cyberark / conjur-quickstart Goto Github PK

Both the openssl container as well as the postgres containers exit. The conjur_server container restarts continually. I've been able to replicate this with three separate environments running Docker Toolbox and Docker CE.

The log format in the conjur quick-start.

quick-start logs:
[ORIGIN] [REQUEST ID] [THREAD ID] [MSG]

Ex:
[origin=172.29.0.3] [request_id=438d77c9-6c82-42c2-9620-589275dc28cc] [tid=34] Authentication Error: #<Errors::Authentication::InvalidCredentials: CONJ00002E Invalid credentials>

And from the Conjur repo, the logs look like
[SEVERITY] [TIMESTAMP] [PROCESS ID] [ORIGIN] [REQUEST ID] [THREAD ID] [MSG]
Ex:
INFO 2020/01/05 14:16:00 +0000 [pid=373] [origin=172.24.0.1] [request_id=47dcf956-1481-4256-a972-7b08d3a5b91c] [tid=383] Completed 401 Unauthorized in 68ms

Summary

Hi

We are trying the Conjur quickstart found here: https://github.com/cyberark/conjur-quickstart#
Please assist in finding an acceptable password.

Thanks so much.

Steps to Reproduce

1. Set up a Conjur Open Source environment step 1-6
2. Step 1 at Define policy - password not accepted.

Expected Results

password to be accepted.

Actual Results

All the steps in "Set up a Conjur Open Source environment" works fine.

podman compose exec conjur conjurctl account create myConjurAccount > admin_data

Created new account 'myConjurAccount'
Token-Signing Public Key: -----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8uSbwrtzOsNQB7/WkpzV
E0ccjESrkAnDXZ+R2I+A0TERbYyfB6thKtW1uk97HvdCjC56SfN7aFaQhKxIoh+w
TabCERyW1GA2yD5NOE4PMce2D9yWMRrOY2aGd19Z1KnzmIwVYjojyZb1DXcBgl6K
80d0B4a/N5ahBo4ZAMhhGVDQ8Hxp9t3VIeCh+E8QxDwVHIDsKOQEYdGXflSrFwC2
D4tWhY4ljH1+Btdk1VWME1qqdqNjaozA1acUu01TYgDOQ1LmqH373yI4pwyln02M
Kb+GJrLOlvviGg8pmOF1vIKqa1IDnOs/n5Jzqs8ngfoqm2/pi/1E84JTvCCbGKFi
7QIDAQAB
-----END PUBLIC KEY-----
API key for admin: 364hdyy3j0xk6x1d895nn78hmaw2t6ebqx22tse3av4nb1g2zepcg9

Warning: Using self-signed certificates is not recommended and could lead to exposure of sensitive data

The server's certificate fingerprint is BFCB5A7B089F587E55DE5F1234AD14C78B5499F1.
Please verify this certificate on the appliance using command:
openssl x509 -fingerprint -noout -in ~conjur/etc/ssl/conjur.pem

? Trust this certificate? Yes
Wrote certificate to /root/conjur-server.pem
Wrote configuration to /root/.conjurrc

The problem starts here: https://github.com/cyberark/conjur-quickstart#define-policy
At point 1.

Enter the API key for admin as password for this step.

podman compose exec client conjur login -i admin

? Please enter your password (it will not be echoed): ******************************************************
Error: Unable to authenticate with Conjur. Please check your credentials.
Error: executing /usr/bin/docker-compose exec client conjur login -i admin: exit status 1

Reproducible

• [x ] Always
• Sometimes
• Non-Reproducible

Version/Tag number

nexus.bmwgroup.net/postgres                        15          7fd3f745e3f1  3 weeks ago   433 MB
nexus.bmwgroup.net/nginx                           latest      e4720093a3c1  4 weeks ago   191 MB
nexus.bmwgroup.net/dpage/pgadmin4                  latest      a0786aa69feb  5 weeks ago   489 MB
nexus.bmwgroup.net/cyberark/conjur-cli             8           d62cfa549ec9  4 months ago  14.8 MB
nexus.bmwgroup.net/cyberark/conjur                 latest      3e50a4ba543b  5 months ago  375 MB
nexus.bmwgroup.net/cfmanteiga/alpine-bash-curl-jq  latest      3b21d4d5b512  6 years ago   12.3 MB

