-
Notifications
You must be signed in to change notification settings - Fork 5
/
setup_docker_remote.sh
593 lines (519 loc) · 22.1 KB
/
setup_docker_remote.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
#!/bin/bash
# ******************************************************************************
# © Copyright IBM Corp. 2017-2018.
# LICENSE: MIT https://opensource.org/licenses/MIT
#
# MIT License
#
# Copyright (C) IBM Corporation 2018
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# Reference:
# * Protect the Docker daemon socket:
# - URL: https://docs.docker.com/engine/security/https/
# * Securing Docker with TLS certificates:
# - URL: http://tech.paulcz.net/2016/01/secure-docker-with-tls/
# *******************************************************************************
# Global VARs
HOSTS=( )
USER="root"
USER_DOCKERHOME=~/.docker
CLNT_CERTPATH_ROOT=""
HOST="`hostname -s`"
HOST_FQDN="`hostname -f`"
HOST_IP="`hostname -i`"
[[ "`whoami`" == "$USER" ]] || { echo "Execute `basename $0` tool as the $USER user." && exit 1; }
do_usage() {
cat <<EOF
Usage: `basename $0` [parameters]
* parameters
[--cert-path pathname] The location in which to save the client SSL
certificates during setup. Use a shared file system so that these
certificates can be accessed from any host in the Db2 Warehouse cluster.
[--host hostname] A host name or an IP address that is allowed to
authenticate with the Docker engine. By default, this script enables
authentication from localhost and 127.0.0.1 and from the fully qualified
domain name, short host name, or IP address of the host by using the TLS
certificates that are generated by this script. However, you can specify
one or more additional host names or IP addresses, such as an internal
(fabric network) IP address, to be enabled for authenticating with the
Docker engine by using TLS. If you have more than one host name or IP
address, specify them as a comma-separated list.
[-h|--help] Display help text for this script.
EOF
}
parse_cmd_line_args()
{
while [[ $# -gt 0 ]]; do
case "$1" in
### Options
--cert-path)
shift
CLNT_CERTPATH_ROOT=${1%/}
[[ -z "$CLNT_CERTPATH_ROOT" ]] && { echo "The client certificate save path is not specified." && exit 1; }
[[ -d "$CLNT_CERTPATH_ROOT" ]] || { echo "The client certificate save path ${CLNT_CERTPATH_ROOT} does not exist." && exit 1; }
;;
--host)
shift
HOSTS=( `echo "$1" | sed 's/,/ /g'` )
;;
--user)
shift
USER=$1
[[ -z "$USER" ]] && { echo "The user ID is not specified." && exit 1; }
id $USER &> /dev/null || { echo "The user ID $USER does not exist." && exit 1; }
USER_DOCKERHOME="`getent passwd ${USER} | cut -d: -f6`/.docker"
;;
### Actions
-h|--help)
do_usage
exit 0
;;
*)
echo "Error: unrecognized argument $1"
do_usage
exit 1
;;
esac
shift
done
}
parse_cmd_line_args $*
### Global VARs ###
SRV_CERTPATH=/etc/docker/ssl
CA_KEY=${USER_DOCKERHOME}/ca-key.pem
CA_CERT=${SRV_CERTPATH}/ca.pem
SRV_KEY=${SRV_CERTPATH}/key.pem
SRV_CERT=${SRV_CERTPATH}/cert.pem
SRV_CSR=${SRV_CERTPATH}/cert.csr
SRV_EXTCFG=${SRV_CERTPATH}/openssl.cnf
CERT_PERIOD=3650 # Cert valid for 10 years
KEY_LENGTH=4096
CLNT_CERTPATH="${CLNT_CERTPATH_ROOT}/certs/${USER}/${HOST}"
CLNT_KEY=${CLNT_CERTPATH}/key.pem
CLNT_CERT=${CLNT_CERTPATH}/cert.pem
CLNT_CSR=${CLNT_CERTPATH}/cert.csr
CLNT_EXTCFG=${CLNT_CERTPATH}/openssl.cnf
#
### Functions ###
#
# Create docker default config directory, and cert paths
crt_cert_and_cfg_dirs() {
echo " => 1. Ensuring Docker config and client certificate directories exists"
[[ -d ${CLNT_CERTPATH} ]] || mkdir -p ${CLNT_CERTPATH}
[[ -d ${SRV_CERTPATH} ]] || mkdir -p ${SRV_CERTPATH}
[[ -d ${USER_DOCKERHOME} ]] || mkdir -p ${USER_DOCKERHOME}
local h
for h in localhost 127.0.0.1 $HOST_IP ; do
ln -sf ${CLNT_CERTPATH} "${CLNT_CERTPATH_ROOT}/certs/${USER}/${HOST}:${h}"
done
echo -e "\n"
