9605128f67
* Fix docker-compose Getting Started guide issues This addresses several issues with the Docker Compose Getting Started Guide. - Intermittent SSH failures and password prompts from the term container In the bootstrap container, the "generate-certs.sh" script is used to generate certificates for other containers in the environment. This uses two "tctl auth export" commands. If the Teleport container is not available, i.e., it hasn't finished booting, generate-cert.sh is supposed to execute a "return" statement from either of the two "tctl auth export" commands with a nonzero code, causing the script to try again after one second. However, since the output of each "tctl auth export" command is piped into a "sed" command, the "generate_certs()" function continues without retrying if the Teleport container is not yet available. This means that the term container does not have access to the certificate it needs to connect to the OpenSSH server, public key authentication fails, and SSH issues a password challenge. This change adds the "set -o pipefail" option to the "generate-certs.sh" script so that the "tctl auth export" commands return a nonzero exit code if they fail and the retry logic works as intended. - Add session recording to the "Next steps" section This demo isn't set up for session recording, so we remove the mention from the main body of the guide to avoid misleading users that this is supposed to be set up here. Instead, this mentions it as a next step. - Update instructions for accessing the Web UI. This mentions the currently valid Chrome flag to use and indicates that you can visit the invite page in your browser via localhost. Fixes #9687 Fixes #7872 * Respond to PR feedback |
||
|---|---|---|
| .. | ||
| ansible | ||
| sshd | ||
| teleport/config | ||
| .dockerignore | ||
| .env | ||
| .gitignore | ||
| docker-compose.yml | ||
| Dockerfile | ||
| env.file | ||
| Makefile | ||
| one-node.yaml | ||
| one-proxy.yaml | ||
| one.yaml | ||
| README.md | ||
| teleport-ent-quickstart.yml | ||
| teleport-lab.yml | ||
| teleport-quickstart.yml | ||
| two-auth.yaml | ||
| two-node.yaml | ||
| two-proxy.yaml | ||
| two-role-admin.yaml | ||
| two-tc.yaml | ||
Docker
This directory contains Docker-based flow to run Teleport clusters locally for testing & development purposes.
Building
First, you need to build teleport:latest Docker image.
Run the following commands from $GOPATH/github.com/gravitational/teleport (repository base dir):
$ make docker
$ cd docker
$ make build
Starting
$ make up
This will start two Teleport clusters:
- Single-node cluster
one, accessible now on https://localhost:3080 - Three-node cluster
two, accessible now on https://localhost:5080
Stopping
$ make down
SSH
SSH container needs User CA authorities exported:
$ make export-certs
Configuration
Look at the Makefile: the containers are started with their
/var/lib/teleport mounted to data/one or data/two on a host.
The configuration is passed via YAML files located in /teleport/docker/xxx.yaml
inside each container.
Since the cluster data is preserved between restarts, so you can edit the configuration and restart if you want to change configuration changes.
Using TCTL
To add users to any of the clusters, you have to "enter" into the running
containers of their auth servers and use tctl there.
For cluster "one":
$ make enter-one
and then you'll find yourself inside a container where teleport auth daemon
is running, try ps -ef for example and you'll get something like this:
container(one) /teleport: ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 40 06:04 ? 00:00:06 build/teleport start -c /teleport/docker/one.yaml
root 13 0 0 06:04 ? 00:00:00 /bin/bash
root 19 13 0 06:04 ? 00:00:00 ps -ef
For cluster "two":
$ make enter-two
... and then you can use stuff like tctl users add, etc. Make sure to pass
the YAML file to tctl via -c flag.
Trusted Clusters
Trusted Clusters with Resources
-
Update
two-role.yamland replaceusername_goes_herewith your username. -
Create a
RoleandTrustedClusterresource on Cluster Two.make enter-two tctl -c /root/go/src/github.com/gravitational/teleport/docker/two-auth.yaml create -f docker/two-role-admin.yaml tctl -c /root/go/src/github.com/gravitational/teleport/docker/two-auth.yaml create -f docker/two-tc.yaml
Trusted Clusters with File Configuration
Export CAs
Run the following commands to export your CAs.
# enter cluster two and export ca
make enter-two
tctl -c /root/go/src/github.com/gravitational/teleport/docker/two-auth.yaml auth export > docker/data/two/two.ca
exit
# enter cluster one and export ca
make enter-one
tctl auth export > docker/data/one/one.ca
exit
Upate Configuration
Stop both clusters with make stop, update the file configuration for both clusters, and start again with make.
# update docker/one.yaml with the following under "auth_service"
trusted_clusters:
- key_file: /root/go/src/github.com/gravitational/teleport/docker/data/two/two.ca
# update docker/two-auth.yaml with the following under "auth_service"
trusted_clusters:
- key_file: /root/go/src/github.com/gravitational/teleport/docker/data/one/one.ca
allow_logins: root
tunnel_addr: one
Ansible
To setup Ansible:
-
Follow steps in Trusted Cluster section to setup Trusted Clusters.
-
Use
tctlto issue create user command and follow link on screen to create user.tctl users add {username} root -
Configure Ansible.
# add two-node to ansible hosts file echo "172.10.1.2:3022" >> /etc/ansible/hosts # setup ssh_args that ansible will use to access trusted cluster nodes sed -i '/ssh_args = -o ControlMaster=auto -o ControlPersist=60s/assh_args = -o "ProxyCommand ssh -p 3023 one -s proxy:%h:%p@two"' /etc/ansible/ansible.cfg # use scp over sftp sed -i '/scp_if_ssh/s/^#//g' /etc/ansible/ansible.cfg -
Start and load OpenSSH agent with keys.
# create directory for ssh config mkdir ~/.ssh && chmod 700 ~/.ssh # start ssh-agent eval `ssh-agent` # log in with the user created before tsh --proxy=localhost --user=rjones login # load keys into ssh-agent tsh --proxy=localhost --user=rjones agent --load -
Verify Ansible works:
$ ansible all -m ping 172.10.1.2 | success >> { "changed": false, "ping": "pong" } -
Run an simple playbook:
# cd to directory that contains playbook cd /root/go/src/github.com/gravitational/teleport/docker/ansible # run playbook ansible-playbook playbook.yaml
Interactive Usage
Also you can start an empty container from which you can manually invoke teleport start.
This is similar to launching an empty Linux VM with a Teleport binary.
To get shell inside the same "one" (single-node cluster) container without Teleport running:
$ make shell
NOTE: If you get "network already exists" error, do make stop first.
Once inside, you'll get the same /var/lib/teleport as "one", so you
can start (and even build) teleport daemon manually. This container also
comes with a fully configured screen so you can treat it as a real VM.