CONTAINER ID  IMAGE                                                     COMMAND               CREATED         STATUS         PORTS                                                     NAMES
307019ab0089  nexus.bmwgroup.net/cfmanteiga/alpine-bash-curl-jq:latest  tail -F anything      20 minutes ago  Up 20 minutes                                                            bot_app
438bf20e4144  nexus.bmwgroup.net/postgres:15                            postgres              20 minutes ago  Up 20 minutes  0.0.0.0:8432->5432/tcp                                    postgres_database
0f22cad1de93  nexus.bmwgroup.net/dpage/pgadmin4:latest                                        20 minutes ago  Up 20 minutes  0.0.0.0:8081->80/tcp                                      conjur-quickstart-pgadmin-1
205161aa916f  nexus.bmwgroup.net/cyberark/conjur:latest                 server                20 minutes ago  Up 20 minutes  0.0.0.0:8080->80/tcp                                      conjur_server
5cb5e8087d5d  nexus.bmwgroup.net/nginx:latest                           nginx -g daemon o...  20 minutes ago  Up 20 minutes  0.0.0.0:8443->443/tcp                                     nginx_proxy
bbeafe80bdeb  nexus.bmwgroup.net/cyberark/conjur-cli:8                  infinity              20 minutes ago  Up 20 minutes                                                            conjur_client

Environment setup

VERSION="15-SP5"
podman-4.8.3-150500.3.6.1.x86_64
docker-compose-switch-1.0.5-bp155.1.10.x86_64
docker-compose-2.14.2-bp155.1.6.x86_64

Additional Information

Add any other context about the problem here.

I had a lab working just a few days ago, was able to perform the entire quickstart process and successfully run program.sh. As of today, when i execute docker-compose up -d, everything appears to start, but then docker ps -a shows:

openssl and postgres_database as Exited just after everything starts up.

Running docker-ce Docker version 19.03.5, build 633a0ea838 on Ubuntu 18.04.4

Based on this discourse post we'd like to add more context to the quick start flow on conjur.org.

From the post (via @JakeQuilty):

I do agree that for a good chunk of the tutorial running the commands from outside seem weird at first. I just think going back and forth would make the tutorial choppier. Maybe another paragraph explaining why it is the way it is?

In this card we'll define improvements we'd like to make to the quick start flow and validate them, and share them with the web team so that the site can be updated.

Is your feature request related to a problem? Please describe.

At current, there is nothing validating that the docker-compose.yml in this file continues to work with the quick start flow

Describe the solution you would like

To ensure unexpected problems don't arise that break the quick start flow for end users, a pipeline should be added to this project (using github actions or jenkins) to run through the steps from the quick start and validate that they are functioning as expected. The pipeline should automatically run every day.

AC:

• This project has a daily build that runs through the quick start steps and alerts maintainers early of breaking changes

From what I have seen, this tutorial only works on MacOS. I've seen multiple posts on the Commons talking about it not working with Windows. We also had to change a lot to get it working on Ubuntu(https://discuss.cyberarkcommons.org/t/conjur-quick-start-ubuntu-workaround/544)

The version of Postgres used in the quickstart (9.4) is end-of-life and needs to be updated. In the context of our Postgres upgrade epic, this should be updated to version 10.14.

Related to cyberark/conjur#1876

Summary

When deploying Conjur as per the instructions, if CONJUR_DATA_KEY is not valid when starting Conjur container, you may get the following error:

rake aborted!
ArgumentError: invalid base64
/opt/conjur-server/config/initializers/authenticator.rb:16:in `<top (required)>'
...

AC:

• We provide better UX or documentation for this common pitfall

In the Docker File the postgreSQL Version 10.16 is stated. If I ignore, that postgreSQL 10 is EOL, this version is also outdated. The last Version of the 10th Branch ist 10.23.

