support for MDM certificates restored

README.md

@@ -9,17 +9,36 @@ This image runs EMC ScaleIO as a container.
 The following environment variables are also honored for configuring your ScaleIO Gateway instance:
 * `-e GW_PASSWORD=` (Gateway password, defaults to `Scaleio123`)
 * `-e MDM1_IP_ADDRESS=` and `-e MDM2_IP_ADDRESS=` (MDM IP addresses)
+* `-e MDM1_CRT=` and `-e MDM2_CRT=` (manually add the MDM public certificates to the truststore)
 * `-e TRUST_MDM_CRT=` (if variable is set with a non empty value will the MDM certifates being trusted)
 * `-e GW_KEY=` and `-e GW_CRT=` (public certifcate and private key to be used)
 * `-e BYPASS_CRT_CHECK=` (if variable is set with a non empty value will the certificate check for the MDMs bypassed)
 
 ### Examples
 
-```docker run -d --name=scaleio-gw --restart=always -p 443:443 -e GW_PASSWORD=Scaleio123 -e BYPASS_CRT_CHECK=true -e MDM1_IP_ADDRESS=192.168.100.1 -e MDM2_IP_ADDRESS=192.168.100.2 vchrisb/scaleio-gw```
+```docker run -d --name=scaleio-gw --restart=always -p 443:443 -e GW_PASSWORD=Scaleio123 -e MDM1_IP_ADDRESS=192.168.100.1 -e MDM2_IP_ADDRESS=192.168.100.2 -e TRUST_MDM_CRT=true vchrisb/scaleio-gw```
 
-```docker run -d --name=scaleio-gw --restart=always -p 443:443 -e GW_PASSWORD=Scaleio123 -e MDM1_IP_ADDRESS=$MDM1_IP_ADDRESS -e MDM2_IP_ADDRESS=$MDM2_IP_ADDRESS -e MDM1_CRT="$MDM1_CRT" -e MDM2_CRT="$MDM2_CRT" vchrisb/scaleio-gw```
+```docker run -d --name scaleio-gw --restart=always -p 443:443 -e GW_PASSWORD=Scaleio123 -e MDM1_IP_ADDRESS=192.168.100.1 -e MDM2_IP_ADDRESS=192.168.100.2 -e TRUST_MDM_CRT=true -e GW_KEY="$GW_KEY" -e GW_CRT="$GW_CRT" vchrisb/scaleio-gw```
 
-```docker run -d --name scaleio-gw --restart=always -p 443:443 -e GW_PASSWORD=Scaleio123 -e MDM1_IP_ADDRESS=$MDM1_IP_ADDRESS -e MDM2_IP_ADDRESS=$MDM2_IP_ADDRESS -e MDM1_CRT="$MDM1_CRT" -e MDM2_CRT="$MDM2_CRT" -e GW_KEY="$GW_KEY" -e GW_CRT="$GW_CRT" -e ROOT_CRT="$ROOT_CRT" -e INTERMEDIATE_CRT="$INTERMEDIATE_CRT" vchrisb/scaleio-gw```
+## certificates
+
+### MDM certificates
+
+Following commands can be used to get the `MDM1`and `MDM2` certificates:
+```
+export MDM1_IP_ADDRESS=x.x.x.x
+export MDM2_IP_ADDRESS=x.x.x.x
+export MDM1_CRT=$(ssh -q $MDM1_IP_ADDRESS sudo cat /opt/emc/scaleio/mdm/cfg/mdm_management_certificate.pem | sed -n -e '/-----BEGIN CERTIFICATE-----/,$p' | sed ':a;N;$!ba;s/\n/\\n/g')
+export MDM2_CRT=$(ssh -q $MDM2_IP_ADDRESS sudo cat /opt/emc/scaleio/mdm/cfg/mdm_management_certificate.pem | sed -n -e '/-----BEGIN CERTIFICATE-----/,$p' | sed ':a;N;$!ba;s/\n/\\n/g')
+```
+
+If `requiretty` is not enabled in sudoers, please use following commands instead:
+```
+export MDM1_IP_ADDRESS=x.x.x.x  
+export MDM2_IP_ADDRESS=x.x.x.x  
+export MDM1_CRT=$(ssh -qt $MDM1_IP_ADDRESS sudo cat /opt/emc/scaleio/mdm/cfg/mdm_management_certificate.pem | sed -n -e '/-----BEGIN CERTIFICATE-----/,$p' | tr -d "\r" | sed ':a;N;$!ba;s/\n/\\n/g')
+export MDM2_CRT=$(ssh -qt $MDM2_IP_ADDRESS sudo cat /opt/emc/scaleio/mdm/cfg/mdm_management_certificate.pem | sed -n -e '/-----BEGIN CERTIFICATE-----/,$p' | tr -d "\r" | sed ':a;N;$!ba;s/\n/\\n/g')
+```
 
