Rework TLS support, remove unsupported options

pull/26/head
Ross Cadogan 8 years ago
parent 69db640b98
commit 42fea79860

@ -39,18 +39,6 @@ docker run -d \
centurylink/watchtower centurylink/watchtower
``` ```
For private images:
```
docker run -d \
--name watchtower \
-e REPO_USER="username" -e REPO_PASS="pass" -e REPO_EMAIL="email" \
-v /var/run/docker.sock:/var/run/docker.sock \
drud/watchtower container_to_watch \
--registry private.registry.net:port \
--debug
```
### Arguments ### Arguments
By default, watchtower will monitor all containers running within the Docker daemon to which it is pointed (in most cases this will be the local Docker daemon, but you can override it with the `--host` option described in the next section). However, you can restrict watchtower to monitoring a subset of the running containers by specifying the container names as arguments when launching watchtower. By default, watchtower will monitor all containers running within the Docker daemon to which it is pointed (in most cases this will be the local Docker daemon, but you can override it with the `--host` option described in the next section). However, you can restrict watchtower to monitoring a subset of the running containers by specifying the container names as arguments when launching watchtower.
@ -75,15 +63,11 @@ docker run --rm centurylink/watchtower --help
``` ```
* `--host, -h` Docker daemon socket to connect to. Defaults to "unix:///var/run/docker.sock" but can be pointed at a remote Docker host by specifying a TCP endpoint as "tcp://hostname:port". The host value can also be provided by setting the `DOCKER_HOST` environment variable. * `--host, -h` Docker daemon socket to connect to. Defaults to "unix:///var/run/docker.sock" but can be pointed at a remote Docker host by specifying a TCP endpoint as "tcp://hostname:port". The host value can also be provided by setting the `DOCKER_HOST` environment variable.
* `--registry` The private Docker registry from which to pull images, if different from `host`.
* `--interval, -i` Poll interval (in seconds). This value controls how frequently watchtower will poll for new images. Defaults to 300 seconds (5 minutes). * `--interval, -i` Poll interval (in seconds). This value controls how frequently watchtower will poll for new images. Defaults to 300 seconds (5 minutes).
* `--no-pull` Do not pull new images. When this flag is specified, watchtower will not attempt to pull new images from the registry. Instead it will only monitor the local image cache for changes. Use this option if you are building new images directly on the Docker host without pushing them to a registry. * `--no-pull` Do not pull new images. When this flag is specified, watchtower will not attempt to pull new images from the registry. Instead it will only monitor the local image cache for changes. Use this option if you are building new images directly on the Docker host without pushing them to a registry.
* `--cleanup` Remove old images after updating. When this flag is specified, watchtower will remove the old image after restarting a container with a new image. Use this option to prevent the accumulation of orphaned images on your system as containers are updated. * `--cleanup` Remove old images after updating. When this flag is specified, watchtower will remove the old image after restarting a container with a new image. Use this option to prevent the accumulation of orphaned images on your system as containers are updated.
* `--tls` Use TLS when connecting to the Docker socket but do NOT verify the server's certificate. If you are connecting a TCP Docker socket protected by TLS you'll need to use either this flag or the `--tlsverify` flag (described below). The `--tlsverify` flag is preferred as it will cause the server's certificate to be verified before a connection is made. * `--tlsverify` Use TLS when connecting to the Docker socket and verify the server's certificate.
* `--tlsverify` Use TLS when connecting to the Docker socket and verify the server's certificate. If you are connecting a TCP Docker socket protected by TLS you'll need to use either this flag or the `--tls` flag (describe above). * `--apiversion` Specify the minimum docker api version. watchtower will only communicate with docker servers running this api version or later.
* `--tlscacert` Trust only certificates signed by this CA. Used in conjunction with the `--tlsverify` flag to identify the CA certificate which should be used to verify the identity of the server. The value for this flag can be either the fully-qualified path to the *.pem* file containing the CA certificate or a string containing the CA certificate itself. Defaults to "/etc/ssl/docker/ca.pem".
