1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Add support for syslog over TLS.

Signed-off-by: David Calavera <david.calavera@gmail.com>
This commit is contained in:
David Calavera 2016-01-08 12:36:31 -05:00
parent 145f020122
commit 4b98193bea
2 changed files with 56 additions and 9 deletions

View file

@ -4,9 +4,9 @@
package syslog
import (
"crypto/tls"
"errors"
"fmt"
"log/syslog"
"net"
"net/url"
"os"
@ -14,13 +14,19 @@ import (
"strconv"
"strings"
syslog "github.com/RackSec/srslog"
"github.com/Sirupsen/logrus"
"github.com/docker/docker/daemon/logger"
"github.com/docker/docker/daemon/logger/loggerutils"
"github.com/docker/docker/pkg/urlutil"
"github.com/docker/go-connections/tlsconfig"
)
const name = "syslog"
const (
name = "syslog"
secureProto = "tcp+tls"
)
var facilities = map[string]syslog.Priority{
"kern": syslog.LOG_KERN,
@ -77,12 +83,19 @@ func New(ctx logger.Context) (logger.Logger, error) {
return nil, err
}
log, err := syslog.Dial(
proto,
address,
facility,
path.Base(os.Args[0])+"/"+tag,
)
logTag := path.Base(os.Args[0]) + "/" + tag
var log *syslog.Writer
if proto == secureProto {
tlsConfig, tlsErr := parseTLSConfig(ctx.Config)
if tlsErr != nil {
return nil, tlsErr
}
log, err = syslog.DialWithTLSConfig(proto, address, facility, logTag, tlsConfig)
} else {
log, err = syslog.Dial(proto, address, facility, logTag)
}
if err != nil {
return nil, err
}
@ -147,6 +160,10 @@ func ValidateLogOpt(cfg map[string]string) error {
case "syslog-address":
case "syslog-facility":
case "syslog-tag":
case "syslog-tls-ca-cert":
case "syslog-tls-cert":
case "syslog-tls-key":
case "syslog-tls-skip-verify":
case "tag":
default:
return fmt.Errorf("unknown log opt '%s' for syslog log driver", key)
@ -177,3 +194,16 @@ func parseFacility(facility string) (syslog.Priority, error) {
return syslog.Priority(0), errors.New("invalid syslog facility")
}
func parseTLSConfig(cfg map[string]string) (*tls.Config, error) {
_, skipVerify := cfg["syslog-tls-skip-verify"]
opts := tlsconfig.Options{
CAFile: cfg["syslog-tls-ca-cert"],
CertFile: cfg["syslog-tls-cert"],
KeyFile: cfg["syslog-tls-key"],
InsecureSkipVerify: skipVerify,
}
return tlsconfig.Client(opts)
}

View file

@ -69,9 +69,13 @@ If `max-size` and `max-file` are set, `docker logs` only returns the log lines f
The following logging options are supported for the `syslog` logging driver:
--log-opt syslog-address=[tcp|udp]://host:port
--log-opt syslog-address=[tcp|udp|tcp+tls]://host:port
--log-opt syslog-address=unix://path
--log-opt syslog-facility=daemon
--log-opt syslog-tls-ca-cert=/etc/ca-certificates/custom/ca.pem
--log-opt syslog-tls-cert=/etc/ca-certificates/custom/cert.pem
--log-opt syslog-tls-key=/etc/ca-certificates/custom/key.pem
--log-opt syslog-tls-skip-verify=true
--log-opt tag="mailer"
`syslog-address` specifies the remote syslog server address where the driver connects to.
@ -107,6 +111,19 @@ the following named facilities:
* `local6`
* `local7`
`syslog-tls-ca-cert` specifies the absolute path to the trust certificates
signed by the CA. This option is ignored if the address protocol is not `tcp+tls`.
`syslog-tls-cert` specifies the absolute path to the TLS certificate file.
This option is ignored if the address protocol is not `tcp+tls`.
`syslog-tls-key` specifies the absolute path to the TLS key file.
This option is ignored if the address protocol is not `tcp+tls`.
`syslog-tls-skip-verify` configures the TLS verification.
This verification is enabled by default, but it can be overriden by setting
this option to `true`. This option is ignored if the address protocol is not `tcp+tls`.
By default, Docker uses the first 12 characters of the container ID to tag log messages.
Refer to the [log tag option documentation](log_tags.md) for customizing
the log tag format.