Merge pull request #1336 from hashicorp/f-default-ssl-docker-registry

Making SSL default

CHANGELOG.md

@@ -6,6 +6,8 @@ __BACKWARDS INCOMPATIBILITIES:__
     eval-status -monitor`.
   * config: Consul configuration has been moved from client options map to
     consul block under client configuration
+  * driver/docker: Enabled SSL by default for pulling images from docker
+    registries. [GH-1336]
 
 IMPROVEMENTS:
   * core: Scheduler reuses blocked evaluations to avoid unbounded creation of
@@ -34,6 +36,8 @@ IMPROVEMENTS:
     if the artifact exists inside a chrooted directory [GH-1262]
   * driver/docker: Added a client options to set SELinux labels for container
     bind mounts. [GH-788]
+  * driver/docker: Enabled SSL by default for pulling images from docker
+    registries. [GH-1336]
   * server: If Consul is available, automatically bootstrap Nomad Servers
     using the `_nomad` service in Consul.  [GH-1276]
 

client/driver/docker.go

@@ -98,15 +98,7 @@ type DockerDriverConfig struct {
 	ShmSize          int64               `mapstructure:"shm_size"`           // Size of /dev/shm of the container in bytes
 }
 
-func (c *DockerDriverConfig) Init() error {
+// Validate validates a docker driver config
-	if strings.Contains(c.ImageName, "https://") {
-		c.SSL = true
-		c.ImageName = strings.Replace(c.ImageName, "https://", "", 1)
-	}
-
-	return nil
-}
-
 func (c *DockerDriverConfig) Validate() error {
 	if c.ImageName == "" {
 		return fmt.Errorf("Docker Driver needs an image name")
@@ -118,6 +110,24 @@ func (c *DockerDriverConfig) Validate() error {
 	return nil
 }
 
+// NewDockerDriverConfig returns a docker driver config by parsing the HCL
+// config
+func NewDockerDriverConfig(task *structs.Task) (*DockerDriverConfig, error) {
+	var driverConfig DockerDriverConfig
+	driverConfig.SSL = true
+	if err := mapstructure.WeakDecode(task.Config, &driverConfig); err != nil {
+		return nil, err
+	}
+	if strings.Contains(driverConfig.ImageName, "https://") {
+		driverConfig.ImageName = strings.Replace(driverConfig.ImageName, "https://", "", 1)
+	}
+
+	if err := driverConfig.Validate(); err != nil {
+		return nil, err
+	}
+	return &driverConfig, nil
+}
+
 type dockerPID struct {
 	Version        string
 	ImageID        string
@@ -657,16 +667,8 @@ func (d *DockerDriver) loadImage(driverConfig *DockerDriverConfig, client *docke
 }
 
 func (d *DockerDriver) Start(ctx *ExecContext, task *structs.Task) (DriverHandle, error) {
-	var driverConfig DockerDriverConfig
+	driverConfig, err := NewDockerDriverConfig(task)
-	if err := mapstructure.WeakDecode(task.Config, &driverConfig); err != nil {
+	if err != nil {
-		return nil, err
-	}
-
-	if err := driverConfig.Init(); err != nil {
-		return nil, err
-	}
-
-	if err := driverConfig.Validate(); err != nil {
 		return nil, err
 	}
 
@@ -683,7 +685,7 @@ func (d *DockerDriver) Start(ctx *ExecContext, task *structs.Task) (DriverHandle
 		return nil, fmt.Errorf("Failed to connect to docker daemon: %s", err)
 	}
 
-	if err := d.createImage(&driverConfig, client, taskDir); err != nil {
+	if err := d.createImage(driverConfig, client, taskDir); err != nil {
 		return nil, fmt.Errorf("failed to create image: %v", err)
 	}
 
@@ -723,7 +725,7 @@ func (d *DockerDriver) Start(ctx *ExecContext, task *structs.Task) (DriverHandle
 		return nil, fmt.Errorf("failed to start syslog collector: %v", err)
 	}
 
-	config, err := d.createContainer(ctx, task, &driverConfig, ss.Addr)
+	config, err := d.createContainer(ctx, task, driverConfig, ss.Addr)
 	if err != nil {
 		d.logger.Printf("[ERR] driver.docker: failed to create container configuration for image %s: %s", image, err)
 		pluginClient.Kill()

website/source/docs/drivers/docker.html.md

@@ -94,7 +94,7 @@ The following options are available for use in the job specification.
   to use.
 
 * `SSL` - (Optional) If this is set to true, Nomad uses SSL to talk to the
-  repository. The default value is `false`.
+  repository. The default value is `true`.
 
 * `port_map` - (Optional) A key/value map of port labels (see below).