2016-09-08 13:11:39 -04:00
|
|
|
package swarm
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/csv"
|
2017-04-25 18:40:46 -04:00
|
|
|
"encoding/pem"
|
2016-09-08 13:11:39 -04:00
|
|
|
"fmt"
|
2017-04-25 18:40:46 -04:00
|
|
|
"io/ioutil"
|
2016-09-08 13:11:39 -04:00
|
|
|
"strings"
|
|
|
|
"time"
|
|
|
|
|
2017-05-15 08:45:19 -04:00
|
|
|
"github.com/docker/cli/opts"
|
2016-09-08 13:11:39 -04:00
|
|
|
"github.com/docker/docker/api/types/swarm"
|
2017-03-09 13:23:45 -05:00
|
|
|
"github.com/pkg/errors"
|
2016-09-08 13:11:39 -04:00
|
|
|
"github.com/spf13/pflag"
|
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
defaultListenAddr = "0.0.0.0:2377"
|
|
|
|
|
2018-07-28 22:44:11 -04:00
|
|
|
flagCertExpiry = "cert-expiry"
|
|
|
|
flagDispatcherHeartbeat = "dispatcher-heartbeat"
|
|
|
|
flagListenAddr = "listen-addr"
|
|
|
|
flagAdvertiseAddr = "advertise-addr"
|
|
|
|
flagDataPathAddr = "data-path-addr"
|
|
|
|
flagDefaultAddrPool = "default-addr-pool"
|
|
|
|
flagDefaultAddrPoolMaskLength = "default-addr-pool-mask-length"
|
|
|
|
flagQuiet = "quiet"
|
|
|
|
flagRotate = "rotate"
|
|
|
|
flagToken = "token"
|
|
|
|
flagTaskHistoryLimit = "task-history-limit"
|
|
|
|
flagExternalCA = "external-ca"
|
|
|
|
flagMaxSnapshots = "max-snapshots"
|
|
|
|
flagSnapshotInterval = "snapshot-interval"
|
|
|
|
flagAutolock = "autolock"
|
|
|
|
flagAvailability = "availability"
|
|
|
|
flagCACert = "ca-cert"
|
|
|
|
flagCAKey = "ca-key"
|
2016-09-08 13:11:39 -04:00
|
|
|
)
|
|
|
|
|
|
|
|
type swarmOptions struct {
|
2017-06-20 14:41:40 -04:00
|
|
|
swarmCAOptions
|
2016-09-08 13:11:39 -04:00
|
|
|
taskHistoryLimit int64
|
|
|
|
dispatcherHeartbeat time.Duration
|
2016-11-02 15:29:51 -04:00
|
|
|
maxSnapshots uint64
|
|
|
|
snapshotInterval uint64
|
2016-10-27 21:50:49 -04:00
|
|
|
autolock bool
|
2016-09-08 13:11:39 -04:00
|
|
|
}
|
|
|
|
|
2016-11-01 15:11:38 -04:00
|
|
|
// NodeAddrOption is a pflag.Value for listening addresses
|
2016-09-08 13:11:39 -04:00
|
|
|
type NodeAddrOption struct {
|
|
|
|
addr string
|
|
|
|
}
|
|
|
|
|
|
|
|
// String prints the representation of this flag
|
|
|
|
func (a *NodeAddrOption) String() string {
|
|
|
|
return a.Value()
|
|
|
|
}
|
|
|
|
|
|
|
|
// Set the value for this flag
|
|
|
|
func (a *NodeAddrOption) Set(value string) error {
|
|
|
|
addr, err := opts.ParseTCPAddr(value, a.addr)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
a.addr = addr
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Type returns the type of this flag
|
|
|
|
func (a *NodeAddrOption) Type() string {
|
|
|
|
return "node-addr"
|
|
|
|
}
|
|
|
|
|
|
|
|
// Value returns the value of this option as addr:port
|
|
|
|
func (a *NodeAddrOption) Value() string {
|
|
|
|
return strings.TrimPrefix(a.addr, "tcp://")
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewNodeAddrOption returns a new node address option
|
|
|
|
func NewNodeAddrOption(addr string) NodeAddrOption {
|
|
|
|
return NodeAddrOption{addr}
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewListenAddrOption returns a NodeAddrOption with default values
|
|
|
|
func NewListenAddrOption() NodeAddrOption {
|
|
|
|
return NewNodeAddrOption(defaultListenAddr)
|
|
|
|
}
|
|
|
|
|
|
|
|
// ExternalCAOption is a Value type for parsing external CA specifications.
|
|
|
|
type ExternalCAOption struct {
|
|
|
|
values []*swarm.ExternalCA
|
|
|
|
}
|
|
|
|
|
|
|
|
// Set parses an external CA option.
|
|
|
|
func (m *ExternalCAOption) Set(value string) error {
|
|
|
|
parsed, err := parseExternalCA(value)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
m.values = append(m.values, parsed)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Type returns the type of this option.
