github.com/docker/engine@v22.0.0-20211208180946-d456264580cf+incompatible/cmd/dockerd/options.go

github.com/docker/engine@v22.0.0-20211208180946-d456264580cf+incompatible/cmd/dockerd/options.go (about)

     1  package main
     2  
     3  import (
     4  	"os"
     5  	"path/filepath"
     6  
     7  	cliconfig "github.com/docker/docker/cli/config"
     8  	"github.com/docker/docker/daemon/config"
     9  	"github.com/docker/docker/opts"
    10  	"github.com/docker/go-connections/tlsconfig"
    11  	"github.com/spf13/pflag"
    12  )
    13  
    14  const (
    15  	// DefaultCaFile is the default filename for the CA pem file
    16  	DefaultCaFile = "ca.pem"
    17  	// DefaultKeyFile is the default filename for the key pem file
    18  	DefaultKeyFile = "key.pem"
    19  	// DefaultCertFile is the default filename for the cert pem file
    20  	DefaultCertFile = "cert.pem"
    21  	// FlagTLSVerify is the flag name for the TLS verification option
    22  	FlagTLSVerify = "tlsverify"
    23  	// FlagTLS is the flag name for the TLS option
    24  	FlagTLS = "tls"
    25  	// DefaultTLSValue is the default value used for setting the tls option for tcp connections
    26  	DefaultTLSValue = false
    27  )
    28  
    29  var (
    30  	dockerCertPath  = os.Getenv("DOCKER_CERT_PATH")
    31  	dockerTLSVerify = os.Getenv("DOCKER_TLS_VERIFY") != ""
    32  )
    33  
    34  type daemonOptions struct {
    35  	configFile   string
    36  	daemonConfig *config.Config
    37  	flags        *pflag.FlagSet
    38  	Debug        bool
    39  	Hosts        []string
    40  	LogLevel     string
    41  	TLS          bool
    42  	TLSVerify    bool
    43  	TLSOptions   *tlsconfig.Options
    44  	Validate     bool
    45  }
    46  
    47  // newDaemonOptions returns a new daemonFlags
    48  func newDaemonOptions(config *config.Config) *daemonOptions {
    49  	return &daemonOptions{
    50  		daemonConfig: config,
    51  	}
    52  }
    53  
    54  // InstallFlags adds flags for the common options on the FlagSet
    55  func (o *daemonOptions) InstallFlags(flags *pflag.FlagSet) {
    56  	if dockerCertPath == "" {
    57  		// cliconfig.Dir returns $DOCKER_CONFIG or ~/.docker.
    58  		// cliconfig.Dir does not look up $XDG_CONFIG_HOME
    59  		dockerCertPath = cliconfig.Dir()
    60  	}
    61  
    62  	flags.BoolVarP(&o.Debug, "debug", "D", false, "Enable debug mode")
    63  	flags.BoolVar(&o.Validate, "validate", false, "Validate daemon configuration and exit")
    64  	flags.StringVarP(&o.LogLevel, "log-level", "l", "info", `Set the logging level ("debug"|"info"|"warn"|"error"|"fatal")`)
    65  	flags.BoolVar(&o.TLS, FlagTLS, DefaultTLSValue, "Use TLS; implied by --tlsverify")
    66  	flags.BoolVar(&o.TLSVerify, FlagTLSVerify, dockerTLSVerify || DefaultTLSValue, "Use TLS and verify the remote")
    67  
    68  	// TODO use flag flags.String("identity"}, "i", "", "Path to libtrust key file")
    69  
    70  	o.TLSOptions = &tlsconfig.Options{
    71  		CAFile:   filepath.Join(dockerCertPath, DefaultCaFile),
    72  		CertFile: filepath.Join(dockerCertPath, DefaultCertFile),
    73  		KeyFile:  filepath.Join(dockerCertPath, DefaultKeyFile),
    74  	}
    75  	tlsOptions := o.TLSOptions
    76  	flags.Var(opts.NewQuotedString(&tlsOptions.CAFile), "tlscacert", "Trust certs signed only by this CA")
    77  	flags.Var(opts.NewQuotedString(&tlsOptions.CertFile), "tlscert", "Path to TLS certificate file")
    78  	flags.Var(opts.NewQuotedString(&tlsOptions.KeyFile), "tlskey", "Path to TLS key file")
    79  
    80  	hostOpt := opts.NewNamedListOptsRef("hosts", &o.Hosts, opts.ValidateHost)
    81  	flags.VarP(hostOpt, "host", "H", "Daemon socket(s) to connect to")
    82  }
    83  
    84  // SetDefaultOptions sets default values for options after flag parsing is
    85  // complete
    86  func (o *daemonOptions) SetDefaultOptions(flags *pflag.FlagSet) {
    87  	// Regardless of whether the user sets it to true or false, if they
    88  	// specify --tlsverify at all then we need to turn on TLS
    89  	// TLSVerify can be true even if not set due to DOCKER_TLS_VERIFY env var, so we need
    90  	// to check that here as well
    91  	if flags.Changed(FlagTLSVerify) || o.TLSVerify {
    92  		o.TLS = true
    93  	}
    94  
    95  	if o.TLS && !flags.Changed(FlagTLSVerify) {
    96  		// Enable tls verification unless explicitly disabled
    97  		o.TLSVerify = true
    98  	}
    99  
   100  	if !o.TLS {
   101  		o.TLSOptions = nil
   102  	} else {
   103  		tlsOptions := o.TLSOptions
   104  		tlsOptions.InsecureSkipVerify = !o.TLSVerify
   105  
   106  		// Reset CertFile and KeyFile to empty string if the user did not specify
   107  		// the respective flags and the respective default files were not found.
   108  		if !flags.Changed("tlscert") {
   109  			if _, err := os.Stat(tlsOptions.CertFile); os.IsNotExist(err) {
   110  				tlsOptions.CertFile = ""
   111  			}
   112  		}
   113  		if !flags.Changed("tlskey") {
   114  			if _, err := os.Stat(tlsOptions.KeyFile); os.IsNotExist(err) {
   115  				tlsOptions.KeyFile = ""
   116  			}
   117  		}
   118  	}
   119  }