ansible-collections/community.docker
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.docker.git synced 2025-12-16 20:08:41 +00:00
Code Packages Projects Releases Wiki Activity

Fix bug when TLS is used (#432)

Browse Source 
* Fix bug when TLS is used.

* Add HTTP/HTTPS connection test.
This commit is contained in:
Felix Fontein 2022-07-26 08:25:53 +02:00 committed by GitHub
parent 6caaa3a90b
commit 9c5d562c0e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 274 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
changelogs/fragments/432-tls.yml Normal file
View File

@ -0,0 +1,2 @@
bugfixes:
- "modules and plugins communicating directly with the Docker daemon - prevent crash when TLS is used (https://github.com/ansible-collections/community.docker/pull/432)."

2
plugins/module_utils/common_api.py
View File

@ -71,7 +71,7 @@ def is_using_tls(auth_data):
def get_connect_params(auth_data, fail_function): def get_connect_params(auth_data, fail_function):
if is_using_tls(auth_data): if is_using_tls(auth_data):
auth['docker_host'] = auth_data['docker_host'].replace('tcp://', 'https://') auth_data['docker_host'] = auth_data['docker_host'].replace('tcp://', 'https://')
result = dict( result = dict(
base_url=auth_data['docker_host'], base_url=auth_data['docker_host'],

6
tests/integration/targets/generic_connection_tests/aliases Normal file
View File

@ -0,0 +1,6 @@
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
shippable/posix/group4
destructive

50
tests/integration/targets/generic_connection_tests/files/nginx.conf Normal file
View File

@ -0,0 +1,50 @@
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
user root;
events {
worker_connections 16;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
error_log /dev/stdout info;
access_log /dev/stdout;
server {
listen *:5000 ssl;
server_name daemon-tls.ansible.com;
server_name_in_redirect on;
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256';
ssl_ecdh_curve X25519:secp521r1:secp384r1;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/nginx/cert.pem;
ssl_certificate_key /etc/nginx/cert.key;
location / {
proxy_pass http://unix:/var/run/docker.sock:/;
client_max_body_size 0;
chunked_transfer_encoding on;
}
}
server {
listen *:6000;
server_name daemon.ansible.com;
server_name_in_redirect on;
location / {
proxy_pass http://unix:/var/run/docker.sock:/;
client_max_body_size 0;
chunked_transfer_encoding on;
}
}
}

20
tests/integration/targets/generic_connection_tests/filter_plugins/filter_attr.py Normal file
View File

@ -0,0 +1,20 @@
# Copyright (c) 2022 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
def sanitize_host_info(data):
data = data.copy()
for key in ('SystemTime', 'NFd', 'NGoroutines', ):
data.pop(key, None)
return data
class FilterModule:
def filters(self):
return {
'sanitize_host_info': sanitize_host_info,
}

9
tests/integration/targets/generic_connection_tests/meta/main.yml Normal file
View File

@ -0,0 +1,9 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
dependencies:
- setup_docker
- setup_openssl
- setup_remote_tmp_dir

185
tests/integration/targets/generic_connection_tests/tasks/main.yml Normal file
View File