|
|
|
|
func (m *ExternalCAOption) Type() string {
|
|
|
|
return "external-ca"
|
|
|
|
}
|
|
|
|
|
|
|
|
// String returns a string repr of this option.
|
|
|
|
func (m *ExternalCAOption) String() string {
|
|
|
|
externalCAs := []string{}
|
|
|
|
for _, externalCA := range m.values {
|
|
|
|
repr := fmt.Sprintf("%s: %s", externalCA.Protocol, externalCA.URL)
|
|
|
|
externalCAs = append(externalCAs, repr)
|
|
|
|
}
|
|
|
|
return strings.Join(externalCAs, ", ")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Value returns the external CAs
|
|
|
|
func (m *ExternalCAOption) Value() []*swarm.ExternalCA {
|
|
|
|
return m.values
|
|
|
|
}
|
|
|
|
|
2017-05-08 17:37:36 -04:00
|
|
|
// PEMFile represents the path to a pem-formatted file
|
|
|
|
type PEMFile struct {
|
|
|
|
path, contents string
|
|
|
|
}
|
|
|
|
|
|
|
|
// Type returns the type of this option.
|
|
|
|
func (p *PEMFile) Type() string {
|
|
|
|
return "pem-file"
|
|
|
|
}
|
|
|
|
|
|
|
|
// String returns the path to the pem file
|
|
|
|
func (p *PEMFile) String() string {
|
|
|
|
return p.path
|
|
|
|
}
|
|
|
|
|
|
|
|
// Set parses a root rotation option
|
|
|
|
func (p *PEMFile) Set(value string) error {
|
|
|
|
contents, err := ioutil.ReadFile(value)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if pemBlock, _ := pem.Decode(contents); pemBlock == nil {
|
|
|
|
return errors.New("file contents must be in PEM format")
|
|
|
|
}
|
|
|
|
p.contents, p.path = string(contents), value
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Contents returns the contents of the PEM file
|
|
|
|
func (p *PEMFile) Contents() string {
|
|
|
|
return p.contents
|
|
|
|
}
|
|
|
|
|
2016-09-08 13:11:39 -04:00
|
|
|
// parseExternalCA parses an external CA specification from the command line,
|
|
|
|
// such as protocol=cfssl,url=https://example.com.
|
|
|
|
func parseExternalCA(caSpec string) (*swarm.ExternalCA, error) {
|
|
|
|
csvReader := csv.NewReader(strings.NewReader(caSpec))
|
|
|
|
fields, err := csvReader.Read()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
externalCA := swarm.ExternalCA{
|
|
|
|
Options: make(map[string]string),
|
|
|
|
}
|
|
|
|
|
|
|
|
var (
|
|
|
|
hasProtocol bool
|
|
|
|
hasURL bool
|
|
|
|
)
|
|
|
|
|
|
|
|
for _, field := range fields {
|
|
|
|
parts := strings.SplitN(field, "=", 2)
|
|
|
|
|
|
|
|
if len(parts) != 2 {
|
2017-03-09 13:23:45 -05:00
|
|
|
return nil, errors.Errorf("invalid field '%s' must be a key=value pair", field)
|
2016-09-08 13:11:39 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
key, value := parts[0], parts[1]
|
|
|
|
|
|
|
|
switch strings.ToLower(key) {
|
|
|
|
case "protocol":
|
|
|
|
hasProtocol = true
|
|
|
|
if strings.ToLower(value) == string(swarm.ExternalCAProtocolCFSSL) {
|
|
|
|
externalCA.Protocol = swarm.ExternalCAProtocolCFSSL
|
|
|
|
} else {
|
2017-03-09 13:23:45 -05:00
|
|
|
return nil, errors.Errorf("unrecognized external CA protocol %s", value)
|
2016-09-08 13:11:39 -04:00
|
|
|
}
|
|
|
|
case "url":
|
|
|
|
hasURL = true
|
|
|
|
externalCA.URL = value
|
2017-04-25 18:40:46 -04:00
|
|
|
case "cacert":
|
|
|
|
cacontents, err := ioutil.ReadFile(value)
|
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrap(err, "unable to read CA cert for external CA")
|
|
|
|
}
|
|
|
|
if pemBlock, _ := pem.Decode(cacontents); pemBlock == nil {
|
|
|
|
return nil, errors.New("CA cert for external CA must be in PEM format")
|
|
|
|
}
|
|
|
|
externalCA.CACert = string(cacontents)
|
2016-09-08 13:11:39 -04:00
|
|
|
default:
|
|
|
|
externalCA.Options[key] = value
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if !hasProtocol {
|
|
|
|
return nil, errors.New("the external-ca option needs a protocol= parameter")
