Merge pull request #780 from gravitational/ev/docker
Created Docker-based test bed
commit
df7df58749
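--- a/docker/.bashrc
+++ b/docker/.bashrc
@@ -0,0 +1,4 @@
+PS1='\[\033[33;1m\]container(\h)\[\033[0;33m\] \w\[\033[00m\]: '
+PATH=$PATH:/teleport/build
+alias ls="ls --color=auto"
+alias ll="ls -alF"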
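--- a/docker/.dockerignore
+++ b/docker/.dockerignore
@@ -0,0 +1 @@
+data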
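--- a/docker/.gitignore
+++ b/docker/.gitignore
@@ -0,0 +1 @@
+data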
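--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -0,0 +1,16 @@
+# The base image (buildbox:latest) is built by running `make -C build.assets`
+# from the base repo directory $GOPATH/gravitational.com/teleport
+FROM teleport-buildbox:latest
+
+# DEBUG=1 is needed for the Web UI to be loaded from static assets instead
+# of the binary
+ENV DEBUG=1
+
+# htop is useful for testing terminal resizing
+RUN apt-get install -y htop
+
+VOLUME ["/teleport", "/var/lib/teleport"]
+COPY .bashrc /root/.bashrc
+
+# expose only proxy ports (SSH and HTTPS)
+EXPOSE 3023 3080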
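Review bot: The header comment names the base image `buildbox:latest`, but the `FROM` line pulls `teleport-buildbox:latest`, so one of the two should be corrected to match the tag that `make -C build.assets` actually produces (not visible in this commit). Separately, `RUN apt-get install -y htop` has no `apt-get update` in the same layer; whether package lists are present depends on the base image, so the portable form is `RUN apt-get update && apt-get install -y htop && rm -rf /var/lib/apt/lists/*`. No `USER` instruction is set, so teleport runs as root inside these containers; that is acceptable for a local test bed but worth a one-line comment saying it is intentional so the file is not copied as-is into a deployment image.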
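--- a/docker/Makefile
+++ b/docker/Makefile
@@ -0,0 +1,61 @@
+TELEBOX=teleport:latest
+HOMEDIR=$(abspath ..)
+THISDIR=`pwd`
+NETNAME=telenet
+DOCKEROPS=--detach=true --net $(NETNAME) -w /teleport -v $(HOMEDIR):/teleport
+
+#
+# Default target starts two Teleport clusters
+#
+.PHONY:run
+run:
+# create a docker Teleport image and a network
+docker build -t $(TELEBOX) .
+docker network create --subnet=172.10.0.0/16 $(NETNAME)
+mkdir -p data/one data/two/proxy data/two/node data/two/auth
+# start the single-node cluster named "one"
+docker run --name=one \
+--hostname one \
+--ip 172.10.1.1 \
+--publish 3080:3080 -p 3023:3023 \
+--volume $(THISDIR)/data/one:/var/lib/teleport \
+$(DOCKEROPS) $(TELEBOX) build/teleport start -c /teleport/docker/one.yaml
+# start three-node cluster named "two"
+docker run --name=two-auth \
+--hostname two-auth \
+--ip 172.10.1.2 \
+--volume $(THISDIR)/data/two/auth:/var/lib/teleport \
+$(DOCKEROPS) $(TELEBOX) build/teleport start -c /teleport/docker/two-auth.yaml
+docker run --name=two-proxy \
+--hostname two-proxy \
+--ip 172.10.1.3 \
+--publish 5080:5080 -p 5023:5023 \
+--volume $(THISDIR)/data/two/proxy:/var/lib/teleport \
+$(DOCKEROPS) $(TELEBOX) build/teleport start -c /teleport/docker/two-proxy.yaml
+docker run --name=two-node \
+--hostname two-node \
+--ip 172.10.1.4 \
+--volume $(THISDIR)/data/two/node:/var/lib/teleport \
+$(DOCKEROPS) $(TELEBOX) build/teleport start -c /teleport/docker/two-node.yaml
+
+# 'make stop' stops all Teleport containers, deletes them
+# and their network
+#
+.PHONY:stop
+stop:
+-@docker rm -f one two-auth two-proxy two-node
+-@docker network rm telenet
+
+# `make enter-one` gives you shell inside auth server
+# of cluster "one"
+#
+.PHONY:enter-one
+enter-one:
+docker exec -ti one /bin/bash
+
+# `make enter-two` gives you shell inside auth server
+# of cluster "two"
+#
+.PHONY:enter-two
+enter-two:
+docker exec -ti two-auth /bin/bash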
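Review bot: The `stop` target removes the network by the literal name `telenet` while every other rule goes through `$(NETNAME)`; changing the line to `-@docker network rm $(NETNAME)` keeps `run` and `stop` in sync if the variable is ever edited. The `--subnet=172.10.0.0/16` passed to `docker network create` is not an RFC 1918 private block (that is 172.16.0.0/12), so while the test network exists the host will route real Internet addresses in that range into it; a subnet inside 172.16.0.0/12 or 10.0.0.0/8 avoids the collision. The `--publish 3080:3080 -p 3023:3023` and `--publish 5080:5080 -p 5023:5023` flags bind on every host interface, whereas the README in this commit describes the clusters as reachable on localhost; `--publish 127.0.0.1:3080:3080` (and likewise for the other three ports) keeps the test bed, with its fixed join tokens, limited to the local machine. `THISDIR` is defined with a shell `pwd` substitution that is re-run in each recipe line, while `HOMEDIR` uses `$(abspath ..)`; `$(CURDIR)` gives the same value without the subshell.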
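--- a/docker/README.md
+++ b/docker/README.md
@@ -0,0 +1,76 @@
+## Docker
+
+This directory contains Docker-based flow to run Teleport clusters locally
+for testing & development purposes.
+
+### Building
+
+First, you need to build `teleport:latest` Docker image. This image is built
+automatically when you type `make` BUT...
+
+But you have to build the base image first, by running `make -C build.assets`
+from `$GOPATH/github.com/gravitational/teleport` (repository base dir).
+
+### Starting
+
+Type:
+
+```bash
+$ make
+```
+
+This will start two Teleport clusters:
+
+* Single-node cluster `one`, accessible now on https://localhost:3080
+* Three-node cluster `two`, accessible now on https://localhost:5080
+
+### Stopping
+
+Type:
+
+```bash
+$ make stop
+```
+
+### Configuration
+
+Look at the [Makefile](Makefile): the containers are started with their
+`/var/lib/teleport` mounted to `data/one` or `data/two` on a host.
+
+The configuration is passed via YAML files located in `/teleport/docker/xxx.yaml`
+inside each container.
+
+The cluster data is preserved between restarts, so you can link these two
+clusters (make them "trusted") by placing certificates within `data` and
+updating the config files.
+
+### Using TCTL
+
+To add users to any of the clusters, you have to "enter" into the running
+containers of their auth servers and use `tctl` there.
+
+For cluster "one":
+
+```bash
+$ make enter-one
+```
+
+and then you'll find yourself inside a container where `teleport` auth daemon
+is running, try `ps -ef` for example and you'll get something like this:
+
+```bash
+container(one) /teleport: ps -ef
+UID PID PPID C STIME TTY TIME CMD
+root 1 0 40 06:04 ? 00:00:06 build/teleport start -c /teleport/docker/one.yaml
+root 13 0 0 06:04 ? 00:00:00 /bin/bash
+root 19 13 0 06:04 ? 00:00:00 ps -ef
+```
+
+For cluster "two":
+
+```bash
+$ make enter-two
+```
+
+... and then you can use stuff like `tctl users add`, etc. Make sure to pass
+the YAML file to `tctl` via `-c` flag.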
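--- a/docker/one.yaml
+++ b/docker/one.yaml
@@ -0,0 +1,24 @@
+# Single-node Teleport cluster called "one" (runs all 3 roles: proxy, auth and node)
+teleport:
+nodename: one
+log:
+output: /var/lib/teleport/teleport.log
+severity: INFO
+
+auth_service:
+enabled: yes
+cluster_name: one
+tokens:
+- "node,auth,proxy:xxx"
+
+ssh_service:
+enabled: yes
+labels:
+cluster: one
+commands:
+- name: kernel
+command: [/bin/uname, -r]
+period: 5m
+
+proxy_service:
+enabled: yes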
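Review bot: The join token `node,auth,proxy:xxx` under `tokens:` is a fixed, trivially guessable secret that lets any holder join the cluster in every role, auth and proxy included; two-auth.yaml declares the same value, and two-node.yaml and two-proxy.yaml consume it as `auth_token: xxx`. That is workable for a throwaway local test bed, but nothing in the file marks it as such, so a comment on the `tokens:` line such as `# test-only static join token; generate a random value before reusing this config anywhere reachable` would keep it from being copied into a real configuration. The Makefile in this commit publishes only the proxy ports for container "one", so exposure of the auth listener appears limited to the docker network, which is worth stating in that comment too.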
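--- a/docker/two-auth.yaml
+++ b/docker/two-auth.yaml
@@ -0,0 +1,25 @@
+# Auth server for cluster "two". Also runs "node" role
+teleport:
+nodename: two-auth
+log:
+output: /var/lib/teleport/teleport.log
+severity: INFO
+
+auth_service:
+enabled: yes
+cluster_name: two
+tokens:
+- "node,auth,proxy:xxx"
+
+ssh_service:
+enabled: yes
+labels:
+cluster: two
+role: auth+node
+commands:
+- name: kernel
+command: [/bin/uname, -r]
+period: 5m
+
+proxy_service:
+enabled: no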
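--- a/docker/two-node.yaml
+++ b/docker/two-node.yaml
@@ -0,0 +1,20 @@
+# Dumb SSH node for cluster "two"
+teleport:
+nodename: two-node
+auth_servers: ["two-auth"]
+auth_token: xxx
+log:
+output: /var/lib/teleport/teleport.log
+severity: INFO
+
+ssh_service:
+enabled: yes
+labels:
+cluster: two
+role: dumb_node
+
+proxy_service:
+enabled: no
+
+auth_service:
+enabled: no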
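--- a/docker/two-proxy.yaml
+++ b/docker/two-proxy.yaml
@@ -0,0 +1,26 @@
+# Proxy server for cluster "two". Also runs "node" role
+teleport:
+nodename: two-proxy
+auth_servers: ["two-auth"]
+auth_token: xxx
+log:
+output: /var/lib/teleport/teleport.log
+severity: INFO
+
+auth_service:
+enabled: no
+
+ssh_service:
+enabled: yes
+labels:
+cluster: two
+role: proxy+node
+commands:
+- name: kernel
+command: [/bin/uname, -r]
+period: 5m
+
+proxy_service:
+enabled: yes
+listen_addr: 0.0.0.0:5023
+web_listen_addr: 0.0.0.0:5080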
|
@ -159,7 +159,7 @@ func (cmd *Command) sendFile(r *reader, ch io.ReadWriter, fi os.FileInfo, path s
|
|||
|
||||
// report progress:
|
||||
if cmd.Terminal != nil {
|
||||
defer fmt.Fprintf(cmd.Terminal, "-> %s/%s (%d)\n", path, fi.Name(), fi.Size())
|
||||
defer fmt.Fprintf(cmd.Terminal, "-> %s (%d)\n", path, fi.Size())
|
||||
}
|
||||
|
||||
_, err := io.WriteString(ch, out)
|
||||
|
|