}
# Common function to test if SSL certificate or private key was created and
# display proper error message.
chk_certkey() {
local certkey=$1
[[ -s $certkey ]] || { echo "Failed to generate ${certkey}, exiting now ..." && exit 1; }
}
# Generate CA (private) key and CA (public) certificate
gen_cacerts() {
# local passphrase="$(openssl rand -base64 32)"
# Generate a passphrase file
local passphrase_file=/tmp/passphrase.txt
local capasskey=/tmp/server.pass.key
printf "`date +%s | sha256sum | base64 | head -c 32`\n" > ${passphrase_file}
# openssl rand -base64 32 > ${passphrase_file}
echo -e " => 2. Generating CA key\n"
# Generate a Private Key with passphrase
openssl genrsa -aes256 -passout file:${passphrase_file} -out ${capasskey} ${KEY_LENGTH}
# Remove passphrase from Key
openssl rsa -passin file:${passphrase_file} -in ${capasskey} -out ${CA_KEY}
chk_certkey ${CA_KEY}
# Cleanup
rm -f ${capasskey} ${passphrase_file}
echo -e "\n"
# Generate the CA certificate using the private key
echo " => 3. Generating CA certificate"
openssl req -new -x509 -nodes -days ${CERT_PERIOD} -key ${CA_KEY} -sha256 -out ${CA_CERT} -subj '/CN=docker-CA'
chk_certkey ${CA_CERT}
\cp -fp ${CA_CERT} ${CLNT_CERTPATH}
echo -e "\n"
}
# Create server and client extensions config files
crt_ssl_extcfg_files() {
# Set the Docker daemon keys 'extendedKeyUsage' attributes to both
# server and client authentication in all extensions config files
echo " => 4. Creating SSL-extensions config files"
# Allow connections over all hostnames and IPs in the server extensions cfg file
cat <<EOF > ${SRV_EXTCFG}
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = $HOST
DNS.3 = $HOST_FQDN
IP.1 = 127.0.0.1
IP.2 = $HOST_IP
EOF
# Update the server SSL extensions config file with user-supplied IP/host list
if [[ ${#HOSTS[@]} -gt 0 ]]; then
local dns=4 ip=3 host=""
for host in "${HOSTS[@]}"; do
[[ ( "$host" == "`hostname -f`" ) || ( "$host" == "`hostname -s`" ) || ( "$host" == "`hostname -i`" ) || ( $host =~ localhost|127.0.0.1 ) ]] && \
{ echo "Script will add this $host entry by default. IE. not required to be specified." && continue; }
$(echo "${host}" | egrep -q -o '^([0-9]+\.){3}[0-9]+$')
if [[ $? -eq 0 ]]; then # Its an IP address
ip a s | grep -qE "${host}" || \
{ echo "The IP address specified using --host is not assigned or any of the network interfaces found on this host." && continue; }
echo "IP.${ip} = ${host}" >> ${SRV_EXTCFG}
((ip++))
else # its a hostname
grep -iq ${host} /etc/hosts || \
{ echo "The hostname specified using --host is not found in the local /etc/hosts file on this host." && continue; }
echo "DNS.${dns} = ${host}" >> ${SRV_EXTCFG}
((dns++))
fi
# Also create sym-link to certdir that reference this user-supplied hostname/IP
ln -sf ${CLNT_CERTPATH} "${CLNT_CERTPATH_ROOT}/certs/${USER}/${HOST}:${host}"
done
fi
cat <<EOF > ${CLNT_EXTCFG}
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
echo -e "\n"
}
# Create a server key and certificate signing request (CSR)
gen_server_key_and_csr() {
echo -e " => 5. Generating server key\n"
openssl genrsa -out ${SRV_KEY} ${KEY_LENGTH}
chk_certkey ${SRV_KEY}
echo -e "\n"
echo " => 6. Generating server CSR"
openssl req -sha256 -new -key ${SRV_KEY} -out ${SRV_CSR} -subj '/CN=docker-server' -config ${SRV_EXTCFG}
echo -e "\n"
}
# Create a client key and certificate signing request (CSR)
gen_client_key_and_csr() {
echo -e " => 7. Generating client key\n"
openssl genrsa -out ${CLNT_KEY} ${KEY_LENGTH}
chk_certkey ${CLNT_KEY}
echo -e "\n"
echo " => 8. Generating client CSR"
openssl req -new -key ${CLNT_KEY} -out ${CLNT_CSR} -subj '/CN=docker-client' -config ${CLNT_EXTCFG}
echo -e "\n"
}
# Sign client and server keys with CA
sign_keys_with_ca() {
