From 3a6cc86578da7ea459dac38965692bad6a649ec9 Mon Sep 17 00:00:00 2001
From: Toshio Kuratomi
Date: Thu, 12 Mar 2015 12:53:48 -0700
Subject: [PATCH] Fix for problems found by @dguerri
* TLSConfig['verify'] has to be set to False if we're only encrypting the connection, not verifying the host.
* tls_hostname was not set if tls_ca_cert was not present https://github.com/ansible/ansible-modules-core/pull/926#issuecomment-78573877
---
 cloud/docker/docker.py | 27 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/cloud/docker/docker.py b/cloud/docker/docker.py
index 2815f5802fa..802ecbb8c8b 100644
--- a/cloud/docker/docker.py
+++ b/cloud/docker/docker.py
@@ -567,19 +567,18 @@ class DockerManager(object):
 if not tls_ca_cert and env_cert_path:
 tls_ca_cert = os.path.join(env_cert_path, 'ca.pem')
- if tls_ca_cert:
- tls_hostname = module.params.get('tls_hostname')
- if tls_hostname is None:
- if env_docker_hostname:
- tls_hostname = env_docker_hostname
+ tls_hostname = module.params.get('tls_hostname')
+ if tls_hostname is None:
+ if env_docker_hostname:
+ tls_hostname = env_docker_hostname
+ else:
+ parsed_url = urlparse(docker_url)
+ if ':' in parsed_url.netloc:
+ tls_hostname = parsed_url.netloc[:parsed_url.netloc.rindex(':')]
 else:
- parsed_url = urlparse(docker_url)
- if ':' in parsed_url.netloc:
- tls_hostname = parsed_url.netloc[:parsed_url.netloc.rindex(':')]
- else:
- tls_hostname = parsed_url
- if not tls_hostname:
- tls_hostname = True
+ tls_hostname = parsed_url
+ if not tls_hostname:
+ tls_hostname = True
 # use_tls can be one of four values:
 # no: Do not use tls
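Review bot: The re-added fallback `tls_hostname = parsed_url` in the inner `else:` of this hunk stores the whole urlparse result instead of the host, so `params['assert_hostname']` (set in the next hunk) receives a tuple rather than a hostname string whenever docker_url has no port; how a non-string is treated is decided outside this hunk, but it cannot be the intended certificate-name check. This line was already wrong before, but now that the block runs whether or not tls_ca_cert is set it is reached for every port-less URL, so it is worth fixing here: `tls_hostname = parsed_url.netloc`, matching the sibling branch. Note that the sibling's `netloc[:netloc.rindex(':')]` slicing also mis-handles a bracketed IPv6 literal without a port; `parsed_url.hostname` would cover both cases if the lowercasing it does is acceptable. The enclosing method starts and ends outside this hunk.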
@@ -610,8 +609,10 @@ class DockerManager(object):
 else:
 params['verify'] = True
 params['assert_hostname'] = tls_hostname
+ elif use_tls == 'encrpyt':
+ params['verify'] = False
- if params or use_tls == 'encrypt':
+ if params:
 # See https://github.com/docker/docker-py/blob/d39da11/docker/utils/utils.py#L279-L296
 docker_url = docker_url.replace('tcp://', 'https://')
 tls_config = docker.tls.TLSConfig(**params)
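Review bot: The new branch `elif use_tls == 'encrpyt':` misspells the option value, so with use_tls='encrypt' it never matches, params stays empty, the new `if params:` guard is false, and the tcp:// URL is never rewritten to https:// — the connection the option promises to encrypt is made in the clear, with no error reported. The removed line compared against 'encrypt', so this is a regression introduced by this hunk rather than a pre-existing problem. The fix is one token: `elif use_tls == 'encrypt':`. A test that asserts the rewritten URL starts with https:// for use_tls='encrypt' would have caught this; the `if`/`elif` chain and the enclosing method start outside the hunk.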