VMware vRealize Automation/Code Stream and Docker host on Photon OS
I was trying to add a Docker hosts as a endpoint in vRealize Automation Code Stream, and was looking at the Blog VMware has published about this, but this was lacking some information, see the blog here.
I a later version of vRA, the form for the creating the Docker endpoint got some extra input, that is not in the blog.
Most of the scripts in this blog are form the script in the blog and Docker documentation. Some commands are changed to run on Photon OS, these can be found for other Linux distribution in the VMware blog.
I have created all the certificates on the Docker hosts, that is running in a Photon OS VM that I have imported as a OVA/OVF from the Photon OS repository.
First we need to create CA certificate for the Docker host.
export IP="<Docker host IP address>" export HOST="<Docker host FQDN>" # Condensed from https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl # Run these commands individually openssl genrsa -aes256 -out ca-key.pem 4096 openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
After this we need to create the Server certificate for the Docker host, from the CA certificate.
openssl genrsa -out server-key.pem 4096 openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr echo subjectAltName = DNS:$HOST,IP:$IP,IP:127.0.0.1 >> extfile.cnf echo extendedKeyUsage = serverAuth >> extfile.cnf openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
And the last certificate that we need is the Client certificate.
openssl genrsa -out key.pem 4096 openssl req -subj '/CN=client' -new -key key.pem -out client.csr echo extendedKeyUsage = clientAuth > extfile-client.cnf openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf
And the we need to change some things and do some cleanup, and copy the certificate to “/etc/docker/ssl”.
rm -v client.csr server.csr extfile.cnf extfile-client.cnf chmod -v 0444 ca.pem server-cert.pem cert.pem mkdir /etc/docker/ssl cp ca.pem /etc/docker/ssl/ cp server-key.pem /etc/docker/ssl/ cp server-cert.pem /etc/docker/ssl/
We need to change the docker hosts, to use the new certificate, on Photon OS, the command is a little different.
systemctl edit --force --full docker.service
Add the following lines to the “[service]” section and put a # before the old line:
[Service] ExecStart= ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tls --tlscacert=/etc/docker/ssl/ca.pem --tlscert=/etc/docker/ssl/server-cert.pem --tlskey=/etc/docker/ssl/server-key.pem
We need to configure the firewall on the Photon OS VM, if you have a cluster all nodes need to be added.
iptables -A INPUT -p tcp --source <vRA host> --dport 2376 -j ACCEPT iptables -A INPUT -p tcp --source <vRA host> --dport 30000:32767 -j ACCEPT
Restart the docker services.
systemctl daemon-reload && systemctl restart docker.service
On the we have this files.
We need the content of some of this files, so we can use the “cat” command to get the content to the console. So we can copy the content to the add/configure Code Stream Endpoint UI.