VMware vRealize Automation/Code Stream and Docker host on Photon OS
I was trying to add a Docker host as an endpoint in vRealize Automation Code Stream and was looking at the blog VMware has published about this, but it was lacking some information; see the blog here.
In a later version of vRA, the form for creating the Docker endpoint got some extra inputs that are not in the blog.
Most of the scripts in this post are taken from the script in the VMware blog and from the Docker documentation. Some commands have been changed to run on Photon OS; the versions for other Linux distributions can be found in the VMware blog.
I have created all the certificates on the Docker host, which is running in a Photon OS VM that I imported as an OVA/OVF from the Photon OS repository.
First we need to create a CA certificate for the Docker host.
export IP="<Docker host IP address>"
export HOST="<Docker host FQDN>"
# Condensed from https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl
# Run these commands individually
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
After this we need to create the server certificate for the Docker host, signed by the CA certificate.
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
# The SAN must list every name and address clients will connect with (FQDN, IP and loopback)
echo subjectAltName = DNS:$HOST,IP:$IP,IP:127.0.0.1 >> extfile.cnf
# Restrict the certificate to server use
echo extendedKeyUsage = serverAuth >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
And the last certificate that we need is the client certificate.
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
# Restrict the certificate to client use
echo extendedKeyUsage = clientAuth > extfile-client.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf
Then we need to do some cleanup, adjust the permissions, and copy the certificates to “/etc/docker/ssl”.
# Remove the CSRs and extension files, which are no longer needed
rm -v client.csr server.csr extfile.cnf extfile-client.cnf
# Certificates are public and can be world-readable; the private keys (ca-key.pem, server-key.pem, key.pem) should stay readable by root only (the Docker documentation uses mode 0400 for them)
chmod -v 0444 ca.pem server-cert.pem cert.pem
mkdir /etc/docker/ssl
cp ca.pem /etc/docker/ssl/
cp server-key.pem /etc/docker/ssl/
cp server-cert.pem /etc/docker/ssl/
We need to change the Docker daemon to use the new certificates; on Photon OS the command is a little different.
systemctl edit --force --full docker.service
Add the following lines to the “[Service]” section and put a # in front of the old ExecStart line:
[Service]
ExecStart=
# Note: --tls only enables TLS on the listener; dockerd requires and verifies client certificates against --tlscacert only when --tlsverify is given (see the Docker documentation)
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tls --tlscacert=/etc/docker/ssl/ca.pem --tlscert=/etc/docker/ssl/server-cert.pem --tlskey=/etc/docker/ssl/server-key.pem
We need to configure the firewall on the Photon OS VM; if you have a cluster, all nodes need to be added.
# Allow the vRA host to reach the TLS Docker API port and the port range used for published container ports
# These ACCEPT rules only restrict access if the INPUT chain otherwise drops or rejects traffic to these ports
iptables -A INPUT -p tcp --source <vRA host> --dport 2376 -j ACCEPT
iptables -A INPUT -p tcp --source <vRA host> --dport 30000:32767 -j ACCEPT
Restart the Docker service.
systemctl daemon-reload && systemctl restart docker.service
On the Docker host we now have these files.
We need the content of some of these files, so we can use the “cat” command to print the content to the console and copy it into the add/configure Code Stream endpoint UI.
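Before pasting the files into the endpoint UI it is worth confirming that the set has the properties the steps above are meant to produce: the server certificate chains to the CA, carries extendedKeyUsage serverAuth and a SAN for the host FQDN and IP, and the client certificate chains to the CA and carries clientAuth. The following shell check is an added example, not part of the original post or of Docker; it assumes the openssl CLI is installed, and make_test_certs builds a throwaway set in a temporary directory with the same openssl steps (unencrypted 2048-bit keys so it runs unattended; the host name and IP are constructed values) so that check_docker_certs can be exercised offline before it is run against /etc/docker/ssl.

```shell
#!/bin/sh
# Added check for a Docker TLS certificate set (not from the original post).
# Usage: check_docker_certs CA SERVER_CERT CLIENT_CERT HOST IP
# Returns 0 only if the server cert chains to CA, has EKU serverAuth and a SAN
# entry for HOST and IP, and the client cert chains to CA and has EKU clientAuth.
check_docker_certs() {
  ca=$1; srv=$2; cli=$3; host=$4; ip=$5
  openssl verify -CAfile "$ca" "$srv" >/dev/null 2>&1 ||
    { echo "server cert does not chain to $ca"; return 1; }
  openssl verify -CAfile "$ca" "$cli" >/dev/null 2>&1 ||
    { echo "client cert does not chain to $ca"; return 1; }
  srv_txt=$(openssl x509 -in "$srv" -noout -text)
  echo "$srv_txt" | grep -q 'TLS Web Server Authentication' ||
    { echo "server cert lacks extendedKeyUsage serverAuth"; return 1; }
  # SAN entries are printed as "DNS:name, IP Address:a.b.c.d"; anchor on the separator
  echo "$srv_txt" | grep -qE "DNS:$host"'(,|$)' ||
    { echo "server cert SAN lacks DNS:$host"; return 1; }
  echo "$srv_txt" | grep -qE "IP Address:$ip"'(,|$)' ||
    { echo "server cert SAN lacks IP:$ip"; return 1; }
  openssl x509 -in "$cli" -noout -text | grep -q 'TLS Web Client Authentication' ||
    { echo "client cert lacks extendedKeyUsage clientAuth"; return 1; }
  echo "certificate set OK for $host ($ip)"
}

# Builds a throwaway CA, server and client cert in DIR with the same openssl
# steps as the post (unencrypted 2048-bit keys, 1-day validity) so the check
# can be run offline. HOST and IP are constructed test values, not a real host.
make_test_certs() {
  d=$1; host=$2; ip=$3
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj '/CN=test-ca' \
    -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$d/server-key.pem" -out "$d/server.csr" 2>/dev/null || return 1
  printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
    "$host" "$ip" > "$d/extfile.cnf"
  openssl x509 -req -days 1 -sha256 -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
    -CAcreateserial -out "$d/server-cert.pem" -extfile "$d/extfile.cnf" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj '/CN=client' \
    -keyout "$d/key.pem" -out "$d/client.csr" 2>/dev/null || return 1
  printf 'extendedKeyUsage = clientAuth\n' > "$d/extfile-client.cnf"
  openssl x509 -req -days 1 -sha256 -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
    -CAcreateserial -out "$d/cert.pem" -extfile "$d/extfile-client.cnf" 2>/dev/null || return 1
}
```

On the real host the check is `check_docker_certs /etc/docker/ssl/ca.pem /etc/docker/ssl/server-cert.pem cert.pem "$HOST" "$IP"`, using the variables exported at the start of the post.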
In this line you have a typo:
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tls --tlscacert=/etc/docker/etc/ca.pem --tlscert=/etc/docker/etc/server-cert.pem --tlskey=/etc/docker/etc/server-key.pem
certificate path is wrong, /etc/docker/ssl/****.ca
Thanks, yes I have updated it.
You have a typo on this line
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tls --tlscacert=/etc/docker/etc/ca.pem --tlscert=/etc/docker/etc/server-cert.pem --tlskey=/etc/docker/etc/server-key.pem
Certificate path is wrong, should be /etc/docker/ssl/*****.pem
Thanks, yes I have updated it.