Secure client/server communication using TLS

Registered by Digambar on 2015-05-26

If we need Docker to be reachable via the network in a safe manner, we should add TLS support.

Blueprint information

Status: Complete
Approver: Adrian Otto
Priority: Essential
Drafter: Digambar
Direction: Approved
Assignee: Andrew Melton
Definition: Approved
Series goal: Accepted for liberty
Implementation: Implemented
Milestone target: liberty-2
Started by: Andrew Melton on 2015-08-18
Completed by: Andrew Melton on 2015-10-06

Whiteboard

Between swarm master and nodes we will use TLS. Also from conductor to master.

Gerrit topic: https://review.openstack.org/#q,topic:bp/secure-docker,n,z

Addressed by: https://review.openstack.org/212598
    [WIP] Add TLS to Docker-Swarm Template

TODOs:

1. Add test cases for new attributes, extra_params, etc. to magnum/tests/unit/conductor/test_template_definition.py

From this guide it seems like we don't need the --tls flag if we are going to perform mutual auth between client and daemon: https://docs.docker.com/articles/https/

I've started the work to enable the Docker conductor to talk TLS and am making good progress. I should have a review up in a day or so.

Addressed by: https://review.openstack.org/229627
    Use dockerpy logs operation instead of attach

Addressed by: https://review.openstack.org/229628
    Set up temp files containing client TLS certs

Addressed by: https://review.openstack.org/229629
    Add TLS support to container handler
