Docker Compose

Docker Compose builds on the docker plugin integration.

We will explore two ways of running the border0 connector with docker compose:

  1. as a vHost service outside of the docker-compose scope
  2. as one of the services described in the docker-compose file

This document focuses on the second option: running the border0 connector as part of our docker-compose setup.
We will create 4 containers in a single flat network setup:

  • border0 connector
  • shell server (ssh)
  • nginx server (http)
  • mysql server (database)

Working directory

For simplicity and documentation purposes, we will create a temporary directory. All files mentioned from this point on should be placed in that directory.

border0 binary

Before we start we need to obtain the border0 binary.

You can obtain the binary from our downloads page,
or follow our HOWTO: Install CLI tool.

border0.yaml config file

In this step we will create a minimal configuration for the border0 connector.
With your favourite editor, create a border0.yaml using the following example:

connector:
  name: "d0kr-lab"

credentials:
  token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ey<...>J9.qJ75mbolje96zpD9gnOnhCKTSBoEjIGDdMMeteZ7RJQ

docker_plugin:
  - group: docker_team
    policies: [docker-policy]

Please see our "Creating Access Tokens" howto for details on managing tokens.

Create the Policy

By default all your sockets have the default org policy applied. In our example we are using a custom policy, made especially for the docker plugin, called docker-policy.
To create our custom policy we can use the CLI or the portal:

border0 policy add --name docker-policy

An example policy we can use (please update the access parameters, in particular the email and domain under "who", to match your own users):

{
        "version": "v1",
        "action": [
                "database",
                "ssh",
                "http"
        ],
        "condition": {
                "who": {
                "email": [
                        "[email protected]"
                ],
                "domain": [
                        "border0.com"
                ]
                },
                "where": {
                        "allowed_ip": ["0.0.0.0/0", "::/0"],
                        "country": [],
                        "country_not": []
                },
                "when": {
                        "after": "2022-10-17",
                        "before": null,
                        "time_of_day_after": "00:00:00 UTC",
                        "time_of_day_before": "23:59:59 UTC"
                }
        }
}

Details on creating policies can be found here: Policies, as well as Creating a custom policy.

Containers for sockets

For our docker-compose setup we are going to create 3 containers, one for each of the main socket types.
The HTTP and database containers will be based on the stock nginx and mysql images, but the SSH server requires additional configuration.

Dockerfile.ssh (shell server container)

Just like in the Access to an SSH server guide, download your border0 organization's public certificate (the SSH CA key that sshd will trust):

border0 organization show | grep ecdsa-sha2-nistp256 | awk '{print $5,$6}' > ssh-ca.pub 

With your favourite editor, create a Dockerfile.ssh using the following example:

FROM ubuntu:18.04
RUN apt-get update

RUN apt-get install -y openssh-server
RUN mkdir /var/run/sshd

# local root password for the lab container
RUN echo 'root:root' |chpasswd

RUN sed -ri 's/^#?PermitRootLogin\s+.*/PermitRootLogin yes/' /etc/ssh/sshd_config
RUN sed -ri 's/UsePAM yes/#UsePAM yes/g' /etc/ssh/sshd_config

# trust certificates signed by the border0 organization CA (ssh-ca.pub downloaded above)
RUN echo "TrustedUserCAKeys /etc/ssh-ca.pub" >>/etc/ssh/sshd_config
COPY ssh-ca.pub /etc/ssh-ca.pub
# a certificate may log in as root only if it carries the principal listed below
RUN echo "AuthorizedPrincipalsFile %h/.ssh/authorized_principals" >>/etc/ssh/sshd_config
RUN mkdir -p /root/.ssh
RUN echo "mysocket_ssh_signed" > /root/.ssh/authorized_principals

# network troubleshooting tools for the lab
RUN apt-get install -y iproute2 net-tools mtr-tiny iperf3 nmap

EXPOSE 22

CMD    ["/usr/sbin/sshd", "-D", "-e"]

Dockerfile.border0_connector

We are now ready to prepare our border0 docker container definition.
With your favourite editor, create a Dockerfile.border0_connector using the following example:

FROM --platform=linux/amd64 alpine
MAINTAINER [email protected]

RUN mkdir /code
WORKDIR /code
# download the connector binary; the COPY below replaces it with the local
# border0 binary (if present) and also copies border0.yaml into the image
ADD https://download.border0.com/linux_amd64/border0 /code/border0
COPY border0* /code/
RUN chmod ogu+x /code/border0

CMD ["/code/border0", "connector", "start", "--config", "/code/border0.yaml"]

Dockerfile.border0_bastion (optional)

We can expand our setup with a bastion host.
With your favourite editor, create a Dockerfile.border0_bastion using the following example:

