
bradleya / docker-security-infrastructure


Automate the generation, setup, checking and copying of site, host and user Docker TLS certificates; set up and manage dockerd configuration for Ubuntu 16.04 (systemd) and Ubuntu 14.04 (Upstart); check ssh permissions.

License: MIT License

Shell 95.17% DIGITAL Command Language 4.83%
certificate certificate-authority certificate-generation docker docker-configuration docker-tls dockerd openssl openssl-certs openssl-client-server security ssh ssl ssl-certificate systemd systemd-service tls tls-certificate ufw-firewall upstart

docker-security-infrastructure's Issues

docker-TLS/check-host-tls.sh - modify output: add user message about certificate expiry

Add a user message about certificate expiry and keep the log WARN message.
$ sudo check-host-tls.sh
[sudo] password for uthree:
2019-05-07T17:20:29.206597-05:00 (CDT) three.cptx86.com /usr/local/bin/check-host-tls.sh[24711] 3.213.648 104 root 0:0 [INFO] Started...
2019-05-07T17:20:29.214027-05:00 (CDT) three.cptx86.com /usr/local/bin/check-host-tls.sh[24711] 3.213.648 134 root 0:0 [INFO] Checking TLS certifications and directory permissions.

    Certificate on three.cptx86.com, /etc/docker/certs.d/daemon//ca.pem, is  GOOD  until Dec  5 22:34:44 2020 GMT
2019-05-07T17:20:29.230869-05:00 (CDT) three.cptx86.com /usr/local/bin/check-host-tls.sh[24711] 3.213.648 171 root 0:0 [WARN]  Certificate on three.cptx86.com, /etc/docker/certs.d/daemon//cert.pem,  EXPIRES  on May 31 15:27:33 2019 GMT

    Use script  create-host-tls.sh  to update expired host TLS.

    View dockerd daemon certificate issuer data of the ca.pem file:
    issuer= /C=US/ST=Texas/L=Cedar Park/O=Company Name/OU=IT/CN=two.cptx86.com

    View dockerd daemon certificate issuer data of the cert.pem file:
    issuer= /C=US/ST=Texas/L=Cedar Park/O=Company Name/OU=IT/CN=two.cptx86.com

    Verify that dockerd daemon certificate was issued by the CA:
    /etc/docker/certs.d/daemon/cert.pem: OK

    Verify and correct file permissions.

    Use script create-host-tls.sh to update host TLS if host TLS certificate has expired.

2019-05-07T17:20:29.254263-05:00 (CDT) three.cptx86.com /usr/local/bin/check-host-tls.sh[24711] 3.213.648 227 root 0:0 [INFO]  Operation finished.

dockerd-configuration-options - why systemd

I had a similar challenge when I started moving some systems from Ubuntu 14.04 to Ubuntu 16.04. My goal was to use one dockerd configuration file with dockerd flags (DOCKER_OPTS) for both Ubuntu 16.04 (systemd) and Ubuntu 14.04 (Upstart), other than /etc/docker/daemon.json. I chose not to use /etc/docker/daemon.json for docker daemon configuration because JSON does not support comments.

I wanted a systemd design to use an override file, which only modifies dockerd flags. It uses the default Docker systemd configuration file (/lib/systemd/system/docker.service) for other Docker settings. Another objective was to customise systemd on each system after each change or boot.

It solves my challenge. It may help you.

git clone https://github.com/BradleyA/docker-scripts
cd docker-scripts/dockerd-configuration-options
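As an added example (not the repository's own script), the drop-in approach described in the reply above: a function that writes 10-override.conf into /etc/systemd/system/docker.service.d so that only ExecStart is replaced and the packaged docker.service supplies everything else. The drop-in name, directory and environment file path are the ones printed by setup-dockerd.sh elsewhere on this page; the dockerd path (/usr/bin/dockerd) and the DOCKER_OPTS variable name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the repository. Writes a systemd drop-in that keeps the
# packaged /lib/systemd/system/docker.service and overrides only ExecStart, pulling
# dockerd flags from a shell-style environment file (which, unlike daemon.json,
# may contain comments).
# Assumptions: dockerd lives at /usr/bin/dockerd; the environment file sets DOCKER_OPTS.

write_docker_override() {
    dropin_dir=${1:-/etc/systemd/system/docker.service.d}
    env_file=${2:-/etc/docker/dockerd-configuration-file}
    mkdir -p "$dropin_dir" || return 1
    # ExecStart is a list in systemd: the empty "ExecStart=" line clears the packaged
    # value; without it the override would be appended and the unit would fail to start.
    # "EnvironmentFile=-" makes a missing environment file non-fatal.
    cat > "$dropin_dir/10-override.conf" <<EOF
# Generated drop-in: only dockerd flags are overridden here.
[Service]
EnvironmentFile=-$env_file
ExecStart=
ExecStart=/usr/bin/dockerd \$DOCKER_OPTS
EOF
    chmod 644 "$dropin_dir/10-override.conf"
}

# Return the last DOCKER_OPTS=value line of the environment file with surrounding
# double quotes removed (comments and other lines ignored); 1 if missing or unset.
read_docker_opts() {
    env_file=$1
    [ -f "$env_file" ] || return 1
    opts=$(sed -n 's/^DOCKER_OPTS=//p' "$env_file" | tail -n 1)
    opts=${opts#\"}; opts=${opts%\"}
    [ -n "$opts" ] || return 1
    printf '%s\n' "$opts"
}

# On a real host (as root): write_docker_override && systemctl daemon-reload && systemctl restart docker
```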

./check-user-tls.sh; need to add more checks

$ ./check-user-tls.sh

View /home/uadmin/.docker certificate expiration date of ca.pem file.
Error opening Certificate /home/uadmin/.docker/ca.pem
1995424976:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/home/uadmin/.docker/ca.pem','r')
1995424976:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate

View /home/uadmin/.docker certificate expiration date of cert.pem file
Error opening Certificate /home/uadmin/.docker/cert.pem
1995470032:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/home/uadmin/.docker/cert.pem','r')
1995470032:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate

View /home/uadmin/.docker certificate issuer data of the ca.pem file.
Error opening Certificate /home/uadmin/.docker/ca.pem
1995437264:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/home/uadmin/.docker/ca.pem','r')
1995437264:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate

View /home/uadmin/.docker certificate issuer data of the cert.pem file.
Error opening Certificate /home/uadmin/.docker/cert.pem
1995695312:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/home/uadmin/.docker/cert.pem','r')
1995695312:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate

Verify that user public key in your certificate matches the public portion of your private key.
Error opening Certificate cert.pem
1995756752:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('cert.pem','r')
1995756752:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
(stdin)= d41d8cd98f00b204e9800998ecf8427e
Error opening Private Key key.pem
1995670736:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('key.pem','r')
1995670736:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load Private Key
If only one line of output is returned then the public key matches the public portion of your private key.

Verify that user certificate was issued by the CA.
Error loading file /home/uadmin/.docker/ca.pem
1995486416:error:02001002:system library:fopen:No such file or directory:bss_file.c:175:fopen('/home/uadmin/.docker/ca.pem','r')
1995486416:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:178:
1995486416:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:253:
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-no_alt_chains] [-attime timestamp] [-engine e] cert1 cert2 ...
recognized usages:
sslclient SSL client
sslserver SSL server
nssslserver Netscape SSL server
smimesign S/MIME signing
smimeencrypt S/MIME encryption
crlsign CRL signing
any Any Purpose
ocsphelper OCSP helper
timestampsign Time Stamp signing
stat: cannot stat '/home/uadmin/.docker/ca.pem': No such file or directory
./check-user-tls.sh: line 78: [: !=: unary operator expected
stat: cannot stat '/home/uadmin/.docker/cert.pem': No such file or directory
./check-user-tls.sh: line 83: [: !=: unary operator expected
stat: cannot stat '/home/uadmin/.docker/key.pem': No such file or directory
./check-user-tls.sh: line 88: [: !=: unary operator expected

dockerd-configuration-options - Unable to delete docker from UBUNTU 16.04 LTS

Hi,
I ran
$ ./setup-dockerd.sh

./setup-dockerd.sh 49 [INFO]: Changes made to
/etc/docker/dockerd-configuration-file will be added to Upstart and
Systemd configuration files for dockerd.

./setup-dockerd.sh 76 [INFO]: Update files for dockerd (Upstart and SysVinit
configuration file) for Ubuntu 14.04.
./setup-dockerd.sh 89 [INFO]: Copy /etc/docker/docker.org to
/etc/docker/docker without Custom_dockerd_Configuration_File section.
./setup-dockerd.sh 92 [INFO]: Append /etc/docker/dockerd-configuration-file
onto /etc/docker/docker.
./setup-dockerd.sh 95 [INFO]: Move /etc/docker/docker to /etc/default/docker
./setup-dockerd.sh 98 [INFO]: dockerd (Upstart and SysVinit configuration
file) for Ubuntu 14.04 has been updated.

./setup-dockerd.sh 99 [INFO]: If you are using upstart, Run
'sudo service docker restart' for dockerd to read /etc/default/docker.

./setup-dockerd.sh 106 [INFO]: Update files for dockerd (systemd configuration
file) on Ubuntu 16.04.
/etc/docker/start-dockerd-with-systemd.sh 113 [INFO]: Creating
/etc/docker/10-override.conf file.
/etc/docker/start-dockerd-with-systemd.sh 121 [INFO]: 10-override.conf move
to /etc/systemd/system/docker.service.d.
/etc/docker/start-dockerd-with-systemd.sh 127 [INFO]: Done

./setup-dockerd.sh 116 [INFO]: If you are using systemd, Run
'sudo systemctl enable dockerd-configuration-file.service'
to start on boot.
./setup-dockerd.sh 117 [INFO]: Run 'sudo systemctl enable docker'
to start on boot.
./setup-dockerd.sh 118 [INFO]: Run 'sudo systemctl restart docker'

After that I tried removing Docker, but it throws an error:

$ sudo apt-get remove docker*
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package docker-scripts

Can you please let me know how I can resolve it? I want to remove the scripts and Docker completely so that I can reinstall everything. Please help.

Thanks,
Shashi

docker-TLS/check-{host,user}-tls.sh - which one should check if the ca.pem match

Incident - docker-TLS/check-{host,user}-tls.sh - which one should check if the ca.pem match
ran docker version - host cert failed
ran check-host-tls.sh - passed
ran check-user-tls.sh - passed
created new cert, ran create-host-tls.sh - no incident
ran copy-host-2-remote-host-tls.sh - no incident
ran docker version - host cert failed
manually checked user and host ca.pem and they were different

Need to retest everything after all the formatting changes

Check on this incident:
change file names to use date format without : or _ close #17

modified:   check-host-tls.sh
modified:   check-user-tls.sh
modified:   copy-host-2-remote-host-tls.sh
modified:   copy-user-2-remote-host-tls.sh
modified:   create-host-tls.sh
modified:   create-new-openssl.cnf-tls.sh
modified:   create-user-tls.sh
uninstall-dockerd-scripts.sh
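An added example (not code from the repository) serving both the check-user-tls.sh failure above and this ca.pem incident: file tests that check existence and quote every variable (so a missing file reports MISSING instead of "[: !=: unary operator expected"), an expiry check, and a byte comparison of the user's ca.pem against the host's, which is the check that would have caught the mismatch. The paths are the ones used on this page; the expected modes (444 for certs, 400 for the key) and the 30-day window are assumptions.

```shell
#!/bin/sh
# Added example, not code from the repository. Hardened checks for the Docker client
# TLS files (~/.docker/{ca,cert,key}.pem) plus a CA comparison against the host's
# /etc/docker/certs.d/daemon/ca.pem. Expected modes (444 certs, 400 key) and the
# 30-day expiry window are assumptions, not the repository's settings.

# 0 if the path is a regular file with exactly the expected octal mode.
# Testing -f first and quoting "$f" avoids the "[: !=: unary operator expected"
# error seen above, which occurs when stat fails and an unquoted variable is empty.
check_file_mode() {
    f=$1; want=$2
    [ -f "$f" ] || { echo "MISSING  $f"; return 1; }
    have=$(stat -c '%a' "$f") || return 1
    [ "$have" = "$want" ] || { echo "BADMODE  $f is $have, expected $want"; return 1; }
    echo "OK       $f mode $have"
}

# 0 if the user's ca.pem is byte-identical to the host's ca.pem. This is the check
# missing from the incident above: both scripts passed while the two CAs differed.
check_ca_match() {
    user_ca=$1; host_ca=$2
    [ -f "$user_ca" ] && [ -f "$host_ca" ] || { echo "MISSING  ca.pem"; return 1; }
    cmp -s "$user_ca" "$host_ca" || { echo "MISMATCH user ca.pem != host ca.pem"; return 1; }
    echo "OK       user ca.pem matches host ca.pem"
}

# 0 if the certificate is still valid for at least $days days (uses openssl).
check_cert_expiry() {
    cert=$1; days=${2:-30}
    [ -f "$cert" ] || { echo "MISSING  $cert"; return 1; }
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null \
        || { echo "EXPIRES  $cert within $days days"; return 1; }
    echo "OK       $cert valid for at least $days days"
}

# Run every check and report all failures instead of stopping at the first one.
check_user_tls() {
    dir=${1:-$HOME/.docker}; host_ca=${2:-/etc/docker/certs.d/daemon/ca.pem}; rc=0
    check_file_mode "$dir/ca.pem"   444 || rc=1
    check_file_mode "$dir/cert.pem" 444 || rc=1
    check_file_mode "$dir/key.pem"  400 || rc=1
    check_cert_expiry "$dir/cert.pem" 30 || rc=1
    check_ca_match "$dir/ca.pem" "$host_ca" || rc=1
    return $rc
}
```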

copy-* remove nc -z line and replace with ssh line to support ~/.ssh/config ports

remove use of SSHPORT in script because script should get port of remote host from ~/.ssh/config file
new code
if ssh "${NODE}" exit >/dev/null 2>&1 ; then
current code
/usr/local/bin/copy-host-2-remote-host-tls.sh:if $(nc -z ${REMOTEHOST} ${SSHPORT} >/dev/null) ; then
/usr/local/bin/copy-user-2-remote-host-tls.sh:if $(nc -z ${REMOTEHOST} ${SSHPORT} >/dev/null) ; then

ufw/copy-ufw.sh - copy firewall Uncomplicated Firewall (UFW)

ufw/copy-ufw.sh - copy firewall Uncomplicated Firewall (UFW)
Create a firewall script to:
copy new port definitions;
allowing new port definitions with existing port definitions
pause x seconds, x minutes, x hours;
then remove existing port definitions

ufw/create-ufw.sh - create firewall Uncomplicated Firewall (UFW)

ufw/create-ufw.sh - create firewall Uncomplicated Firewall (UFW)

Create a firewall script to:
create new port definitions;
allowing new port definitions with existing port definitions
pause x seconds, x minutes, x hours;
then remove existing port definitions
