From 4b98193beab00bc6cf48762858570a1bd418c9ef Mon Sep 17 00:00:00 2001
From: David Calavera
Date: Fri, 8 Jan 2016 12:36:31 -0500
Subject: [PATCH] Add support for syslog over TLS.
Signed-off-by: David Calavera
---
 daemon/logger/syslog/syslog.go | 46 ++++++++++++++++++++++++------
 docs/reference/logging/overview.md | 19 +++++++++++-
 2 files changed, 56 insertions(+), 9 deletions(-)
diff --git a/daemon/logger/syslog/syslog.go b/daemon/logger/syslog/syslog.go
index 7d052a662f..f6861947a6 100644
--- a/daemon/logger/syslog/syslog.go
+++ b/daemon/logger/syslog/syslog.go
@@ -4,9 +4,9 @@ package syslog
 import (
+ "crypto/tls"
 "errors"
 "fmt"
- "log/syslog"
 "net"
 "net/url"
 "os"
@@ -14,13 +14,19 @@ import (
 "strconv"
 "strings"
+ syslog "github.com/RackSec/srslog"
+ "github.com/Sirupsen/logrus"
 "github.com/docker/docker/daemon/logger"
 "github.com/docker/docker/daemon/logger/loggerutils"
 "github.com/docker/docker/pkg/urlutil"
+ "github.com/docker/go-connections/tlsconfig"
 )
-const name = "syslog"
+const (
+ name = "syslog"
+ secureProto = "tcp+tls"
+)
 var facilities = map[string]syslog.Priority{
 "kern": syslog.LOG_KERN,
@@ -77,12 +83,19 @@ func New(ctx logger.Context) (logger.Logger, error) {
 return nil, err
 }
- log, err := syslog.Dial(
- proto,
- address,
- facility,
- path.Base(os.Args[0])+"/"+tag,
- )
+ logTag := path.Base(os.Args[0]) + "/" + tag
+
+ var log *syslog.Writer
+ if proto == secureProto {
+ tlsConfig, tlsErr := parseTLSConfig(ctx.Config)
+ if tlsErr != nil {
+ return nil, tlsErr
+ }
+ log, err = syslog.DialWithTLSConfig(proto, address, facility, logTag, tlsConfig)
+ } else {
+ log, err = syslog.Dial(proto, address, facility, logTag)
+ }
+
 if err != nil {
 return nil, err
 }
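Review bot: The `else` branch added here calls `syslog.Dial` without ever looking at the `syslog-tls-*` options, so a `syslog-address` whose scheme is `tcp://` instead of `tcp+tls://` — one character off — ships container logs in cleartext while the operator believes TLS is configured, and nothing in the hunk reports the mismatch. `proto` is already known at this point (it appears to come from the address parsing before the hunk, which is not shown), so the plaintext branch is a natural place to fail closed when any TLS option is present; the check below reuses the `fmt` import the file already has. The body of `New` continues past the end of the hunk.

```go
	} else {
		// Fail closed: TLS options on a non-TLS transport are a misconfiguration, not a no-op.
		for _, k := range []string{"syslog-tls-ca-cert", "syslog-tls-cert", "syslog-tls-key", "syslog-tls-skip-verify"} {
			if _, set := ctx.Config[k]; set {
				return nil, fmt.Errorf("log opt %s requires a tcp+tls syslog-address", k)
			}
		}
		log, err = syslog.Dial(proto, address, facility, logTag)
	}
```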
@@ -147,6 +160,10 @@ func ValidateLogOpt(cfg map[string]string) error {
 case "syslog-address":
 case "syslog-facility":
 case "syslog-tag":
+ case "syslog-tls-ca-cert":
+ case "syslog-tls-cert":
+ case "syslog-tls-key":
+ case "syslog-tls-skip-verify":
 case "tag":
 default:
 return fmt.Errorf("unknown log opt '%s' for syslog log driver", key)
@@ -177,3 +194,16 @@ func parseFacility(facility string) (syslog.Priority, error) {
 return syslog.Priority(0), errors.New("invalid syslog facility")
 }
+
+func parseTLSConfig(cfg map[string]string) (*tls.Config, error) {
+ _, skipVerify := cfg["syslog-tls-skip-verify"]
+
+ opts := tlsconfig.Options{
+ CAFile: cfg["syslog-tls-ca-cert"],
+ CertFile: cfg["syslog-tls-cert"],
+ KeyFile: cfg["syslog-tls-key"],
+ InsecureSkipVerify: skipVerify,
+ }
+
+ return tlsconfig.Client(opts)
+}
diff --git a/docs/reference/logging/overview.md b/docs/reference/logging/overview.md
index 8d91b0d1ad..4ef937b558 100644
--- a/docs/reference/logging/overview.md
+++ b/docs/reference/logging/overview.md
@@ -69,9 +69,13 @@ If `max-size` and `max-file` are set, `docker logs` only returns the log lines f
 The following logging options are supported for the `syslog` logging driver:
- --log-opt syslog-address=[tcp|udp]://host:port
+ --log-opt syslog-address=[tcp|udp|tcp+tls]://host:port
 --log-opt syslog-address=unix://path
 --log-opt syslog-facility=daemon
+ --log-opt syslog-tls-ca-cert=/etc/ca-certificates/custom/ca.pem
+ --log-opt syslog-tls-cert=/etc/ca-certificates/custom/cert.pem
+ --log-opt syslog-tls-key=/etc/ca-certificates/custom/key.pem
+ --log-opt syslog-tls-skip-verify=true
 --log-opt tag="mailer"
 `syslog-address` specifies the remote syslog server address where the driver connects to.
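Review bot: The new `case "syslog-tls-skip-verify":` accepts the key without inspecting its value, so option validation lets `syslog-tls-skip-verify=maybe` through and the mistake only surfaces (if at all) when the driver is constructed, rather than when the container is started. The documented contract is a boolean, so validation is the place to reject anything else: `case "syslog-tls-skip-verify":` / `if _, err := strconv.ParseBool(cfg[key]); err != nil {` / `return fmt.Errorf("invalid value for syslog-tls-skip-verify: %q", cfg[key])` (closing the `if`), using the `strconv` import the file already has. The surrounding loop and the rest of ValidateLogOpt lie outside the hunk, so I cannot tell from here whether the address scheme is available for a cross-check against the other `syslog-tls-*` keys.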
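Review bot: `_, skipVerify := cfg["syslog-tls-skip-verify"]` treats the mere presence of the key as consent to disable certificate verification, so `--log-opt syslog-tls-skip-verify=false` — the obvious way to write "keep verifying" — actually sets `InsecureSkipVerify: true` and leaves the TLS connection open to an active man-in-the-middle, the opposite of what the accompanying docs promise ("by setting this option to `true`"). Parse the value as a boolean and reject anything that does not parse; `strconv` and `fmt` are already imported in this file. Since this is a deliberate security downgrade, an operator-visible log line when it is in effect would also be worthwhile, but fixing the semantics comes first.

```go
func parseTLSConfig(cfg map[string]string) (*tls.Config, error) {
	// Only an explicit boolean true disables verification; presence alone must not.
	skipVerify := false
	if v, ok := cfg["syslog-tls-skip-verify"]; ok {
		b, err := strconv.ParseBool(v)
		if err != nil {
			return nil, fmt.Errorf("invalid value for syslog-tls-skip-verify: %q", v)
		}
		skipVerify = b
	}
	// … unchanged: tlsconfig.Options construction and tlsconfig.Client call …
```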
@@ -107,6 +111,19 @@ the following named facilities:
 * `local6`
 * `local7`
+`syslog-tls-ca-cert` specifies the absolute path to the trust certificates
+signed by the CA. This option is ignored if the address protocol is not `tcp+tls`.
+
+`syslog-tls-cert` specifies the absolute path to the TLS certificate file.
+This option is ignored if the address protocol is not `tcp+tls`.
+
+`syslog-tls-key` specifies the absolute path to the TLS key file.
+This option is ignored if the address protocol is not `tcp+tls`.
+
+`syslog-tls-skip-verify` configures the TLS verification.
+This verification is enabled by default, but it can be overriden by setting
+this option to `true`. This option is ignored if the address protocol is not `tcp+tls`.
+
 By default, Docker uses the first 12 characters of the container ID to tag log messages. Refer to the [log tag option documentation](log_tags.md) for customizing the log tag format.