-rw-r--r-- | docker/Dockerfile | 4 | ||||
-rw-r--r-- | docker/docker_remote_api/docs/TLS-intro.rst | 107 | ||||
-rw-r--r-- | docker/docker_remote_api/enable_remote_api.sh | 51 | ||||
-rw-r--r-- | docker/requirements.pip | 8 | ||||
-rwxr-xr-x | functest/opnfv_tests/features/sfc/sfc.py | 23 |
5 files changed, 180 insertions, 13 deletions
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 995d1ca13..37581a671 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -121,6 +121,10 @@ ADD http://205.177.226.237:9999/onosfw/firewall_block_image.img /home/opnfv/func
 RUN gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
 RUN curl -L https://get.rvm.io | bash -s stable
+# SNAPS integration
+RUN git clone --depth 1 https://gerrit.cablelabs.com/snaps-provisioning ${repos_dir}/snaps
+RUN pip install -e ${repos_dir}/snaps/
+
 RUN /bin/bash -c ". /home/opnfv/repos/functest/functest/opnfv_tests/features/sfc/tacker_client_install.sh"
 RUN cd ${repos_dir}/bgpvpn && pip install .
 #RUN cd ${repos_dir}/kingbird && pip install -e .
diff --git a/docker/docker_remote_api/docs/TLS-intro.rst b/docker/docker_remote_api/docs/TLS-intro.rst
new file mode 100644
index 000000000..934f99a8b
--- /dev/null
+++ b/docker/docker_remote_api/docs/TLS-intro.rst
@@ -0,0 +1,107 @@
+Encrypt the docker remote API via TLS for Ubuntu and CentOS
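Review bot: The SNAPS clone at `RUN git clone --depth 1 https://gerrit.cablelabs.com/snaps-provisioning ${repos_dir}/snaps` pins nothing, so every image build pulls whatever that remote branch head happens to be at build time, and the following `pip install -e ${repos_dir}/snaps/` then installs its unconstrained dependencies next to the versions pinned in docker/requirements.pip. Pin a tag or commit so the build is reproducible and the provenance can be audited, e.g. `RUN git clone --depth 1 --branch <PINNED_TAG> https://gerrit.cablelabs.com/snaps-provisioning ${repos_dir}/snaps`, or record the expected commit in the Dockerfile next to the clone. A one-line comment stating why SNAPS is installed editable rather than as a released package would also help the next maintainer.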
+
+[Introduction]
+The Docker daemon can listen to Docker Remote API requests via three types of
+Socket: unix, tcp and fd. By default, a unix domain socket (or IPC socket) is
+created at /var/run/docker.sock, requiring either root permission, or docker
+group membership.
+
+Port 2375 is conventionally used for un-encrypted communition with Docker daemon
+remotely, where docker server can be accessed by any docker client via tcp socket
+in local area network. You can listen to port 2375 on all network interfaces with
+-H tcp://0.0.0.0:2375, where 0.0.0.0 means any available IP address on host, and
+tcp://0.0.0.0:2375 indicates that port 2375 is listened on any IP of daemon host.
+If we want to make docker server open on the Internet via TCP port, and only trusted
+clients have the right to access the docker server in a safe manner, port 2376 for
+encrypted communication with the daemon should be listened. It can be achieved to
+create certificate and distribute it to the trusted clients.
+
+Through creating self-signed certificate, and using --tlsverify command when running
+Docker daemon, Docker daemon opens the TLS authentication. Thus only the clients
+with related private key files can have access to the Docker daemon's server. As
+long as the key files for encryption are secure between docker server and client,
+the Docker daemon can keep secure.
+In summary,
+Firstly we should create docker server certificate and related key files, which
+are distributed to the trusted clients.
+Then the clients with related key files can access docker server.
+
+[Steps]
+1.0. Create a CA, server and client keys with OpenSSL.
+ OpenSSL is used to generate certificate, and can be installed as follows.
+ apt-get install openssl openssl-devel
+
+1.1 First generate CA private and public keys.
+ openssl genrsa -aes256 -out ca-key.pem 4096
+ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
+
+ You are about to be asked to enter information that will be incorporated
+ into your certificate request, where the instance of $HOST should be replaced
+ with the DNS name of your Docker daemon's host, here the DNS name of my Docker
+ daemon is ly.
+ Common Name (e.g. server FQDN or YOUR name) []:$HOST
+
+1.2 Now we have a CA (ca-key.pem and ca.pem), you can create a server key and
+certificate signing request.
+ openssl genrsa -out server-key.pem 4096
+ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
+
+1.3 Sign the public key with our CA.
+ TLS connections can be made via IP address as well as DNS name, they need to be
+ specified when creating the certificate.
+
+ echo subjectAltName = IP:172.16.10.121,IP:127.0.0.1 > extfile.cnf
+ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
+ -CAcreateserial -out server-cert.pem -extfile extfile.cnf
+
+1.4 For client authentication, create a client key and certificate signing request.
+ openssl genrsa -out key.pem 4096
+ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
+
+1.5 To make the key suitable for client authentication, create an extensions config file.
+ echo extendedKeyUsage = clientAuth > extfile.cnf
+
+1.6 Sign the public key and after generating cert.pem and server-cert.pem, two certificate
+ signing requests can be removed.
+ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
+ -CAcreateserial -out cert.pem -extfile extfile.cnf
+
+1.7 In order to protect your keys from accidental damage, you may change file modes to
+ be only readable.
+ chmod -v 0400 ca-key.pem key.pem server-key.pem
+ chmod -v 0444 ca.pem server-cert.pem cert.pem
+
+1.8 Build docker server
+ dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem \
+ -H=0.0.0.0:2376
+ Then, it can be seen from the command 'netstat -ntlp' that port 2376 has been listened
+ and the Docker daemon only accept connections from clients providing a certificate
+ trusted by our CA.
+
+1.9 Distribute the keys to the client
+ scp /etc/docker/ca.pem wwl@172.16.10.121:/etc/docker
+ scp /etc/docker/cert.pem wwl@172.16.10.121:/etc/docker
+ scp /etc/docker/key.pem wwl@172.16.10.121:/etc/docker
+ Where, wwl and 172.16.10.121 is the username and IP of the client respectively.
+ And the password of the client is needed when you distribute the keys to the client.
+
+1.10 To access Docker daemon from the client via keys.
+ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem \
+ -H=$HOST:2376 version
+
+ Then we can operate docker in the Docker daemon from the client vis keys, for example:
+ 1) create container from the client
+ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=ly:2376 run -d \
+ -it --name w1 grafana/grafana
+ 2) list containers from the client
+ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=ly:2376 pa -a
+ 3) stop/start containers from the client
+ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=ly:2376 stop w1
+ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=ly:2376 start w1
+
+
+
+
+
+
+
diff --git a/docker/docker_remote_api/enable_remote_api.sh b/docker/docker_remote_api/enable_remote_api.sh
new file mode 100644
index 000000000..6867eeddf
--- /dev/null
+++ b/docker/docker_remote_api/enable_remote_api.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+# SPDX-license-identifier: Apache-2.0
+
+# ******************************
+# Script to update the docker host configuration
+# to enable Docker Remote API
+# ******************************
+
+if [ -f /etc/lsb-release ]; then
+ #tested on ubuntu 14.04 and 16.04
+ if grep -q "#DOCKER_OPTS=" "/etc/default/docker"; then
+ cp /etc/default/docker /etc/default/docker.bak
+ sed -i 's/^#DOCKER_OPTS.*$/DOCKER_OPTS=\"-H unix:\/\/\/var\/run\/docker.sock -H tcp:\/\/0.0.0.0:2375\"/g' /etc/default/docker
+ else
+ echo DOCKER_OPTS=\"-H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375\" >> /etc/default/docker
+ fi
+ service docker restart
+ #docker start $(docker ps -aq)
+elif [ -f /etc/system-release ]; then
+ #tested on centos 7.2
+ if grep -q "ExecStart=\/usr\/bin\/docker-current daemon" "/lib/systemd/system/docker.service"; then
+ cp /lib/systemd/system/docker.service /lib/systemd/system/docker.service.bak
+ sed -i 's/^ExecStart=.*$/ExecStart=\/usr\/bin\/docker daemon -H tcp:\/\/0.0.0.0:2375 -H unix:\/\/\/var\/run\/docker.sock \\/g' /lib/systemd/system/docker.service
+ systemctl daemon-reload
+ systemctl restart docker
+ else
+ echo "to be implemented"
+ fi
+else
+ echo "OS is not supported"
+fi
+
+# Issue Note for Ubuntu
+# 1. If the configuration of the file /etc/default/docker does not take effect after restarting docker service,
+# you may try to modify /lib/systemd/system/docker.service
+# commands:
+# cp /lib/systemd/system/docker.service /lib/systemd/system/docker.service.bak
+# sed -i '/^ExecStart/i\EnvironmentFile=-/etc/default/docker' /lib/systemd/system/docker.service
+# sed -i '/ExecStart=\/usr\/bin\/dockerd/{;s/$/ \$DOCKER_OPTS/}' /lib/systemd/system/docker.service
+# systemctl daemon-reload
+# service docker restart
+# 2. Systemd is a system and session manager for Linux, where systemctl is one tool for systemd to view and control systemd.
+# If the file /lib/systemd/system/docker.service is modified, systemd has to be reloaded to scan new or changed units.
+# 1) systemd and related packages are available on the PPA. To use the PPA, first add it to your software sources list as follows.
+# add-apt-repository ppa:pitti/systemd
+# apt-get update
+# 2) system can be installed from the PPS as follows.
+# apt-get install systemd libpam-systemd systemd-ui
+
+
+
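Review bot: The DOCKER_OPTS written by `sed -i 's/^#DOCKER_OPTS.*$/DOCKER_OPTS=\"-H unix:\/\/\/var\/run\/docker.sock -H tcp:\/\/0.0.0.0:2375\"/g'`, the `echo DOCKER_OPTS=...` fallback and the CentOS ExecStart replacement all bind the daemon to tcp://0.0.0.0:2375 with no TLS, which gives root-equivalent control of the host to anyone who can reach that port on any interface. The companion docs/TLS-intro.rst added in this same commit describes the intended configuration (port 2376 with `--tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem`); the script should write those flags, or at minimum bind one specific management interface instead of 0.0.0.0, and the header comment should say plainly that 2375 is unauthenticated. On CentOS the grep precondition matches `ExecStart=\/usr\/bin\/docker-current daemon` but the replacement writes `ExecStart=\/usr\/bin\/docker daemon ...`, so a host that only ships docker-current ends up with a unit pointing at a binary that may not exist; keep the matched executable in the replacement. The script also has no `set -e` and no root check, so a failed `cp` or `sed` is silently followed by a service restart.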
diff --git a/docker/requirements.pip b/docker/requirements.pip
index c3f77997c..ed941bc19 100644
--- a/docker/requirements.pip
+++ b/docker/requirements.pip
@@ -10,9 +10,10 @@ pyyaml==3.10
 gitpython==1.0.1
 python-openstackclient==2.3.0
-python-ceilometerclient==1.5.1
-python-keystoneclient==3.6.0
-python-neutronclient==4.1.1
+python-ceilometerclient==2.6.2
+python-keystoneclient==3.5.0
+python-neutronclient==6.0.0
+python-congressclient==1.5.0
 virtualenv==1.11.4
 pexpect==4.0
 requests==2.8.0
@@ -24,7 +25,6 @@ Flask==0.10.1
 xmltodict==0.9.2
 scp==0.10.2
 paramiko==1.16.0
-python-congressclient==1.3.0
 subprocess32
 shyaml
 dnspython
diff --git a/functest/opnfv_tests/features/sfc/sfc.py b/functest/opnfv_tests/features/sfc/sfc.py
index 42fac5613..e048d90f0 100755
--- a/functest/opnfv_tests/features/sfc/sfc.py
+++ b/functest/opnfv_tests/features/sfc/sfc.py
@@ -414,15 +414,20 @@ def capture_time_log(compute_clients):
 while True:
 rsps = ovs_logger.ofctl_time_counter(compute_clients[0])
 if not i:
- first_RSP = rsps[0]
- i = i + 1
- if(first_RSP != rsps[0] and len(rsps) > 1):
- if (rsps[0] == rsps[1]):
- stop_time = time.time()
- logger.info("classification rules updated")
- difference = stop_time - start_time
- logger.info("It took %s seconds" % difference)
- break
+ if len(rsps) > 0:
+ first_RSP = rsps[0]
+ i = i + 1
+ else:
+ first_RSP = 0
+ i = i + 1
+ if (len(rsps) > 1):
+ if(first_RSP != rsps[0]):
+ if (rsps[0] == rsps[1]):
+ stop_time = time.time()
+ logger.info("classification rules updated")
+ difference = stop_time - start_time
+ logger.info("It took %s seconds" % difference)
+ break
 time.sleep(1)
 return
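Review bot: The rewritten loop in capture_time_log still has no upper bound: if a second RSP never shows up or the two counters never agree, `while True` spins forever and the SFC test hangs instead of failing. Add a deadline against the existing `start_time` before the sleep, e.g. `if time.time() - start_time > <TIMEOUT_SECONDS>: logger.error("classification rules not updated"); break`. The two new branches under `if not i:` differ only in the value stored, so `i = i + 1` can be hoisted below them and the three nested ifs collapsed into `if len(rsps) > 1 and first_RSP != rsps[0] and rsps[0] == rsps[1]:`. This page has lost the hunk's indentation, so please confirm that `if (len(rsps) > 1):` is at loop level and not nested under `if not i:`, where it would run only on the first pass. capture_time_log starts before this hunk; `i`, `start_time` and `ovs_logger` are defined there.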