Athenz on Docker

Index

Prerequisites

  1. git
  2. docker
  3. make
  4. sh

NOTE: Tests are done on CentOS-7 and MacOS 10.14+ ONLY.

Build Athenz

cd "$(git rev-parse --show-toplevel)/docker"

# it takes about 15-30 mins
make build

# P.S. the latest code may cause the docker build to fail; use an older version by specifying the tag version (< v1.9.27) or post an issue
# make build TAG=v1.9.27

Deploy Athenz

  • production environment
  • development environment
    make deploy-dev

Verify Athenz Deployment

  • production environment
  • development environment
    make verify

Java Remote Debugging

### ZMS
ZMS_DEBUG_PORT=8001
export ZMS_JAVA_OPTS="-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=${ZMS_DEBUG_PORT}"
# re-deploy ZMS, reference: ./deploy-scripts/zms-deploy.sh
# expose the debug port on the host (JDWP gives full control of the JVM, so keep it reachable from the local machine only)
docker run --rm \
    --network="${DOCKER_NETWORK}" \
    -p "${ZMS_DEBUG_PORT}:${ZMS_DEBUG_PORT}" \
    --link "${ZMS_HOST}:target" \
    alpine/socat \
    "tcp-listen:${ZMS_DEBUG_PORT},fork,reuseaddr" \
    "tcp-connect:target:${ZMS_DEBUG_PORT}"

### ZTS
ZTS_DEBUG_PORT=8002
export ZTS_JAVA_OPTS="-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=${ZTS_DEBUG_PORT}"
# re-deploy ZTS, reference: ./deploy-scripts/zts-deploy.sh
# expose the debug port on the host (JDWP gives full control of the JVM, so keep it reachable from the local machine only)
docker run --rm \
    --network="${DOCKER_NETWORK}" \
    -p "${ZTS_DEBUG_PORT}:${ZTS_DEBUG_PORT}" \
    --link "${ZTS_HOST}:target" \
    alpine/socat \
    "tcp-listen:${ZTS_DEBUG_PORT},fork,reuseaddr" \
    "tcp-connect:target:${ZTS_DEBUG_PORT}"

Cleanup

# remove Athenz containers
make remove-containers

# remove server data
make remove-files

# remove bootstrap setup files
make reset-repo
# reset docker and repo
make remove-all

# remove everything, including docker images
make clean

Appendix

Important Files

Default server ports

Useful Commands

# check logs
less ./logs/zms/server.log
less ./logs/zts/server.log

# remove a single container (and its logs)
docker stop athenz-zms-server; docker rm athenz-zms-server; rm -f ./logs/zms/*
docker stop athenz-zts-server; docker rm athenz-zts-server; rm -f ./logs/zts/*
docker stop athenz-ui; docker rm athenz-ui

# inspect
docker inspect athenz-zms-server | less
docker inspect athenz-zts-server | less

# check connectivity
telnet localhost 4443
curl localhost:4443/zms/v1 -o -
curl localhost:8443/zts/v1 -o -
curl localhost:3306 -o -
curl localhost:3307 -o -

# server status
curl -k -o - https://localhost:4443/zms/v1/status
curl -k -o - https://localhost:8443/zts/v1/status

# mysql
mysql -v -u root --host=127.0.0.1 --port=3306 --password=${ZMS_DB_ROOT_PASS} --database=zms_server -e 'show tables;'
mysql -v -u root --host=127.0.0.1 --port=3307 --password=${ZTS_DB_ROOT_PASS} --database=zts_store -e 'show tables;'

# keytool
keytool -list -keystore ./zms/var/certs/zms_keystore.pkcs12
keytool -list -keystore ./zts/var/certs/zts_keystore.pkcs12
keytool -list -keystore ./zms/var/certs/zms_truststore.jks
keytool -list -keystore ./zts/var/certs/zts_truststore.jks
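As an added example that is not part of the Athenz repository, the following POSIX shell script turns the status checks above into a retrying readiness probe of the kind the ZMS TODO item asks for. The function names, the `ATHENZ_CA_CERT` variable and the loopback URLs on ports 4443/8443 are assumptions taken from this README's defaults.

```shell
#!/bin/sh
# Added example, not part of the Athenz repository: poll the ZMS and ZTS
# status endpoints until they answer HTTP 200, e.g. after `make deploy-dev`
# or as a container readiness probe. Ports 4443/8443 are this README's defaults.

# Print the HTTP status code for URL ("000" when the server is unreachable).
# ATHENZ_CA_CERT (assumed variable) names a PEM CA bundle for the server cert;
# without it we fall back to -k, which skips verification and suits local use only.
http_status() {
    if [ -n "${ATHENZ_CA_CERT:-}" ]; then
        curl -s -o /dev/null -w '%{http_code}' --cacert "$ATHENZ_CA_CERT" "$1"
    else
        curl -k -s -o /dev/null -w '%{http_code}' "$1"
    fi
}

# wait_for_status URL [ATTEMPTS] [DELAY_SECONDS]
# Return 0 as soon as URL answers 200, 1 once ATTEMPTS polls have failed.
wait_for_status() {
    url=$1; attempts=${2:-30}; delay=${3:-2}; n=1
    while [ "$n" -le "$attempts" ]; do
        code=$(http_status "$url" || true)   # curl exits non-zero on connect failure
        code=${code:-000}
        if [ "$code" = "200" ]; then
            echo "ready: $url"
            return 0
        fi
        echo "attempt $n/$attempts: $url returned $code" >&2
        n=$((n + 1))
        sleep "$delay"
    done
    return 1
}

# Probe both servers in order; fails if either never becomes ready.
athenz_ready() {
    wait_for_status "https://localhost:4443/zms/v1/status" "$@" \
        && wait_for_status "https://localhost:8443/zts/v1/status" "$@"
}

# Usage: athenz_ready [ATTEMPTS] [DELAY_SECONDS], e.g.
# athenz_ready 30 2
```

Source the file and call `athenz_ready` from a deploy script or wire `wait_for_status` into a container readiness check.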

TODO

  • Athenz-bootstrap#todo
  • UI
    1. convert default-config.js parameters to ENV
    2. server.js, login.js, serviceFQN; the keys folder is hard-coded
    3. configurable listening port
  • ZMS
    1. need server health check, e.g. readiness probe
  • ZPU
    1. If the volume is not mounted to /home/athenz/tmp/zpe/, ZPU fails with: 2019/06/12 06:34:09 Failed to get policies for domain: garm, Error:Unable to write Policies for domain:"garm" to file, Error:rename /home/athenz/tmp/zpe/garm.tmp /etc/acceptance-test/zpu/garm.pol: invalid cross-device link
  • athenz-cli
    1. build with separate docker files (add go.mod to support caching the dependencies)
  • common
    1. file permission for keys (chmod 600?)
    2. support a docker image version tag for docker build and docker run via the TAG environment variable
  • KeyStoreJwkKeyResolver
    1. support setting the CA certificate via system properties so JwkProviderBuilder can fetch JWKs from the Internet