I've got Docker running on one of my Puppet managed hosts and I'm trying to
connect Foreman to it. I noticed in the Docker documentation they suggest
using a self signed SSL cert which I rejected since I'm sure Foreman would
complain about not being able to validate the CA.
So, I got "clever" and decided to reuse the Puppet cert and CA files thusly:
I am facing the same situation. Did you find a solution to the problem?
otherwise… bump…
Cheers, Jörg
On Wednesday, 1 July 2015 20:08:52 UTC+2, Peter Berghold wrote:
>
> I've got Docker running on one of my Puppet managed hosts and I'm trying
> to connect Foreman to it. I noticed in the Docker documentation they
> suggest using a self signed SSL cert which I rejected since I'm sure
> Foreman would complain about not being able to validate the CA.
>
> So, I got "clever" and decided to reuse the Puppet cert and CA files
> thusly:
>
> DOCKER_OPTS="--tlsverify --tlscacert=/var/lib/puppet/ssl/certs/ca.pem
> --tlscert=/var/lib/puppet/ssl/certs/mcadprod3.mca.sharkrivertech.com.pem
> --tlskey=/var/lib/puppet/ssl/private_keys/mcadprod3.mca.sharkrivertech.com.pem
> -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock -d"
>
> I then tried to connect to the host and got this as an error:
>
> Error connecting with the compute resource: *Unable to verify
> certificate, please set `Excon.defaults[:ssl_ca_path] = path_to_certs`,
> `ENV['SSL_CERT_DIR'] = path_to_certs`, `Excon.defaults[:ssl_ca_file] =
> path_to_file`, `ENV['SSL_CERT_FILE'] = path_to_file`,
> `Excon.defaults[:ssl_verify_callback] = callback` (see
> OpenSSL::SSL::SSLContext#verify_callback), or
> `Excon.defaults[:ssl_verify_peer] = false` (less secure).*
>
> *So my questions are:*
> *1) who is complaining here? Docker or Foreman and where do those values
> get set?*
>
> *2) Why wouldn't using the Puppet certs work?*
>
> *anybody got an idea about this?*
>
The solution to the original problem is to add the Puppet CA to the list of
trusted CAs of the Foreman node. On Ubuntu:
# update-ca-certificates only picks up files in this directory that end in .crt
ln -s /var/lib/puppet/ssl/ca/ca_crt.pem /usr/local/share/ca-certificates/puppet-ca.crt
update-ca-certificates
My next question: How do I get Foreman to provide a client certificate to
the Docker daemon? Currently, when testing the connection I get this
message on Foreman:
SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A:
sslv3 alert bad certificate (OpenSSL::SSL::SSLError)
And this one on the Docker node:
TLS handshake error from 1.2.3.4:44818: tls: client didn't provide a certificate
One more thing:
It is a bad idea to re-use the Puppet CA for Docker administration because
every Puppet node has a signed certificate from this CA. So after getting
this to work, the next step will be to set up a dedicated CA.
Cheers, Jörg
On Sunday, 14 August 2016 08:50:47 UTC+2, Jörg wrote:
>
> Hi,
>
> I am facing the same situation. Did you find a solution to the problem?
>
>
> otherwise... bump...
>
>
> Cheers, Jörg
>
> On Wednesday, 1 July 2015 20:08:52 UTC+2, Peter Berghold wrote:
>>
>> I've got Docker running on one of my Puppet managed hosts and I'm trying
>> to connect Foreman to it. I noticed in the Docker documentation they
>> suggest using a self signed SSL cert which I rejected since I'm sure
>> Foreman would complain about not being able to validate the CA.
>>
>> So, I got "clever" and decided to reuse the Puppet cert and CA files
>> thusly:
>>
>> DOCKER_OPTS="--tlsverify --tlscacert=/var/lib/puppet/ssl/certs/ca.pem
>> --tlscert=/var/lib/puppet/ssl/certs/mcadprod3.mca.sharkrivertech.com.pem
>> --tlskey=/var/lib/puppet/ssl/private_keys/mcadprod3.mca.sharkrivertech.com.pem
>> -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock -d"
>>
>> I then tried to connect to the host and got this as an error:
>>
>> Error connecting with the compute resource: *Unable to verify
>> certificate, please set `Excon.defaults[:ssl_ca_path] = path_to_certs`,
>> `ENV['SSL_CERT_DIR'] = path_to_certs`, `Excon.defaults[:ssl_ca_file] =
>> path_to_file`, `ENV['SSL_CERT_FILE'] = path_to_file`,
>> `Excon.defaults[:ssl_verify_callback] = callback` (see
>> OpenSSL::SSL::SSLContext#verify_callback), or
>> `Excon.defaults[:ssl_verify_peer] = false` (less secure).*
>>
>> *So my questions are:*
>> *1) who is complaining here? Docker or Foreman and where do those values
>> get set?*
>>
>> *2) Why wouldn't using the Puppet certs work?*
>>
>> *anybody got an idea about this?*
>>
>
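Added example, not from this thread, in Ruby (the language Foreman and Excon are written in), illustrating Jörg's last point: dockerd's --tlsverify accepts any client certificate that chains to the --tlscacert CA, so with the Puppet CA every Puppet agent's certificate is a valid Docker admin credential, whereas a dedicated CA admits only the certificates it issued. The PKI below is a constructed throwaway one built with Ruby's standard openssl library, the store check is an approximation of the daemon's chain validation (no hostname or EKU purpose check), and all names are assumptions.

```ruby
require 'openssl'

# Constructed throwaway PKI: with no issuer this makes a self-signed CA,
# with an issuer ([cert, key]) it makes a client-auth leaf signed by that CA.
def make_cert(name, serial, issuer: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(name)
  cert.issuer = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[0] : cert, cert)
  if issuer
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'clientAuth', false))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  end
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# What --tlsverify/--tlscacert boils down to: does the presented client
# certificate chain to the one trusted CA? Nothing else identifies the caller.
def accepted_by_docker?(ca_cert, client_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(client_cert)
end

def demo
  puppet_ca = make_cert('/CN=Puppet CA', 1)        # CA every Puppet agent holds a cert from
  docker_ca = make_cert('/CN=Docker admin CA', 1)  # dedicated CA, as the post recommends
  foreman = make_cert('/CN=foreman.example.com', 2, issuer: puppet_ca)
  agent = make_cert('/CN=webserver42.example.com', 3, issuer: puppet_ca)  # any ordinary node
  foreman_dedicated = make_cert('/CN=foreman.example.com', 2, issuer: docker_ca)
  {
    puppet_ca_accepts_foreman: accepted_by_docker?(puppet_ca[0], foreman[0]),
    puppet_ca_accepts_any_agent: accepted_by_docker?(puppet_ca[0], agent[0]),
    dedicated_ca_accepts_foreman: accepted_by_docker?(docker_ca[0], foreman_dedicated[0]),
    dedicated_ca_accepts_agent: accepted_by_docker?(docker_ca[0], agent[0])
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```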