
docker: improve TLS config #53906

Merged
merged 8 commits into from
Mar 17, 2019

Conversation

felixfontein
Contributor

SUMMARY

This PR does several things:

  • unify TLS setup for inventory plugin and docker modules (not done yet)
  • make tls and tls_verify options no longer mutually exclusive, and let tls_verify (host verification) take precedence over tls (no host verification) in case both are set to yes.

This also fixes #15614 and makes #51271 no longer necessary.

ISSUE TYPE
  • Bugfix Pull Request
  • Feature Pull Request
COMPONENT NAME

lib/ansible/module_utils/docker/common.py
lib/ansible/plugins/doc_fragments/docker.py
lib/ansible/plugins/inventory/docker_swarm.py

@ansibot ansibot added WIP This issue/PR is a work in progress. Nevertheless it was shared for getting input from peers. affects_2.8 This issue/PR affects Ansible v2.8 bug This issue/PR relates to a bug. cloud docker inventory Inventory category module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. support:community This issue/PR relates to code supported by the Ansible community. labels Mar 16, 2019
@felixfontein
Contributor Author

bot_status

@ansibot
Contributor

ansibot commented Mar 16, 2019

Components

lib/ansible/module_utils/docker/common.py
support: community
maintainers: DBendit WojciechowskiPiotr akshay196 danihodovic dariko felixfontein jwitko kassiansun tbouvet

lib/ansible/modules/cloud/docker/docker_container.py
support: community
maintainers: DBendit WojciechowskiPiotr akshay196 chouseknecht cove danihodovic dariko dusdanig felixfontein joshuaconner jwitko kassiansun softzilla tbouvet zfil

lib/ansible/plugins/doc_fragments/docker.py
support: community
maintainers: DBendit WojciechowskiPiotr akshay196 danihodovic dariko felixfontein jwitko kassiansun tbouvet

lib/ansible/plugins/inventory/docker_swarm.py
support: community
maintainers: DBendit WojciechowskiPiotr akshay196 danihodovic dariko felixfontein jwitko kassiansun tbouvet

Metadata

waiting_on: maintainer
changes_requested_by: null
needs_info: False
needs_revision: False
needs_rebase: False
merge_commits: []
too many files or commits: False
mergeable_state: unstable
shippable_status: pending
maintainer_shipits (module maintainers): False
community_shipits (namespace maintainers): False
ansible_shipits (core team members): False
shipit_actors (maintainer or core team member): None
shipit_actors_other:
automerge: automerge shipit test failed


@felixfontein
Contributor Author

Looks like either ansibot didn't update its metadata, or something else doesn't work so that @morph027 isn't notified.

@morph027
Contributor

Hah, now I am ;) Will look into it.

@felixfontein felixfontein changed the title [WIP] docker: improve TLS config docker: improve TLS config Mar 16, 2019
@ansibot ansibot added community_review In order to be merged, this PR must follow the community review workflow. and removed WIP This issue/PR is a work in progress. Nevertheless it was shared for getting input from peers. labels Mar 16, 2019
@ansibot ansibot added needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed community_review In order to be merged, this PR must follow the community review workflow. labels Mar 17, 2019
@ansibot ansibot added community_review In order to be merged, this PR must follow the community review workflow. and removed needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Mar 17, 2019
@morph027
Contributor

Besides my 2 little findings, I just tested successfully w/ and w/o TLS 🎉

@@ -29,7 +29,9 @@
required: true
choices: docker_swarm
host:
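Review bot: the option key on the `host:` line should be `docker_host`, the name under which the inventory plugin looks the setting up and the name the docker_* modules and the docker.py doc fragment already use; with the names out of sync the plugin's option lookup fails when the inventory file is loaded, and the examples in the plugin documentation need the same rename.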
Contributor


needs to be renamed to docker_host or we'll get this warning:

 [WARNING]:  * Failed to parse /home/morph/ansible/docker_swarm.yml with auto plugin: 'Requested entry (plugin_type:
inventory plugin: docker_swarm setting: docker_host ) was not defined in configuration.'

Applies to examples too

Contributor Author


Done. It would also be enough to fix line 151, but I think docker_host is somewhat better than host since it's the same name for the docker_* modules.

raise AnsibleError('Argument to timeout function must be an integer')
update_tls_hostname(raw_params)
connect_params = get_connect_params(raw_params, fail_function=self._fail)
self.client = docker.DockerClient(**get_connect_params)
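Review bot: `docker.DockerClient(**get_connect_params)` on the last line unpacks the function object rather than the dict it returned into `connect_params` on the line above, so the client construction raises a TypeError at runtime; it should read `self.client = docker.DockerClient(**connect_params)`. The `update_tls_hostname(raw_params)` call discards its return value, which suggests it edits `raw_params` in place; a short comment stating that side effect would help the next reader.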
Contributor


Not self.client = docker.DockerClient(**connect_params) ?

Contributor Author


Yeah, good spot! Fixed.

@ansibot ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed community_review In order to be merged, this PR must follow the community review workflow. labels Mar 17, 2019
@WojciechowskiPiotr
Contributor

  • make tls and tls_verify options no longer mutually exclusive, and let tls_verify (host verification) take precedence over tls (no host verification) in case both are set to yes.

Just to confirm - if you provide only tls_verify, or both tls_verify and tls, it will run in tls_verify mode?

@ansibot ansibot removed the needs_triage Needs a first human triage before being processed. label Mar 17, 2019

def get_connect_params(auth, fail_function):
if auth['tls'] or auth['tls_verify']:
auth['docker_host'] = auth['docker_host'].replace('tcp://', 'https://')
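Review bot: the `tcp://` to `https://` rewrite assigns back into `auth['docker_host']`, so `get_connect_params` modifies the caller's `auth` dict as a side effect and anyone reusing `auth` afterwards sees the rewritten URL; either work on a copy or document the mutation. Since the guard is `auth['tls'] or auth['tls_verify']`, `tls=yes` on its own produces an https URL with no verification of the daemon's certificate, which is the behaviour the PR description states; the option documentation should make clear that `tls` alone only encrypts the transport and that `tls_verify` is the setting to recommend.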
Contributor


I would drop it. Let the docker library handle this if tcp:// is provided. The kwargs_from_env from docker.utils handles that, also parse_host method.

Contributor Author


I would keep it for this PR, and remove it in another PR, so that this refactoring doesn't change any behavior. Just in case this has some impact somewhere, it can be undone quickly without reverting everything from this PR :)

(Also, we're not using kwargs_from_env.)

Contributor


No problem. If all integration tests are still good then, we may leave it to the docker library to change it or not.

Contributor Author


All failing integration tests are unrelated (installing packages for Fedora fails a lot), at least so far. So it probably is fine :) Could you test whether you can still connect to your swarm with TLS both with the inventory plugin and some of the docker_* modules? If yes, I'd like to get this merged soon (especially since every CI run takes foreeeever and has so many unrelated problems :) ).

@felixfontein
Contributor Author

Just to confirm - if you provide only the tls_verify or both the tls_verify and tls it will run in tls_verify mode?

Yes (assuming they are set to yes). If any one of them is set to yes, TLS is enabled, and if tls_verify is set to yes, verification will be used.
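The precedence rule confirmed above, written out as an added example that is not Ansible's or this PR's code; the function, parameter and key names are assumptions, and the returned `tls` dict mirrors the kind of arguments the docker SDK's TLSConfig takes rather than calling the SDK itself:

```python
# Added example, not Ansible's own code: a minimal model of how the PR's
# tls / tls_verify options resolve into Docker connection parameters.
# Function, parameter and key names are assumptions for illustration only.
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse


def resolve_tls_connect_params(
    docker_host: str,
    tls: bool = False,
    tls_verify: bool = False,
    ca_cert: Optional[str] = None,
    client_cert: Optional[str] = None,
    client_key: Optional[str] = None,
    tls_hostname: Optional[str] = None,
) -> Dict[str, object]:
    """Apply the precedence rule described in the PR:

    - tls or tls_verify set: TLS is enabled and a tcp:// host becomes https://
    - tls_verify set: the daemon's certificate and hostname are verified
      (tls_verify wins over tls when both are set)
    - tls alone: encrypted transport, but no verification of the daemon
    """
    if not (tls or tls_verify):
        # No TLS requested: keep the URL (tcp:// or unix://) untouched.
        return {"base_url": docker_host, "tls": None}

    # Return a new dict instead of rewriting the caller's settings in place.
    base_url = docker_host.replace("tcp://", "https://")
    client_pair: Optional[Tuple[str, str]] = None
    if client_cert and client_key:
        client_pair = (client_cert, client_key)  # client certificate auth

    tls_cfg: Dict[str, object] = {
        "client_cert": client_pair,
        "verify": False,          # tls=yes alone: no server verification
        "assert_hostname": None,
    }
    if tls_verify:
        # ca_cert pins the daemon's CA; without it the system trust store
        # is used (assumed behaviour, modelled on the docker SDK's TLSConfig).
        tls_cfg["verify"] = ca_cert if ca_cert else True
        tls_cfg["assert_hostname"] = tls_hostname or urlparse(base_url).hostname
    return {"base_url": base_url, "tls": tls_cfg}
```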

@felixfontein
Contributor Author

Did you test both the inventory plugin and the regular docker_* modules (I guess one suffices, since they all use the same setup code) with TLS?

@morph027
Contributor

I only tested the inventory plugin... did not yet use the others.

@WojciechowskiPiotr
Contributor

I will test the modules later today.

@WojciechowskiPiotr
Contributor

Tested docker_swarm_facts and docker_node_facts - both working fine, but I use only the tls parameter at the moment.

@felixfontein
Contributor Author

Does one of you have a chance to test this with TLS verification? If not, we can probably just merge now. The part of the code which decides between verification and not looks "harmless" enough so that should still work (assuming it ever worked, that is :) ).

@morph027
Contributor

Will do.

@morph027
Contributor

TLS with client cert auth works 👍

@felixfontein
Contributor Author

Awesome! I'll try to get this merged soon. Once the tests pass...

@felixfontein
Contributor Author

shipit

@WojciechowskiPiotr
Contributor

shipit

@felixfontein
Contributor Author

ansibot is busy processing old issues/PRs, it will take some more time until it will reprocess this PR...

@ansibot ansibot added automerge This PR was automatically merged by ansibot. shipit This PR is ready to be merged by Core and removed needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Mar 17, 2019
@ansibot ansibot merged commit 29d6418 into ansible:devel Mar 17, 2019
@felixfontein
Contributor Author

That was faster than I hoped. Good for us :D

@WojciechowskiPiotr @morph027 thanks a lot for reviewing and testing!

@felixfontein felixfontein deleted the docker-tls-config branch March 17, 2019 21:12
@ansible ansible locked and limited conversation to collaborators Jul 25, 2019
Successfully merging this pull request may close these issues.

docker_common TLS and TLS_Verify not mutually exclusive.