FROM ubuntu

RUN apt-get update ; apt-get install -y  ca-certificates; mkdir /code
WORKDIR /code
ADD https://download.border0.com/linux_amd64/border0 /code/border0
RUN chmod ogu+x /code/border0

ENTRYPOINT ["/code/border0", "connect", "--type", "ssh", "--name", "border0-bastion", "--sshserver"]

docker-compose

For details on how to install docker and docker-compose, please refer to the official documentation page.

docker-compose.yml

Last but not least, with your favourite editor create a docker-compose.yml using the following example:

version: "3.3"

services:
  border0_connector:
    build:
      context: "."
      dockerfile: "Dockerfile.border0_connector"
    container_name: "border0_connector"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./border0.yaml:/code/border0.yaml:ro"

  # uncomment this section for optional border0 bastion container
  # border0_bastion:
  #   build:
  #     context: "."
  #     dockerfile: "Dockerfile.border0_bastion"
  #   container_name: "border0_bastion"
  #   environment:
  #     - BORDER0_ADMIN_TOKEN=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ey<...>J9.qJ75mbolje96zpD9gnOnhCKTSBoEjIGDdMMeteZ7RJQ

  http-server0:
    depends_on:
      - border0_connector
    image: "nginx:latest"
    container_name: "ngx-srv0"
    ports:
      - "80:80"
    labels:
      - "border0_80=type=http,port=80,group=docker_team"

  ssh-server0:
    depends_on:
      - border0_connector
    build:
      context: "."
      dockerfile: "Dockerfile.ssh"
    container_name: "shell-server0"
    ports:
      - "1022:22"
    labels:
      - "border0_22=type=ssh,port=22,group=docker_team"

  database-server0:
    depends_on:
      - border0_connector
    image: "mysql:latest"
    container_name: "mysql-server0"
    environment:
      - MYSQL_ROOT_PASSWORD=my-secret-pw
    ports:
      - "3306:3306"
    labels:
      - "border0_db01=type=database,port=3306,group=docker_team,upstream_type=mysql,upstream_username=root,upstream_password=my-secret-pw"

Build and Start

The final steps are building and starting our compose environment.

Verify you have all the required files created:

File Name                     Notes
----------------------------  ------------------------------------------
border0                       border0 binary
border0.yaml                  border0 connector yaml configuration
Dockerfile.border0_connector  border0 connector container definition
Dockerfile.border0_bastion    border0 bastion container definition (optional)
Dockerfile.ssh                ssh server container definition
docker-compose.yml            the docker-compose file for our environment

Build all the components:

$ docker-compose build

Building border0_connector
Sending build context to Docker daemon  69.84MB
Step 1/6 : FROM --platform=linux/amd64 alpine
latest: Pulling from library/alpine

<...>
Successfully built 65ae61ca676d
Successfully tagged connector_ssh-server0:latest

Our environment is ready to be brought up:

