kotovalexarian-likes-github
/
moby--moby
mirror of https://github.com/moby/moby.git
1
0
Fork 0
Code Releases Activity

Merge pull request #9259 from duglin/Issue9221 

Make --tlsverify enable tls regardless of value specified
This commit is contained in:
Michael Crosby 2014-11-20 17:41:31 -08:00
parent 5d67a3faea ae9bd580af
commit 532e502e9c
5 changed files with 43 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
docker/docker.go
View File

@ -83,9 +83,14 @@ func main() {
) )
tlsConfig.InsecureSkipVerify = true tlsConfig.InsecureSkipVerify = true
// Regardless of whether the user sets it to true or false, if they
// specify --tlsverify at all then we need to turn on tls
if flag.IsSet("-tlsverify") {
*flTls = true
}
// If we should verify the server, we need to load a trusted ca // If we should verify the server, we need to load a trusted ca
if *flTlsVerify { if *flTlsVerify {
*flTls = true
certPool := x509.NewCertPool() certPool := x509.NewCertPool()
file, err := ioutil.ReadFile(*flCa) file, err := ioutil.ReadFile(*flCa)
if err != nil { if err != nil {

2
docker/flags.go
View File

@ -35,7 +35,7 @@ var (
flSocketGroup = flag.String([]string{"G", "-group"}, "docker", "Group to assign the unix socket specified by -H when running in daemon mode\nuse '' (the empty string) to disable setting of a group") flSocketGroup = flag.String([]string{"G", "-group"}, "docker", "Group to assign the unix socket specified by -H when running in daemon mode\nuse '' (the empty string) to disable setting of a group")
flLogLevel = flag.String([]string{"l", "-log-level"}, "info", "Set the logging level") flLogLevel = flag.String([]string{"l", "-log-level"}, "info", "Set the logging level")
flEnableCors = flag.Bool([]string{"#api-enable-cors", "-api-enable-cors"}, false, "Enable CORS headers in the remote API") flEnableCors = flag.Bool([]string{"#api-enable-cors", "-api-enable-cors"}, false, "Enable CORS headers in the remote API")
flTls = flag.Bool([]string{"-tls"}, false, "Use TLS; implied by --tlsverify=true") flTls = flag.Bool([]string{"-tls"}, false, "Use TLS; implied by --tlsverify flag")
flTlsVerify = flag.Bool([]string{"-tlsverify"}, dockerTlsVerify, "Use TLS and verify the remote (daemon: verify client, client: verify daemon)") flTlsVerify = flag.Bool([]string{"-tlsverify"}, dockerTlsVerify, "Use TLS and verify the remote (daemon: verify client, client: verify daemon)")
// these are initialized in init() below since their default values depend on dockerCertPath which isn't fully initialized until init() runs // these are initialized in init() below since their default values depend on dockerCertPath which isn't fully initialized until init() runs

2
docs/sources/reference/commandline/cli.md
View File

@ -84,7 +84,7 @@ expect an integer, and they can only be specified once.
-s, --storage-driver="" Force the Docker runtime to use a specific storage driver -s, --storage-driver="" Force the Docker runtime to use a specific storage driver
--selinux-enabled=false Enable selinux support. SELinux does not presently support the BTRFS storage driver --selinux-enabled=false Enable selinux support. SELinux does not presently support the BTRFS storage driver
--storage-opt=[] Set storage driver options --storage-opt=[] Set storage driver options
--tls=false Use TLS; implied by --tlsverify=true --tls=false Use TLS; implied by --tlsverify flag
--tlscacert="/home/sven/.docker/ca.pem" Trust only remotes providing a certificate signed by the CA given here --tlscacert="/home/sven/.docker/ca.pem" Trust only remotes providing a certificate signed by the CA given here
--tlscert="/home/sven/.docker/cert.pem" Path to TLS certificate file --tlscert="/home/sven/.docker/cert.pem" Path to TLS certificate file
--tlskey="/home/sven/.docker/key.pem" Path to TLS key file --tlskey="/home/sven/.docker/key.pem" Path to TLS key file

25
integration-cli/docker_cli_run_test.go
View File

@ -2687,3 +2687,28 @@ func TestContainerNetworkMode(t *testing.T) {
logDone("run - container shared network namespace") logDone("run - container shared network namespace")
} }
func TestRunTLSverify(t *testing.T) {
cmd := exec.Command(dockerBinary, "ps")
out, ec, err := runCommandWithOutput(cmd)
if err != nil || ec != 0 {
t.Fatalf("Should have worked: %v:\n%v", err, out)
}
// Regardless of whether we specify true or false we need to
// test to make sure tls is turned on if --tlsverify is specified at all
cmd = exec.Command(dockerBinary, "--tlsverify=false", "ps")
out, ec, err = runCommandWithOutput(cmd)
if err == nil || ec == 0 || !strings.Contains(out, "trying to connect") {
t.Fatalf("Should have failed: \nec:%v\nout:%v\nerr:%v", ec, out, err)
}
cmd = exec.Command(dockerBinary, "--tlsverify=true", "ps")
out, ec, err = runCommandWithOutput(cmd)
if err == nil || ec == 0 || !strings.Contains(out, "cert") {
t.Fatalf("Should have failed: \nec:%v\nout:%v\nerr:%v", ec, out, err)
}
logDone("run - verify tls is set for --tlsverify")
}

10
pkg/mflag/flag.go
View File

@ -394,12 +394,22 @@ func (f *FlagSet) Lookup(name string) *Flag {
return f.formal[name] return f.formal[name]
} }
// Indicates whether the specified flag was specified at all on the cmd line
func (f *FlagSet) IsSet(name string) bool {
return f.actual[name] != nil
}
// Lookup returns the Flag structure of the named command-line flag, // Lookup returns the Flag structure of the named command-line flag,
// returning nil if none exists. // returning nil if none exists.
func Lookup(name string) *Flag { func Lookup(name string) *Flag {
return CommandLine.formal[name] return CommandLine.formal[name]
} }
// Indicates whether the specified flag was specified at all on the cmd line
func IsSet(name string) bool {
return CommandLine.IsSet(name)
}
// Set sets the value of the named flag. // Set sets the value of the named flag.
func (f *FlagSet) Set(name, value string) error { func (f *FlagSet) Set(name, value string) error {
flag, ok := f.formal[name] flag, ok := f.formal[name]