* `--tlscert` Client certificate for TLS authentication. Used in conjunction with the `--tls` or `--tlsverify` flags to identify the certificate to use for client authentication. The value for this flag can be either the fully-qualified path to the *.pem* file containing the client certificate or a string containing the certificate itself. Defaults to "/etc/ssl/docker/cert.pem".
* `--tlskey` Client key for TLS authentication. Used in conjunction with the `--tls` or `--tlsverify` flags to identify the key to use for client authentication. The value for this flag can be either the fully-qualified path to the *.pem* file containing the client key or a string containing the key itself. Defaults to "/etc/ssl/docker/key.pem".
* `--debug` Enable debug mode. When this option is specified you'll see more verbose logging in the watchtower log file. * `--debug` Enable debug mode. When this option is specified you'll see more verbose logging in the watchtower log file.
* `--help` Show documentation about the supported flags. * `--help` Show documentation about the supported flags.
@ -133,11 +117,11 @@ Note in both of the examples above that it is unnecessary to mount the */var/run
### Secure Connections ### Secure Connections
Watchtower is also capable of connecting to Docker endpoints which are protected by SSL/TLS. If you've used *docker-machine* to provision your remote Docker host, you simply need to volume mount the certificates generated by *docker-machine* into the watchtower container and specify either the `--tls` or `--tlsverify` flags. Watchtower is also capable of connecting to Docker endpoints which are protected by SSL/TLS. If you've used *docker-machine* to provision your remote Docker host, you simply need to volume mount the certificates generated by *docker-machine* into the watchtower container and optionally specify `--tlsverify` flag.
The *docker-machine* certificates for a particular host can be located by executing the `docker-machine env` command for the desired host (note the values for the `DOCKER_HOST` and `DOCKER_CERT_PATH` environment variables that are returned from this command). The directory containing the certificates for the remote host needs to be mounted into the watchtower container at */etc/ssl/docker*. The *docker-machine* certificates for a particular host can be located by executing the `docker-machine env` command for the desired host (note the values for the `DOCKER_HOST` and `DOCKER_CERT_PATH` environment variables that are returned from this command). The directory containing the certificates for the remote host needs to be mounted into the watchtower container at */etc/ssl/docker*.
With the certificates mounted into the watchtower container you simply need to specify either the `--tls` or `--tlsverify` flags to enable the TLS connection to the remote host: With the certificates mounted into the watchtower container you need to specify the `--tlsverify` flag to enable verification of the certificate:
``` ```
docker run -d \ docker run -d \

@ -2,7 +2,6 @@ package container
import ( import (
"fmt" "fmt"
"os"
"time" "time"
log "github.com/Sirupsen/logrus" log "github.com/Sirupsen/logrus"
@ -15,11 +14,6 @@ const (
defaultStopSignal = "SIGTERM" defaultStopSignal = "SIGTERM"
) )
var username = os.Getenv("REPO_USER")
var password = os.Getenv("REPO_PASS")
var email = os.Getenv("REPO_EMAIL")
var api_version = "1.24"
// A Filter is a prototype for a function that can be used to filter the // A Filter is a prototype for a function that can be used to filter the
// results from a call to the ListContainers() method on the Client. // results from a call to the ListContainers() method on the Client.
type Filter func(Container) bool type Filter func(Container) bool
@ -33,13 +27,16 @@ type Client interface {
RenameContainer(Container, string) error RenameContainer(Container, string) error
IsContainerStale(Container) (bool, error) IsContainerStale(Container) (bool, error)
RemoveImage(Container) error RemoveImage(Container) error
RegistryLogin(string) error
} }
// NewClient returns a new Client instance which can be used to interact with // NewClient returns a new Client instance which can be used to interact with
// the Docker API. // the Docker API.
