From eef7d1ce16cc4f26dc005d55cda4eeabf68237e9 Mon Sep 17 00:00:00 2001
From: Tibor Vass
Date: Fri, 7 Nov 2014 17:44:02 -0500
Subject: [PATCH] If REGISTRY_TLS_VERIFY is set, but GUNICORN_OPTS is not, serve TLS.

This is done by setting GUNICORN_OPTS to some default value, expecting the following files to be present:
* /ssl/ca.crt
* /ssl/registry.cert
* /ssl/registry.key
Signed-off-by: Tibor Vass
---
 docker_registry/run.py | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/docker_registry/run.py b/docker_registry/run.py
index fb9fe3996..6085c3ce5 100644
--- a/docker_registry/run.py
+++ b/docker_registry/run.py
@@ -8,6 +8,7 @@
 import getpass
 import logging
 import os
+import ssl
 import sys
 from .server import env
@@ -84,7 +85,20 @@ def run_gunicorn():
 else:
 logger.warn('You asked we drop priviledges, but we are not root!')
- args += env.source('GUNICORN_OPTS')
+ gunicorn_opts = env.source('GUNICORN_OPTS')
+ if not gunicorn_opts and env.source('REGISTRY_TLS_VERIFY'):
+ gunicorn_opts = ['--ssl-version', ssl.PROTOCOL_TLSv1]
+ for k, v in {
+ '--certfile': '/ssl/registry.cert',
+ '--keyfile': '/ssl/registry.key',
+ '--ca-certs': '/ssl/ca.crt'
+ }.iteritems():
+ if not os.path.isfile(v):
+ print("could not find %s" % (v))
+ sys.exit(1)
+ gunicorn_opts.append(k, v)
+
+ args += gunicorn_opts
 args.append('docker_registry.wsgi:application')
 # Stringify all args and call
 os.execl(*[str(v) for v in args])
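Review bot: `gunicorn_opts.append(k, v)` in the new loop passes two arguments to `list.append`, which accepts one, so the default-TLS path raises TypeError before gunicorn is ever exec'd; `gunicorn_opts += [k, v]` is what the loop needs. Separately, the name REGISTRY_TLS_VERIFY suggests client-certificate verification, but `--ca-certs` alone does not make gunicorn demand a client certificate (its `--cert-reqs` defaults to no verification), so if mutual TLS is the intent the defaults should start as `['--ssl-version', ssl.PROTOCOL_TLSv1, '--cert-reqs', ssl.CERT_REQUIRED]`. When GUNICORN_OPTS is set, REGISTRY_TLS_VERIFY is ignored without any message, and a `logger.warn` on that branch would keep an operator from assuming TLS is on when it is not. The missing-file error goes through `print` rather than the module's `logger`, and `run_gunicorn` begins above this hunk, so how `args` is built before this point is not visible here.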