Further I consider this from a security perspective as risk to the security of the application if an outdated postgresql version is used.

At current the quick start demo uses POSTGRES_HOST_AUTH_METHOD: trust, but it should be updated to use at least POSTGRES_HOST_AUTH_METHOD: password

AC:

• pg container uses POSTGRES_HOST_AUTH_METHOD: password
• (optional) Conjur communicates with pg via TLS

GIVEN I have deployed Conjur OSS using the quick start docker-compose
AND I want to add or modify an environment variable in the Conjur container
THEN when I come to the quick start README, there are clear instructions for modifying the Conjur environment variables
AND to modify the Conjur environment variables, I don't have to tear down my existing deployment and start a new one from scratch

When I run this command "docker-compose exec client conjur policy load root policy/BotApp.yml > my_app_data" I get the following in the my_app_data.

"error: No such file or directory @ rb_sysopen - policy/BotApp.yml"

Aha card

https://cyberark.aha.io/features/AAM-181 (Phase 1)
https://cyberark.aha.io/epics/AAM-E-37 (Full Requirement)

Objective

Add the nginx deployment as part of the docker compose.

Technical breakdown

@uCatu has created an OSS quickstart here
https://github.com/cyberark/conjur-quickstart
and instructions for deploying the docker compose
https://docs-staging.conjur.org/OSS/en/Content/OSS/Installation/DockerCompose.htm?tocpath=Setup%7CServer%20Setup%7C_____1

Defintion of Done

Validate the quickstart guide and scripts.

• Can be successfully run without error
• Is helpful/easy to follow (this will be a judgement call).
• Deploys a working instance of Conjur with TLS termination.

I was trying to follow this last night on an Ubuntu vm and was having problems with NGINX when trying to start the Docker containers. I know I've ran into a similar problem in the past.

Terminal:

$ git clone https://github.com/cyberark/conjur-quickstart.git
Cloning into 'conjur-quickstart'...
remote: Enumerating objects: 86, done.
remote: Counting objects: 100% (86/86), done.
remote: Compressing objects: 100% (63/63), done.
remote: Total 86 (delta 32), reused 53 (delta 14), pack-reused 0
Unpacking objects: 100% (86/86), done.
Checking connectivity... done.
$ cd conjur-quickstart
$ docker-compose pull
Pulling openssl  ... done
Pulling bot_app  ... done
Pulling database ... done
Pulling conjur   ... done
Pulling proxy    ... done
Pulling client   ... done
$ docker-compose run --no-deps --rm conjur data-key generate > data_key
Creating network "conjur-quickstart_default" with the default driver
$ export CONJUR_DATA_KEY="$(< data_key)"
$ echo $CONJUR_DATA_KEY
F2SCCPHTTU1ZM+XkedS7lZJRgwKvW6ugQJ51LYFJoZI=
$ docker-compose up -d
Creating postgres_database ... done
Creating openssl           ... done
Creating bot_app           ... done
Creating conjur_server     ... done
Creating nginx_proxy       ... error

ERROR: for nginx_proxy  Cannot start service proxy: b'OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \\"rootfs_linux.go:58: mounting \\\\\\"/home/scrapbook/tutorial/conjur-quickstart/conf/default.conf\\\\\\" to rootfs \\\\\\"/var/lib/docker/overlay/3b578a083ce7833e47d08cee715d2c5db63a159dc80f69e8f3183a13ee7def6a/merged\\\\\\" at \\\\\\"/var/lib/docker/overlay/3b578a083ce7833e47d08cee715d2c5db63a159dc80f69e8f3183a13ee7def6a/merged/etc/nginx/conf.d/default.conf\\\\\\" caused \\\\\\"not a directory\\\\\\"\\"": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type'

ERROR: for proxy  Cannot start service proxy: b'OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \\"rootfs_linux.go:58: mounting \\\\\\"/home/scrapbook/tutorial/conjur-quickstart/conf/default.conf\\\\\\" to rootfs \\\\\\"/var/lib/docker/overlay/3b578a083ce7833e47d08cee715d2c5db63a159dc80f69e8f3183a13ee7def6a/merged\\\\\\" at \\\\\\"/var/lib/docker/overlay/3b578a083ce7833e47d08cee715d2c5db63a159dc80f69e8f3183a13ee7def6a/merged/etc/nginx/conf.d/default.conf\\\\\\" caused \\\\\\"not a directory\\\\\\"\\"": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type'
ERROR: Encountered errors while bringing up the project.

