appliance-uml

Conjur appliance packaging based on UML.

CI pipeline: https://jenkins.conjur.net/job/appliance-uml/

Configuration

You can configure port redirects in /opt/conjur/config; by default it contains:

SSH_PORT=127.0.0.1:48022
HTTPS_PORT=48443
LDAPS_PORT=48636
POSTGRES_PORT=5432
PG_ARCHIVE_PORT=5433

Note that you can also choose the interface to bind to by prefixing the port with an address, as SSH_PORT does above. If you don't give an address, the port binds to the wildcard address 0.0.0.0, i.e. to every interface on the host.
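As an added example (not one of the repo's scripts), the following shell functions parse a file in the /opt/conjur/config format, report which redirected ports are bound to the wildcard address, and rewrite a service line so it binds to a specific address instead. The config path, the sample file and the function names are assumptions made for this example; the default values come from the README above.

```shell
#!/bin/sh
# Added example, not part of appliance-uml: audit and adjust bind addresses
# in a /opt/conjur/config style file (NAME=[ADDRESS:]PORT lines).

# Print "NAME ADDRESS PORT" for every *_PORT= line. A port without an
# address prefix gets the implicit wildcard 0.0.0.0, as the README notes.
list_binds() {
    config="$1"
    grep -E '^[A-Z_]+_PORT=' "$config" | while IFS='=' read -r name value; do
        case "$value" in
            *:*) addr="${value%:*}"; port="${value##*:}" ;;
            *)   addr="0.0.0.0";     port="$value" ;;
        esac
        printf '%s %s %s\n' "$name" "$addr" "$port"
    done
}

# Print only the names of services exposed on all interfaces.
wildcard_binds() {
    list_binds "$1" | awk '$2 == "0.0.0.0" { print $1 }'
}

# Rewrite one service's line so it binds to ADDR instead of the wildcard
# (or instead of whatever address it already has).
set_bind_addr() {
    config="$1"; name="$2"; addr="$3"
    sed -E "s/^(${name}=)([0-9.]+:)?([0-9]+)\$/\1${addr}:\3/" "$config" > "$config.tmp" \
        && mv "$config.tmp" "$config"
}

# Constructed sample config matching the README defaults (assumption: written
# to a path of the caller's choosing rather than /opt/conjur/config).
make_sample_config() {
    cat > "$1" <<'EOF'
SSH_PORT=127.0.0.1:48022
HTTPS_PORT=48443
LDAPS_PORT=48636
POSTGRES_PORT=5432
PG_ARCHIVE_PORT=5433
EOF
}

# Usage:
#   make_sample_config /tmp/conjur-config
#   wildcard_binds /tmp/conjur-config          # HTTPS, LDAPS, POSTGRES, PG_ARCHIVE
#   set_bind_addr /tmp/conjur-config POSTGRES_PORT 127.0.0.1
```

With the defaults, only SSH is restricted to loopback; the Postgres and archive ports listen on every interface, so this is the first thing to check on a host that is not behind a firewall.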

Creating the artifacts

Building each piece is containerized; have a current Docker installed.

# Create 'conjur-uml.x64.tar'; compiles an old Linux kernel for various reasons
$ ./mktar.sh

# Create 'conjur-uml-<version>.x86_64.rpm'. The tar above must be created first.
# <version> is calculated from git.
$ ./mkrpm.sh

# Create the sqsh-format image, given <src-image>.
# <src-image> will be pulled if not already on your system.
# Example: ./mkimage.sh registry.tld/conjur-appliance:4.9-stable
$ ./mkimage.sh <src-image>
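The three steps above have an ordering dependency (the rpm step needs the tar) and produce artifacts that get uploaded elsewhere. As an added example, not one of the repo's scripts, these shell functions enforce that dependency and record SHA-256 sums of the artifacts so that whatever is uploaded can be checked against what was built. The artifact directory and the SHA256SUMS file name are assumptions; the artifact names come from the README.

```shell
#!/bin/sh
# Added example, not part of appliance-uml: build-order check and artifact
# manifest for the tar/rpm/sqsh outputs of mktar.sh, mkrpm.sh and mkimage.sh.

# Fail, with a message, unless conjur-uml.x64.tar is present in the
# artifact directory; mkrpm.sh depends on it.
require_tar() {
    [ -f "$1/conjur-uml.x64.tar" ] || { echo "run ./mktar.sh first" >&2; return 1; }
}

# Write a SHA256SUMS manifest (relative names) covering every tar, rpm and
# sqsh artifact in the directory. Returns nonzero if nothing was found.
write_manifest() {
    dir="$1"
    rm -f "$dir/SHA256SUMS"
    for f in "$dir"/*.tar "$dir"/*.rpm "$dir"/*.sqsh; do
        [ -f "$f" ] || continue
        ( cd "$dir" && sha256sum "$(basename "$f")" ) >> "$dir/SHA256SUMS"
    done
    [ -s "$dir/SHA256SUMS" ]
}

# Verify the artifacts against the manifest; nonzero if any has changed
# or gone missing since the manifest was written.
check_manifest() {
    ( cd "$1" && sha256sum --status -c SHA256SUMS )
}

# Usage, after the three build steps have run in the current directory:
#   require_tar . && write_manifest . && check_manifest .
```

Running check_manifest on the machine that receives the artifacts (the smoke-test instance, or whatever consumes the S3 upload) catches a truncated or swapped file before it is installed.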

Running tests

We only have a barebones smoke test implemented so far.

$ ./smoketest.sh
...smoke test console output
  1. Launches a RHEL 6.2 EC2 instance; see .kitchen.yml.
  2. Uploads the built rpm and sqsh artifacts from the working directory to the instance.
  3. Installs the rpm and symlinks the sqsh image to the appropriate place; see smokec2.sh.
  4. Starts the Conjur process and configures Conjur.
  5. Runs a few Conjur CLI commands to make sure all is well.

The smoke tests use test-kitchen (with summon for AWS creds). Unfortunately, the smoke tests don't use the test-kitchen busser framework to actually run the tests (see smokec2.sh), so our reporting is limited to pass/fail right now.
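One way to get per-step reporting without busser is to wrap each CLI command the smoke test runs in a small step runner that records a result line and emits TAP at the end, so CI shows which step broke rather than a single pass/fail. The functions below are an added example, not the repo's smokec2.sh; the log path and the stand-in commands in the usage comment are assumptions, and in the real test the steps would be the conjur CLI commands from step 5 above.

```shell
#!/bin/sh
# Added example, not part of appliance-uml: a TAP-emitting step runner for
# smoke tests. Each step is a command; its exit status is recorded by name.

# Where results accumulate; overridable by the caller (assumed path).
STEP_LOG="${STEP_LOG:-/tmp/smoke-steps.$$}"

# Start a fresh run.
tap_reset() { : > "$STEP_LOG"; }

# Run one step: tap_step "<name>" <command> [args...]
# Records "ok N - name" or "not ok N - name (exit S)"; never aborts the run
# itself, so later steps still report.
tap_step() {
    name="$1"; shift
    n=$(( $(wc -l < "$STEP_LOG") + 1 ))
    if "$@" > /dev/null 2>&1; then
        echo "ok $n - $name" >> "$STEP_LOG"
    else
        status=$?
        echo "not ok $n - $name (exit $status)" >> "$STEP_LOG"
    fi
}

# Number of failed steps so far.
tap_failures() { grep -c '^not ok' "$STEP_LOG" || true; }

# Print the TAP plan and all results; return nonzero if any step failed,
# which is the overall pass/fail the CI job should key on.
tap_report() {
    echo "1..$(wc -l < "$STEP_LOG")"
    cat "$STEP_LOG"
    ! grep -q '^not ok' "$STEP_LOG"
}

# Usage (commands are stand-ins for the real CLI checks):
#   tap_reset
#   tap_step "conjur version"        conjur version
#   tap_step "conjur authn whoami"   conjur authn whoami
#   tap_report
```

Because the report is plain TAP, Jenkins' TAP plugin (or any TAP consumer) can render each step separately, and the exit status of tap_report still gives the pass/fail the current pipeline expects.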

Tech Notes

Kernel

The kernel built is a vanilla kernel with ARCH=um. The version is set in kernel/Makefile. The configuration is stored in kernel/kernel.config and can be adjusted with make -C kernel menuconfig.

Slirp

The Slirp code included is based on slirp-1.0.17, which is ancient and messy, and possibly also insecure, unstable and slow.

Slirp ceased to be developed as a standalone project over ten years ago, but it has found a new life in qemu and docker-win32. It would be nice to port changes from there.

Etc

  • Note that the host's /dev/shm is used for memory.

  • There is a Vagrant environment available for debugging, but this is not maintained.

    $ ./mkimage.sh conjur-appliance_4.8.1.0
    $ vagrant up
    $ vagrant ssh

    [vagrant@localhost ~]$ sudo rpm -i /vagrant/conjur-uml-0.3.1-1.x86_64.rpm
    [vagrant@localhost ~]$ sudo -iuconjur
    [conjur@localhost ~]$ cp /vagrant/conjur-appliance_4.8.1.0.sqsh shared
    [conjur@localhost ~]$ cd shared
    [conjur@localhost shared]$ ln -s conjur-appliance_4.8.1.0.sqsh image.sqsh
    [conjur@localhost shared]$ cd ..
    [conjur@localhost ~]$ ( sleep 5 ; bin/launch ) &
    [conjur@localhost ~]$ exit
    # wait until you see the following output, indicating the Conjur appliance is ready to be configured:
    #    [2017-02-08 16:56:54] INFO  WEBrick::HTTPServer#start: pid=xxx port=xxxx
    [vagrant@localhost ~]$ sudo -iuconjur
    [conjur@localhost ~]$ ssh conjur
    root@conjur# evoke configure master -h <hostname> -p <password> <orgaccount>
    # wait until you see output similar to the following, indicating Conjur configuration is complete (about 5.5 mins):
    #    Waiting for Conjur to be ready
    #     done
    root@conjur# exit
    [conjur@localhost ~]$ exit
    # install the CLI client
    [vagrant@localhost ~]$ sudo rpm -i /vagrant/conjur-5.4.0-1.el6.x86_64.rpm
    # initialize the client on this machine
    [vagrant@localhost ~]$ conjur init -h localhost:48443
    [vagrant@localhost ~]$ conjur bootstrap