added BOLD and NORMAL with little testing
BradleyA committed Feb 28, 2018
1 parent 55b883a commit cb1dfa3
Showing 9 changed files with 113 additions and 82 deletions.
18 changes: 11 additions & 7 deletions docker-TLS/check-host-tls.sh
@@ -1,4 +1,6 @@
#!/bin/bash
# check-host-tls.sh 3.14.315 2018-02-27_21:01:40_CST https://github.com/BradleyA/docker-scripts uadmin four-rpi3b.cptx86.com 3.13
# added BOLD and NORMAL with little testing
# check-host-tls.sh 3.13.314 2018-02-27_19:55:54_CST https://github.com/BradleyA/docker-scripts uadmin four-rpi3b.cptx86.com 3.12
# added version
# check-host-tls.sh 3.7.291 2018-02-18_23:16:00_CST uadmin six-rpi3b.cptx86.com 3.7
Expand Down Expand Up @@ -43,6 +45,8 @@ fi
# REMOTEHOST=${1:-`hostname -f`}
REMOTEHOST=`hostname -f`
CERTDIR=${1:-/etc/docker/certs.d/daemon/}
BOLD=$(tput bold)
NORMAL=$(tput sgr0)
# >>> REMOTEHOST: check if ${REMOTEHOST} -eq ${HOSTS} if true check for root on local host
# >>> REMOTEHOST: if NOT EQUAL because no need for local hosts root <<<
# >>> REMOTEHOST: NOTE: scp & ssh does not work as root <<<<<<<<
Expand All @@ -52,17 +56,17 @@ CERTDIR=${1:-/etc/docker/certs.d/daemon/}
# Must be root to run this script
if ! [ $(id -u) = 0 ] ; then
display_help
echo "${0} ${LINENO} [ERROR]: Use sudo ${0}" 1>&2
echo "${NORMAL}${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: Use sudo ${0}" 1>&2
echo -e "\n>> SCRIPT MUST BE RUN AS ROOT <<" 1>&2
exit 1
fi
# Check for ${CERTDIR} directory
if [ ! -d ${CERTDIR} ] ; then
display_help
echo -e "${0} ${LINENO} [ERROR]: ${CERTDIR} does not exist" 1>&2
echo -e "${NORMAL}${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: ${CERTDIR} does not exist" 1>&2
exit 1
fi
echo -e "${0} ${LINENO} [INFO]: Checking ${REMOTEHOST} TLS\n\tcertifications and directory permissions." 1>&2
echo -e "${NORMAL}${0} ${LINENO} [${BOLD}INFO${NORMAL}]: Checking ${REMOTEHOST} TLS\n\tcertifications and directory permissions." 1>&2
# View dockerd daemon certificate expiration date of ca.pem file
echo -e "\nView dockerd daemon certificate expiration date of ca.pem file."
openssl x509 -in ${CERTDIR}ca.pem -noout -enddate
Expand All @@ -80,22 +84,22 @@ echo -e "\nVerify that dockerd daemon certificate was issued by the CA."
openssl verify -verbose -CAfile ${CERTDIR}ca.pem ${CERTDIR}cert.pem
# Verify and correct file permissions for ${CERTDIR}ca.pem
if [ $(stat -Lc %a ${CERTDIR}ca.pem) != 444 ]; then
echo -e "${0} ${LINENO} [ERROR]: File permissions for ${CERTDIR}ca.pem\n\tare not 444. Correcting $(stat -Lc %a ${CERTDIR}ca.pem) to 0444 file permissions" 1>&2
echo -e "${NORMAL}${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: File permissions for ${CERTDIR}ca.pem\n\tare not 444. Correcting $(stat -Lc %a ${CERTDIR}ca.pem) to 0444 file permissions" 1>&2
chmod 0444 ${CERTDIR}ca.pem
fi
# Verify and correct file permissions for ${CERTDIR}cert.pem
if [ $(stat -Lc %a ${CERTDIR}cert.pem) != 444 ]; then
echo -e "${0} ${LINENO} [ERROR]: File permissions for ${CERTDIR}cert.pem\n\tare not 444. Correcting $(stat -Lc %a ${CERTDIR}cert.pem) to 0444 file permissions" 1>&2
echo -e "${NORMAL}${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: File permissions for ${CERTDIR}cert.pem\n\tare not 444. Correcting $(stat -Lc %a ${CERTDIR}cert.pem) to 0444 file permissions" 1>&2
chmod 0444 ${CERTDIR}cert.pem
fi
# Verify and correct file permissions for ${CERTDIR}key.pem
if [ $(stat -Lc %a ${CERTDIR}key.pem) != 400 ]; then
echo -e "${0} ${LINENO} [ERROR]: File permissions for ${CERTDIR}key.pem\n\tare not 400. Correcting $(stat -Lc %a ${CERTDIR}key.pem) to 0400 file permissions" 1>&2
echo -e "${NORMAL}${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: File permissions for ${CERTDIR}key.pem\n\tare not 400. Correcting $(stat -Lc %a ${CERTDIR}key.pem) to 0400 file permissions" 1>&2
chmod 0400 ${CERTDIR}key.pem
fi
# Verify and correct directory permissions for ${CERTDIR} directory
if [ $(stat -Lc %a ${CERTDIR}) != 700 ]; then
echo -e "${0} ${LINENO} [ERROR]: Directory permissions for ${CERTDIR}\n\tare not 700. Correcting $(stat -Lc %a ${CERTDIR}) to 700 directory permissions" 1>&2
echo -e "${NORMAL}${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: Directory permissions for ${CERTDIR}\n\tare not 700. Correcting $(stat -Lc %a ${CERTDIR}) to 700 directory permissions" 1>&2
chmod 700 ${CERTDIR}
fi
#
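Review bot: `BOLD=$(tput bold)` and `NORMAL=$(tput sgr0)` in the second hunk (`@@ -43,6 +45,8 @@`) run unconditionally, so when the script is started without a terminal — cron, a CI log, `sudo` with a stripped environment — `tput` either prints `tput: No value for $TERM and no -T specified` on stderr or writes escape sequences into whatever stderr is redirected to, and every message in this file goes to stderr via `1>&2`. The script does not appear to use `set -e` (its header is outside the hunks), so a failing `tput` only leaves both variables empty, but the stray diagnostic is confusing next to the script's own `[ERROR]` lines, and when the codes are emitted into a log they sit between `[` and `ERROR`, so anything that matches on the literal `[ERROR]` stops matching. Guarding on stderr being a tty keeps logs plain: `if [ -t 2 ] ; then BOLD=$(tput bold) ; NORMAL=$(tput sgr0) ; else BOLD= ; NORMAL= ; fi`. The same two lines are added in docker-TLS/copy-host-2-remote-host-tls.sh (`@@ -48,16 +50,18 @@`) and need the same guard.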
26 changes: 14 additions & 12 deletions docker-TLS/check-user-tls.sh
@@ -1,4 +1,6 @@
#!/bin/bash
# check-user-tls.sh 3.14.315 2018-02-27_21:01:40_CST https://github.com/BradleyA/docker-scripts uadmin four-rpi3b.cptx86.com 3.13
# added BOLD and NORMAL with little testing
# check-user-tls.sh 3.13.314 2018-02-27_19:55:54_CST https://github.com/BradleyA/docker-scripts uadmin four-rpi3b.cptx86.com 3.12
# added version
# check-user-tls.sh 3.12.313 2018-02-23_12:52:05_CST uadmin three-rpi3b.cptx86.com 3.11
Expand Down Expand Up @@ -50,35 +52,35 @@ NORMAL=$(tput sgr0)
# Root is required to check other users or user can check their own certs
if ! [ $(id -u) = 0 -o ${USER} = ${TLSUSER} ] ; then
display_help
echo "${NORMAL}${0} ${LINENO} ${BOLD}[ERROR]${NORMAL}: Use sudo ${0} ${TLSUSER}" 1>&2
echo "${NORMAL}${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: Use sudo ${0} ${TLSUSER}" 1>&2
echo -e "${BOLD}\n>> SCRIPT MUST BE RUN AS ROOT TO CHECK <another-user>/.docker DIRECTORY. <<\n${NORMAL}" 1>&2
exit 1
fi
# Check if user has home directory on system
if [ ! -d ${USERHOME}${TLSUSER} ] ; then
display_help
echo -e "${NORMAL}${0} ${LINENO} ${BOLD}[ERROR]${NORMAL}: ${TLSUSER} does not have a home directory\n\ton this system or ${TLSUSER} home directory is not ${USERHOME}${TLSUSER}" 1>&2
echo -e "${NORMAL}${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: ${TLSUSER} does not have a home directory\n\ton this system or ${TLSUSER} home directory is not ${USERHOME}${TLSUSER}" 1>&2
exit 1
fi
# Check if user has .docker directory
if [ ! -d ${USERHOME}${TLSUSER}/.docker ] ; then
display_help
echo -e "${NORMAL}\n${0} ${LINENO} ${BOLD}[ERROR]${NORMAL}: ${TLSUSER} does not have a .docker directory" 1>&2
echo -e "${NORMAL}\n${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: ${TLSUSER} does not have a .docker directory" 1>&2
exit 1
fi
# Check if user has .docker ca.pem file
if [ ! -e ${USERHOME}${TLSUSER}/.docker/ca.pem ] ; then
echo -e "${NORMAL}\n${0} ${LINENO} ${BOLD}[ERROR]${NORMAL}: ${TLSUSER} does not have a .docker/ca.pem file" 1>&2
echo -e "${NORMAL}\n${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: ${TLSUSER} does not have a .docker/ca.pem file" 1>&2
exit 1
fi
# Check if user has .docker cert.pem file
if [ ! -e ${USERHOME}${TLSUSER}/.docker/cert.pem ] ; then
echo -e "${NORMAL}\n${0} ${LINENO} ${BOLD}[ERROR]${NORMAL}: ${TLSUSER} does not have a .docker/cert.pem file" 1>&2
echo -e "${NORMAL}\n${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: ${TLSUSER} does not have a .docker/cert.pem file" 1>&2
exit 1
fi
# Check if user has .docker key.pem file
if [ ! -e ${USERHOME}${TLSUSER}/.docker/key.pem ] ; then
echo -e "${NORMAL}\n${0} ${LINENO} ${BOLD}[ERROR]${NORMAL}: ${TLSUSER} does not have a .docker/key.pem file" 1>&2
echo -e "${NORMAL}\n${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: ${TLSUSER} does not have a .docker/key.pem file" 1>&2
exit 1
fi
# View user certificate expiration date of ca.pem file
Expand All @@ -99,29 +101,29 @@ echo -e "\nVerify that user public key in your certificate matches the public po
echo -e "${BOLD}WARNING:${NORMAL} -> If ONLY ONE line of output is returned then the public key matches the public portion of your private key.\n"
# Verify that user certificate was issued by the CA.
echo "Verify that user certificate was issued by the CA."
openssl verify -verbose -CAfile ${USERHOME}${TLSUSER}/.docker/ca.pem ${USERHOME}${TLSUSER}/.docker/cert.pem || { echo -e "${0} ${LINENO} ${BOLD}[ERROR]${NORMAL}: User certificate for ${TLSUSER} on ${LOCALHOSTNAME} was NOT issued by CA." ; exit 1; }
openssl verify -verbose -CAfile ${USERHOME}${TLSUSER}/.docker/ca.pem ${USERHOME}${TLSUSER}/.docker/cert.pem || { echo -e "${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: User certificate for ${TLSUSER} on ${LOCALHOSTNAME} was NOT issued by CA." ; exit 1; }
# Verify and correct file permissions for ${USERHOME}${TLSUSER}/.docker/ca.pem
echo "Verify and correct file permissions for ${USERHOME}${TLSUSER}/.docker"
if [ $(stat -Lc %a ${USERHOME}${TLSUSER}/.docker/ca.pem) != 444 ]; then
echo -e "${0} ${LINENO} ${BOLD}[ERROR]${NORMAL}: File permissions for ${USERHOME}${TLSUSER}/.docker/ca.pem\n\tare not 444. Correcting $(stat -Lc %a ${USERHOME}${TLSUSER}/.docker/ca.pem) to 0444 file permissions" 1>&2
echo -e "${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: File permissions for ${USERHOME}${TLSUSER}/.docker/ca.pem\n\tare not 444. Correcting $(stat -Lc %a ${USERHOME}${TLSUSER}/.docker/ca.pem) to 0444 file permissions" 1>&2
chmod 0444 ${USERHOME}${TLSUSER}/.docker/ca.pem
fi
# Verify and correct file permissions for ${USERHOME}${TLSUSER}/.docker/cert.pem
if [ $(stat -Lc %a ${USERHOME}${TLSUSER}/.docker/cert.pem) != 444 ]; then
echo -e "${0} ${LINENO} ${BOLD}[ERROR]${NORMAL}: File permissions for ${USERHOME}${TLSUSER}/.docker/cert.pem\n\tare not 444. Correcting $(stat -Lc %a ${USERHOME}${TLSUSER}/.docker/cert.pem) to 0444 file permissions" 1>&2
echo -e "${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: File permissions for ${USERHOME}${TLSUSER}/.docker/cert.pem\n\tare not 444. Correcting $(stat -Lc %a ${USERHOME}${TLSUSER}/.docker/cert.pem) to 0444 file permissions" 1>&2
chmod 0444 ${USERHOME}${TLSUSER}/.docker/cert.pem
fi
# Verify and correct file permissions for ${USERHOME}${TLSUSER}/.docker/key.pem
if [ $(stat -Lc %a ${USERHOME}${TLSUSER}/.docker/key.pem) != 400 ]; then
echo -e "${0} ${LINENO} ${BOLD}[ERROR]${NORMAL}: File permissions for ${USERHOME}${TLSUSER}/.docker/key.pem\n\tare not 400. Correcting $(stat -Lc %a ${USERHOME}${TLSUSER}/.docker/key.pem) to 0400 file permissions" 1>&2
echo -e "${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: File permissions for ${USERHOME}${TLSUSER}/.docker/key.pem\n\tare not 400. Correcting $(stat -Lc %a ${USERHOME}${TLSUSER}/.docker/key.pem) to 0400 file permissions" 1>&2
chmod 0400 ${USERHOME}${TLSUSER}/.docker/key.pem
fi
# Verify and correct directory permissions for ${USERHOME}${TLSUSER}/.docker directory
if [ $(stat -Lc %a ${USERHOME}${TLSUSER}/.docker) != 700 ]; then
echo -e "${0} ${LINENO} ${BOLD}[ERROR]${NORMAL}: Directory permissions for ${USERHOME}${TLSUSER}/.docker\n\tare not 700. Correcting $(stat -Lc %a ${USERHOME}${TLSUSER}/.docker) to 700 directory permissions" 1>&2
echo -e "${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: Directory permissions for ${USERHOME}${TLSUSER}/.docker\n\tare not 700. Correcting $(stat -Lc %a ${USERHOME}${TLSUSER}/.docker) to 700 directory permissions" 1>&2
chmod 700 ${USERHOME}${TLSUSER}/.docker
fi
echo -e "\n${0} ${LINENO} [INFO]: Done.\n" 1>&2
echo -e "\n${0} ${LINENO} [${BOLD}INFO${NORMAL}]: Done.\n" 1>&2
#
# May want to create a version of this script that automates this process for SRE tools,
# but keep this script for users to run manually,
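Review bot: The four permission-fix messages at the `stat -Lc %a` checks (ca.pem, cert.pem, key.pem and the .docker directory) and the `openssl verify` fallback in the second hunk (`@@ -99,29 +101,29 @@`) were rewritten without the leading `${NORMAL}` that every message in the first hunk (`@@ -50,35 +52,35 @@`) carries, so a bold span left open by earlier output renders these lines bold as well. The `openssl verify ... || { echo -e ... ; exit 1; }` failure is also the only error message visible in this section that is not redirected with `1>&2`; a caller that captures stdout never sees why the script exited 1, which matters because this is the check that decides whether the user certificate chains to the CA. Both are one-token changes, e.g. `... || { echo -e "${NORMAL}${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: User certificate for ${TLSUSER} on ${LOCALHOSTNAME} was NOT issued by CA." 1>&2 ; exit 1; }`.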
24 changes: 14 additions & 10 deletions docker-TLS/copy-host-2-remote-host-tls.sh
@@ -1,4 +1,6 @@
#!/bin/bash
# copy-host-2-remote-host-tls.sh 3.14.315 2018-02-27_21:01:40_CST https://github.com/BradleyA/docker-scripts uadmin four-rpi3b.cptx86.com 3.13
# added BOLD and NORMAL with little testing
# copy-host-2-remote-host-tls.sh 3.13.314 2018-02-27_19:55:54_CST https://github.com/BradleyA/docker-scripts uadmin four-rpi3b.cptx86.com 3.12
# added version
# copy-host-2-remote-host.sh 3.7.291 2018-02-18_23:16:00_CST uadmin six-rpi3b.cptx86.com 3.7
Expand Down Expand Up @@ -48,16 +50,18 @@ REMOTEHOST=$1
USERHOME=${2:-/home/}
ADMTLSUSER=${3:-${USER}}
SSHPORT=${4:-22}
BOLD=$(tput bold)
NORMAL=$(tput sgr0)
# Check if admin user has home directory on system
if [ ! -d ${USERHOME}${ADMTLSUSER} ] ; then
display_help
echo -e "${0} ${LINENO} [ERROR]: ${ADMTLSUSER} does not have a home directory\n\ton this system or ${ADMTLSUSER} home directory is not ${USERHOME}${ADMTLSUSER}" 1>&2
echo -e "${NORMAL}${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: ${ADMTLSUSER} does not have a home directory\n\ton this system or ${ADMTLSUSER} home directory is not ${USERHOME}${ADMTLSUSER}" 1>&2
exit 1
fi
# Check if ${USERHOME}${ADMTLSUSER}/.docker/docker-ca directory on system
if [ ! -d ${USERHOME}${ADMTLSUSER}/.docker/docker-ca ] ; then
display_help
echo -e "${0} ${LINENO} [ERROR]: default directory," 1>&2
echo -e "${NORMAL}${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: default directory," 1>&2
echo -e "\t${USERHOME}${ADMTLSUSER}/.docker/docker-ca,\n\tnot on system." 1>&2
echo -e "\tRunning create-site-private-public-tls.sh will create directories"
echo -e "\tand site private and public keys. Then run sudo"
Expand All @@ -73,31 +77,31 @@ fi
# Check if ${REMOTEHOST} string length is zero
if [ -z ${REMOTEHOST} ] ; then
display_help
echo -e "${0} ${LINENO} [ERROR]: Remote host is required.\n" 1>&2
echo -e "${NORMAL}${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: Remote host is required.\n" 1>&2
exit 1
fi
# Check if ${REMOTEHOST}-priv-key.pem file on system
if ! [ -e ${USERHOME}${ADMTLSUSER}/.docker/docker-ca/${REMOTEHOST}-priv-key.pem ] ; then
display_help
echo -e "${0} ${LINENO} [ERROR]: The ${REMOTEHOST}-priv-key.pem\n\tfile was not found in ${USERHOME}${ADMTLSUSER}/.docker/docker-ca." 1>&2
echo -e "${NORMAL}${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: The ${REMOTEHOST}-priv-key.pem\n\tfile was not found in ${USERHOME}${ADMTLSUSER}/.docker/docker-ca." 1>&2
echo -e "\tRunning create-host-tls.sh will create public and private keys."
exit 1
fi
# Check if ${REMOTEHOST} is available on port ${SSHPORT}
if $(nc -z ${REMOTEHOST} ${SSHPORT} >/dev/null) ; then
echo -e "${0} ${LINENO} [INFO]: ${ADMTLSUSER} may receive password and\n\tpassphrase prompts from ${REMOTEHOST}. Running ssh-copy-id\n\t${ADMTLSUSER}@${REMOTEHOST} may stop the prompts."
echo -e "${NORMAL}${0} ${LINENO} [${BOLD}INFO${NORMAL}]: ${ADMTLSUSER} may receive password and\n\tpassphrase prompts from ${REMOTEHOST}. Running ssh-copy-id\n\t${ADMTLSUSER}@${REMOTEHOST} may stop the prompts."
# Check if /etc/docker directory on ${REMOTEHOST}
if ! $(ssh -t ${ADMTLSUSER}@${REMOTEHOST} "test -d /etc/docker") ; then
display_help
echo -e "${0} ${LINENO} [ERROR]: /etc/docker directory missing," 1>&2
echo -e "${NORMAL}${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: /etc/docker directory missing," 1>&2
echo -e "\tis docker installed on ${REMOTEHOST}." 1>&2
exit 1
fi
# Check if /etc/docker/certs.d directory exists on remote system
if $(ssh -t ${ADMTLSUSER}@${REMOTEHOST} "test -d /etc/docker/certs.d" ) ; then
# Check if /etc/docker/certs.d/daemon/${REMOTEHOST}-priv-key.pem file exists on remote system
if $(ssh -t ${ADMTLSUSER}@${REMOTEHOST} "test -e /etc/docker/certs.d/daemon/${REMOTEHOST}-priv-key.pem" ) ; then
echo -e "${0} ${LINENO} [ERROR]: /etc/docker/certs.d/daemon/${REMOTEHOST}-priv-key.pem\n\talready exists, renaming existing keys so new keys can be created." 1>&2
echo -e "${NORMAL}${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: /etc/docker/certs.d/daemon/${REMOTEHOST}-priv-key.pem\n\talready exists, renaming existing keys so new keys can be created." 1>&2
ssh -t ${ADMTLSUSER}@${REMOTEHOST} "sudo mv /etc/docker/certs.d/daemon/${REMOTEHOST}-priv-key.pem /etc/docker/certs.d/daemon/${REMOTEHOST}-priv-key.pem`date +%Y-%m-%d_%H:%M:%S_%Z`"
ssh -t ${ADMTLSUSER}@${REMOTEHOST} "sudo mv /etc/docker/certs.d/daemon/${REMOTEHOST}-cert.pem /etc/docker/certs.d/daemon/${REMOTEHOST}-cert.pem`date +%Y-%m-%d_%H:%M:%S_%Z`"
ssh -t ${ADMTLSUSER}@${REMOTEHOST} "sudo mv /etc/docker/certs.d/daemon/ca.pem /etc/docker/certs.d/daemon/ca.pem`date +%Y-%m-%d_%H:%M:%S_%Z`"
Expand All @@ -116,12 +120,12 @@ if $(nc -z ${REMOTEHOST} ${SSHPORT} >/dev/null) ; then
ln -s ${REMOTEHOST}-cert.pem cert.pem
cd ../../../..
tar -cf ./${REMOTEHOST}${TIMESTAMP}.tar ./etc/docker/certs.d/daemon
echo -e "${0} ${LINENO} [INFO]: Transfer TLS keys to\n\t${REMOTEHOST}."
echo -e "${NORMAL}${0} ${LINENO} [${BOLD}INFO${NORMAL}]: Transfer TLS keys to\n\t${REMOTEHOST}."
scp -p ./${REMOTEHOST}${TIMESTAMP}.tar ${ADMTLSUSER}@${REMOTEHOST}:/tmp
# Create remote directory /etc/docker/certs.d/daemon
# This directory was selected to place dockerd TLS certifications because
# docker registry stores it's TLS certifications in /etc/docker/certs.d.
echo -e "${0} ${LINENO} [INFO]: Create dockerd certification\n\tdirectory on ${REMOTEHOST}"
echo -e "${NORMAL}${0} ${LINENO} [${BOLD}INFO${NORMAL}]: Create dockerd certification\n\tdirectory on ${REMOTEHOST}"
# ssh -t ${ADMTLSUSER}@${REMOTEHOST} "sudo mkdir -p /etc/docker/certs.d/daemon ; sudo chmod -R 0700 /etc/docker/certs.d"
ssh -t ${ADMTLSUSER}@${REMOTEHOST} "sudo mkdir -p /etc/docker/certs.d/daemon ; sudo chmod -R 0700 /etc/docker/certs.d ; cd / ; sudo tar -xf /tmp/${REMOTEHOST}${TIMESTAMP}.tar ; rm /tmp/${REMOTEHOST}${TIMESTAMP}.tar ; sudo chown -R root.root /etc/docker/certs.d"
# Remove ${TLSUSER}/.docker and tar file from ${USERHOME}${ADMTLSUSER}/.docker/docker-ca
Expand All @@ -143,7 +147,7 @@ if $(nc -z ${REMOTEHOST} ${SSHPORT} >/dev/null) ; then
exit 0
else
display_help
echo -e "${0} ${LINENO} [ERROR]: ${REMOTEHOST} not responding on port ${SSHPORT}.\n" 1>&2
echo -e "${NORMAL}${0} ${LINENO} [${BOLD}ERROR${NORMAL}]: ${REMOTEHOST} not responding on port ${SSHPORT}.\n" 1>&2
exit 1
fi
###
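Review bot: The message `[${BOLD}ERROR${NORMAL}]: /etc/docker/certs.d/daemon/${REMOTEHOST}-priv-key.pem ... already exists, renaming existing keys` in the second hunk (`@@ -73,31 +77,31 @@`) is labelled ERROR, yet the branch goes on to rename the existing key and certificate files with a timestamp suffix and continues with the transfer. An operator reading stderr will take it for a failure, and any job that fails on an ERROR line in the log will abort a run that actually completed; the other ERROR lines in this file all `exit 1`, so the label should follow that convention. Label it for what it is: `echo -e "${NORMAL}${0} ${LINENO} [${BOLD}WARNING${NORMAL}]: /etc/docker/certs.d/daemon/${REMOTEHOST}-priv-key.pem\n\talready exists, renaming existing keys so new keys can be created." 1>&2`. The enclosing `if $(nc -z ${REMOTEHOST} ${SSHPORT} >/dev/null)` block begins in this hunk and closes in a later one (`@@ -143,7 +147,7 @@`).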