OS Info:
NAME="Ubuntu"
VERSION="16.04.4 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.4 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

Summary

A clear and concise description of what the bug is.

Steps to Reproduce

Steps to reproduce the behavior:

1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

Expected Results

A clear and concise description of what you expected to happen.

Actual Results (including error logs, if applicable)

A clear and concise description of what actually did happen.

Reproducible

• Always
• Sometimes
• Non-Reproducible

Version/Tag number

What version of the product are you running? Any version info that you can share is helpful.
For example, you might give the version from Docker logs, the Docker tag, a specific download URL,
the output of the /info route, etc.

Environment setup

Can you describe the environment in which this product is running? Is it running on a VM / in a container / in a cloud?
Which cloud provider? Which container orchestrator (including version)?
The more info you can share about your runtime environment, the better we may be able to reproduce the issue.

Additional Information

Add any other context about the problem here.

Summary

Using Docker Desktop on Windows 10, When trying to pull image it stuck and not responding.
Tried to run below command
$ docker-compose pull

After that it is not responding.

Steps to Reproduce

Steps to reproduce the behavior:

1. Clone the repo https://github.com/cyberark/conjur-quickstart.git
2. cd conjur-quickstart
3. docker-compose pull

Expected Results

It should pulled the docker images defined in docker-compose.yml

Actual Results (including error logs, if applicable)

After running the given command its not responding.

Environment setup

Docker Desktop Community 3.1.0
Also tried on
Docker Desktop Community 2.5.0.1

Summary

When working with mac with m1 chip, and performing "docker-compose pull" command, an error "no matching manifest for linux/arm64/v8 in the manifest list entries" appears

Steps to Reproduce

Work on macbook m1 chip

1. git clone https://github.com/cyberark/conjur-quickstart.git
2. docker-compose pull

Expected Results

No errors appear

Actual Results

The following error appears: no matching manifest for linux/arm64/v8 in the manifest list entries

Reproducible

• [V] Always
• Sometimes
• Non-Reproducible

Version/Tag number

latest version

Environment setup

macbook with m1 chip

Additional Information

upon adding: "platform: linux/amd64" to docker-compose.yaml to the services the problem resolved.

Is your feature request related to a problem? Please describe.

The current Conjur OSS quickstart guide does not provide instructions on how to run
Conjur OSS with persistent storage of Conjur configuration/state.

Describe the solution you would like

The Conjur OSS quickstart guide includes instructions on how to run
Conjur OSS with persistent storage of Conjur configuration/state.

Describe alternatives you have considered

Additional context

Well now I am able to get all the way to the last step which is to fetch the secret but I am getting the following error... "The retrieved value is: Malformed authorization token". What am I doing wrong here?? This was done within the 8 minute limit.

I have not been able to access the containers from outside of docker execing into one and pinging the other. Only being able to make API calls from inside a shell of one of the containers makes tutorials like this one unusable.

Using conjur cli I able to use REST APIs to store and fetch secret (using host http://conjur).
Like to set secret for username
curl -H "$(conjur authn authenticate -H)" http://conjur/secrets/conjurAccount/variable/root%2Fdb%2Fusername --data "ravics09"
But when I try same command in git bash I am getting error:
curl: (28) Failed to connect to 192.168.29.227 port 808: Timed out

Why Its trying to connect with given IP? Is any port mapping require ?
Or What setting require so I can test those REST APIs using postman?

My conjur server running on localhost port 8080.