Add cert expiration check to offline image
The Docker swarm node certificate expires 90 days after the offline image is generated;
it has to be regenerated before the docker-swarm service can start.
PROD-21676
PROD-36329
Change-Id: I5568bda90c54264625e65803f207dc16271695db
diff --git a/mirror-image/files/etc/systemd/system/dockerswarm_cert.service b/mirror-image/files/etc/systemd/system/dockerswarm_cert.service
new file mode 100644
index 0000000..ae66633
--- /dev/null
+++ b/mirror-image/files/etc/systemd/system/dockerswarm_cert.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=dockerswarm_cert
+Wants=docker.service
+After=docker.service
+Before=cloud-final.service
+
+[Service]
+User=root
+Group=root
+Type=oneshot
+ExecStart=/bin/bash /usr/local/bin/dockerswarm_cert.sh
+
+[Install]
+WantedBy=multi-user.target
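Review bot: The script this unit runs stops and restarts docker, yet the unit is only ordered `After=docker.service`; any other unit in the image that is also `After=docker.service` (none visible here) can start in the window before `systemctl stop docker` and lose the daemon underneath it, so such units should be ordered `After=dockerswarm_cert.service`. `Description=dockerswarm_cert` merely repeats the unit name; `Description=Regenerate expired Docker swarm certificates on boot` tells an operator what the oneshot does.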
diff --git a/mirror-image/files/usr/local/bin/dockerswarm_cert.sh b/mirror-image/files/usr/local/bin/dockerswarm_cert.sh
new file mode 100644
index 0000000..2510e61
--- /dev/null
+++ b/mirror-image/files/usr/local/bin/dockerswarm_cert.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+crt="/var/lib/docker/swarm/certificates/swarm-node.crt"
+if test -f ${crt} && openssl x509 -checkend 3600 -noout -in ${crt}; then
+ echo "WARNING: swarm CA not expired yet."
+ echo "WARNING: docker CA WA not applied."
+ exit 0
+fi
+echo 'Re-creating docker stack services!'
+systemctl stop docker || true
+echo 'Removing outdated certificates'
+rm -rf /var/lib/docker/swarm/*
+echo 'Starting docker service'
+systemctl restart docker
+sleep 5
+echo 'Creating docker swarm'
+docker swarm init --advertise-addr 127.0.0.1
+sleep 5
+for c in docker aptly; do
+ pushd /etc/docker/compose/${c}/
+ echo "Starting ${c} docker stack"
+ docker stack deploy --compose-file docker-compose.yml ${c};
+ echo "Stack ${c} started"
+ popd
+ sleep 1
+done
\ No newline at end of file
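Review bot: `docker swarm init --advertise-addr 127.0.0.1` only sets the advertised address; the manager listen address keeps Docker's default of 0.0.0.0:2377, so the re-initialised single-node swarm accepts raft/join traffic on every interface unless a host firewall already blocks it — use `docker swarm init --advertise-addr 127.0.0.1 --listen-addr 127.0.0.1:2377`. `rm -rf /var/lib/docker/swarm/*` also discards the old swarm's secrets and configs, so anything the two compose files reference as external will be gone when `docker stack deploy` runs; a comment on that line stating the stacks must be self-contained would make the assumption explicit. The two `sleep 5` calls guess at daemon readiness; a bounded `until docker info >/dev/null 2>&1; do sleep 1; done` after the restart makes the recreate path deterministic under `set -e`. Note that a missing cert or one openssl cannot parse (`test -f` false, or `openssl x509` failing) also takes the wipe-and-recreate path, which is reasonable but belongs in a header comment, and the "WARNING" prefix on the normal no-op messages is misleading — `echo 'swarm node cert still valid; nothing to do'` reads better. The file also lacks a trailing newline.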
diff --git a/mirror-image/template.json b/mirror-image/template.json
index 59e477c..94e9b69 100644
--- a/mirror-image/template.json
+++ b/mirror-image/template.json
@@ -93,8 +93,7 @@
"scripts/security.sh",
"scripts/info.sh",
"scripts/cleanup.sh",
- "scripts/cleanup_salt.sh",
- "scripts/flush_disk.sh"
+ "scripts/cleanup_salt.sh"
]
},
{
@@ -106,6 +105,31 @@
"type": "file",
"source": "files/etc/cloud/cloud.cfg",
"destination": "/etc/cloud/cloud.cfg"
+ },
+ {
+ "type": "file",
+ "source": "files/usr/local/bin/dockerswarm_cert.sh",
+ "destination": "/tmp/dockerswarm_cert.sh"
+ },
+ {
+ "type": "shell",
+ "inline": ["mkdir -p /usr/local/bin",
+ "mv /tmp/dockerswarm_cert.sh /usr/local/bin/dockerswarm_cert.sh",
+ "chmod +x /usr/local/bin/dockerswarm_cert.sh"]
+ },
+ {
+ "type": "file",
+ "source": "files/etc/systemd/system/dockerswarm_cert.service",
+ "destination": "/etc/systemd/system/dockerswarm_cert.service"
+ },
+ {
+ "type": "shell",
+ "inline": ["systemctl enable dockerswarm_cert.service"]
+ },
+ {
+ "type": "shell",
+ "pause_before": "60s",
+ "scripts": ["scripts/flush_disk.sh"]
}
],
"builders": [
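Review bot: After `mv /tmp/dockerswarm_cert.sh /usr/local/bin/dockerswarm_cert.sh` the script keeps the ownership it was uploaded with, so if the Packer communicator user is not root (the direct upload of the unit into /etc/systemd/system suggests it is, or that uploads run privileged — verify) a root-run systemd unit ends up executing a file owned by the build user; add `chown root:root /usr/local/bin/dockerswarm_cert.sh` and use `chmod 0755` instead of `+x`. The `"pause_before": "60s"` in front of flush_disk.sh has no stated reason and JSON cannot carry a comment, so record why the delay is needed in the commit message or a README next to the template.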