
Add support for syslog over TLS.

Signed-off-by: David Calavera <david.calavera@gmail.com>
David Calavera há 9 anos atrás
pai
commit
4b98193bea
2 ficheiros alterados com 56 adições e 9 exclusões
  1. 38 8
      daemon/logger/syslog/syslog.go
  2. 18 1
      docs/reference/logging/overview.md

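--- a/daemon/logger/syslog/syslog.go
+++ b/daemon/logger/syslog/syslog.go
@@ -4,9 +4,9 @@
 package syslog
 
 import (
+	"crypto/tls"
 	"errors"
 	"fmt"
-	"log/syslog"
 	"net"
 	"net/url"
 	"os"
@@ -14,13 +14,19 @@ import (
 	"strconv"
 	"strings"
 
+	syslog "github.com/RackSec/srslog"
+
 	"github.com/Sirupsen/logrus"
 	"github.com/docker/docker/daemon/logger"
 	"github.com/docker/docker/daemon/logger/loggerutils"
 	"github.com/docker/docker/pkg/urlutil"
+	"github.com/docker/go-connections/tlsconfig"
 )
 
-const name = "syslog"
+const (
+	name        = "syslog"
+	secureProto = "tcp+tls"
+)
 
 var facilities = map[string]syslog.Priority{
 	"kern":     syslog.LOG_KERN,
@@ -77,12 +83,19 @@ func New(ctx logger.Context) (logger.Logger, error) {
 		return nil, err
 	}
 
-	log, err := syslog.Dial(
-		proto,
-		address,
-		facility,
-		path.Base(os.Args[0])+"/"+tag,
-	)
+	logTag := path.Base(os.Args[0]) + "/" + tag
+
+	var log *syslog.Writer
+	if proto == secureProto {
+		tlsConfig, tlsErr := parseTLSConfig(ctx.Config)
+		if tlsErr != nil {
+			return nil, tlsErr
+		}
+		log, err = syslog.DialWithTLSConfig(proto, address, facility, logTag, tlsConfig)
+	} else {
+		log, err = syslog.Dial(proto, address, facility, logTag)
+	}
+
 	if err != nil {
 		return nil, err
 	}
@@ -147,6 +160,10 @@ func ValidateLogOpt(cfg map[string]string) error {
 		case "syslog-address":
 		case "syslog-facility":
 		case "syslog-tag":
+		case "syslog-tls-ca-cert":
+		case "syslog-tls-cert":
+		case "syslog-tls-key":
+		case "syslog-tls-skip-verify":
 		case "tag":
 		default:
 			return fmt.Errorf("unknown log opt '%s' for syslog log driver", key)
@@ -177,3 +194,16 @@ func parseFacility(facility string) (syslog.Priority, error) {
 
 	return syslog.Priority(0), errors.New("invalid syslog facility")
 }
+
+func parseTLSConfig(cfg map[string]string) (*tls.Config, error) {
+	_, skipVerify := cfg["syslog-tls-skip-verify"]
+
+	opts := tlsconfig.Options{
+		CAFile:             cfg["syslog-tls-ca-cert"],
+		CertFile:           cfg["syslog-tls-cert"],
+		KeyFile:            cfg["syslog-tls-key"],
+		InsecureSkipVerify: skipVerify,
+	}
+
+	return tlsconfig.Client(opts)
+}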
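Review bot: In the last hunk, `parseTLSConfig` turns on `InsecureSkipVerify` whenever the `syslog-tls-skip-verify` key is present, regardless of its value, so `--log-opt syslog-tls-skip-verify=false` silently disables certificate verification while the docs in this same commit say verification is only overridden by setting the option to `true`. The value should be parsed with `strconv.ParseBool` (both `strconv` and `fmt` are already imported per the first two hunks) and a malformed value rejected, so that only an explicit true weakens the connection. `ValidateLogOpt` in the fourth hunk only whitelists the new keys and does not inspect their values, so the same parse could be applied there to fail early at configuration time; that function's body starts and ends outside the hunk. The rewritten head of `parseTLSConfig` would look like this, with the `tlsconfig.Options` construction and `tlsconfig.Client` call unchanged.
```go
func parseTLSConfig(cfg map[string]string) (*tls.Config, error) {
	// Verification stays on unless the option is explicitly set to a true value.
	skipVerify := false
	if v, ok := cfg["syslog-tls-skip-verify"]; ok {
		b, err := strconv.ParseBool(v)
		if err != nil {
			return nil, fmt.Errorf("invalid syslog-tls-skip-verify value %q: %v", v, err)
		}
		skipVerify = b
	}
	// … unchanged: tlsconfig.Options construction and tlsconfig.Client call …
```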
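--- a/docs/reference/logging/overview.md
+++ b/docs/reference/logging/overview.md
@@ -69,9 +69,13 @@ If `max-size` and `max-file` are set, `docker logs` only returns the log lines f
 
 The following logging options are supported for the `syslog` logging driver:
 
-    --log-opt syslog-address=[tcp|udp]://host:port
+    --log-opt syslog-address=[tcp|udp|tcp+tls]://host:port
     --log-opt syslog-address=unix://path
     --log-opt syslog-facility=daemon
+    --log-opt syslog-tls-ca-cert=/etc/ca-certificates/custom/ca.pem
+    --log-opt syslog-tls-cert=/etc/ca-certificates/custom/cert.pem
+    --log-opt syslog-tls-key=/etc/ca-certificates/custom/key.pem
+    --log-opt syslog-tls-skip-verify=true
     --log-opt tag="mailer"
 
 `syslog-address` specifies the remote syslog server address where the driver connects to.
@@ -107,6 +111,19 @@ the following named facilities:
 * `local6`
 * `local7`
 
+`syslog-tls-ca-cert` specifies the absolute path to the trust certificates
+signed by the CA. This option is ignored if the address protocol is not `tcp+tls`.
+
+`syslog-tls-cert` specifies the absolute path to the TLS certificate file.
+This option is ignored if the address protocol is not `tcp+tls`.
+
+`syslog-tls-key` specifies the absolute path to the TLS key file.
+This option is ignored if the address protocol is not `tcp+tls`.
+
+`syslog-tls-skip-verify` configures the TLS verification.
+This verification is enabled by default, but it can be overriden by setting
+this option to `true`. This option is ignored if the address protocol is not `tcp+tls`.
+
 By default, Docker uses the first 12 characters of the container ID to tag log messages.
 Refer to the [log tag option documentation](log_tags.md) for customizing
 the log tag format.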