc/docker/key.pem -H=$1:4243 version" | |
| echo | |
| docker --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/cert.pem --tlskey=/etc/docker/key.pem -H=$1:4243 version |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment