Docker Compose
Docker Compose builds on the docker plugin integration.
We will explore two ways of running the border0 connector with docker compose:
- as a vHost service outside of the docker-compose scope
- as one of the services described in the docker compose file
This document focuses on the second option: running the border0 connector as part of our docker-compose setup.
We will create 4 containers in a single flat network setup:
- border0 connector
- shell server (ssh)
- nginx server (http)
- mysql server (database)

working directory
For simplicity and documentation purposes, we will create a temporary directory. All files mentioned from this point should be placed into that directory.
border0 binary
Before we start we need to obtain the border0 binary.
border0.yaml config file
In this step we will create a minimal configuration for the border0 connector.
With your favourite editor create a border0.yaml using the following example:
```yaml
connector:
  name: "d0kr-lab"
credentials:
  token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ey<...>J9.qJ75mbolje96zpD9gnOnhCKTSBoEjIGDdMMeteZ7RJQ
docker_plugin:
  - group: docker_team
    policies: [docker-policy]
```
Please see our "Creating Access Tokens" howto for details on managing tokens.
Create the Policy
By default all your sockets have the default org policy applied. In our example we use a custom policy created specifically for the docker plugin, called docker-policy.
To create our custom policy we can use the CLI or the portal:
```shell
border0 policy add --name docker-policy
```
An example policy we can use; please update the access parameters (who, where, when) to match your environment:
```json
{
  "version": "v1",
  "action": [
    "database",
    "ssh",
    "http"
  ],
  "condition": {
    "who": {
      "email": [
        "[email protected]"
      ],
      "domain": [
        "border0.com"
      ]
    },
    "where": {
      "allowed_ip": ["0.0.0.0/0", "::/0"],
      "country": [],
      "country_not": []
    },
    "when": {
      "after": "2022-10-17",
      "before": null,
      "time_of_day_after": "00:00:00 UTC",
      "time_of_day_before": "23:59:59 UTC"
    }
  }
}
```
Details on creating policies can be found in the Policies and Creating a custom policy guides.
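To see how the who, where and when conditions of a policy like this combine, here is an added Python example (not Border0's policy engine; the matching semantics and the e-mail address are assumptions, noted in the docstring and comments):

```python
"""Evaluate an access request against a policy shaped like docker-policy above.

Added example, not Border0's own policy engine. Assumed semantics: "who" matches
if the e-mail or its domain is listed; all three condition groups must pass;
an empty list or null means "no restriction".
"""
import ipaddress
from datetime import date, datetime, time, timezone

POLICY = {  # constructed: condensed copy of docker-policy with a made-up e-mail
    "action": ["database", "ssh", "http"],
    "condition": {
        "who": {"email": ["alice@example.org"], "domain": ["border0.com"]},
        "where": {"allowed_ip": ["0.0.0.0/0", "::/0"], "country": [], "country_not": []},
        "when": {"after": "2022-10-17", "before": None,
                 "time_of_day_after": "00:00:00 UTC", "time_of_day_before": "23:59:59 UTC"},
    },
}

def _utc_time(value: str) -> time:
    return time.fromisoformat(value.split(" ")[0])   # "23:59:59 UTC" -> time(23, 59, 59)

def _who_ok(who: dict, email: str) -> bool:
    domain = email.rpartition("@")[2]
    return email in who.get("email", []) or domain in who.get("domain", [])

def _where_ok(where: dict, ip: str, country: str) -> bool:
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(n) for n in where.get("allowed_ip", [])]
    if nets and not any(addr in n for n in nets):   # a v4 address never matches a v6 net
        return False
    if where.get("country") and country not in where["country"]:
        return False
    return country not in where.get("country_not", [])

def _when_ok(when: dict, now: datetime) -> bool:
    now = now.astimezone(timezone.utc)               # policy times are expressed in UTC
    if when.get("after") and now.date() < date.fromisoformat(when["after"]):
        return False
    if when.get("before") and now.date() > date.fromisoformat(when["before"]):
        return False
    return _utc_time(when["time_of_day_after"]) <= now.time() <= _utc_time(when["time_of_day_before"])

def allowed(policy: dict, action: str, email: str, ip: str, country: str, at: str) -> bool:
    """True only if the action is listed and who/where/when all match; `at` is ISO-8601 with offset."""
    cond = policy["condition"]
    now = datetime.fromisoformat(at)
    return (action in policy["action"] and _who_ok(cond["who"], email)
            and _where_ok(cond["where"], ip, country) and _when_ok(cond["when"], now))
```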
Containers for sockets
For our docker-compose setup we are going to create 3 containers, one for each of the main socket types.
The HTTP and database containers will be based on the stock nginx and mysql images, but the SSH server requires additional configuration.
Dockerfile.ssh (shell server container)
Just like in the Access to an SSH server guide, download your border0 organization's public certificate (the SSH CA key that sshd will trust):
```shell
border0 organization show | grep ecdsa-sha2-nistp256 | awk '{print $5,$6}' > ssh-ca.pub
```
With your favourite editor create a Dockerfile.ssh using the following example:
```dockerfile
FROM ubuntu:18.04
RUN apt-get update
RUN apt-get install -y openssh-server
RUN mkdir /var/run/sshd
# lab-only root password; logins will use border0-signed certificates
RUN echo 'root:root' |chpasswd
RUN sed -ri 's/^#?PermitRootLogin\s+.*/PermitRootLogin yes/' /etc/ssh/sshd_config
RUN sed -ri 's/UsePAM yes/#UsePAM yes/g' /etc/ssh/sshd_config
# trust user certificates signed by the border0 organization CA
RUN echo "TrustedUserCAKeys /etc/ssh-ca.pub" >>/etc/ssh/sshd_config
COPY ssh-ca.pub /etc/ssh-ca.pub
# only certificates carrying a principal listed in authorized_principals may log in
RUN echo "AuthorizedPrincipalsFile %h/.ssh/authorized_principals" >>/etc/ssh/sshd_config
RUN mkdir -p /root/.ssh
RUN echo "mysocket_ssh_signed" > /root/.ssh/authorized_principals
RUN apt-get install -y iproute2 net-tools mtr-tiny iperf3 nmap
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D", "-e"]
```
Dockerfile.border0_connector
We are now ready to prepare our border0 docker container definition.
With your favourite editor create a Dockerfile.border0_connector using the following example:
```dockerfile
FROM --platform=linux/amd64 alpine
MAINTAINER [email protected]
RUN mkdir /code
WORKDIR /code
# fetch the current binary, then overlay the local border0* files (binary and border0.yaml)
ADD https://download.border0.com/linux_amd64/border0 /code/border0
COPY border0* /code/
RUN chmod ogu+x /code/border0
CMD ["/code/border0", "connector", "start", "--config", "/code/border0.yaml"]
```
Dockerfile.border0_bastion (optional)
We can expand our setup with a bastion host.
With your favourite editor create a Dockerfile.border0_bastion using the following example:
```dockerfile
FROM ubuntu
RUN apt-get update ; apt-get install -y ca-certificates; mkdir /code
WORKDIR /code
ADD https://download.border0.com/linux_amd64/border0 /code/border0
RUN chmod ogu+x /code/border0
# runs the bastion as an ssh socket served by border0's built-in ssh server
ENTRYPOINT ["/code/border0", "connect", "--type", "ssh", "--name", "border0-bastion", "--sshserver"]
```
docker-compose
docker-compose.yml
Last but not least, with your favourite editor create a docker-compose.yml using the following example:
```yaml
version: "3.3"
services:
  border0_connector:
    build:
      context: "."
      dockerfile: "Dockerfile.border0_connector"
    container_name: "border0_connector"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./border0.yaml:/code/border0.yaml:ro"
  # uncomment this section for the optional border0 bastion container
  # border0_bastion:
  #   build:
  #     context: "."
  #     dockerfile: "Dockerfile.border0_bastion"
  #   container_name: "border0_bastion"
  #   environment:
  #     - BORDER0_ADMIN_TOKEN=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ey<...>J9.qJ75mbolje96zpD9gnOnhCKTSBoEjIGDdMMeteZ7RJQ
  http-server0:
    depends_on:
      - border0_connector
    image: "nginx:latest"
    container_name: "ngx-srv0"
    ports:
      - "80:80"
    labels:
      - "border0_80=type=http,port=80,group=docker_team"
  ssh-server0:
    depends_on:
      - border0_connector
    build:
      context: "."
      dockerfile: "Dockerfile.ssh"
    container_name: "shell-server0"
    ports:
      - "1022:22"
    labels:
      - "border0_22=type=ssh,port=22,group=docker_team"
  database-server0:
    depends_on:
      - border0_connector
    image: "mysql:latest"
    container_name: "mysql-server0"
    environment:
      - MYSQL_ROOT_PASSWORD=my-secret-pw
    ports:
      - "3306:3306"
    labels:
      - "border0_db01=type=database,port=3306,group=docker_team,upstream_type=mysql,upstream_username=root,upstream_password=my-secret-pw"
```
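The `border0_<name>=key=value,...` labels are what the docker plugin reads to create sockets. As an added Python example (not the Border0 docker plugin's own code), here is a parser for that label grammar as inferred from the compose file, which also flags that `upstream_password` in a label is readable by anything that can query the docker socket; the sample labels are constructed from the services above:

```python
"""Parse the border0_<name> container labels from the docker-compose.yml above.

Added example, not the Border0 docker plugin's own code. The label grammar is
inferred from the compose file: key "border0_<socket>", value "k=v,k=v,...",
with "type" and "port" required; treating the other keys as options is assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LABEL_PREFIX = "border0_"
KNOWN_TYPES = {"http", "ssh", "database"}   # the three socket types this guide uses
SECRET_KEYS = {"upstream_password"}          # label values show up in `docker inspect`

@dataclass
class SocketSpec:
    name: str
    type: str
    port: int
    group: Optional[str]
    options: Dict[str, str] = field(default_factory=dict)
    warnings: List[str] = field(default_factory=list)

def parse_socket_labels(labels: Dict[str, str]) -> List[SocketSpec]:
    specs = []
    for key, value in labels.items():
        if not key.startswith(LABEL_PREFIX):
            continue                              # e.g. com.docker.compose.* labels
        kv: Dict[str, str] = {}
        for item in value.split(","):
            k, sep, v = item.partition("=")
            if not sep or not k.strip():
                raise ValueError(f"{key}: malformed item {item!r}")
            kv[k.strip()] = v.strip()
        if any(r not in kv for r in ("type", "port")):
            raise ValueError(f"{key}: type and port are required")
        sock_type, port = kv.pop("type"), int(kv.pop("port"))
        if sock_type not in KNOWN_TYPES or not 1 <= port <= 65535:
            raise ValueError(f"{key}: bad type/port {sock_type!r}/{port}")
        spec = SocketSpec(key[len(LABEL_PREFIX):], sock_type, port, kv.pop("group", None), kv)
        for secret in SECRET_KEYS.intersection(kv):
            spec.warnings.append(f"{secret} is stored in a container label (readable via the docker socket)")
        specs.append(spec)
    return specs

SAMPLE_LABELS = {  # constructed: the labels compose attaches to two services in this guide
    "com.docker.compose.project": "connector",
    "border0_80": "type=http,port=80,group=docker_team",
    "border0_db01": "type=database,port=3306,group=docker_team,upstream_type=mysql,"
                    "upstream_username=root,upstream_password=my-secret-pw",
}
```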
Build and Start
The final steps are building and starting our compose environment.
Verify you have all the required files created:
| File Name | Notes |
|---|---|
| border0 | border0 binary |
| border0.yaml | border0 connector yaml configuration |
| Dockerfile.border0_connector | border0 connector container definition |
| Dockerfile.border0_bastion | border0 bastion container definition (optional) |
| Dockerfile.ssh | ssh server container definition |
| docker-compose.yml | the docker-compose file for our environment |
Build all the components:
```shell
$ docker-compose build
Building border0_connector
Sending build context to Docker daemon 69.84MB
Step 1/6 : FROM --platform=linux/amd64 alpine
latest: Pulling from library/alpine
<...>
Successfully built 65ae61ca676d
Successfully tagged connector_ssh-server0:latest
```
Our environment is ready to be brought up:
```shell
[email protected]:(main)~/github/connector/connector$ docker-compose up
Recreating border0_connector ... done
Starting ngx-srv0 ... done
Starting mysql-server0 ... done
Recreating ssh-server0 ... done
Recreating ssh-server1 ... done
Recreating border0_bastion ... done
Attaching to ngx-srv0, mysql-server0, border0_connector, ssh-server1, ssh-server0, border0_bastion
mysql-server0 | 2022-10-20 16:44:36+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.31-1.el8 started.
border0_connector | 2022/10/20 16:44:36 starting the connector service
ngx-srv0 | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
ngx-srv0 | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
mysql-server0 | 2022-10-20 16:44:36+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
ngx-srv0 | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
mysql-server0 | 2022-10-20 16:44:36+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.31-1.el8 started.
ngx-srv0 | 10-listen-on-ipv6-by-default.sh: info: IPv6 listen already enabled
ssh-server0 | Server listening on 0.0.0.0 port 22.
ssh-server0 | Server listening on :: port 22.
mysql-server0 | '/var/lib/mysql/mysql.sock' -> '/var/run/mysqld/mysqld.sock'
ngx-srv0 | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
ngx-srv0 | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
ngx-srv0 | /docker-entrypoint.sh: Configuration complete; ready for start up
ssh-server1 | Server listening on 0.0.0.0 port 22.
ssh-server1 | Server listening on :: port 22.
ngx-srv0 | 2022/10/20 16:44:36 [notice] 1#1: using the "epoll" event method
ngx-srv0 | 2022/10/20 16:44:36 [notice] 1#1: nginx/1.23.1
ngx-srv0 | 2022/10/20 16:44:36 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
ngx-srv0 | 2022/10/20 16:44:36 [notice] 1#1: OS: Linux 5.15.0-52-generic
ngx-srv0 | 2022/10/20 16:44:36 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
ngx-srv0 | 2022/10/20 16:44:36 [notice] 1#1: start worker processes
ngx-srv0 | 2022/10/20 16:44:36 [notice] 1#1: start worker process 24
ngx-srv0 | 2022/10/20 16:44:36 [notice] 1#1: start worker process 39
mysql-server0 | 2022-10-20T16:44:36.942668Z 0 [Warning] [MY-011068] [Server] The syntax '--skip-host-cache' is deprecated and will be removed in a future release. Please use SET GLOBAL host_cache_size=0 instead.
mysql-server0 | 2022-10-20T16:44:36.943694Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.31) starting as process 1
mysql-server0 | 2022-10-20T16:44:36.949541Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
mysql-server0 | 2022-10-20T16:44:37.041434Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
mysql-server0 | 2022-10-20T16:44:37.148600Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
mysql-server0 | 2022-10-20T16:44:37.148620Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
mysql-server0 | 2022-10-20T16:44:37.149383Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
mysql-server0 | 2022-10-20T16:44:37.163857Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.31' socket: '/var/run/mysqld/mysqld.sock' port: 3306 MySQL Community Server - GPL.
mysql-server0 | 2022-10-20T16:44:37.163853Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /var/run/mysqld/mysqlx.sock
border0_bastion | ┌──────────────────────────────────────┬─────────────────┬─────────────────────────────────────────┬─────────┬──────┬─────────────┐
border0_bastion | │ SOCKET ID │ NAME │ DNS NAME │ PORT(S) │ TYPE │ DESCRIPTION │
border0_bastion | ├──────────────────────────────────────┼─────────────────┼─────────────────────────────────────────┼─────────┼──────┼─────────────┤
border0_bastion | │ dfa40cca-7997-4700-b7e6-c4033a02bb94 │ border0-bastion │ border0-bastion-MY-ORG.border0.io │ 17798 │ ssh │ │
border0_bastion | └──────────────────────────────────────┴─────────────────┴─────────────────────────────────────────┴─────────┴──────┴─────────────┘
border0_bastion |
border0_bastion | Policies:
border0_bastion | ┌─────────────────────────┬─────────────────────────────────────────┬───────────────────┐
border0_bastion | │ POLICY NAME │ POLICY DESCRIPTION │ ORGANIZATION WIDE │
border0_bastion | ├─────────────────────────┼─────────────────────────────────────────┼───────────────────┤
border0_bastion | │ default-org-wide-policy │ Default org wide policy for all sockets │ Yes │
border0_bastion | └─────────────────────────┴─────────────────────────────────────────┴───────────────────┘
border0_bastion |
border0_bastion | Connecting to Server: tunnel.border0.com
border0_bastion |
border0_bastion | Welcome to Border0.com
border0_bastion | border0-bastion - ssh://border0-bastion-MY-ORG.border0.io
border0_bastion |
border0_bastion | =======================================================
border0_bastion | Logs
border0_bastion | =======================================================
border0_connector | 2022/10/20 16:45:36 creating a socket: ssh-ssh-server1-d0kr
border0_connector | 2022/10/20 16:45:42 creating a socket: ssh-ssh-server0-d0kr
border0_connector | Welcome to Border0.com
border0_connector | http-ngx-srv0-p81-d0kr - https://http-ngx-srv0-p81-d0kr-MY-ORG.border0.io
border0_connector |
border0_connector | =======================================================
border0_connector | Logs
border0_connector | =======================================================
border0_connector | Welcome to Border0.com
border0_connector | ssh-ssh-server0-d0kr - ssh://ssh-ssh-server0-d0kr-MY-ORG.border0.io
border0_connector |
border0_connector | =======================================================
border0_connector | Logs
border0_connector | =======================================================
border0_connector | Welcome to Border0.com
border0_connector | ssh-ssh-server1-d0kr - ssh://ssh-ssh-server1-d0kr-MY-ORG.border0.io
border0_connector |
border0_connector | =======================================================
border0_connector | Logs
border0_connector | =======================================================
border0_connector | Welcome to Border0.com
border0_connector | database-mysql-server0-d0kr - database://database-mysql-server0-d0kr-MY-ORG.border0.io
border0_connector |
border0_connector | =======================================================
border0_connector | Logs
border0_connector | =======================================================
border0_connector | Welcome to Border0.com
border0_connector | http-ngx-srv0-d0kr - https://http-ngx-srv0-d0kr-MY-ORG.border0.io
border0_connector |
border0_connector | =======================================================
border0_connector | Logs
border0_connector | =======================================================
border0_bastion | 2022/10/20 16:46:08 new ssh session for [email protected] (as user root)
```