Feature Request: Support for TLS #245
Comments
As I see it, the docker client builder has support for TLS; you should just enter SSL credentials for the connection. But I have no TLS-based installation at hand. Or if you can provide some instructions for reproducing based on the boot2docker ISO, then I will be able to fix it.
+1 for this -- it seems like it would be required to use an 'out of the box' swarm of docker hosts provisioned with docker-machine (which seems to be the easiest way to get a bunch of commoditized "compute" for performing builds). boot2docker should enable TLS by default, so you should have it (unless the feature is newer than your b2d install, of course). Though not 100% reliable, the easiest sign is whether your DOCKER_HOST port is 2375 (= plaintext) or 2376 (= TLS). Check out https://github.com/boot2docker/boot2docker#tls-support for more info.
I know these docs. The problem will be with the CA that probably will be used from the JVM...
All the TLS parameters need to be configurable for each DOCKER_HOST as (from my understanding) they can all be different. What the JVM or even the host has for a ca.pem (e.g. in /etc/ssl/certs/) will probably not be correct.
+1
There is a trick to make it work: put the certs into the ~jenkins/.docker folder:

```
-rw-r--r-- 1 jenkins jenkins 1029 Sep  2 10:09 ca.pem
```

This article https://docs.docker.com/articles/https/ says
So, don't you think that adding a per-cloud "environment variables" configuration option will solve this issue? This way
Here is a quick-n-dirty workaround: add a build step that is executed before the main build job; this build step will just overwrite the certs in ~jenkins/.docker with the certs for the desired docker host. But, obviously, this approach will fail if there are several jobs running at the same time :)
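A race-free alternative to the overwrite step described above, added here as an example and not code from the thread or from the plugin: keep one certificate directory per Docker host and have each job point DOCKER_CERT_PATH at its own directory, which is the mechanism the docker CLI (and `docker-machine env`) already use, so concurrent jobs never share a file. The `$CERT_ROOT/<host-name>/` layout, the host names and the helper names are assumptions. Before emitting the exports the script checks that the three PEM files exist, that cert.pem chains to ca.pem and that key.pem is the matching private key (it needs `openssl` on PATH), so a directory accidentally filled with another host's material is rejected up front rather than surfacing as an opaque handshake failure. The 2375/2376 port heuristic is the one mentioned earlier in the thread. This helps build steps that run the docker CLI; it does not change how the plugin's own docker-java connection is configured.

```shell
#!/bin/sh
# Added example, not part of the original thread or the plugin.
# Per-host TLS material lives in $CERT_ROOT/<host-name>/{ca.pem,cert.pem,key.pem}
# (assumed layout). Usage: eval "$(docker_tls_env sbg tcp://192.0.2.10:2376)"

CERT_ROOT="${CERT_ROOT:-$HOME/.docker/hosts}"

# Return 0 only if the directory holds a consistent client credential set:
# all three files present, cert.pem issued by ca.pem, key.pem matching cert.pem.
docker_tls_check_dir() {
    dir=$1
    for f in ca.pem cert.pem key.pem; do
        [ -s "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    # Material copied from another host shows up as a cert that does not chain to this CA.
    openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1 \
        || { echo "cert.pem is not issued by ca.pem in $dir" >&2; return 1; }
    # A stray key has a different public half than the certificate.
    cert_pub=$(openssl x509 -noout -pubkey -in "$dir/cert.pem" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$dir/key.pem" 2>/dev/null)
    { [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; } \
        || { echo "key.pem does not match cert.pem in $dir" >&2; return 1; }
}

# Print DOCKER_* exports for one host. Port 2376 is treated as TLS and 2375 as
# plaintext; any other port is refused because TLS cannot be inferred from it.
docker_tls_env() {
    name=$1
    url=$2
    port=${url##*:}
    dir="$CERT_ROOT/$name"
    case $port in
        2376)
            docker_tls_check_dir "$dir" || return 1
            printf 'export DOCKER_HOST=%s\n' "$url"
            printf 'export DOCKER_TLS_VERIFY=1\n'
            printf 'export DOCKER_CERT_PATH=%s\n' "$dir"
            ;;
        2375)
            echo "warning: $url is a plaintext daemon; no TLS will be used" >&2
            printf 'export DOCKER_HOST=%s\n' "$url"
            printf 'unset DOCKER_TLS_VERIFY DOCKER_CERT_PATH\n'
            ;;
        *)
            echo "unrecognised port in $url; cannot infer TLS" >&2
            return 1
            ;;
    esac
}
```

Each job runs `eval "$(docker_tls_env <host> <url>)"` at the start of its shell step, so the credentials it uses are selected by host name rather than by whatever the last job left in ~jenkins/.docker.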
Docker Cloud doesn't need environment variables and it doesn't use the 'docker' binary. It uses docker-java, which handles the TLS connection; the plugin has support for the Credentials type for passwords, so it should work out of the box, but I have no time to verify. (Designing tests that should solve all problems is testing hell.)
The trick with env files on the Jenkins master may work only if the docker-java resolver picked it up, which is wrong.
It works 100%. I would be extremely happy to know any other way to supply my (ca,key,cert).pem for every docker host registered as a Docker Cloud in Jenkins. Especially if this approach is compatible with one that
Otherwise the other 'hacky' way would be to put the same certs on every server, which is obviously not the secure way.
This workaround boot2docker/boot2docker#573 is not working:

```
openssl pkcs12 -export \
    -inkey key.pem \
    -in cert.pem \
    -name sbg-client-side \
    -out sbg-client-side.p12 \
    -password pass:$PASS
```

Looks like remote docker 1.8.2 does not accept PKCS#12 certificates:

```
curl --insecure --cert ~/.docker/machine/machines/sbg/sbg-client-side.p12 --pass $PASS https://$HOST:2376/images/json
curl: (58) could not load PEM client certificate, OpenSSL error error:0906D06C:PEM routines:PEM_read_bio:no start line, (no key found, wrong pass phrase, or wrong file format?)
```
PEMReader from bouncycastle should be the cure (as suggested here: docker-java/docker-java#77).
From this page docker-java/docker-java#78 there is a command to import a .p12 keystore.
But where does Jenkins keep its own keystore? Which one to use:

```
/var/lib/jenkins/secrets# ls
filepath-filters.d
hudson.console.AnnotatedLargeText.consoleAnnotator
hudson.model.Job.serverCookie
hudson.util.Secret
jenkins.security.ApiTokenProperty.seed
jenkins.slaves.JnlpSlaveAgentProtocol.secret
master.key
org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices.mac
org.jenkinsci.main.modules.instance_identity.InstanceIdentity.KEY
slave-to-master-security-kill-switch
whitelisted-callables.d
```
@KostyaSha, any update on this? Or is the only suggested solution to run docker on the non-protected 2375 port?
This claims to be an alternative with TLS support. |
I don't use TLS, so I can't diagnose it. But
see ClientConfigBuilderForPlugin.java) So I'm not sure what exactly would need to change. Provided Jenkins'
If it doesn't, it'll need someone who does use/care about TLS and a
@n0mer working on it in my forked plugin version, will release when resolved (at the moment reworking Server credentials and registry auth). @jglick docker-client has the same support as docker-java, and docker-plugin should work even if you just set the docker cert path variable for the jenkins daemon. As I'm a docker-java co-maintainer I will merge basic functionality upstream when it is available: docker-java/docker-java#367. PS: ephemeral cloud is a pure implementation of a few features that it is possible to add to docker-plugin in a few lines, and it will have no shading problems because there are no plugins using docker-client.
I've added a docker directory credentials type, so TLS is now supported. It would be better if the 'standard' jenkins credential type were extended to support non-pkcs12 credentials and/or the truststore requirements, but it works for now.
@magnayn, and how do you use that "docker directory credentials type"?
E.g.: if you're using docker-machine, it'll likely be something like
Of course, but 0.15 was released on Sept 28th. Is there any estimate when this "now available" functionality will become available? |
It's in the source repo now. I can't cut an (experimental) release for you
You can get the HPI from the CI. E.g.:
I'll do a 'proper' release once I'm no longer behind a FW.
We use the tlsverify flag for access to our docker API. I am in the process of setting up our Jenkins CI server to use the Jenkins Docker plugin and it looks to only support HTTP. Is there any plan to support TLS connections?
Below is the method we use to connect to Docker:

```
$ docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem \
    -H=0.0.0.0:2376
```