conjurdemos / cdemo
A tour of Conjur including LDAP sync, scalable machine identity, policy-based mgmt, ssh key mgmt and Splunk integration.
Dependencies are not completing when running as root on CentOS 7. Docker is installed, but not started. I had to manually install jq, the Conjur CLI, etc. after line 24 in the dependencies script. Here is the output:
./_install-dependencies.sh: line 24: /etc/docker/daemon.json: No such file or directory
Installed:
docker-ce.x86_64 0:17.12.0.ce-1.el7.centos
Dependency Installed:
audit-libs-python.x86_64 0:2.7.6-3.el7 checkpolicy.x86_64 0:2.5-4.el7
container-selinux.noarch 2:2.33-1.git86f33cd.el7 libcgroup.x86_64 0:0.41-13.el7
libseccomp.x86_64 0:2.3.1-3.el7 libsemanage-python.x86_64 0:2.5-8.el7
policycoreutils-python.x86_64 0:2.5-17.1.el7 python-IPy.noarch 0:0.75-6.el7
setools-libs.x86_64 0:3.3.8-1.1.el7
Complete!
./_install-dependencies.sh: line 24: /etc/docker/daemon.json: No such file or directory
https://docs.ansible.com/ansible/latest/modules/package_module.html
The package module provided by Ansible is a package manager agnostic module that will do detection automatically based on the end user's distribution and available package manager.
AWX stores its information in a postgres container. By default the database is mapped back to postgres_data_dir=/tmp/pgdocker. This should be changed to something that will persist across a shutdown/restart of the Linux host machine.
Added HFT to createIdentity.yml and changed verifySSL to false, still receive errors below when trying to run ConjurIdentityPush from Ansible Tower
[WARNING]: provided hosts list is empty, only localhost is available. Note
that the implicit localhost does not match 'all'
[WARNING]: Could not match supplied host pattern, ignoring: newMachines
PLAY [newMachines] *************************************************************
skipping: no hosts matched
PLAY RECAP *********************************************************************
Only error message after running bin/install....
TASK [jenkinsConfig : Build curl image] *****************************************************************************************************
Tuesday 12 March 2019 10:48:36 -0400 (0:00:01.238) 0:06:42.753 *********
Tuesday 12 March 2019 10:48:36 -0400 (0:00:01.238) 0:06:42.752 *********
fatal: [default]: FAILED! => {"changed": false, "msg": "Error building curl_image - code: 1, message: The command '/bin/sh -c apk add --update bash && rm -rf /var/cache/apk/' returned a non-zero code: 1, logs: [u'Step 1/6 : FROM alpine', u'\n', u' ---> 5cb3aa00f899\n', u'Step 2/6 : RUN apk add --update bash && rm -rf /var/cache/apk/', u'\n', u' ---> Running in 781bef5dc39f\n', u'fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz\n', u'\x1b[91mERROR: http://dl-cdn.alpinelinux.org/alpine/v3.9/main: IO ERROR\nWARNING: Ignoring APKINDEX.b89edf6e.tar.gz: No such file or directory\n\x1b[0m', u'fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz\n', u'\x1b[91mERROR: http://dl-cdn.alpinelinux.org/alpine/v3.9/community: IO ERROR\nWARNING: Ignoring APKINDEX.737f7e01.tar.gz: No such file or directory\n\x1b[0m', u'\x1b[91mERROR: unsatisfiable constraints:\n\x1b[0m', u' bash (missing):\n required by: world[bash]\n', u'Removing intermediate container 781bef5dc39f\n']"}
Using a fresh minimal install of RHEL7.5 with no security profile, several issues were encountered after cloning cdemo.
1st issue - when running the ansible install script, the if statement does not find the correct version of software, so ansible is not installed. After modifying the script to use the Fedora function, no error is returned, although it is still not installed. I found the epel release could not be installed through yum. Instead, I had to run the following commands:
sudo yum install -y wget
sudo wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo rpm -ivh epel-release-latest-7.noarch.rpm
2nd issue - Docker CE cannot be installed from YUM Repos on RHEL. After getting ansible installed, I encountered an issue where the docker install failed. Below is the error seen:
TASK [dockerConfig : installDocker] *********************************************************************************
fatal: [default]: FAILED! => {"changed": false, "msg": "Error: Package: docker-ce-18.06.1.ce-3.el7.x86_64 (docker-ce-stable)\n Requires: container-selinux >= 2.9\n", "rc": 1, "results": ["Loaded plugins: product-id, search-disabled-repos, subscription-manager\nResolving Dependencies\n--> Running transaction check\n---> Package docker-ce.x86_64 0:18.06.1.ce-3.el7 will be installed\n--> Processing Dependency: container-selinux >= 2.9 for package: docker-ce-18.06.1.ce-3.el7.x86_64\n--> Processing Dependency: libcgroup for package: docker-ce-18.06.1.ce-3.el7.x86_64\n--> Running transaction check\n---> Package docker-ce.x86_64 0:18.06.1.ce-3.el7 will be installed\n--> Processing Dependency: container-selinux >= 2.9 for package: docker-ce-18.06.1.ce-3.el7.x86_64\n---> Package libcgroup.x86_64 0:0.41-15.el7 will be installed\n--> Finished Dependency Resolution\nError: Package: docker-ce-18.06.1.ce-3.el7.x86_64 (docker-ce-stable)\n
Requires: container-selinux >= 2.9\n**********************************************************************\nyum can be configured to try to resolve such errors by temporarily enabling\ndisabled repos and searching for missing dependencies.\nTo enable this functionality please set 'notify_only=0' in /etc/yum/pluginconf.d/search-disabled-repos.conf\n**********************************************************************\n\n You could try using --skip-broken to work around the problem\n You could try running: rpm -Va --nofiles --nodigest\n"]}
to retry, use: --limit @/conjur/cdemo/conjurDemo/site.retry
To resolve this issue, I ran the following commands:
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum makecache fast
sudo yum install http://mirror.centos.org/centos/7/extras/x86_64/Packages/container-selinux-2.68-1.el7.noarch.rpm
I could not find a link for the latest container-selinux version, but the link above is the latest as of 9/5/2018.
When you try to load the extended policies in cdemo/policy they will not load.
---snip--
They break at the output files starting at:
Grant group 'test/webapp1/secrets-managers' to group 'devops'
Grant group 'prod/webapp1/secrets-managers' to group 'sec_ops'
Grant group 'prod/webapp1/secrets-users' to group 'devops'
PUT /api/authz/dev/roles/policy/dev/webapp1 acting_as=dev%3Agroup%3Adev%2Fdevops failed with error 403:
PUT /api/authz/dev/resources/policy/dev/webapp1 acting_as=dev%3Apolicy%3Adev%2Fwebapp1 failed with error 403:
POST /api/variables id=dev%2Fwebapp1%2Fdatabase_password&ownerid=dev%3Apolicy%3Adev%2Fwebapp1&mime_type=text%2Fplain&kind=secret failed with error 403:
{"error":{"kind":"Forbidden","message":"403 Forbidden"}}
--snip--
In some demo contexts, we will want to allow the CyberArk vault to send data to Splunk via port 51444. The playbook should have an option to expose this port when that's desired.
line 48 in 0-startup-conjur.sh is wrong and docker service can't start.
It has to be sudo systemctl start docker.service
Line 16 in e10eb27
Starting at Line 16 is the function for installing via Yum. Adding sudo like in the Apt function would help non-privileged users set up the environment.
One of the tasks in machinePrep ensures that outdated packages aren't in apt, but it actually removes even the most up-to-date packages and then fails the build on ensuring docker is running, because that package is effectively gone.
after a successful setup, all jenkins jobs fail with the error:
java.lang.NoSuchMethodError: No such DSL method 'pipeline' found among steps [acceptGitLabMR, addGitLabMRComment, archive, build, catchError, checkout, deleteDir, dir, echo, emailext, emailextrecipients, error, fileExists, getContext, git, gitlabBuilds, gitlabCommitStatus, input, isUnix, jiraComment, jiraIssueSelector, jiraSearch, junit, library, libraryResource, load, lock, mail, milestone, parallel, properties, publishHTML, pwd, readFile, readTrusted, resolveScm, retry, sleep, stage, stash, step, svn, timeout, timestamps, tm, tool, unarchive, unstash, updateGitlabCommitStatus, waitUntil, withContext, withCredentials, withEnv, wrap, writeFile] or symbols [all, always, ant, antFromApache, antOutcome, antPath, antTarget, apiToken, architecture, archiveArtifacts, artifactManager, authorizationMatrix, batchFile, bitbucket, booleanParam, brokenBuildSuspects, brokenTestsSuspects, buildButton, buildDiscarder, caseInsensitive, caseSensitive, certificate, choice, choiceParam, clock, cloud, cobertura, coberturaAdapter, command, configFile, configFileProvider, credentials, cron, crumb, culprits, defaultView, demand, developers, disableConcurrentBuilds, disableResume, dockerCert, downloadSettings, downstream, dumb, durabilityHint, envVars, file, fileParam, filePath, fingerprint, frameOptions, freeStyle, freeStyleJob, fromScm, fromSource, git, gitBranchDiscovery, gitLabConnection, gitTagDiscovery, github, githubPush, gitlab, globalConfigFiles, headRegexFilter, headWildcardFilter, hyperlink, hyperlinkToModels, inheriting, inheritingGlobal, installSource, istanbulCobertura, istanbulCoberturaAdapter, jacoco, jacocoAdapter, jdk, jgit, jgitapache, jnlp, jobName, lastDuration, lastFailure, lastGrantedAuthorities, lastStable, lastSuccess, legacy, legacySCM, list, local, location, logRotator, loggedInUsersCanDoAnything, masterBuild, maven, maven3Mojos, mavenErrors, mavenMojos, mavenWarnings, modernSCM, myView, nodeProperties, nonInheriting, nonStoredPasswordParam, none, 
overrideIndexTriggers, paneStatus, parameters, password, pattern, permanent, pipelineTriggers, plainText, plugin, pollSCM, projectNamingStrategy, proxy, publishCoverage, queueItemAuthenticator, quietPeriod, rateLimitBuilds, recipients, remotingCLI, requestor, run, runParam, schedule, scmRetryCount, scriptApprovalLink, search, security, shell, slave, sourceFiles, sourceRegexFilter, sourceWildcardFilter, sshUserPrivateKey, stackTrace, standard, status, string, stringParam, swapSpace, text, textParam, tmpSpace, toolLocation, unsecured, upstream, upstreamDevelopers, usernameColonPassword, usernamePassword, viewsTabBar, weather, withAnt, zfs, zip] or globals [currentBuild, env, params, scm]
The policies directory needs documentation on how to use the policies in cdemo.
The package 'jmespath' is required to run the task : - name: Get full name of conjur-appliance image
in https://github.com/conjurdemos/cdemo/blob/master/conjurDemo/roles/conjurConfig/tasks/conjurEE.yml
I have set up a cdemo environment on an AWS hosted CentOS 7 machine and the output of ./1-setup-containers.sh with 2 numerical arguments (2 5) is as follows: ERROR: No container found for cli_1
There is no cli_1 container deployed by running _install-dependencies.sh and 0-startup-conjur.sh. It is my understanding the containerized cli has been deprecated. I am using conjur-appliance-4.9.9.1.tar and pointed the 0-startup-conjur.sh script to its location prior to running.
Perhaps there is a workaround I am not aware of.
Thanks in advance.
So that we suppress the warning regarding running curl.
I don't even know that is reeeeeeally necessary... we could change to get_uri but I'm feeling lazy.
Thoughts?
In README.md, there is no mention of the necessity for a Conjur Appliance TAR file, nor mention of editing docker-compose.yml for the path to the TAR file until after initially running $ ./0-startup-conjur.sh and receiving a nag error.
Please update README.md to reflect these pre-requisites to configuration prior to execution of the shell script.
I received the error:
TASK [conjurConfig : Get full name of conjur-appliance image] ******************************************************************************************************
task path: /mnt/hgfs/GitHubProjects/cdemo/conjurDemo/roles/conjurConfig/tasks/conjurEE.yml:20
fatal: [default]: FAILED! => {
"msg": "You need to install \"jmespath\" prior to running json_query filter"
}
to retry, use: --limit @/mnt/hgfs/GitHubProjects/cdemo/conjurDemo/site.retry
PLAY RECAP *********************************************************************************************************************************************************
default : ok=24 changed=5 unreachable=0 failed=1
This error seems to point to a python dependency that is missing on my system. I am using TurnKey Linux Core which is a Debian Jessie based distribution.
The error can be solved by running: apt-get install python-jmespath
There should be a check on debian based systems for this particular package and then added as an automatic install.
Weavescope fails to be accessible even though the container is working. Potential docker networking issue.
Give more transparency into config.cfg and the steps necessary for customers on README.md.
Currently only alerts in 0-startup-conjur.sh
Request from RedHat to switch from AWX to RedHat Ansible Tower with free 10-node license whenever possible.
Logging here so we don't forget.
Need to diagnose why users are not being authenticated against their public keys. /opt/conjur/bin/conjur_authorized_keys successfully retrieve keys.
SSH "VM" containers are instances of the rack-vm image, an Ubuntu 14.04 image configured in the Dockerfile with the Chef ssh/sudo cookbook using a dummy identity. ssh/0-setup-ssh.sh copies the correct /etc/conjur* files into the containers once they are brought up.
The command for me has been updated in the daemon to docker save <image> -o <file>.
So, for me... I did:
docker save registry2.itci.conjur.net/conjur-appliance:5.0-stable -o conjur.tar
I would like to use Enterprise instead of OSS for my Conjur version, but there's no description of what value to give in the inventory.yml file.
Need to get the TimeZone of Jenkins to match the Conjur Master... so the logs are in sync when in use with the EE version.
The instructions on the readme state to make edits to values in cdemo/conjurDemo/roles/conjurConfig/defaults/main.yml but nothing exists in that file.
Currently, Conjur SSH and conjurization is done on one VM during the demo. Distinguishing and presenting it separately between CentOS and Ubuntu would be able to showcase either use-case depending on the customer's needs.
Rather than deploying one VM, maybe one of each could be used instead. It shouldn't require any retooling in cdemo, because the Chef Cookbook will detect the distro and choose the proper path itself.
There's an awesome port chart that lists out the ports things are exposed on, but it is missing the port Splunk is exposed on. Please add to the list.
Without making specific modifications to the global PATH, sudoers "secure_path" or other potential solutions, the docker-compose commands will fail when running scripts with sudo since /usr/local/bin is not a path sudo is aware of. It would be helpful for those of us less familiar with Unix/Linux to have this resolved as part of the dependency installation process to avoid multiple people having to troubleshoot on their own.
Thanks!
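A check for the secure_path problem described above, added here as an example and not part of cdemo: it reads the secure_path value out of sudoers-format text and reports whether the directory holding a tool (docker-compose in /usr/local/bin) is on it. The sudoers text is constructed for the demonstration; a real run would read /etc/sudoers as root.

```shell
#!/bin/sh
# Added example (not cdemo code): does "sudo <tool>" see the same directory as the user?
# SAMPLE_SUDOERS is a constructed stand-in for /etc/sudoers.
SAMPLE_SUDOERS='Defaults    env_reset
Defaults    secure_path = "/sbin:/bin:/usr/sbin:/usr/bin"
root    ALL=(ALL)       ALL'

# sudoers_secure_path: print the secure_path value found in sudoers text on stdin
# (first match only; quotes around the value are optional)
sudoers_secure_path() {
  sed -n 's/^Defaults[[:space:]]*secure_path[[:space:]]*=[[:space:]]*"*\([^"[:space:]]*\).*/\1/p' | head -n 1
}

# path_covers LIST DIR: succeed when DIR is one of the colon-separated entries of LIST
path_covers() {
  case ":$1:" in
    *":$2:"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# sudo_can_find TOOL_PATH SECURE_PATH: succeed when the directory holding TOOL_PATH
# is on SECURE_PATH, i.e. "sudo <tool>" would resolve the same binary
sudo_can_find() {
  path_covers "$2" "$(dirname "$1")"
}

# report TOOL_PATH SECURE_PATH: human-readable result plus the usual remedies
report() {
  if sudo_can_find "$1" "$2"; then
    echo "OK: sudo will find $1"
  else
    echo "WARNING: $(dirname "$1") is not on sudo's secure_path ($2)"
    echo "  remedies: add it to secure_path, run 'sudo env \"PATH=\$PATH\" $(basename "$1") ...',"
    echo "  or call the tool by its absolute path: sudo $1"
  fi
}

# Stand-alone demonstration against the constructed sudoers text
sp=$(printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_secure_path)
report /usr/local/bin/docker-compose "$sp"
```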
port from training image
I've run into many problems when not preceding commands on the README.md with sudo as a non-privileged user. Adding a note explaining this requirement or utilizing become within the roles/playbooks would be helpful.
Weavescope isn't set to restart=always.
Spelled "Set varilables"
Should be "Set variables"
authn-ldap is not configured by default. show how that's done and how it authns to an external ldap service.
cdemo/build/haproxy/Dockerfile, lines 3 to 5 in 78c34ca
Splitting apt-get update and apt-get install -y ... will cause caching issues when building and can cause file sizes to be larger than necessary.
Combine all 3 RUN commands (L3-L5) into one RUN command instead:
RUN apt-get clean \
    && apt-get update \
    && apt-get install -y \
        curl \
        git
The original demos ran against lower 4.9.x appliance builds but the later ones (cluster, failover, etc) require higher 4.9.x (4.9.12). As demos are added to the cdemo setup, it would be nice to have a standard way to describe what the minimum appliance requirement is for each demo. It would also be nice to run a quick summary that would show currently configured appliance version, a list of demo scenarios, and whether the current appliance version supports that demo or not. Example output below:
Currently Configured Appliance: ~/conjur/appliance/conjur-appliance-4.9.11.tar (Version: 4.9.11)
Demo Scenarios:
Adding scenarios to the system to support this would require the formulation of some kind of scenario metadata file (maybe formatting of the README?).
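One way the summary above could be produced, added here as an example rather than cdemo's own code: the appliance version is taken from the configured tar's file name, each scenario's minimum is compared component by component (plain string comparison would rank 4.9.9 above 4.9.12), and the scenario list with its "name|minimum version" format is constructed here as a stand-in for the metadata file the issue proposes.

```shell
#!/bin/sh
# Added example (not cdemo code). SCENARIOS is a constructed stand-in for a scenario
# metadata file; the minimum versions are illustrative.
SCENARIOS='basic|4.9.0
ssh|4.9.0
cluster|4.9.12
failover|4.9.12'

# appliance_version TAR_PATH: print "4.9.11" for .../conjur-appliance-4.9.11.tar
appliance_version() {
  basename "$1" | sed -n 's/^conjur-appliance-\([0-9][0-9.]*\)\.tar$/\1/p'
}

# version_ge A B: succeed when dotted version A >= B, comparing components numerically
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# scenario_min NAME: print the minimum version recorded for scenario NAME
scenario_min() {
  printf '%s\n' "$SCENARIOS" | awk -F'|' -v n="$1" '$1 == n { print $2; exit }'
}

# scenario_supported NAME VERSION: succeed when VERSION meets the scenario's minimum
scenario_supported() {
  min=$(scenario_min "$1")
  [ -n "$min" ] && version_ge "$2" "$min"
}

# demo_summary TAR_PATH: print the summary the issue asks for; return 1 on an unparsable tar
demo_summary() {
  ver=$(appliance_version "$1")
  [ -n "$ver" ] || { echo "Cannot read a version from $1" >&2; return 1; }
  echo "Currently Configured Appliance: $1 (Version: $ver)"
  echo "Demo Scenarios:"
  for name in $(printf '%s\n' "$SCENARIOS" | cut -d'|' -f1); do
    if scenario_supported "$name" "$ver"; then status=supported; else status="NOT supported"; fi
    echo "  $name (requires >= $(scenario_min "$name")): $status"
  done
}

demo_summary "$HOME/conjur/appliance/conjur-appliance-4.9.11.tar"
```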
The Conjur Identity template fails to run for 2 reasons:
Now the template will run.
This will be a long process...
A multi-step pipeline in Jenkins should be created to provide automated testing, error reporting, building and publishing of cdemo.
This will allow for automated build, test, and deployment to SkyTap for CyberArk regional Sales Engineers globally to access for demonstration purposes.
Containers don't share local time with the host by default. We can overcome this by sharing /etc/localtime as a read-only volume on each container.
Possibly related: #55