@ -0,0 +1,185 @@
---
# Copyright (c) 2022 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
####################################################################
# WARNING: These are designed specifically for Ansible tests #
# and should not be used as examples of how to write Ansible roles #
####################################################################
- name: Create random nginx frontend name
set_fact:
daemon_nginx_frontend: '{{ "ansible-docker-test-daemon-frontend-%0x" % ((2**32) | random) }}'
- block:
- name: Create volume for config files
docker_volume:
name: '{{ daemon_nginx_frontend }}'
state: present
- name: Create container for nginx frontend for daemon
docker_container:
state: stopped
name: '{{ daemon_nginx_frontend }}'
image: "{{ docker_test_image_registry_nginx }}"
volumes:
- '{{ daemon_nginx_frontend }}:/etc/nginx/'
- '/var/run/docker.sock:/var/run/docker.sock'
network_mode: '{{ current_container_network_ip | default(omit, true) }}'
networks: >-
{{
[dict([['name', current_container_network_ip]])]
if current_container_network_ip not in ['', 'bridge'] else omit
}}
register: nginx_container
- name: Copy config files
copy:
src: "{{ item }}"
dest: "{{ remote_tmp_dir }}/{{ item }}"
mode: "0644"
loop:
- nginx.conf
- name: Copy static files into volume
command: docker cp {{ remote_tmp_dir }}/{{ item }} {{ daemon_nginx_frontend }}:/etc/nginx/{{ item }}
loop:
- nginx.conf
register: can_copy_files
ignore_errors: yes
- when: can_copy_files is not failed
block:
- name: Create private keys
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/{{ item }}.key'
type: ECC
curve: secp256r1
force: yes
loop:
- cert
- ca
- name: Create CSR for CA certificate
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/ca.csr'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
basic_constraints:
- 'CA:TRUE'
basic_constraints_critical: yes
- name: Create CA certificate
community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/ca.pem'
csr_path: '{{ remote_tmp_dir }}/ca.csr'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
provider: selfsigned
- name: Create CSR for frontend certificate
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/cert.csr'
privatekey_path: '{{ remote_tmp_dir }}/cert.key'
subject_alt_name:
- DNS:daemon-tls.ansible.com
- name: Create frontend certificate
community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/cert.pem'
csr_path: '{{ remote_tmp_dir }}/cert.csr'
privatekey_path: '{{ remote_tmp_dir }}/cert.key'
ownca_path: '{{ remote_tmp_dir }}/ca.pem'
ownca_privatekey_path: '{{ remote_tmp_dir }}/ca.key'
provider: ownca
- name: Copy dynamic files into volume
command: docker cp {{ remote_tmp_dir }}/{{ item }} {{ daemon_nginx_frontend }}:/etc/nginx/{{ item }}
loop:
- ca.pem
- cert.pem
- cert.key
- name: Start nginx frontend for daemon
docker_container:
name: '{{ daemon_nginx_frontend }}'
state: started
register: nginx_container
- name: Output nginx container network settings
debug:
var: nginx_container.container.NetworkSettings
- name: Get proxied daemon URLs
set_fact:
docker_daemon_frontend_https: "https://{{ nginx_container.container.NetworkSettings.Networks[current_container_network_ip].IPAddress if current_container_network_ip else nginx_container.container.NetworkSettings.IPAddress }}:5000"
docker_daemon_frontend_http: "http://{{ nginx_container.container.NetworkSettings.Networks[current_container_network_ip].IPAddress if current_container_network_ip else nginx_container.container.NetworkSettings.IPAddress }}:6000"
- name: Wait for registry frontend
uri:
url: '{{ docker_daemon_frontend_http }}/version'
register: result
until: result is success
retries: 5
delay: 1
- name: Get docker daemon information directly
docker_host_info:
register: output_direct
- name: Show direct host info
debug:
var: output_direct.host_info | sanitize_host_info
- name: Get docker daemon information via HTTP
docker_host_info:
docker_host: '{{ docker_daemon_frontend_http }}'
register: output_http
- name: Show HTTP host info
debug:
var: output_http.host_info | sanitize_host_info
- name: Check that information matches
assert:
that:
- (output_direct.host_info | sanitize_host_info) == (output_http.host_info | sanitize_host_info)
- name: Get docker daemon information via HTTPS
docker_host_info:
docker_host: '{{ docker_daemon_frontend_https }}'
tls_hostname: daemon-tls.ansible.com
ca_cert: '{{ remote_tmp_dir }}/ca.pem'
tls: true
validate_certs: true
register: output_https
- name: Show HTTPS host info
debug:
var: output_https.host_info | sanitize_host_info
- name: Check that information matches
assert:
that:
- (output_direct.host_info | sanitize_host_info) == (output_https.host_info | sanitize_host_info)
always:
- command: docker logs {{ daemon_nginx_frontend }}
register: output
ignore_errors: true
- debug:
var: output.stdout_lines
ignore_errors: true
- name: Remove container
docker_container:
state: absent
name: '{{ daemon_nginx_frontend }}'
force_kill: true
ignore_errors: true
- name: Remove volume
docker_volume:
name: '{{ daemon_nginx_frontend }}'
state: absent
ignore_errors: true

1
tests/integration/targets/generic_connection_tests/vars/main.yml Symbolic link
View File

@ -0,0 +1 @@
../../setup_docker/vars/main.yml