looztra · June 10, 2024 13:46
diff --git a/01-docker-tls.sh b/01-docker-tls.sh
 #!/bin/env bash
 # Configuration
 export PUBLIC_DNS=<public hostname>
 export PUBLIC_IP=<public host IP>
 export PRIVATE_IP=<private host IP>

 mkdir docker-ca
 chmod 0700 docker-ca/
 cd docker-ca/

 # CA key
 openssl genrsa -aes256 -out ca-key.pem 2048
 # CA certificate
 openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

 # Server key
 openssl genrsa -out server-key.pem 2048
 # Server CSR on DNS name
 openssl req -subj "/CN=${PUBLIC_DNS}" -new -key server-key.pem -out server.csr
 # Alts on IPs
 echo "subjectAltName = IP:${PUBLIC_IP},IP:${PRIVATE_IP},IP:127.0.0.1" > extfile.cnf
 # Server certificate
 openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf

 # Client key
 openssl genrsa -out client-key.pem 2048
 # Client CSR
 openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
 # clientAuth
 echo extendedKeyUsage = clientAuth > extfile.cnf
 # Client certificate
 openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile.cnf

 # Securing
 chmod -v 0400 *-key.pem
 chmod -v 0444 ca.pem *-cert.pem

 # Moving
 sudo mkdir -p /etc/docker
 sudo chown root:docker /etc/docker
 sudo chmod 700 /etc/docker
 sudo cp ~/docker-ca/{ca,server-*}.pem /etc/docker
diff --git a/02-configure-docker-systemd-socket.sh b/02-configure-docker-systemd-socket.sh
 # Configuring Docker to use TLS **WITH** systemd socket
 # https://docs.docker.com/engine/reference/commandline/dockerd//#daemon-configuration-file

 echo '{
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "tlsverify": true
 }' | sudo tee /etc/docker/daemon.json

 # Configuring systemd socket to listen on TCP
 # https://github.com/docker/docker/issues/25471#issuecomment-238076313
 sudo mkdir -p /etc/systemd/system/docker.socket.d
 echo '[Socket]
 ListenStream= # If you want to disable default unix socket
 ListenStream=0.0.0.0:2376' | sudo tee /etc/systemd/system/docker.socket.d/tcp_secure.conf
 sudo systemctl daemon-reload
 sudo service docker restart
diff --git a/03-configure-docker-NO-systemd-socket.sh b/03-configure-docker-NO-systemd-socket.sh
 # Configuring Docker to use TLS **WITHOUT** systemd socket
 # https://docs.docker.com/engine/reference/commandline/dockerd//#daemon-configuration-file

 echo '{
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://0.0.0.0:2376"
  ],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "tlsverify": true
 }' | sudo tee /etc/docker/daemon.json

 # Disable systemd docker host configuration
 sudo mkdir -p /etc/systemd/system/docker.service.d
 echo '[Service]
 ExecStart=
 ExecStart=/usr/bin/dockerd' | sudo tee /etc/systemd/system/docker.service.d/simple_dockerd.conf
 sudo systemctl daemon-reload
 sudo service docker restart
diff --git a/04-tls-local-test.sh b/04-tls-local-test.sh
 docker \
  --host tcp://localhost:2376 \
  --tlsverify \
  --tlscacert=~/docker-ca/ca.pem \
  --tlscert=~/docker-ca/client-cert.pem \
  --tlskey=~/docker-ca/client-key.pem \
  container ls

 # Simplification
 export DOCKER_HOST=tcp://localhost:2376
 export DOCKER_TLS_VERIFY=1
 mkdir -p ~/.docker
 cp ~/docker-ca/ca.pem ~/.docker/
 cp ~/docker-ca/client-cert.pem ~/.docker/cert.pem
 cp ~/docker-ca/client-key.pem ~/.docker/key.pem

 docker container ls
diff --git a/05-tl-remote-test.sh b/05-tl-remote-test.sh
 # On another node than master
 export MASTER_PRIVATE_IP=10.X.Y.Z

 export DOCKER_HOST=tcp://${MASTER_PRIVATE_IP}:2376
 export DOCKER_TLS_VERIFY=1
 scp -r ${MASTER_PRIVATE_IP}:~/.docker ~/

 docker container ls
diff --git a/10-insecure-registry.sh b/10-insecure-registry.sh
 # On another node than the registry

 export REGISTRY_PRIVATE_IP=10.X.Y.Z

 # Configure unsecure registries
 echo "{
  \"insecure-registries\": [
    \"${REGISTRY_PRIVATE_IP}:5000\"
  ]
 }" | sudo tee /etc/docker/daemon.json

 # Reload docker config
 sudo service docker reload

 # Pull from insecure registry
 docker pull ${REGISTRY_PRIVATE_IP}:5000/johnnytu/busybox:1.0
diff --git a/20-dockercoins-build-ship.sh b/20-dockercoins-build-ship.sh
 export DOCKERHUB_USERNAME=...

 docker login --username ${DOCKERHUB_USERNAME}

 # Build & publish
 cd ~/orchestration-workshop/dockercoins/
 for service in hasher rng worker webui; do
  docker-compose build ${service}
  docker image tag dockercoins_${service} ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0
  docker push ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0
 done
diff --git a/21-dockercoins-run.sh b/21-dockercoins-run.sh
 # Create network
 docker network create --driver overlay dockercoins