# Sign the (public) server key with the CA
echo -e " => 9. Signing server CSR with CA\n"
openssl x509 -req -sha256 -in ${SRV_CSR} -CA ${CA_CERT} -CAkey ${CA_KEY} \
-CAcreateserial -out ${SRV_CERT} -days ${CERT_PERIOD} \
-extensions v3_req -extfile ${SRV_EXTCFG}
chk_certkey ${SRV_CERT}
echo -e "\n"
# Sign the (private) client key with the CA
echo -e " => 10. Signing client CSR with CA\n"
openssl x509 -req -sha256 -in ${CLNT_CSR} -CA ${CA_CERT} -CAkey ${CA_KEY} \
-out ${CLNT_CERT} -CAcreateserial -days ${CERT_PERIOD} \
-extensions v3_req -extfile ${CLNT_EXTCFG}
chk_certkey ${CLNT_CERT}
# Cleanup
# rm -v ${CLNT_CSR} ${SRV_CSR}
echo -e "\n"
}
merge_docker_daemon_json_files() {
local override_file=/tmp/daemon.json
local default_file=/etc/docker/daemon.json
local default_file_bkp=${default_file}_`date +"%Y-%m-%d-%H:%M"`
[[ -s $override_file ]] || return 1
[[ -s $default_file ]] || return 1
cat <<EOF
An existing Docker ${daemon_json} file found.
Backing up the existing ${default_file} as ${default_file_bkp}
Updating the exisiting ${default_file} file with Docker TLS parameters ...
EOF
\cp -fp $default_file $default_file_bkp
sed -i -e '/^[ \t]*\"tls.*/d' -e '/^[ \t]*\"hosts.*/d' -e '/^\}$/d' $default_file
tail -1 $default_file | grep -qE "^{$|,$" || sed -i '$ s/$/,/g' $default_file
sed -i '/{/d' $override_file
cat $override_file >> $default_file
[[ $(grep -E "(hosts|tls)" $default_file | wc -l) -eq 5 ]] || \
{ echo "Failed to update the Docker ${default_file}. Restoring the backed up copy" && \
echo "Manually merge in the contents in $override_file with $default_file." && \
\cp -fp $default_file_bkp $default_file && return; }
echo -e "Successfully updated the default Docker ${default_file} file with TLS parameters.\n"
}
# Set permissions for certificates and private keys
set_cert_permissions() {
echo " => 11. Secure all certificates and private keys"
chmod 0400 ${CA_KEY} ${CLNT_KEY} ${SRV_KEY}
chmod 0444 ${CA_CERT} ${SRV_CERT} ${CLNT_CERT}
[[ "$USER" != "root" ]] && chown -R ${USER}:${USER} ${CLNT_CERTPATH} ${USER_DOCKERHOME}
echo -e "\n"
}
# Generate the docker daemon.json file with the TLS options
gen_docker_daemon_json_tls() {
echo -e " => 12. Generating Docker configuration (daemon.json) JSON file\n"
# Default Docker daemon.json
local daemon_json=/etc/docker/daemon.json
local daemon_json_tmp=/tmp/daemon.json
local systemd_unit_conf=/etc/systemd/system/docker.service.d/docker.conf
local SETUP_DOCKERD_JSON_MSG1="
A new Docker ${daemon_json} has been generated and placed in the correct location.\n
"
local SETUP_DOCKERD_JSON_MSG2="
An existing Docker Systemd Unit configuration ${systemd_unit_conf} file found.\n
Merge all the settings except for HTTP proxy settings (if any) into the new \n
${daemon_json} file and then remove the ${systemd_unit_conf} file.\n
If you are using a HTTP proxy refer to the Docker documentation topic Control\n
and configure Docker with systemd: \n
URL: https://docs.docker.com/engine/admin/systemd/ \n
"
# Create the template Docker daemon.json file
cat <<EOF > $daemon_json_tmp
{
"hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
"tlsverify": true,
"tlscacert": "$CA_CERT",
"tlscert": "$SRV_CERT",
"tlskey": "$SRV_KEY"
}
EOF
if [[ -f $daemon_json ]]; then
merge_docker_daemon_json_files
else
echo -e ${SETUP_DOCKERD_JSON_MSG1}
\cp -p ${daemon_json_tmp} ${daemon_json}
fi
rm -f $daemon_json_tmp
[[ -s ${systemd_unit_conf} ]] && echo -e $SETUP_DOCKERD_JSON_MSG2
echo "The contents of Docker ${daemon_json} file:"
cat ${daemon_json}
echo -e "\nIn order to complete configuring the docker engine to use TLS over TCP/IP restart the docker engine.\n\tsystemctl restart docker.service\n"
