From 2563480ddf9a8441e0a2dffc79b80e8149552797 Mon Sep 17 00:00:00 2001
From: Chris Bednarski
Date: Fri, 20 Nov 2015 15:47:03 -0800
Subject: [PATCH 1/3] Added docker.tls config file options and docs

---
 client/driver/docker.go | 13 +++++++++++-
 website/source/docs/drivers/docker.html.md | 24 ++++++++++++++++++++--
 2 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/client/driver/docker.go b/client/driver/docker.go
index f09d0402181..35bc76a115a 100644
--- a/client/driver/docker.go
+++ b/client/driver/docker.go
@@ -90,9 +90,20 @@ func (d *DockerDriver) dockerClient() (*docker.Client, error) {
 // but also accept the standard ENV configs for dev and test.
 dockerEndpoint := d.config.Read("docker.endpoint")
 if dockerEndpoint != "" {
- return docker.NewClient(dockerEndpoint)
+ cert := d.config.Read("docker.tls.cert")
+ key := d.config.Read("docker.tls.key")
+ ca := d.config.Read("docker.tls.ca")
+
+ if cert+key+ca != "" {
+ d.logger.Println("[DEBUG] driver.docker: using TLS client connection to %s", dockerEndpoint)
+ return docker.NewTLSClient(dockerEndpoint, cert, key, ca)
+ } else {
+ d.logger.Println("[DEBUG] driver.docker: using standard client connection to %s", dockerEndpoint)
+ return docker.NewClient(dockerEndpoint)
+ }
 }
 
+ d.logger.Println("[DEBUG] driver.docker: using client connection initialized from environment %s", dockerEndpoint)
 return docker.NewClientFromEnv()
 }
 
diff --git a/website/source/docs/drivers/docker.html.md b/website/source/docs/drivers/docker.html.md
index 42ebcc2f794..c9725d0a7ab 100644
--- a/website/source/docs/drivers/docker.html.md
+++ b/website/source/docs/drivers/docker.html.md
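Review bot: The `cert+key+ca != ""` test in the new `if dockerEndpoint != "" {` branch accepts a partially configured TLS triple and passes the empty paths on to `docker.NewTLSClient`, so whether a missing or misspelt `docker.tls.ca` still yields a verified connection is decided inside the library; as far as I recall go-dockerclient's `NewTLSClient` of this era skips paths that do not exist and sets `InsecureSkipVerify` when it ends up with no CA bytes, which would turn a config typo into an unverified TLS session — worth checking against the vendored copy. Validate the triple here and fail loudly instead: `if cert == "" || key == "" || ca == "" { return nil, fmt.Errorf("docker.tls.cert, docker.tls.key and docker.tls.ca must all be set") }` at the top of the TLS branch (using `fmt.Errorf` or whatever error constructor the file already imports), and write the outer condition as `cert != "" || key != "" || ca != ""` so the intent reads directly. The `else` after `return docker.NewTLSClient(...)` is unnecessary and can be dropped to match the early return already used for the `NewClientFromEnv` fallback. Also in the same patch's docker.html.md hunks: the second hunk pastes the three `d.config.Read("docker.tls.*")` Go lines into the docs page, `config filie` is a typo, and `docker.tls.cert` is described as the server's certificate although `NewTLSClient` takes `cert`/`key` as the client's certificate pair, so that wording looks inverted.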
@@ -225,6 +225,21 @@ The `docker` driver has the following host-level configuration options: to customize this if you use a non-standard socket (http or another location). +* `docker.tls.cert` - Path to the server's certificate file (`.pem`). Specify + this along with `docker.tls.key` and `docker.tls.ca` to use a TLS client to + connect to the docker daemon. `docker.endpoint` must also be specified or + this setting will be ignored. + +* `docker.tls.key` - Path to the client's private key (`.pem`). Specify this + along with `docker.tls.cert` and `docker.tls.ca` to use a TLS client to + connect to the docker daemon. `docker.endpoint` must also be specified or + this setting will be ignored. + +* `docker.tls.ca` - Path to the server's CA file (`.pem`). Specify this along + with `docker.tls.cert` and `docker.tls.key` to use a TLS client to connect to + the docker daemon. `docker.endpoint` must also be specified or this setting + will be ignored. + * `docker.cleanup.container` Defaults to `true`. Changing this to `false` will prevent Nomad from removing containers from stopped tasks. @@ -236,9 +251,14 @@ The `docker` driver has the following host-level configuration options: access to the host's devices. Note that you must set a similar setting on the Docker daemon for this to work. + cert := d.config.Read("docker.tls.cert") + key := d.config.Read("docker.tls.key") + ca := d.config.Read("docker.tls.ca") + Note: When testing or using the `-dev` flag you can use `DOCKER_HOST`, -`DOCKER_TLS_VERIFY`, and `DOCKER_CERT_PATH` to customize Nomad's behavior. In -production Nomad will always read `docker.endpoint`. +`DOCKER_TLS_VERIFY`, and `DOCKER_CERT_PATH` to customize Nomad's behavior. If +`docker.endpoint` is set Nomad will **only** read client configuration from the +config filie. ## Agent Attributes From 30e7ef3eb9e634336cabef0aeddf8869bea778f4 Mon Sep 17 00:00:00 2001 
From: Chris Bednarski
Date: Fri, 20 Nov 2015 15:53:38 -0800
Subject: [PATCH 2/3] Don't show endpoint when we're not using it

---
 client/driver/docker.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/client/driver/docker.go b/client/driver/docker.go
index 35bc76a115a..1893dcf39a2 100644
--- a/client/driver/docker.go
+++ b/client/driver/docker.go
@@ -103,7 +103,7 @@ func (d *DockerDriver) dockerClient() (*docker.Client, error) {
 }
 }
 
- d.logger.Println("[DEBUG] driver.docker: using client connection initialized from environment %s", dockerEndpoint)
+ d.logger.Println("[DEBUG] driver.docker: using client connection initialized from environment")
 return docker.NewClientFromEnv()
 }
 
From 29700064886deed2d43b476ef4f6a1a21b34aca4 Mon Sep 17 00:00:00 2001
From: Chris Bednarski
Date: Fri, 20 Nov 2015 16:00:58 -0800
Subject: [PATCH 3/3] Change println to printf

---
 client/driver/docker.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/client/driver/docker.go b/client/driver/docker.go
index 1893dcf39a2..edacd0421fd 100644
--- a/client/driver/docker.go
+++ b/client/driver/docker.go
@@ -95,10 +95,10 @@ func (d *DockerDriver) dockerClient() (*docker.Client, error) {
 ca := d.config.Read("docker.tls.ca")
 
 if cert+key+ca != "" {
- d.logger.Println("[DEBUG] driver.docker: using TLS client connection to %s", dockerEndpoint)
+ d.logger.Printf("[DEBUG] driver.docker: using TLS client connection to %s", dockerEndpoint)
 return docker.NewTLSClient(dockerEndpoint, cert, key, ca)
 } else {
- d.logger.Println("[DEBUG] driver.docker: using standard client connection to %s", dockerEndpoint)
+ d.logger.Printf("[DEBUG] driver.docker: using standard client connection to %s", dockerEndpoint)
 return docker.NewClient(dockerEndpoint)
 }
 }