Merge 23da3e5 into 963794c
erikespinoza committed Dec 4, 2020
2 parents 963794c + 23da3e5 commit b95aea5
Showing 6 changed files with 209 additions and 2 deletions.
70 changes: 70 additions & 0 deletions Dockerfile
@@ -0,0 +1,70 @@
#################
# Build Step
#################

FROM golang:latest as build

# Setup work env
RUN mkdir -p /app/ /tmp/gocode/src/github.com/Cloud-Foundations/keymaster
ADD . /tmp/gocode/src/github.com/Cloud-Foundations/keymaster
WORKDIR /tmp/gocode/src/github.com/Cloud-Foundations/keymaster


# Required envs for GO
ENV GOPATH=/tmp/gocode
ENV GOOS=linux
ENV GOARCH=amd64
ENV DEBIAN_FRONTEND=noninteractive

# Update and confirm deps
RUN apt-get update && apt-get -y dist-upgrade && apt-get -y install build-essential

# Install deps
RUN go get -d -v ./...

## Dirty Hack - Remove when https://github.com/golang/go/issues/37278 is closed
# Compatibility with OpenSSH 8.2 and above
WORKDIR /tmp/gocode/src/golang.org/x/crypto/
RUN git config user.email "you@example.com"
RUN git config user.name "Your Name"
RUN git pull --no-edit https://go.googlesource.com/crypto refs/changes/37/220037/3
WORKDIR /tmp/gocode/src/github.com/Cloud-Foundations/keymaster
## Dirty Hack End

# Build and copy final result
RUN make

#################
# Run Step
#################

FROM debian:buster as run

# Copy binary from build container
COPY --from=build /tmp/gocode/bin/keymasterd /app/keymasterd
COPY --from=build /tmp/gocode/bin/keymaster-unlocker /app/keymaster-unlocker
COPY --from=build /tmp/gocode/src/github.com/Cloud-Foundations/keymaster/cmd/keymasterd/customization_data /usr/share/keymasterd/customization_data
COPY --from=build /tmp/gocode/src/github.com/Cloud-Foundations/keymaster/cmd/keymasterd/static_files /usr/share/keymasterd/static_files

# Copy docker specific scripts from build container
COPY --from=build /tmp/gocode/src/github.com/Cloud-Foundations/keymaster/misc/docker/start.sh /app/docker/

# Perform update and clear cache
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update
RUN apt-get -y --no-install-recommends install procps apache2-utils ca-certificates
RUN apt-get -y install wget
RUN wget https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_amd64.deb
RUN dpkg -i dumb-init_1.2.2_amd64.deb
RUN rm -f dumb-init_1.2.2_amd64.deb
RUN apt-get -y --purge autoremove wget
RUN apt-get -y dist-upgrade && rm -rf /var/cache/apt/*


# Install init

# Expose web and LDAP ports
EXPOSE 80 443 6920

ENTRYPOINT ["/usr/bin/dumb-init", "--"]
CMD ["/bin/sh", "/app/docker/start.sh"]
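Review bot: the dumb-init package downloaded at `RUN wget https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_amd64.deb` is installed with `dpkg -i` without any integrity check, so the run image's PID 1 is whatever that URL serves at build time; pin the release's SHA256 and verify it before `dpkg -i` (e.g. `echo "<sha256>  dumb-init_1.2.2_amd64.deb" | sha256sum -c`), or install the distribution package instead. The `git pull ... refs/changes/37/220037/3` of the unmerged x/crypto change is at least pinned to a patchset, but the commit it resolves to should be recorded in the comment so the build stays reproducible and the hack can be reverted once golang/go#37278 closes. The run stage never sets `USER`, so `keymasterd` runs as root inside the container; add an unprivileged user and chown `/etc/keymaster` and `/var/lib/keymaster` accordingly. `ADD . /tmp/gocode/src/...` copies the whole checkout, including `.git` and any local files, into the build stage; prefer `COPY` plus a `.dockerignore`. Minor: `golang:latest` is unpinned, and the `# Install init` comment near the end is orphaned (the dumb-init install happens above it).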
103 changes: 103 additions & 0 deletions docs/docker/README.md
@@ -0,0 +1,103 @@
# Keymaster in Docker

## Build

On a machine with docker installed, pull this source and create the container

```
$ git clone https://github.com/Cloud-Foundations/keymaster.git
$ cd keymaster
$ docker build -t local/keymaster .
```

## Bootstrap

Now that you have the local container built, you will need to create keys and a
default config for bootstrapping the server.

```
$ cd misc/docker
$ cp env.example .env # Edit this file to set timezone and local dirs
$ . .env
$ docker run --rm -it -v "${KEYMASTER_DATA}/conf/:/etc/keymaster/" -v \
"${KEYMASTER_DATA}/db/:/var/lib/keymaster/" -e "TZ=${TIMEZONE}" \
local/keymaster /app/keymasterd -generateConfig
```

This will generate a series of prompts. Here's how to answer them.


Enter and re-enter your passphrase

```
Please enter your passphrase:
Please re-enter your passphrase:
```

Due to a bug in config, enter / for Base dir

```
Default base Dir[/tmp]:/
```

Leave blank and hit enter for data directory

```
Data Directory[//var/lib/keymaster]:
```

Enter your public hostname

```
HostIdentity[keymaster.DOMAIN]:keymaster.mydomain.com
```

Hit enter for the ports and accept the default.

```
HttpAddress[:443]:
AdminAddress[:6920]:
```

Fix the config issues mentioned in the main README.md

```
$ sudo sed -i 's% data_directory:.*% data_directory: "/var/lib/keymaster"%g' \
${KEYMASTER_DATA}/conf/config.yml
$ sudo sed -i 's% shared_data_directory:.*% shared_data_directory: "/usr/share/keymasterd/"%g' \
${KEYMASTER_DATA}/conf/config.yml
```

## Start

After bootstrapping configs and keys you just start the container. This will
start it sealed.

```
$ docker-compose up -d
```

## Unseal

By default the CA will start in a sealed state. To unseal it you will need to
enter your passphrase.

```
$ docker exec -e SSL_CERT_FILE=/etc/keymaster/server.pem -it keymaster \
/app/keymaster-unlocker -cert /etc/keymaster/adminClient.pem \
-key /etc/keymaster/adminClient.key -keymasterHostname localhost
Password for unlocking localhost:
OK
```

## Add users

By default a user is created. Let's start by deleting this and creating our own
user.

```
$ rm -f ${KEYMASTER_DATA}/conf/passfile.htpass
$ docker exec -it keymaster /usr/bin/htpasswd -B -c \
/etc/keymaster/passfile.htpass $USERNAME
```
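Review bot: the `htpasswd -B -c` command in the Add users section uses `$USERNAME`, which is not defined anywhere in this document or in `env.example` (and is not set by default on many shells), so tell the reader to set it first; also note that `-c` creates a fresh file, so it must be dropped when adding a second user or the first account is silently overwritten. The sentence "Due to a bug in config, enter / for Base dir" should reference the issue or describe the symptom so readers know when the workaround can be removed. The `sudo sed -i` edits of `${KEYMASTER_DATA}/conf/config.yml` are needed because the container wrote those files as root; one sentence saying so would avoid confusion. In the Unseal step, `-keymasterHostname localhost` together with `SSL_CERT_FILE=/etc/keymaster/server.pem` assumes the generated server certificate is valid for `localhost`; if the unlocker reports a certificate error, the value entered at the `HostIdentity` prompt should be used instead.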
4 changes: 2 additions & 2 deletions docs/workarounds/SHA1-RSA-ssh-keys.md
@@ -1,7 +1,7 @@
# SHA1 RSA SSH Keys

## Background
With the release of [OpenSSH 8.2](https://www.openssh.com/txt/release-8.2], SHA1
With the release of [OpenSSH 8.2](https://www.openssh.com/txt/release-8.2), SHA1
RSA keys are disabled by default.

Go currently generates [SHA1 keys](https://github.com/golang/go/issues/37278)
@@ -60,4 +60,4 @@ support.
* [Golang Issue](https://github.com/golang/go/issues/37278)
* [Golang ChangeList](https://go-review.googlesource.com/c/crypto/+/220037/)
* [OpenSSH 8.2 Release Notes](https://www.openssh.com/txt/release-8.2)
* [Okta Workaround](https://support.okta.com/help/s/question/0D51Y00009BJVuZSAX/kali-linux-support-isnt-the-sshrsa-signature-algorithm-a-bad-idea?language=en_US)
* [Okta Workaround](https://support.okta.com/help/s/question/0D51Y00009BJVuZSAX/kali-linux-support-isnt-the-sshrsa-signature-algorithm-a-bad-idea?language=en_US)
18 changes: 18 additions & 0 deletions misc/docker/docker-compose.yml
@@ -0,0 +1,18 @@
# See ../../docs/docker for more info. This will not work without bootstrapping

version: "2"

services:
keymaster:
image: "local/keymaster"
container_name: "keymaster"
environment:
- "TZ=${TIMEZONE}"
ports:
- "80:80"
- "443:443"
- "6920:6920"
volumes:
- "${KEYMASTER_DATA}/conf/:/etc/keymaster/"
- "${KEYMASTER_DATA}/db/:/var/lib/keymaster/"
restart: "unless-stopped"
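Review bot: `- "6920:6920"` publishes the admin/unlocker port on every host interface, yet the documented unseal flow runs `keymaster-unlocker` via `docker exec` inside the container and never needs that port from the host; drop the mapping or bind it to loopback (`"127.0.0.1:6920:6920"`) so the admin endpoint is not network-reachable by default. Similarly, the generated config only sets `HttpAddress[:443]` and `AdminAddress[:6920]`, so confirm keymasterd actually listens on 80 before publishing `80:80`. The volumes mount the host `conf/` directory, which holds the CA passphrase-protected keys and `passfile.htpass`; the README should state the expected ownership and mode of `${KEYMASTER_DATA}` (the `.env` next to this file supplies `TIMEZONE` and `KEYMASTER_DATA` for the substitutions).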
2 changes: 2 additions & 0 deletions misc/docker/env.example
@@ -0,0 +1,2 @@
TIMEZONE=America/Los_Angeles
KEYMASTER_DATA=/srv/docker/keymaster
14 changes: 14 additions & 0 deletions misc/docker/start.sh
@@ -0,0 +1,14 @@
#!/bin/sh

# Copy config file if it doesn't exist so that the app can start
if [ ! -f /etc/keymaster/config.yml ] ; then
echo "Generate Configs"
exit 1
fi

# Run app
/app/keymasterd -config /etc/keymaster/config.yml -alsoLogToStderr

echo ""
echo "keymasterd has exited."
echo "Exiting."

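Review bot: the comment `# Copy config file if it doesn't exist so that the app can start` does not describe the code beneath it, which exits with status 1 when `/etc/keymaster/config.yml` is missing and copies nothing; reword it to something like `# Refuse to start without a config; run keymasterd -generateConfig first`. Since the image runs this script under dumb-init, start `/app/keymasterd` with `exec` so it becomes dumb-init's direct child and its exit status becomes the container's; as written, the trailing `echo` lines make the script exit 0 no matter how keymasterd ended, so if the messages are kept, capture `rc=$?` right after the keymasterd line and finish with `exit $rc`.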