[email protected]:(main)~/github/connector/connector$ docker-compose up
Recreating border0_connector ... done
Starting ngx-srv0            ... done
Starting mysql-server0       ... done
Recreating ssh-server0       ... done
Recreating ssh-server1       ... done
Recreating border0_bastion   ... done
Attaching to ngx-srv0, mysql-server0, border0_connector, ssh-server1, ssh-server0, border0_bastion
mysql-server0        | 2022-10-20 16:44:36+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.31-1.el8 started.
border0_connector    | 2022/10/20 16:44:36 starting the connector service
ngx-srv0             | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
ngx-srv0             | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
mysql-server0        | 2022-10-20 16:44:36+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
ngx-srv0             | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
mysql-server0        | 2022-10-20 16:44:36+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.31-1.el8 started.
ngx-srv0             | 10-listen-on-ipv6-by-default.sh: info: IPv6 listen already enabled
ssh-server0          | Server listening on 0.0.0.0 port 22.
ssh-server0          | Server listening on :: port 22.
mysql-server0        | '/var/lib/mysql/mysql.sock' -> '/var/run/mysqld/mysqld.sock'
ngx-srv0             | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
ngx-srv0             | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
ngx-srv0             | /docker-entrypoint.sh: Configuration complete; ready for start up
ssh-server1          | Server listening on 0.0.0.0 port 22.
ssh-server1          | Server listening on :: port 22.
ngx-srv0             | 2022/10/20 16:44:36 [notice] 1#1: using the "epoll" event method
ngx-srv0             | 2022/10/20 16:44:36 [notice] 1#1: nginx/1.23.1
ngx-srv0             | 2022/10/20 16:44:36 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6) 
ngx-srv0             | 2022/10/20 16:44:36 [notice] 1#1: OS: Linux 5.15.0-52-generic
ngx-srv0             | 2022/10/20 16:44:36 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
ngx-srv0             | 2022/10/20 16:44:36 [notice] 1#1: start worker processes
ngx-srv0             | 2022/10/20 16:44:36 [notice] 1#1: start worker process 24
ngx-srv0             | 2022/10/20 16:44:36 [notice] 1#1: start worker process 39
mysql-server0        | 2022-10-20T16:44:36.942668Z 0 [Warning] [MY-011068] [Server] The syntax '--skip-host-cache' is deprecated and will be removed in a future release. Please use SET GLOBAL host_cache_size=0 instead.
mysql-server0        | 2022-10-20T16:44:36.943694Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.31) starting as process 1
mysql-server0        | 2022-10-20T16:44:36.949541Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
mysql-server0        | 2022-10-20T16:44:37.041434Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
mysql-server0        | 2022-10-20T16:44:37.148600Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
mysql-server0        | 2022-10-20T16:44:37.148620Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
mysql-server0        | 2022-10-20T16:44:37.149383Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
mysql-server0        | 2022-10-20T16:44:37.163857Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.31'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.
mysql-server0        | 2022-10-20T16:44:37.163853Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /var/run/mysqld/mysqlx.sock
border0_bastion      | ┌──────────────────────────────────────┬─────────────────┬─────────────────────────────────────────┬─────────┬──────┬─────────────┐
border0_bastion      | │ SOCKET ID                            │ NAME            │ DNS NAME                                │ PORT(S) │ TYPE │ DESCRIPTION │
border0_bastion      | ├──────────────────────────────────────┼─────────────────┼─────────────────────────────────────────┼─────────┼──────┼─────────────┤
border0_bastion      | │ dfa40cca-7997-4700-b7e6-c4033a02bb94 │ border0-bastion │ border0-bastion-MY-ORG.border0.io       │ 17798   │ ssh  │             │
border0_bastion      | └──────────────────────────────────────┴─────────────────┴─────────────────────────────────────────┴─────────┴──────┴─────────────┘
border0_bastion      | 
border0_bastion      | Policies:
border0_bastion      | ┌─────────────────────────┬─────────────────────────────────────────┬───────────────────┐
border0_bastion      | │ POLICY NAME             │ POLICY DESCRIPTION                      │ ORGANIZATION WIDE │
border0_bastion      | ├─────────────────────────┼─────────────────────────────────────────┼───────────────────┤
border0_bastion      | │ default-org-wide-policy │ Default org wide policy for all sockets │ Yes               │
border0_bastion      | └─────────────────────────┴─────────────────────────────────────────┴───────────────────┘
border0_bastion      | 
border0_bastion      | Connecting to Server: tunnel.border0.com
border0_bastion      | 
border0_bastion      | Welcome to Border0.com
border0_bastion      | border0-bastion - ssh://border0-bastion-MY-ORG.border0.io
border0_bastion      | 
border0_bastion      | =======================================================
border0_bastion      | Logs
border0_bastion      | =======================================================
border0_connector    | 2022/10/20 16:45:36 creating a socket: ssh-ssh-server1-d0kr
border0_connector    | 2022/10/20 16:45:42 creating a socket: ssh-ssh-server0-d0kr
border0_connector    | Welcome to Border0.com
border0_connector    | http-ngx-srv0-p81-d0kr - https://http-ngx-srv0-p81-d0kr-MY-ORG.border0.io
border0_connector    | 
border0_connector    | =======================================================
border0_connector    | Logs
border0_connector    | =======================================================
border0_connector    | Welcome to Border0.com
border0_connector    | ssh-ssh-server0-d0kr - ssh://ssh-ssh-server0-d0kr-MY-ORG.border0.io
border0_connector    | 
border0_connector    | =======================================================
border0_connector    | Logs
border0_connector    | =======================================================
border0_connector    | Welcome to Border0.com
border0_connector    | ssh-ssh-server1-d0kr - ssh://ssh-ssh-server1-d0kr-MY-ORG.border0.io
border0_connector    | 
border0_connector    | =======================================================
border0_connector    | Logs
border0_connector    | =======================================================
border0_connector    | Welcome to Border0.com
border0_connector    | database-mysql-server0-d0kr - database://database-mysql-server0-d0kr-MY-ORG.border0.io
border0_connector    | 
border0_connector    | =======================================================
border0_connector    | Logs
border0_connector    | =======================================================
border0_connector    | Welcome to Border0.com
border0_connector    | http-ngx-srv0-d0kr - https://http-ngx-srv0-d0kr-MY-ORG.border0.io
border0_connector    | 
border0_connector    | =======================================================
border0_connector    | Logs
border0_connector    | =======================================================
border0_bastion      | 2022/10/20 16:46:08 new ssh session for [email protected] (as user root)