}
# Show subject, SHA-fingerprint, start/end dates and the associated public key
# for CA, client and server certificates.
show_certs() {
echo -e " => 14. Display SSL certificate summary\n"
local cert=""
for cert in ${CA_CERT} ${SRV_CERT} ${CLNT_CERT}; do
echo "SSL Certificate: ${cert}"
openssl x509 -noout -in $cert -subject -fingerprint -dates -pubkey
echo "****************************************************************"
done
echo -e "\n"
}
install_docker_remote_wrapper() {
echo " => 13. Installing Docker remote command (/usr/bin/docker_remote) tool"
cat <<'EOF' > /usr/bin/docker_remote
#!/bin/bash
# ******************************************************************************
#
# © Copyright IBM Corp. 2016, 2017 All Rights Reserved.
#
# COPYRIGHT LICENSE: This information contains sample code provided in source
# code form. You may copy, modify, and distribute these sample programs in any
# form without payment to IBM® for the purposes of developing, using, marketing
# or distributing application programs conforming to the application programming
# interface for the operating platform for which the sample code is written.
#
# Notwithstanding anything to the contrary, IBM PROVIDES THE SAMPLE SOURCE CODE
# ON AN "AS IS" BASIS AND IBM DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
# INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OR CONDITIONS OF
# MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE,
# TITLE, AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM SHALL NOT BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES
# ARISING OUT OF THE USE OR OPERATION OF THE SAMPLE SOURCE CODE. IBM HAS NO
# OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS OR
# MODIFICATIONS TO THE SAMPLE SOURCE CODE.
#
# *******************************************************************************
do_usage() {
cat <<USAGE
Usage: `basename $0` [parameters]
* parameters
[-n|--node hostname|IP address] A remote Docker host name or an IP address
enclosed by double quotation marks (""). If you want to run the same
Docker command on more than one host name or IP address, specify them
as a comma-separated list.
[-c|--command docker-command] The Docker command that you want to execute
on the remote Docker host.
[-h|--help] Display help text for this script.
USAGE
}
# Global VARs
COMMAND=""
DOCKER_CMD=""
NODES=( )
# USER=`whoami`
USER=root
HOST=`hostname -s`
CLNT_CERTPATH_ROOT=%CLNT_CERTPATH_ROOT%
RC=0
is_quiet=false
parse_cmd_line_args()
{
while [[ $# -gt 0 ]]; do
case "$1" in
### Options
-n|--node)
shift
NODES=( `echo "$1" | sed 's/,/ /g'` )
;;
### Actions
-c|--command)
shift
DOCKER_CMD="$*"
COMMAND="run-cmd"
;;
### Suppress extra output text
-q|--quiet)
is_quiet=true
;;
-h|--help)
do_usage
exit 0
;;
*)
echo "Error: unrecognized argument $1"
do_usage
exit 1
;;
esac
shift
done
}
parse_cmd_line_args "$@"
run-cmd() {
local certdir=""
local node=""
[[ "$is_quiet" != true ]] && echo "Running the Docker command ${DOCKER_CMD} on the remote host(s) as ${USER} user ..."
