This repository has been archived by the owner on Oct 30, 2018. It is now read-only.

Docker module TLS support #657

Closed
zxaos opened this issue Jan 18, 2015 · 4 comments

Comments

zxaos commented Jan 18, 2015

Issue Type:

Feature Idea

Ansible Version:

ansible 1.8.2
configured module search path = None

Environment:

Ansible running from OS X 10.10.1
Managing Linux / Boot2Docker 1.4.1

Summary:

Boot2Docker is a minimal install that doesn't have a Python executable. Because of this, it's probably easier to manage docker images by using a separate docker install on an ansible-controllable host or a local_action.

By default, Boot2Docker supplies certificates needed for TLS secured control via the docker CLI. The docker-py python module supports this type of configuration but the docker ansible module is unable to make use of it.

The only way to support this configuration currently is to fall back to calling the docker CLI through a script or a command task.

Steps To Reproduce:

Expose the docker-py configuration attributes listed below to the ansible module.

  • client_cert: Path to client cert, path to client key
  • ca_cert: Path to CA cert file
  • verify: This can be False or a path to a CA Cert file
  • ssl_version: A valid SSL version
  • assert_hostname: Verify hostname of docker daemon
lorin commented Jan 26, 2015

I have a pull request to implement that here: #272

abadger commented Mar 13, 2015

I believe this has been implemented for devel and 1.9rc2 now. Merged PR is here: #926

Would you care to test it out?

lorin commented Mar 14, 2015

I tested TLS with boot2docker, and it was working, with a caveat. There's an upstream bug in (a dependency of) docker-py that causes problems for boot2docker. I get an error that looks like this:

failed: [localhost] => {"changed": false, "failed": true}
msg: SSLError(SSLError(CertificateError("hostname '192.168.59.103' doesn't match 'boot2docker'",),),)

FATAL: all hosts have already failed -- aborting

See docker/docker-py#406. There's a workaround documented at docker/docker-py#406 (comment)

abadger commented Mar 15, 2015

I think that this was mentioned in the TLS PRs and we added tls_hostname to deal with it. If you specify

- docker: tls_hostname=boot2docker [...]

I believe that the code will validate the certificate and check that the hostname on the certificate is "boot2docker" rather than the host's real hostname. (As tested here: #926 (comment).)
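The failure lorin hit and the fix abadger describes come down to one check: the certificate presented by the Docker daemon must name the host the client thinks it is talking to. Boot2Docker's certificate carries CN=boot2docker and no subjectAltName, so connecting by the VM's IP can never pass, while telling the client to expect the name "boot2docker" (the tls_hostname option) passes without turning verification off. The following is an added example, not code from this issue, from Ansible or from docker-py: a minimal RFC 6125-style hostname matcher of the kind behind the CertificateError quoted above, run against constructed certificate dicts shaped like ssl.SSLSocket.getpeercert(). The helper verify_daemon_identity and the certificate contents are assumptions for illustration; wildcard handling is deliberately stricter than Python's ssl module.

```python
import ipaddress


class CertificateError(ValueError):
    """Raised when the peer certificate does not cover the expected name."""


def _dnsname_match(pattern, hostname):
    """Match one dNSName (or CN) pattern against a hostname.

    Case-insensitive, trailing dots ignored. A wildcard is accepted only as a
    whole leftmost label with at least two labels after it ("*.example.test"),
    which is stricter than Python's ssl module but keeps the check simple.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    host_labels = hostname.split(".")
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        raise CertificateError("unsupported wildcard pattern %r" % pattern)
    if len(labels) < 3:
        raise CertificateError("wildcard pattern %r is too broad" % pattern)
    return len(labels) == len(host_labels) and labels[1:] == host_labels[1:]


def match_hostname(cert, hostname):
    """Return None if cert covers hostname, otherwise raise CertificateError.

    cert is a dict shaped like ssl.SSLSocket.getpeercert(). Rules follow
    RFC 6125 as ssl.match_hostname applied them: dNSName SANs are matched
    first, the subject CN is consulted only when no dNSName SAN is present,
    and IP Address SANs are matched only when hostname is an IP literal.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None

    if host_ip is not None:
        if any(ipaddress.ip_address(ip) == host_ip for ip in ip_names):
            return
    elif any(_dnsname_match(name, hostname) for name in dns_names):
        return

    candidates = ip_names + dns_names
    if not dns_names:
        # No dNSName SAN: fall back to the subject CN, as older clients did.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    if host_ip is None and _dnsname_match(value, hostname):
                        return
                    candidates.append(value)

    if not candidates:
        raise CertificateError("no appropriate commonName or subjectAltName fields were found")
    raise CertificateError("hostname %r doesn't match %s"
                           % (hostname, " or ".join(repr(c) for c in candidates)))


def verify_daemon_identity(connect_host, peer_cert, tls_hostname=None):
    """Hypothetical helper mirroring what the module's tls_hostname option does.

    connect_host is the address the socket was opened to (here the VM's IP);
    when tls_hostname is given, the certificate is checked against that name
    instead. Verification is never skipped: the fix for a name mismatch is to
    state the name the certificate carries, not to turn the check off.
    Returns the name that was verified.
    """
    expected = tls_hostname or connect_host
    match_hostname(peer_cert, expected)
    return expected


# Constructed stand-in for getpeercert() output of a boot2docker-style daemon
# certificate: CN=boot2docker and no subjectAltName, so an IP can never match.
BOOT2DOCKER_CERT = {
    "subject": ((("commonName", "boot2docker"),),),
    "issuer": ((("commonName", "boot2docker CA"),),),
}

# Constructed certificate that also names the daemon's IP in a SAN, which is
# how one would issue it to make connecting by IP verify cleanly.
SAN_CERT = {
    "subject": ((("commonName", "docker.example.test"),),),
    "subjectAltName": (("DNS", "docker.example.test"),
                       ("IP Address", "192.168.59.103")),
}


if __name__ == "__main__":
    try:
        verify_daemon_identity("192.168.59.103", BOOT2DOCKER_CERT)
    except CertificateError as err:
        print("by IP, no override:", err)
    print("verified as", verify_daemon_identity("192.168.59.103", BOOT2DOCKER_CERT,
                                               tls_hostname="boot2docker"))
    print("verified as", verify_daemon_identity("192.168.59.103", SAN_CERT))
```

The first call reproduces the quoted error text; the second shows the tls_hostname override passing against the same certificate; the third shows that a certificate with an IP Address SAN verifies by IP without any override. Disabling hostname assertion (docker-py's assert_hostname=False) would also silence the error, but it leaves any certificate signed by the CA acceptable for any address, which is why the override is the better fix.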
