docker related
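--- /dev/null
+++ b/docker/scripts/setup-docker-tls.sh
@@ -0,0 +1,101 @@
+#!/bin/bash
+# Docker TLS Setup Script
+# Configures Docker daemon with TLS certificates for secure API access
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+CERTS_DIR="$PROJECT_ROOT/certs"
+
+# Configuration
+DOCKER_HOST_IP="${DOCKER_HOST_IP:-127.0.0.1}"
+DOCKER_TLS_PORT="${DOCKER_TLS_PORT:-2376}"
+
+echo "Setting up Docker TLS configuration..."
+echo "Certificates directory: $CERTS_DIR"
+echo "Docker host IP: $DOCKER_HOST_IP"
+echo "TLS port: $DOCKER_TLS_PORT"
+
+# Check if certificates exist
+if [[ ! -f "$CERTS_DIR/ca.pem" || ! -f "$CERTS_DIR/server-cert.pem" || ! -f "$CERTS_DIR/server-key.pem" ]]; then
+echo "Error: TLS certificates not found. Run generate-certs.sh first."
+exit 1
+fi
+
+# Create Docker daemon configuration
+DAEMON_CONFIG="/etc/docker/daemon.json"
+BACKUP_CONFIG="/etc/docker/daemon.json.backup.$(date +%Y%m%d_%H%M%S)"
+
+echo "Configuring Docker daemon for TLS..."
+
+# Backup existing configuration if it exists
+if [[ -f "$DAEMON_CONFIG" ]]; then
+echo "Backing up existing daemon.json to $BACKUP_CONFIG"
+sudo cp "$DAEMON_CONFIG" "$BACKUP_CONFIG"
+fi
+
+# Create new daemon configuration
+sudo tee "$DAEMON_CONFIG" > /dev/null << EOF
+{
+"tls": true,
+"tlsverify": true,
+"tlscacert": "/etc/docker/certs/ca.pem",
+"tlscert": "/etc/docker/certs/server-cert.pem",
+"tlskey": "/etc/docker/certs/server-key.pem",
+"hosts": ["tcp://0.0.0.0:$DOCKER_TLS_PORT", "unix:///var/run/docker.sock"],
+"log-driver": "json-file",
+"log-opts": {
+"max-size": "10m",
+"max-file": "3"
+},
+"storage-driver": "overlay2",
+"iptables": false,
+"bridge": "none",
+"live-restore": true,
+"userland-proxy": false,
+"no-new-privileges": true,
+"userns-remap": "default"
+}
+EOF
+
+# Create Docker certificates directory
+sudo mkdir -p /etc/docker/certs
+
+# Copy certificates to Docker directory
+echo "Installing TLS certificates..."
+sudo cp "$CERTS_DIR/ca.pem" /etc/docker/certs/
+sudo cp "$CERTS_DIR/server-cert.pem" /etc/docker/certs/
+sudo cp "$CERTS_DIR/server-key.pem" /etc/docker/certs/
+sudo cp "$CERTS_DIR/client-cert.pem" /etc/docker/certs/
+sudo cp "$CERTS_DIR/client-key.pem" /etc/docker/certs/
+
+# Set proper permissions
+sudo chmod 0444 /etc/docker/certs/ca.pem /etc/docker/certs/server-cert.pem /etc/docker/certs/client-cert.pem
+sudo chmod 0400 /etc/docker/certs/server-key.pem /etc/docker/certs/client-key.pem
+sudo chown root:root /etc/docker/certs/*
+
+echo "Restarting Docker daemon..."
+sudo systemctl restart docker
+
+# Wait for Docker to restart
+sleep 5
+
+# Test TLS connection
+echo "Testing TLS connection..."
+if docker --tlsverify --tlscacert="$CERTS_DIR/ca.pem" --tlscert="$CERTS_DIR/client-cert.pem" --tlskey="$CERTS_DIR/client-key.pem" -H tcp://$DOCKER_HOST_IP:$DOCKER_TLS_PORT version > /dev/null 2>&1; then
+echo "✅ TLS connection successful!"
+else
+echo "❌ TLS connection failed!"
+exit 1
+fi
+
+echo ""
+echo "Docker TLS setup complete!"
+echo ""
+echo "Environment variables for applications:"
+echo " export DOCKER_TLS_VERIFY=1"
+echo " export DOCKER_CERT_PATH=$CERTS_DIR"
+echo " export DOCKER_HOST=tcp://$DOCKER_HOST_IP:$DOCKER_TLS_PORT"
+echo ""
+echo "For docker-compose, add these to your environment or .env file."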
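Review bot: The daemon's listen address in the generated daemon.json is hard-coded to `tcp://0.0.0.0:$DOCKER_TLS_PORT`, while `DOCKER_HOST_IP` (default 127.0.0.1) is only used for the connection test and the printed env vars, so the TLS endpoint is exposed on every interface even when the operator asked for loopback only; derive it from the same variable, `"hosts": ["tcp://$DOCKER_HOST_IP:$DOCKER_TLS_PORT", "unix:///var/run/docker.sock"],`. The backup written to `$BACKUP_CONFIG` is never restored: if `systemctl restart docker` fails under `set -e`, or the TLS test in the `else` branch exits 1, the host is left with the new config and possibly no running daemon, so the failure path should copy the backup back and restart, e.g. `if [[ -f "$BACKUP_CONFIG" ]]; then sudo cp "$BACKUP_CONFIG" "$DAEMON_CONFIG"; sudo systemctl restart docker; fi` before `exit 1`. Setting `"hosts"` in daemon.json is likely to collide with a distro systemd unit that already passes `-H fd://` on the command line (the daemon refuses to start when a directive appears in both places), which would make the restart fail on those installs; a comment pointing to a systemd drop-in override would save the next operator a debugging session. The client key is also installed into `/etc/docker/certs` alongside the server key although nothing in the daemon config reads it; dropping the `client-key.pem`/`client-cert.pem` copies keeps the client credential out of the daemon directory. Finally `-H tcp://$DOCKER_HOST_IP:$DOCKER_TLS_PORT` in the test should be quoted, and the fixed `sleep 5` could be a short poll on `docker version` so the test does not fail spuriously on slow restarts.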