openstack/zun
Code Issues Proposed changes

Merge "Fix Docker remote API TLS authentication"

Browse Source
This commit is contained in:
Zuul 2025-02-12 06:56:11 +00:00 committed by Gerrit Code Review
commit 9d5d4b69ba
3 changed files with 22 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
zun/container/docker/driver.py
View File

@ -917,12 +917,16 @@ class DockerDriver(driver.BaseDriver, driver.ContainerDriver,
@check_container_id @check_container_id
def get_websocket_url(self, context, container): def get_websocket_url(self, context, container):
protocol = "wss" if (not CONF.docker.api_insecure and
CONF.docker.ca_file and
CONF.docker.key_file and
CONF.docker.cert_file) else "ws"
version = CONF.docker.docker_remote_api_version version = CONF.docker.docker_remote_api_version
remote_api_host = CONF.docker.docker_remote_api_host remote_api_host = CONF.docker.docker_remote_api_host
remote_api_port = CONF.docker.docker_remote_api_port remote_api_port = CONF.docker.docker_remote_api_port
url = "ws://" + remote_api_host + ":" + remote_api_port + \ url = protocol + "://" + remote_api_host + ":" + remote_api_port \
"/v" + version + "/containers/" + container.container_id \ + "/v" + version + "/containers/" + container.container_id \
+ ATTACH_FLAG + ATTACH_FLAG
return url return url
@check_container_id @check_container_id

3
zun/container/docker/utils.py
View File

@ -60,8 +60,7 @@ class DockerHTTPClient(docker.APIClient):
if ca_cert and client_key and client_cert: if ca_cert and client_key and client_cert:
ssl_config = docker.tls.TLSConfig( ssl_config = docker.tls.TLSConfig(
client_cert=(client_cert, client_key), client_cert=(client_cert, client_key),
verify=ca_cert, verify=ca_cert
assert_hostname=False,
) )
else: else:
ssl_config = False ssl_config = False

14
zun/websocket/websocketclient.py
View File

@ -13,9 +13,14 @@
# under the License. # under the License.
import socket import socket
import ssl
import websocket import websocket
from zun.common import exception from zun.common import exception
import zun.conf
CONF = zun.conf.CONF
class WebSocketClient(object): class WebSocketClient(object):
@ -29,8 +34,17 @@ class WebSocketClient(object):
def connect(self): def connect(self):
url = self.host_url url = self.host_url
sslopt = None
if url.startswith('wss'):
ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ssl_context.load_verify_locations(CONF.docker.ca_file)
ssl_context.load_cert_chain(CONF.docker.cert_file,
CONF.docker.key_file)
sslopt = {'context': ssl_context}
try: try:
self.ws = websocket.create_connection(url, self.ws = websocket.create_connection(url,
sslopt=sslopt,
skip_utf8_validation=True) skip_utf8_validation=True)
except socket.error as e: except socket.error as e:
raise exception.ConnectionFailed(e) raise exception.ConnectionFailed(e)