5. Docker¶
Keeto ships a fully configured Docker image providing an easy and fast way for the establishment of an environment in order to become familiar with Keeto. This chapter gives an overview about this environment, describes how to set it up and ultimately use it.
5.1. Overview¶
The Docker environment consists of the two containers ‘keeto-openldap’ and ‘keeto-openssh’. ‘keeto-openldap’ provides a Directory Service based on OpenLDAP and ‘keeto-openssh’ runs an OpenSSH server configured with Keeto. The Directory Service contains various entries reflecting the access permissions, key material, users etc. for the OpenSSH server running within the ‘keeto-openssh’ container.
5.1.1. Services¶
The following ports are exposed by the Docker environment and bound to the local machine:
| Container | Protocol | Port |
|---|---|---|
| keeto-openldap | LDAP Plain/StartTLS | 127.0.0.1:1389 |
| keeto-openldap | LDAPS | 127.0.0.1:1636 |
| keeto-openssh | SSH | 127.0.0.1:1022 |
5.1.2. Syslog Settings¶
The local /dev/log socket is mounted to the container’s filesystem in order to obtain syslog messages from container components. The following syslog identifiers/facilities are used:
| Component | Syslog Identifier | Syslog Facility |
|---|---|---|
| OpenLDAP | slapd | LOG_LOCAL4 |
| OpenSSH | sshd | LOG_LOCAL0 |
| Keeto | keeto | LOG_LOCAL1 |
5.1.3. OpenLDAP Settings¶
| Option | Value |
|---|---|
| LDAP URI | ldap://127.0.0.1:1389 |
| Base DN | dc=keeto,dc=io |
| Bind DN | cn=directory-manager,dc=keeto,dc=io |
| Bind password | test123 |
5.1.4. OpenSSH Access Permissions¶
| Key/User | Direct Access | Access On Behalf |
|---|---|---|
| birgit | Yes | - |
| bjoern | No | keeto |
| oliver | No | slapd, opendj |
| sebastian | No | keeto |
| trixi | No | slapd, opendj |
| wolfgang | Yes | - |
5.2. Prerequisites¶
The following software packages are needed in order to run the Keeto Docker environment:
- Docker
- Docker Compose
- LDAP client
- SSH client
- Syslog (optional)
Although any LDAP client will do Apache Directory Studio is recommended as Keeto provides an export of the connection settings needed to configure the client for the usage with the Docker environment. The SSH client has to support either PKCS#8 or PuTTY’s .ppk private key format for public key authentication.
5.3. Setup¶
Grab the source code tarball from https://keeto.io and unpack the distribution. All files needed to setup the Docker environment are included in the ‘samples/docker’ directory:
<user>$ wget https://keeto.io/static/downloads/keeto-0.3.0-beta/keeto-0.3.0-beta.tar.gz
<user>$ tar xvfz keeto-0.3.0-beta.tar.gz
<user>$ cd keeto-0.3.0-beta/samples/docker
Now start the containers using Docker Compose with the following command:
<root>$ docker-compose up -d
Docker will download the images if they are not already available locally and subsequently start the environment. Finally you should see the following output:
Creating network "docker_keeto-net" with driver "bridge"
Creating keeto-openldap
Creating keeto-openssh
Thats it! The Keeto Docker environment is now fully operational. Optionally configure your local syslog daemon to log messages from container components. A sample configuration file for syslog-ng can be found in the ‘samples’ directory.
5.4. Usage¶
Now that the environment is up and running you are able to play around and gain a better understanding of Keeto. Configure your favourite LDAP client with the settings described in OpenLDAP Settings and browse/modify the content in the OpenLDAP Directory Service. If you are using Apache Directory Studio you might wanna import the connection settings from the ‘samples/docker/misc’ folder. The environment comes with some predefined access permissions as described in OpenSSH Access Permissions. The private key material for the various logins is available in the ‘samples/docker/keys’ folder. Note that some SSH clients require the private key to have certain access permissions. If you are using such a client change permissions of the private key file accordingly.
The following two examples show logins with the OpenSSH SSH client for a user that has direct access and another one that has access on behalf of another account:
<user>$ chmod 600 keys/birgit-key.pem
<user>$ ssh -i keys/birgit-key.pem -p 1022 birgit@localhost
<user>$ chmod 600 keys/oliver-key.pem
<user>$ ssh -i keys/oliver-key.pem -p 1022 slapd@localhost