 ## DC/OS with RexRay
 

docker-entrypoint.sh

@@ -59,17 +59,24 @@ if [ -v MDM1_IP_ADDRESS ] && [ -v MDM2_IP_ADDRESS ]; then
 	TOKEN=$(curl --silent --insecure --user admin:$GW_PASSWORD https://localhost/api/gatewayLogin  | sed 's:^.\(.*\).$:\1:')
 	if [ -v TRUST_MDM_CRT ]; then
 		echo "trust MDM1 host certificate"
-		curl --silent --insecure  --user :$TOKEN -X GET https://localhost/api/getHostCertificate/Mdm?host=$MDM1_IP_ADDRESS > /tmp/mdm.cer
-		curl --silent --insecure --user :$TOKEN -X POST -H "Content-Type: multipart/form-data" -F "file=@/tmp/mdm.cer" https://localhost/api/trustHostCertificate/Mdm
+		curl --silent --show-error --insecure --user :$TOKEN -X GET https://localhost/api/getHostCertificate/Mdm?host=$MDM1_IP_ADDRESS > /tmp/mdm.cer
+		curl --silent --show-error --insecure --user :$TOKEN -X POST -H "Content-Type: multipart/form-data" -F "file=@/tmp/mdm.cer" https://localhost/api/trustHostCertificate/Mdm
 		echo "trust MDM2 host certificate"
-		curl --silent --insecure  --user :$TOKEN -X GET https://localhost/api/getHostCertificate/Mdm?host=$MDM2_IP_ADDRESS> /tmp/mdm.cer
-		curl --silent --insecure --user :$TOKEN -X POST -H "Content-Type: multipart/form-data" -F "file=@/tmp/mdm.cer" https://localhost/api/trustHostCertificate/Mdm
+		curl --silent --show-error --insecure --user :$TOKEN -X GET https://localhost/api/getHostCertificate/Mdm?host=$MDM2_IP_ADDRESS> /tmp/mdm.cer
+		curl --silent --show-error --insecure --user :$TOKEN -X POST -H "Content-Type: multipart/form-data" -F "file=@/tmp/mdm.cer" https://localhost/api/trustHostCertificate/Mdm
+	elif [ -v MDM1_CRT ] && [ -v MDM2_CRT ]; then
+		echo "trust provided MDM1 host certificate"
+		echo -e "$MDM1_CRT" > /tmp/mdm.cer
+		curl --silent --show-error --insecure --user :$TOKEN -X POST -H "Content-Type: multipart/form-data" -F "file=@/tmp/mdm.cer" https://localhost/api/trustHostCertificate/Mdm
+		echo "trust provided MDM2 host certificate"
+		echo -e "$MDM2_CRT" > /tmp/mdm.cer
+		curl --silent --show-error --insecure --user :$TOKEN -X POST -H "Content-Type: multipart/form-data" -F "file=@/tmp/mdm.cer" https://localhost/api/trustHostCertificate/Mdm
 	fi
 	echo "Adding MDM1 and MDM2 IP addresses to gateway configuration"
 	CONTENT='{"mdmAddresses":["'$MDM1_IP_ADDRESS'", "'$MDM2_IP_ADDRESS'"]}'
-	curl --silent --insecure --user :$TOKEN -X POST -H "Content-Type: application/json" -d "${CONTENT}" https://localhost/api/updateConfiguration
+	curl --silent --show-error --insecure --user :$TOKEN -X POST -H "Content-Type: application/json" -d "${CONTENT}" https://localhost/api/updateConfiguration
 	#logout
-	curl --silent --insecure --user :$TOKEN https://localhost/api/gatewayLogout
+	curl --silent --show-error --insecure --user :$TOKEN https://localhost/api/gatewayLogout
 fi
 
 wait $PID