cyberark / conjur-quickstart
Start securing your secrets and infrastructure by installing Conjur, using Docker and the official Conjur containers on DockerHub.
License: Apache License 2.0
The log format in the conjur quick-start logs:
[ORIGIN] [REQUEST ID] [THREAD ID] [MSG]
Ex:
[origin=172.29.0.3] [request_id=438d77c9-6c82-42c2-9620-589275dc28cc] [tid=34] Authentication Error: #<Errors::Authentication::InvalidCredentials: CONJ00002E Invalid credentials>
And from the Conjur repo, the logs look like:
[SEVERITY] [TIMESTAMP] [PROCESS ID] [ORIGIN] [REQUEST ID] [THREAD ID] [MSG]
Ex:
INFO 2020/01/05 14:16:00 +0000 [pid=373] [origin=172.24.0.1] [request_id=47dcf956-1481-4256-a972-7b08d3a5b91c] [tid=383] Completed 401 Unauthorized in 68ms
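The two line formats above differ only in an optional severity/timestamp/pid prefix, so one parser can handle both. The following is an added example, not code from the conjur-quickstart project: it parses either format into fields and counts failed authentications per origin, a check a defender would run over these logs. The three sample lines are constructed (the first two are the page's own examples).

```python
import re
from collections import Counter

# Bracketed key=value fields shared by both formats, then the free-text message.
# The [pid=...] field only exists in the Conjur repo format, so it is optional.
FIELDS = re.compile(
    r"(?:\[pid=(?P<pid>\d+)\] )?"
    r"\[origin=(?P<origin>[^\]]+)\] "
    r"\[request_id=(?P<request_id>[^\]]+)\] "
    r"\[tid=(?P<tid>\d+)\] "
    r"(?P<msg>.*)$"
)
# Prefix present only in the Conjur repo format: SEVERITY then TIMESTAMP.
PREFIX = re.compile(
    r"^(?P<severity>[A-Z]+) "
    r"(?P<timestamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
)

# Constructed sample input: two lines quoted from the issue plus one success line.
SAMPLE_LOG = [
    "[origin=172.29.0.3] [request_id=438d77c9-6c82-42c2-9620-589275dc28cc] [tid=34] "
    "Authentication Error: #<Errors::Authentication::InvalidCredentials: CONJ00002E Invalid credentials>",
    "INFO 2020/01/05 14:16:00 +0000 [pid=373] [origin=172.24.0.1] "
    "[request_id=47dcf956-1481-4256-a972-7b08d3a5b91c] [tid=383] Completed 401 Unauthorized in 68ms",
    "INFO 2020/01/05 14:16:05 +0000 [pid=373] [origin=172.24.0.1] "
    "[request_id=aaaaaaaa-0000-0000-0000-000000000001] [tid=384] Completed 200 OK in 12ms",
]

def parse_line(line):
    """Return a dict of fields for a quick-start or Conjur-repo log line, else None."""
    line = line.rstrip("\n")
    rec = {"severity": None, "timestamp": None, "pid": None}
    m = PREFIX.match(line)
    if m:  # Conjur repo format: strip the prefix, keep its fields
        rec.update(m.groupdict())
        line = line[m.end():]
    m = FIELDS.match(line)
    if not m:
        return None
    rec.update(m.groupdict())
    return rec

def auth_failures_by_origin(lines):
    """Count lines that report an authentication failure, keyed by source IP."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if "Authentication Error" in rec["msg"] or "401 Unauthorized" in rec["msg"]:
            counts[rec["origin"]] += 1
    return counts
```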
Hi
We are trying the Conjur quickstart found here: https://github.com/cyberark/conjur-quickstart#
Please assist in finding an acceptable password.
Thanks so much.
password to be accepted.
All the steps in "Set up a Conjur Open Source environment" work fine.
podman compose exec conjur conjurctl account create myConjurAccount > admin_data
Created new account 'myConjurAccount'
Token-Signing Public Key: [PEM public key block omitted]
API key for admin: 364hdyy3j0xk6x1d895nn78hmaw2t6ebqx22tse3av4nb1g2zepcg9
Warning: Using self-signed certificates is not recommended and could lead to exposure of sensitive data
The server's certificate fingerprint is BFCB5A7B089F587E55DE5F1234AD14C78B5499F1.
Please verify this certificate on the appliance using command:
openssl x509 -fingerprint -noout -in ~conjur/etc/ssl/conjur.pem
? Trust this certificate? Yes
Wrote certificate to /root/conjur-server.pem
Wrote configuration to /root/.conjurrc
The problem starts here: https://github.com/cyberark/conjur-quickstart#define-policy
At point 1.
Enter the API key for admin as password for this step.
podman compose exec client conjur login -i admin
? Please enter your password (it will not be echoed): ******************************************************
Error: Unable to authenticate with Conjur. Please check your credentials.
Error: executing /usr/bin/docker-compose exec client conjur login -i admin: exit status 1
nexus.bmwgroup.net/postgres 15 7fd3f745e3f1 3 weeks ago 433 MB
nexus.bmwgroup.net/nginx latest e4720093a3c1 4 weeks ago 191 MB
nexus.bmwgroup.net/dpage/pgadmin4 latest a0786aa69feb 5 weeks ago 489 MB
nexus.bmwgroup.net/cyberark/conjur-cli 8 d62cfa549ec9 4 months ago 14.8 MB
nexus.bmwgroup.net/cyberark/conjur latest 3e50a4ba543b 5 months ago 375 MB
nexus.bmwgroup.net/cfmanteiga/alpine-bash-curl-jq latest 3b21d4d5b512 6 years ago 12.3 MB
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
307019ab0089 nexus.bmwgroup.net/cfmanteiga/alpine-bash-curl-jq:latest tail -F anything 20 minutes ago Up 20 minutes bot_app
438bf20e4144 nexus.bmwgroup.net/postgres:15 postgres 20 minutes ago Up 20 minutes 0.0.0.0:8432->5432/tcp postgres_database
0f22cad1de93 nexus.bmwgroup.net/dpage/pgadmin4:latest 20 minutes ago Up 20 minutes 0.0.0.0:8081->80/tcp conjur-quickstart-pgadmin-1
205161aa916f nexus.bmwgroup.net/cyberark/conjur:latest server 20 minutes ago Up 20 minutes 0.0.0.0:8080->80/tcp conjur_server
5cb5e8087d5d nexus.bmwgroup.net/nginx:latest nginx -g daemon o... 20 minutes ago Up 20 minutes 0.0.0.0:8443->443/tcp nginx_proxy
bbeafe80bdeb nexus.bmwgroup.net/cyberark/conjur-cli:8 infinity 20 minutes ago Up 20 minutes conjur_client
VERSION="15-SP5"
podman-4.8.3-150500.3.6.1.x86_64
docker-compose-switch-1.0.5-bp155.1.10.x86_64
docker-compose-2.14.2-bp155.1.6.x86_64
I had a lab working just a few days ago, was able to perform the entire quickstart process and successfully run program.sh. As of today, when I execute docker-compose up -d, everything appears to start, but then docker ps -a shows:
openssl and postgres_database as Exited just after everything starts up.
Running docker-ce Docker version 19.03.5, build 633a0ea838 on Ubuntu 18.04.4
Based on this discourse post we'd like to add more context to the quick start flow on conjur.org.
From the post (via @JakeQuilty):
I do agree that for a good chunk of the tutorial running the commands from outside seem weird at first. I just think going back and forth would make the tutorial choppier. Maybe another paragraph explaining why it is the way it is?
In this card we'll define improvements we'd like to make to the quick start flow and validate them, and share them with the web team so that the site can be updated.
At present, there is nothing validating that the docker-compose.yml in this repository continues to work with the quick start flow.
To ensure unexpected problems don't arise that break the quick start flow for end users, a pipeline should be added to this project (using github actions or jenkins) to run through the steps from the quick start and validate that they are functioning as expected. The pipeline should automatically run every day.
AC:
From what I have seen, this tutorial only works on macOS. I've seen multiple posts on the Commons talking about it not working with Windows. We also had to change a lot to get it working on Ubuntu (https://discuss.cyberarkcommons.org/t/conjur-quick-start-ubuntu-workaround/544).
The version of Postgres used in the quickstart (9.4) is end-of-life and needs to be updated. In the context of our Postgres upgrade epic, this should be updated to version 10.14.
Related to cyberark/conjur#1876
When deploying Conjur as per the instructions, if CONJUR_DATA_KEY is not valid when starting the Conjur container, you may get the following error:
rake aborted!
ArgumentError: invalid base64
/opt/conjur-server/config/initializers/authenticator.rb:16:in `<top (required)>'
...
AC:
In the Dockerfile, PostgreSQL version 10.16 is stated. Even ignoring that PostgreSQL 10 is EOL, this version is also outdated; the last version of the 10 branch is 10.23.
Further, from a security perspective, I consider it a risk to the security of the application if an outdated PostgreSQL version is used.
At present the quick start demo uses POSTGRES_HOST_AUTH_METHOD: trust, but it should be updated to use at least POSTGRES_HOST_AUTH_METHOD: password.
AC:
POSTGRES_HOST_AUTH_METHOD: password
GIVEN I have deployed Conjur OSS using the quick start docker-compose
AND I want to add or modify an environment variable in the Conjur container
THEN when I come to the quick start README, there are clear instructions for modifying the Conjur environment variables
AND to modify the Conjur environment variables, I don't have to tear down my existing deployment and start a new one from scratch
When I run this command "docker-compose exec client conjur policy load root policy/BotApp.yml > my_app_data" I get the following in the my_app_data.
"error: No such file or directory @ rb_sysopen - policy/BotApp.yml"
https://cyberark.aha.io/features/AAM-181 (Phase 1)
https://cyberark.aha.io/epics/AAM-E-37 (Full Requirement)
Add the nginx deployment as part of the docker compose.
@uCatu has created an OSS quickstart here: https://github.com/cyberark/conjur-quickstart
and instructions for deploying the docker compose: https://docs-staging.conjur.org/OSS/en/Content/OSS/Installation/DockerCompose.htm?tocpath=Setup%7CServer%20Setup%7C_____1
Validate the quickstart guide and scripts.
I was trying to follow this last night on an Ubuntu VM and was having problems with NGINX when trying to start the Docker containers. I know I've run into a similar problem in the past.
Terminal:
$ git clone https://github.com/cyberark/conjur-quickstart.git
Cloning into 'conjur-quickstart'...
remote: Enumerating objects: 86, done.
remote: Counting objects: 100% (86/86), done.
remote: Compressing objects: 100% (63/63), done.
remote: Total 86 (delta 32), reused 53 (delta 14), pack-reused 0
Unpacking objects: 100% (86/86), done.
Checking connectivity... done.
$ cd conjur-quickstart
$ docker-compose pull
Pulling openssl ... done
Pulling bot_app ... done
Pulling database ... done
Pulling conjur ... done
Pulling proxy ... done
Pulling client ... done
$ docker-compose run --no-deps --rm conjur data-key generate > data_key
Creating network "conjur-quickstart_default" with the default driver
$ export CONJUR_DATA_KEY="$(< data_key)"
$ echo $CONJUR_DATA_KEY
F2SCCPHTTU1ZM+XkedS7lZJRgwKvW6ugQJ51LYFJoZI=
$ docker-compose up -d
Creating postgres_database ... done
Creating openssl ... done
Creating bot_app ... done
Creating conjur_server ... done
Creating nginx_proxy ... error
ERROR: for nginx_proxy Cannot start service proxy: b'OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \\"rootfs_linux.go:58: mounting \\\\\\"/home/scrapbook/tutorial/conjur-quickstart/conf/default.conf\\\\\\" to rootfs \\\\\\"/var/lib/docker/overlay/3b578a083ce7833e47d08cee715d2c5db63a159dc80f69e8f3183a13ee7def6a/merged\\\\\\" at \\\\\\"/var/lib/docker/overlay/3b578a083ce7833e47d08cee715d2c5db63a159dc80f69e8f3183a13ee7def6a/merged/etc/nginx/conf.d/default.conf\\\\\\" caused \\\\\\"not a directory\\\\\\"\\"": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type'
ERROR: for proxy Cannot start service proxy: b'OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \\"rootfs_linux.go:58: mounting \\\\\\"/home/scrapbook/tutorial/conjur-quickstart/conf/default.conf\\\\\\" to rootfs \\\\\\"/var/lib/docker/overlay/3b578a083ce7833e47d08cee715d2c5db63a159dc80f69e8f3183a13ee7def6a/merged\\\\\\" at \\\\\\"/var/lib/docker/overlay/3b578a083ce7833e47d08cee715d2c5db63a159dc80f69e8f3183a13ee7def6a/merged/etc/nginx/conf.d/default.conf\\\\\\" caused \\\\\\"not a directory\\\\\\"\\"": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type'
ERROR: Encountered errors while bringing up the project.
OS Info:
NAME="Ubuntu"
VERSION="16.04.4 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.4 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
Using Docker Desktop on Windows 10, when trying to pull the images it gets stuck and does not respond.
Tried to run below command
$ docker-compose pull
After that it is not responding.
Steps to reproduce the behavior:
It should pull the docker images defined in docker-compose.yml.
After running the given command it is not responding.
Docker Desktop Community 3.1.0
Also tried on
Docker Desktop Community 2.5.0.1
When working on a Mac with an M1 chip and performing the "docker-compose pull" command, the error "no matching manifest for linux/arm64/v8 in the manifest list entries" appears.
Work on macbook m1 chip
No errors appear
The following error appears: no matching manifest for linux/arm64/v8 in the manifest list entries
latest version
macbook with m1 chip
Upon adding "platform: linux/amd64" to the services in docker-compose.yaml, the problem was resolved.
The current Conjur OSS quickstart guide does not provide instructions on how to run
Conjur OSS with persistent storage of Conjur configuration/state.
The Conjur OSS quickstart guide includes instructions on how to run
Conjur OSS with persistent storage of Conjur configuration/state.
I have not been able to access the containers from outside of docker, other than execing into one and pinging the other. Only being able to make API calls from inside a shell of one of the containers makes tutorials like this one unusable.
Using the conjur CLI I am able to use the REST APIs to store and fetch a secret (using host http://conjur),
e.g. to set the secret for username:
curl -H "$(conjur authn authenticate -H)" http://conjur/secrets/conjurAccount/variable/root%2Fdb%2Fusername --data "ravics09"
But when I try the same command in Git Bash I am getting the error:
curl: (28) Failed to connect to 192.168.29.227 port 808: Timed out
Why is it trying to connect to the given IP? Is any port mapping required?
Or what settings are required so I can test those REST APIs using Postman?