[[ "$is_quiet" != true ]] && echo "------------------------------------------------------------------"
for node in "${NODES[@]}"; do
# Check if value of node is a hostname or an IP address, and if
# hostname, strip domain name in case FQDN was used in --node option
$(echo "${node}" | egrep -q -o '^([0-9]+\.){3}[0-9]+$')
[[ $? -ne 0 ]] && node=${node%%.*}
# Determine the correct certificate directory to use
certdir=${CLNT_CERTPATH_ROOT}/certs/${USER}/${node}
if [[ $node =~ localhost|127.0.0.1 ]]; then
certdir="${CLNT_CERTPATH_ROOT}/certs/${USER}/${HOST}:${node}"
elif [[ ${node} != ${HOST} ]]; then
certdir=$(ls -1d ${CLNT_CERTPATH_ROOT}/certs/${USER}/* 2>/dev/null | grep -E "*$node$|:$node$")
fi
[[ -d ${certdir} ]] || { echo "ERROR: The certificate directory not found" && \
echo "Confirm that the setup_docker_remote.sh tool was run on ${node}, and the correct host name/IP address was specified for --node paramter." && exit 1; }
[[ "$is_quiet" != true ]] && echo " => HOST: ${node}"
DOCKER_TLS_VERIFY=1 DOCKER_CERT_PATH=$certdir DOCKER_HOST=tcp://${node}:2376 /usr/bin/docker ${DOCKER_CMD}
RC=$?
[[ "$is_quiet" != true ]] && echo "------------------------------------------------------------------"
done
}
[[ "$COMMAND" == "run-cmd" ]] && run-cmd
exit $RC
EOF
sed -i "s|%CLNT_CERTPATH_ROOT%|${CLNT_CERTPATH_ROOT}|" /usr/bin/docker_remote
chmod 755 /usr/bin/docker_remote
echo -e "\n"
}
### Main ####
echo -e "\n => Executing `basename $0` script on host ${HOST} ...\n"
crt_cert_and_cfg_dirs
gen_cacerts
crt_ssl_extcfg_files
gen_server_key_and_csr
gen_client_key_and_csr
sign_keys_with_ca
set_cert_permissions
gen_docker_daemon_json_tls
install_docker_remote_wrapper
show_certs
cat <<'EOF'
################################################################################
### Successfully configured Docker TLS on this host ####
################################################################################
* The CA certificate and the server and client TLS certificates that are
required for secure Docker remote communication were set up.
* A /usr/bin/docker_remote wrapper was installed.
-----------
Next steps:
-----------
1. On the other nodes that you want to remotely execute Docker commands on, run
setup_docker_remote.sh with the --cert-path parameter, which specifies a
shared file system path.
2. Verify that the socket and TLS settings (hosts, tlsverify, tlscacert,
tlscert and tlskey) are defined in the Docker engine options file
(/etc/docker/daemon.json). If you already used a Docker systemd unit
configuration file (/etc/systemd/system/docker.service.d/docker.conf) on this
host, migrate all those parameters from the systemd unit into the
/etc/docker/daemon.json file and remove the unit file.
3. Restart the Docker engine by issuing the following command:
systemctl restart docker.service
4. Run a Docker command on a remote host in one of the following ways:
* To run a Docker command on a single remote host, issue the following
command:
docker_remote --node "<remote_host>" --command "<docker_command>"
where, remote_host can be a host name or an IP address.
For example, the following command runs the docker ps -a command on the
remote host myhost.mydomain.com:
docker_remote --node "myhost.mydomain.com" --command "ps -a"
* To run a Docker command on multiple remote hosts, set the hosts value to
a comma-separated list of remote hosts and pass the hosts value to the
--node parameter. An example follows:
hosts="myhost1,myhost2,myhost3"
docker_remote --node "$hosts" --command "<docker_command>"
5. To run a Docker command on any or all the hosts on which you set up TLS from
a host outside the Db2 Warehouse cluster (for example, your laptop):
(i) Copy the certs directory under the root of the directory that you
specified for the --cert-path parameter.
(ii) Issue the docker commands on the remote host by using the following
parameters:
DOCKER_TLS_VERIFY=1 \
DOCKER_CERT_PATH=<path in which the TLS certificates are saved> \
DOCKER_HOST=tcp://<remote_host>:2376 /usr/bin/docker <docker_command>
If the outside host is running on a Docker supported 64-bit Linux platform,
you can use the following steps instead of using step (ii) for simpler user
experience.
(i) Copy the /usr/bin/docker_remote script from one of the hosts on which
you ran the setup_docker_remote.sh script into the /usr/bin directory on the
outside host.
(ii) Make the script executable by executing the
chmod +x /usr/lib/docker_remote command.
(iii) Change the value of the CLNT_CERTPATH_ROOT variable in the
/usr/lib/docker_remote script to point to the root directory of the
location where you saved the remote host certificates. For example, if you
saved the certificates in the /home/myhome/certs, set the CLNT_CERTPATH_ROOT
variable to /home/myhome.
(iv) Use the docker_remote command as shown in Step 4.
EOF