func NewClient(dockerHost string, pullImages bool) Client { // The client reads its configuration from the following environment variables:
cli, err := dockerclient.NewClient(dockerHost, api_version, nil, nil) // * DOCKER_HOST the docker-engine host to send api requests to
// * DOCKER_TLS_VERIFY whether to verify tls certificates
// * DOCKER_API_VERSION the minimum docker api version to work with
func NewClient(pullImages bool) Client {
cli, err := dockerclient.NewEnvClient()
if err != nil { if err != nil {
log.Fatalf("Error instantiating Docker client: %s", err) log.Fatalf("Error instantiating Docker client: %s", err)
@ -53,11 +50,6 @@ type dockerClient struct {
pullImages bool pullImages bool
} }
func (client dockerClient) RegistryLogin(registryURL string) error {
log.Debug("Login not implemented")
return nil
}
func (client dockerClient) ListContainers(fn Filter) ([]Container, error) { func (client dockerClient) ListContainers(fn Filter) ([]Container, error) {
cs := []Container{} cs := []Container{}
bg := context.Background() bg := context.Background()

@ -1,13 +1,9 @@
package main // import "github.com/CenturyLinkLabs/watchtower" package main // import "github.com/CenturyLinkLabs/watchtower"
import ( import (
"crypto/tls"
"crypto/x509"
"fmt" "fmt"
"io/ioutil"
"os" "os"
"os/signal" "os/signal"
"strings"
"sync" "sync"
"syscall" "syscall"
"time" "time"
@ -16,15 +12,11 @@ import (
"github.com/CenturyLinkLabs/watchtower/container" "github.com/CenturyLinkLabs/watchtower/container"
log "github.com/Sirupsen/logrus" log "github.com/Sirupsen/logrus"
"github.com/urfave/cli" "github.com/urfave/cli"
"github.com/docker/docker/api/types"
dockerclient "github.com/docker/docker/client"
"golang.org/x/net/context"
) )
var ( var (
wg sync.WaitGroup wg sync.WaitGroup
client container.Client client container.Client
registryClient container.Client
pollInterval time.Duration pollInterval time.Duration
cleanup bool cleanup bool
) )
@ -34,12 +26,6 @@ func init() {
} }
func main() { func main() {
rootCertPath := "/etc/ssl/docker"
if os.Getenv("DOCKER_CERT_PATH") != "" {
rootCertPath = os.Getenv("DOCKER_CERT_PATH")
}
app := cli.NewApp() app := cli.NewApp()
app.Name = "watchtower" app.Name = "watchtower"
app.Usage = "Automatically update running Docker containers" app.Usage = "Automatically update running Docker containers"
@ -52,12 +38,6 @@ func main() {
Value: "unix:///var/run/docker.sock", Value: "unix:///var/run/docker.sock",
EnvVar: "DOCKER_HOST", EnvVar: "DOCKER_HOST",
}, },
cli.StringFlag{
Name: "registry",
Usage: "docker registry from which to pull images",
Value: "unix:///var/run/docker.sock",
EnvVar: "DOCKER_REGISTRY",
},
cli.IntFlag{ cli.IntFlag{
Name: "interval, i", Name: "interval, i",
Usage: "poll interval (in seconds)", Usage: "poll interval (in seconds)",
@ -71,34 +51,20 @@ func main() {
Name: "cleanup", Name: "cleanup",
Usage: "remove old images after updating", Usage: "remove old images after updating",
}, },
cli.BoolFlag{
Name: "tls",
Usage: "use TLS; implied by --tlsverify",
},
cli.BoolFlag{ cli.BoolFlag{
Name: "tlsverify", Name: "tlsverify",
Usage: "use TLS and verify the remote", Usage: "use TLS and verify the remote",
EnvVar: "DOCKER_TLS_VERIFY", EnvVar: "DOCKER_TLS_VERIFY",
}, },
cli.StringFlag{
Name: "tlscacert",
Usage: "trust certs signed only by this CA",
Value: fmt.Sprintf("%s/ca.pem", rootCertPath),
},
cli.StringFlag{
Name: "tlscert",
Usage: "client certificate for TLS authentication",
Value: fmt.Sprintf("%s/cert.pem", rootCertPath),
},
cli.StringFlag{
Name: "tlskey",
