Fix Docker remote API TLS authentication

Since version 7 docker-py has refactored tls.TLSConfig, and assert_hostname parameter is no longer available. Remove it here as well. And fix websocket proxy to be able to connect to TLS-secured Docker API. Change-Id: Ie83d7b485886decb4078a90f4028246c8d995b2e
2025-01-24 06:29:57 -05:00 · 2025-01-24 06:29:57 -05:00 · 4fa82fe3d0
commit 4fa82fe3d0
parent af65475776
3 changed files with 22 additions and 5 deletions
--- a/zun/container/docker/driver.py
+++ b/zun/container/docker/driver.py
@ -917,12 +917,16 @@ class DockerDriver(driver.BaseDriver, driver.ContainerDriver,

    @check_container_id
    def get_websocket_url(self, context, container):
+        protocol = "wss" if (not CONF.docker.api_insecure and
+                             CONF.docker.ca_file and
+                             CONF.docker.key_file and
+                             CONF.docker.cert_file) else "ws"
        version = CONF.docker.docker_remote_api_version
        remote_api_host = CONF.docker.docker_remote_api_host
        remote_api_port = CONF.docker.docker_remote_api_port
-        url = "ws://" + remote_api_host + ":" + remote_api_port + \
-              "/v" + version + "/containers/" + container.container_id \
-              + ATTACH_FLAG
+        url = protocol + "://" + remote_api_host + ":" + remote_api_port \
+            + "/v" + version + "/containers/" + container.container_id \
+            + ATTACH_FLAG
        return url

    @check_container_id
--- a/zun/container/docker/utils.py
+++ b/zun/container/docker/utils.py
@ -60,8 +60,7 @@ class DockerHTTPClient(docker.APIClient):
        if ca_cert and client_key and client_cert:
            ssl_config = docker.tls.TLSConfig(
                client_cert=(client_cert, client_key),
-                verify=ca_cert,
-                assert_hostname=False,
+                verify=ca_cert
            )
        else:
            ssl_config = False
--- a/zun/websocket/websocketclient.py
+++ b/zun/websocket/websocketclient.py
@ -13,9 +13,14 @@
 #    under the License.

 import socket
+import ssl
 import websocket

 from zun.common import exception
+import zun.conf
+
+
+CONF = zun.conf.CONF


 class WebSocketClient(object):
@ -29,8 +34,17 @@ class WebSocketClient(object):

    def connect(self):
        url = self.host_url
+        sslopt = None
+        if url.startswith('wss'):
+            ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+            ssl_context.load_verify_locations(CONF.docker.ca_file)
+            ssl_context.load_cert_chain(CONF.docker.cert_file,
+                                        CONF.docker.key_file)
+            sslopt = {'context': ssl_context}
+
        try:
            self.ws = websocket.create_connection(url,
+                                                  sslopt=sslopt,
                                                  skip_utf8_validation=True)
        except socket.error as e:
            raise exception.ConnectionFailed(e)