|
|
|
|
}
|
|
|
|
if !hasURL {
|
|
|
|
return nil, errors.New("the external-ca option needs a url= parameter")
|
|
|
|
}
|
|
|
|
|
|
|
|
return &externalCA, nil
|
|
|
|
}
|
|
|
|
|
2017-06-20 14:41:40 -04:00
|
|
|
func addSwarmCAFlags(flags *pflag.FlagSet, opts *swarmCAOptions) {
|
2017-06-09 16:41:53 -04:00
|
|
|
flags.DurationVar(&opts.nodeCertExpiry, flagCertExpiry, 90*24*time.Hour, "Validity period for node certificates (ns|us|ms|s|m|h)")
|
2017-05-08 17:37:36 -04:00
|
|
|
flags.Var(&opts.externalCA, flagExternalCA, "Specifications of one or more certificate signing endpoints")
|
|
|
|
}
|
|
|
|
|
2016-09-08 13:11:39 -04:00
|
|
|
func addSwarmFlags(flags *pflag.FlagSet, opts *swarmOptions) {
|
|
|
|
flags.Int64Var(&opts.taskHistoryLimit, flagTaskHistoryLimit, 5, "Task history retention limit")
|
2017-06-09 16:41:53 -04:00
|
|
|
flags.DurationVar(&opts.dispatcherHeartbeat, flagDispatcherHeartbeat, 5*time.Second, "Dispatcher heartbeat period (ns|us|ms|s|m|h)")
|
2016-11-02 15:29:51 -04:00
|
|
|
flags.Uint64Var(&opts.maxSnapshots, flagMaxSnapshots, 0, "Number of additional Raft snapshots to retain")
|
2017-01-16 11:57:26 -05:00
|
|
|
flags.SetAnnotation(flagMaxSnapshots, "version", []string{"1.25"})
|
2016-11-02 15:29:51 -04:00
|
|
|
flags.Uint64Var(&opts.snapshotInterval, flagSnapshotInterval, 10000, "Number of log entries between Raft snapshots")
|
2017-01-16 11:57:26 -05:00
|
|
|
flags.SetAnnotation(flagSnapshotInterval, "version", []string{"1.25"})
|
2017-06-20 14:41:40 -04:00
|
|
|
addSwarmCAFlags(flags, &opts.swarmCAOptions)
|
2016-09-08 13:11:39 -04:00
|
|
|
}
|
|
|
|
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
func (opts *swarmOptions) mergeSwarmSpec(spec *swarm.Spec, flags *pflag.FlagSet, caCert string) {
|
2016-08-26 00:08:53 -04:00
|
|
|
if flags.Changed(flagTaskHistoryLimit) {
|
|
|
|
spec.Orchestration.TaskHistoryRetentionLimit = &opts.taskHistoryLimit
|
|
|
|
}
|
|
|
|
if flags.Changed(flagDispatcherHeartbeat) {
|
|
|
|
spec.Dispatcher.HeartbeatPeriod = opts.dispatcherHeartbeat
|
|
|
|
}
|
2016-11-02 15:29:51 -04:00
|
|
|
if flags.Changed(flagMaxSnapshots) {
|
|
|
|
spec.Raft.KeepOldSnapshots = &opts.maxSnapshots
|
|
|
|
}
|
|
|
|
if flags.Changed(flagSnapshotInterval) {
|
|
|
|
spec.Raft.SnapshotInterval = opts.snapshotInterval
|
|
|
|
}
|
2016-10-27 21:50:49 -04:00
|
|
|
if flags.Changed(flagAutolock) {
|
|
|
|
spec.EncryptionConfig.AutoLockManagers = opts.autolock
|
|
|
|
}
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
opts.mergeSwarmSpecCAFlags(spec, flags, caCert)
|
2017-06-20 14:41:40 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
type swarmCAOptions struct {
|
|
|
|
nodeCertExpiry time.Duration
|
|
|
|
externalCA ExternalCAOption
|
|
|
|
}
|
|
|
|
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
func (opts *swarmCAOptions) mergeSwarmSpecCAFlags(spec *swarm.Spec, flags *pflag.FlagSet, caCert string) {
|
2017-06-20 14:41:40 -04:00
|
|
|
if flags.Changed(flagCertExpiry) {
|
|
|
|
spec.CAConfig.NodeCertExpiry = opts.nodeCertExpiry
|
|
|
|
}
|
|
|
|
if flags.Changed(flagExternalCA) {
|
|
|
|
spec.CAConfig.ExternalCAs = opts.externalCA.Value()
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
for _, ca := range spec.CAConfig.ExternalCAs {
|
|
|
|
ca.CACert = caCert
|
|
|
|
}
|
2017-06-20 14:41:40 -04:00
|
|
|
}
|
2016-11-02 15:29:51 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
func (opts *swarmOptions) ToSpec(flags *pflag.FlagSet) swarm.Spec {
|
|
|
|
var spec swarm.Spec
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
opts.mergeSwarmSpec(&spec, flags, "")
|
2016-09-08 13:11:39 -04:00
|
|
|
return spec
|
|
|
|
}
|