kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

Add unlock key rotation

Browse source 
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This commit is contained in:
Aaron Lehmann 2016-10-28 16:35:49 -07:00
parent 0f9fc54df9
commit a6030a50c9
4 changed files with 38 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
api/server/router/swarm/cluster_routes.go
View file

@ -87,6 +87,15 @@ func (sr *swarmRouter) updateCluster(ctx context.Context, w http.ResponseWriter,
flags.RotateManagerToken = rot flags.RotateManagerToken = rot
} }
if value := r.URL.Query().Get("rotateManagerUnlockKey"); value != "" {
rot, err := strconv.ParseBool(value)
if err != nil {
return fmt.Errorf("invalid value for rotateManagerUnlockKey: %s", value)
}
flags.RotateManagerUnlockKey = rot
}
if err := sr.backend.Update(version, swarm, flags); err != nil { if err := sr.backend.Update(version, swarm, flags); err != nil {
logrus.Errorf("Error configuring swarm: %v", err) logrus.Errorf("Error configuring swarm: %v", err)
return err return err

24
cli/command/swarm/unlock_key.go
View file

@ -5,6 +5,7 @@ import (
"github.com/spf13/cobra" "github.com/spf13/cobra"
"github.com/docker/docker/api/types/swarm"
"github.com/docker/docker/cli" "github.com/docker/docker/cli"
"github.com/docker/docker/cli/command" "github.com/docker/docker/cli/command"
"github.com/pkg/errors" "github.com/pkg/errors"
@ -23,7 +24,24 @@ func newUnlockKeyCommand(dockerCli *command.DockerCli) *cobra.Command {
ctx := context.Background() ctx := context.Background()
if rotate { if rotate {
// FIXME(aaronl) flags := swarm.UpdateFlags{RotateManagerUnlockKey: true}
swarm, err := client.SwarmInspect(ctx)
if err != nil {
return err
}
if !swarm.Spec.EncryptionConfig.AutoLockManagers {
return errors.New("cannot rotate because autolock is not turned on")
}
err = client.SwarmUpdate(ctx, swarm.Version, swarm.Spec, flags)
if err != nil {
return err
}
if !quiet {
fmt.Fprintf(dockerCli.Out(), "Successfully rotated manager unlock key.\n\n")
}
} }
unlockKeyResp, err := client.SwarmGetUnlockKey(ctx) unlockKeyResp, err := client.SwarmGetUnlockKey(ctx)
@ -31,6 +49,10 @@ func newUnlockKeyCommand(dockerCli *command.DockerCli) *cobra.Command {
return errors.Wrap(err, "could not fetch unlock key") return errors.Wrap(err, "could not fetch unlock key")
} }
if unlockKeyResp.UnlockKey == "" {
return errors.New("no unlock key is set")
}
if quiet { if quiet {
fmt.Fprintln(dockerCli.Out(), unlockKeyResp.UnlockKey) fmt.Fprintln(dockerCli.Out(), unlockKeyResp.UnlockKey)
} else { } else {

1
client/swarm_update.go
View file

@ -15,6 +15,7 @@ func (cli *Client) SwarmUpdate(ctx context.Context, version swarm.Version, swarm
query.Set("version", strconv.FormatUint(version.Index, 10)) query.Set("version", strconv.FormatUint(version.Index, 10))
query.Set("rotateWorkerToken", fmt.Sprintf("%v", flags.RotateWorkerToken)) query.Set("rotateWorkerToken", fmt.Sprintf("%v", flags.RotateWorkerToken))
query.Set("rotateManagerToken", fmt.Sprintf("%v", flags.RotateManagerToken)) query.Set("rotateManagerToken", fmt.Sprintf("%v", flags.RotateManagerToken))
query.Set("rotateManagerUnlockKey", fmt.Sprintf("%v", flags.RotateManagerUnlockKey))
resp, err := cli.post(ctx, "/swarm/update", query, swarm, nil) resp, err := cli.post(ctx, "/swarm/update", query, swarm, nil)
ensureReaderClosed(resp) ensureReaderClosed(resp)
return err return err

5
daemon/cluster/cluster.go
View file

@ -558,6 +558,11 @@ func (c *Cluster) GetUnlockKey() (string, error) {
return "", err return "", err
} }
if len(r.UnlockKey) == 0 {
// no key
return "", nil
}
return encryption.HumanReadableKey(r.UnlockKey), nil return encryption.HumanReadableKey(r.UnlockKey), nil
} }