Usage: "client key for TLS authentication",
Value: fmt.Sprintf("%s/key.pem", rootCertPath),
},
cli.BoolFlag{ cli.BoolFlag{
Name: "debug", Name: "debug",
Usage: "enable debug mode with verbose logging", Usage: "enable debug mode with verbose logging",
}, },
cli.StringFlag{
Name: "apiversion",
Usage: "the version of the docker api",
EnvVar: "DOCKER_API_VERSION",
},
} }
if err := app.Run(os.Args); err != nil { if err := app.Run(os.Args); err != nil {
@ -114,40 +80,18 @@ func before(c *cli.Context) error {
pollInterval = time.Duration(c.Int("interval")) * time.Second pollInterval = time.Duration(c.Int("interval")) * time.Second
cleanup = c.GlobalBool("cleanup") cleanup = c.GlobalBool("cleanup")
// Set-up container client // configure environment vars for client
_, err := tlsConfig(c) err := envConfig(c)
if err != nil { if err != nil {
return err return err
} }
client = container.NewClient(c.GlobalString("host"), !c.GlobalBool("no-pull")) client = container.NewClient(!c.GlobalBool("no-pull"))
//login(c)
handleSignals() handleSignals()
return nil return nil
} }
func login(c *cli.Context) {
registry := c.GlobalString("registry")
if registry != "" && registry != c.GlobalString("host") {
log.Debug("Logging into registry")
clint, err := dockerclient.NewEnvClient()
if err != nil {
panic(err)
}
regAuth := types.AuthConfig{
Username: "testuser",
Password: "testpassword",
ServerAddress: registry,
}
resp, err := clint.RegistryLogin(context.Background(), regAuth)
if err != nil {
panic(err)
}
log.Debugf("Authenticated client with registry %s, %s", registry, resp)
}
}
func start(c *cli.Context) { func start(c *cli.Context) {
names := c.Args() names := c.Args()
@ -179,56 +123,31 @@ func handleSignals() {
}() }()
} }
// tlsConfig translates the command-line options into a tls.Config struct func setEnvOptStr(env string, opt string) error {
func tlsConfig(c *cli.Context) (*tls.Config, error) { if (opt != "" && opt != os.Getenv(env)) {
var tlsConfig *tls.Config err := os.Setenv(env, opt)
var err error if (err != nil) {
caCertFlag := c.GlobalString("tlscacert") return err
certFlag := c.GlobalString("tlscert")
keyFlag := c.GlobalString("tlskey")
if c.GlobalBool("tls") || c.GlobalBool("tlsverify") {
tlsConfig = &tls.Config{
InsecureSkipVerify: !c.GlobalBool("tlsverify"),
}
// Load CA cert
if caCertFlag != "" {
var caCert []byte
if strings.HasPrefix(caCertFlag, "/") {
caCert, err = ioutil.ReadFile(caCertFlag)
if err != nil {
return nil, err
} }
} else {
caCert = []byte(caCertFlag)
} }
return nil
}
caCertPool := x509.NewCertPool() func setEnvOptBool(env string, opt bool) error {
caCertPool.AppendCertsFromPEM(caCert) if (opt == true) {
return setEnvOptStr(env, "1")
tlsConfig.RootCAs = caCertPool
} }
return nil
}
// Load client certificate // envConfig translates the command-line options into environment variables
if certFlag != "" && keyFlag != "" { // that will initialize the api client
var cert tls.Certificate func envConfig(c *cli.Context) error {
var err error
if strings.HasPrefix(certFlag, "/") && strings.HasPrefix(keyFlag, "/") { err = setEnvOptStr("DOCKER_HOST", c.GlobalString("host"))
cert, err = tls.LoadX509KeyPair(certFlag, keyFlag) err = setEnvOptBool("DOCKER_TLS_VERIFY", c.GlobalBool("tlsverify"))
if err != nil { err = setEnvOptStr("DOCKER_API_VERSION", c.GlobalString("apiversion"))
return nil, err
}
} else {
cert, err = tls.X509KeyPair([]byte(certFlag), []byte(keyFlag))
if err != nil {
return nil, err
}
}
tlsConfig.Certificates = []tls.Certificate{cert}
}
}
return tlsConfig, nil return err
} }

Loading…
Cancel
Save