 # Run
 docker service create --network dockercoins --name redis redis
 for service in hasher rng worker webui; do
  docker service create --network dockercoins --name ${service} ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0
 done

 docker service update webui --publish-add 8080:80
	#!/bin/env bash
	# Configuration
	export PUBLIC_DNS=<public hostname>
	export PUBLIC_IP=<public host IP>
	export PRIVATE_IP=<private host IP>

	mkdir docker-ca
	chmod 0700 docker-ca/
	cd docker-ca/

	# CA key
	openssl genrsa -aes256 -out ca-key.pem 2048
	# CA certificate
	openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

	# Server key
	openssl genrsa -out server-key.pem 2048
	# Server CSR on DNS name
	openssl req -subj "/CN=${PUBLIC_DNS}" -new -key server-key.pem -out server.csr
	# Alts on IPs
	echo "subjectAltName = IP:${PUBLIC_IP},IP:${PRIVATE_IP},IP:127.0.0.1" > extfile.cnf
	# Server certificate
	openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf

	# Client key
	openssl genrsa -out client-key.pem 2048
	# Client CSR
	openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
	# clientAuth
	echo extendedKeyUsage = clientAuth > extfile.cnf
	# Client certificate
	openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile.cnf

	# Securing
	chmod -v 0400 *-key.pem
	chmod -v 0444 ca.pem *-cert.pem

	# Moving
	sudo mkdir -p /etc/docker
	sudo chown root:docker /etc/docker
	sudo chmod 700 /etc/docker
	sudo cp ~/docker-ca/{ca,server-*}.pem /etc/docker
	# Configuring Docker to use TLS WITH systemd socket
	# https://docs.docker.com/engine/reference/commandline/dockerd//#daemon-configuration-file

	echo '{
	"tls": true,
	"tlscacert": "/etc/docker/ca.pem",
	"tlscert": "/etc/docker/server-cert.pem",
	"tlskey": "/etc/docker/server-key.pem",
	"tlsverify": true
	}' \| sudo tee /etc/docker/daemon.json

	# Configuring systemd socket to listen on TCP
	# https://github.com/docker/docker/issues/25471#issuecomment-238076313
	sudo mkdir -p /etc/systemd/system/docker.socket.d
	echo '[Socket]
	ListenStream= # If you want to disable default unix socket
	ListenStream=0.0.0.0:2376' \| sudo tee /etc/systemd/system/docker.socket.d/tcp_secure.conf
	sudo systemctl daemon-reload
	sudo service docker restart
	# Configuring Docker to use TLS WITHOUT systemd socket
	# https://docs.docker.com/engine/reference/commandline/dockerd//#daemon-configuration-file

	echo '{
	"hosts": [
	"unix:///var/run/docker.sock",
	"tcp://0.0.0.0:2376"
	],
	"tls": true,
	"tlscacert": "/etc/docker/ca.pem",
	"tlscert": "/etc/docker/server-cert.pem",
	"tlskey": "/etc/docker/server-key.pem",
	"tlsverify": true
	}' \| sudo tee /etc/docker/daemon.json

	# Disable systemd docker host configuration
	sudo mkdir -p /etc/systemd/system/docker.service.d
	echo '[Service]
	ExecStart=
	ExecStart=/usr/bin/dockerd' \| sudo tee /etc/systemd/system/docker.service.d/simple_dockerd.conf
	sudo systemctl daemon-reload
	sudo service docker restart
	docker \
	--host tcp://localhost:2376 \
	--tlsverify \
	--tlscacert=~/docker-ca/ca.pem \
	--tlscert=~/docker-ca/client-cert.pem \
	--tlskey=~/docker-ca/client-key.pem \
	container ls

	# Simplification
	export DOCKER_HOST=tcp://localhost:2376
	export DOCKER_TLS_VERIFY=1
	mkdir -p ~/.docker
	cp ~/docker-ca/ca.pem ~/.docker/
	cp ~/docker-ca/client-cert.pem ~/.docker/cert.pem
	cp ~/docker-ca/client-key.pem ~/.docker/key.pem

	docker container ls
	# On another node than master
	export MASTER_PRIVATE_IP=10.X.Y.Z

	export DOCKER_HOST=tcp://${MASTER_PRIVATE_IP}:2376
	export DOCKER_TLS_VERIFY=1
	scp -r ${MASTER_PRIVATE_IP}:~/.docker ~/

	docker container ls
	# On another node than the registry

	export REGISTRY_PRIVATE_IP=10.X.Y.Z

	# Configure unsecure registries
	echo "{
	\"insecure-registries\": [
	\"${REGISTRY_PRIVATE_IP}:5000\"
	]
	}" \| sudo tee /etc/docker/daemon.json

	# Reload docker config
	sudo service docker reload

	# Pull from insecure registry
	docker pull ${REGISTRY_PRIVATE_IP}:5000/johnnytu/busybox:1.0
	export DOCKERHUB_USERNAME=...

	docker login --username ${DOCKERHUB_USERNAME}

	# Build & publish
	cd ~/orchestration-workshop/dockercoins/
	for service in hasher rng worker webui; do
	docker-compose build ${service}
	docker image tag dockercoins_${service} ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0
	docker push ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0
	done
	# Create network
	docker network create --driver overlay dockercoins

	# Run
	docker service create --network dockercoins --name redis redis
	for service in hasher rng worker webui; do
	docker service create --network dockercoins --name ${service} ${DOCKERHUB_USERNAME}/dockercoins_${service}:1.0
	done

	docker service update webui --publish-add 8080:80