docker_image TLS

Check commit enables using tls when using the docker_image module. It
also removes the default for docker_url which doesn't allow us to check
for DOCKER_HOST which is a more sane default. This allows you to use
docker_image on OSX but more documentation is needed.
This commit is contained in:
Michael Schuett 2015-06-30 02:25:28 -04:00 committed by Matt Clay
parent c8a7c25468
commit 75a61ae6e1

View file

@ -118,6 +118,7 @@ Remove image from local docker storage:
''' '''
import re import re
import os
from urlparse import urlparse from urlparse import urlparse
try: try:
@ -161,11 +162,90 @@ class DockerImageManager:
self.name = self.module.params.get('name') self.name = self.module.params.get('name')
self.tag = self.module.params.get('tag') self.tag = self.module.params.get('tag')
self.nocache = self.module.params.get('nocache') self.nocache = self.module.params.get('nocache')
docker_url = urlparse(module.params.get('docker_url'))
# Connect to the docker server using any configured host and TLS settings.
env_host = os.getenv('DOCKER_HOST')
env_docker_verify = os.getenv('DOCKER_TLS_VERIFY')
env_cert_path = os.getenv('DOCKER_CERT_PATH')
env_docker_hostname = os.getenv('DOCKER_TLS_HOSTNAME')
docker_url = module.params.get('docker_url')
if not docker_url:
if env_host:
docker_url = env_host
else:
docker_url = 'unix://var/run/docker.sock'
docker_api_version = module.params.get('docker_api_version')
tls_client_cert = module.params.get('tls_client_cert', None)
if not tls_client_cert and env_cert_path:
tls_client_cert = os.path.join(env_cert_path, 'cert.pem')
tls_client_key = module.params.get('tls_client_key', None)
if not tls_client_key and env_cert_path:
tls_client_key = os.path.join(env_cert_path, 'key.pem')
tls_ca_cert = module.params.get('tls_ca_cert')
if not tls_ca_cert and env_cert_path:
tls_ca_cert = os.path.join(env_cert_path, 'ca.pem')
tls_hostname = module.params.get('tls_hostname')
if tls_hostname is None:
if env_docker_hostname:
tls_hostname = env_docker_hostname
else:
parsed_url = urlparse(docker_url)
if ':' in parsed_url.netloc:
tls_hostname = parsed_url.netloc[:parsed_url.netloc.rindex(':')]
else:
tls_hostname = parsed_url
if not tls_hostname:
tls_hostname = True
# use_tls can be one of four values:
# no: Do not use tls
# encrypt: Use tls. We may do client auth. We will not verify the server
# verify: Use tls. We may do client auth. We will verify the server
# None: Only use tls if the parameters for client auth were specified
# or tls_ca_cert (which requests verifying the server with
# a specific ca certificate)
use_tls = module.params.get('use_tls')
if use_tls is None and env_docker_verify is not None:
use_tls = 'verify'
tls_config = None
if use_tls != 'no':
params = {}
# Setup client auth
if tls_client_cert and tls_client_key:
params['client_cert'] = (tls_client_cert, tls_client_key)
# We're allowed to verify the connection to the server
if use_tls == 'verify' or (use_tls is None and tls_ca_cert):
if tls_ca_cert:
params['ca_cert'] = tls_ca_cert
params['verify'] = True
params['assert_hostname'] = tls_hostname
else:
params['verify'] = True
params['assert_hostname'] = tls_hostname
elif use_tls == 'encrypt':
params['verify'] = False
if params:
# See https://github.com/docker/docker-py/blob/d39da11/docker/utils/utils.py#L279-L296
docker_url = docker_url.replace('tcp://', 'https://')
tls_config = docker.tls.TLSConfig(**params)
self.client = docker.Client( self.client = docker.Client(
base_url=docker_url.geturl(), base_url=docker_url.geturl(),
version=module.params.get('docker_api_version'), version=module.params.get('docker_api_version'),
timeout=module.params.get('timeout')) timeout=module.params.get('timeout'),
tls=tls_config)
self.changed = False self.changed = False
self.log = [] self.log = []
self.error_msg = None self.error_msg = None
@ -244,7 +324,12 @@ def main():
tag = dict(required=False, default="latest"), tag = dict(required=False, default="latest"),
nocache = dict(default=False, type='bool'), nocache = dict(default=False, type='bool'),
state = dict(default='present', choices=['absent', 'present', 'build']), state = dict(default='present', choices=['absent', 'present', 'build']),
docker_url = dict(default='unix://var/run/docker.sock'), use_tls = dict(default=None, choices=['no', 'encrypt', 'verify']),
tls_client_cert = dict(required=False, default=None, type='str'),
tls_client_key = dict(required=False, default=None, type='str'),
tls_ca_cert = dict(required=False, default=None, type='str'),
tls_hostname = dict(required=False, type='str', default=None),
docker_url = dict(),
docker_api_version = dict(required=False, docker_api_version = dict(required=False,
default=DEFAULT_DOCKER_API_VERSION, default=DEFAULT_DOCKER_API_VERSION,
type='str'), type='str'),