Skip to content

Latest commit

 

History

History
209 lines (146 loc) · 5.26 KB

README.md

File metadata and controls

209 lines (146 loc) · 5.26 KB

Docker

This directory contains Docker-based flow to run Teleport clusters locally for testing & development purposes.

Building

First, you need to build teleport:latest Docker image.

Run the following commands from $GOPATH/github.com/gravitational/teleport (repository base dir):

$ make docker
$ cd docker
$ make build

Starting

$ make up

This will start two Teleport clusters:

Stopping

$ make down

SSH

SSH container needs User CA authorities exported:

$ make export-certs

Configuration

Look at the Makefile: the containers are started with their /var/lib/teleport mounted to data/one or data/two on a host.

The configuration is passed via YAML files located in /teleport/docker/xxx.yaml inside each container.

Since the cluster data is preserved between restarts, so you can edit the configuration and restart if you want to change configuration changes.

Using TCTL

To add users to any of the clusters, you have to "enter" into the running containers of their auth servers and use tctl there.

For cluster "one":

$ make enter-one

and then you'll find yourself inside a container where teleport auth daemon is running, try ps -ef for example and you'll get something like this:

container(one) /teleport: ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0 40 06:04 ?        00:00:06 build/teleport start -c /teleport/docker/one.yaml
root        13     0  0 06:04 ?        00:00:00 /bin/bash
root        19    13  0 06:04 ?        00:00:00 ps -ef

For cluster "two":

$ make enter-two

... and then you can use stuff like tctl users add, etc. Make sure to pass the YAML file to tctl via -c flag.

Trusted Clusters

Trusted Clusters with Resources

  1. Update two-role.yaml and replace username_goes_here with your username.

  2. Create a Role and TrustedCluster resource on Cluster Two.

    make enter-two
    tctl -c /root/go/src/github.com/gravitational/teleport/docker/two-auth.yaml create -f docker/two-role-admin.yaml
    tctl -c /root/go/src/github.com/gravitational/teleport/docker/two-auth.yaml create -f docker/two-tc.yaml

Trusted Clusters with File Configuration

Export CAs

Run the following commands to export your CAs.

# enter cluster two and export ca
make enter-two
tctl -c /root/go/src/github.com/gravitational/teleport/docker/two-auth.yaml auth export > docker/data/two/two.ca
exit

# enter cluster one and export ca
make enter-one
tctl auth export > docker/data/one/one.ca
exit
Upate Configuration

Stop both clusters with make stop, update the file configuration for both clusters, and start again with make.

# update docker/one.yaml with the following under "auth_service"
trusted_clusters:
  - key_file: /root/go/src/github.com/gravitational/teleport/docker/data/two/two.ca
# update docker/two-auth.yaml with the following under "auth_service"
trusted_clusters:
  - key_file: /root/go/src/github.com/gravitational/teleport/docker/data/one/one.ca
    allow_logins: root
    tunnel_addr: one

Ansible

To setup Ansible:

  1. Follow steps in Trusted Cluster section to setup Trusted Clusters.

  2. Use tctl to issue create user command and follow link on screen to create user.

    tctl users add {username} root
  3. Configure Ansible.

    # add two-node to ansible hosts file
    echo "172.10.1.2:3022" >> /etc/ansible/hosts
    
    # setup ssh_args that ansible will use to access trusted cluster nodes
    sed -i '/ssh_args = -o ControlMaster=auto -o ControlPersist=60s/assh_args = -o "ProxyCommand ssh -p 3023 one -s proxy:%h:%p@two"' /etc/ansible/ansible.cfg
    
    # use scp over sftp
    sed -i '/scp_if_ssh/s/^#//g' /etc/ansible/ansible.cfg
  4. Start and load OpenSSH agent with keys.

    # create directory for ssh config
    mkdir ~/.ssh && chmod 700 ~/.ssh
    
    # start ssh-agent
    eval `ssh-agent`
    
    # log in with the user created before
    tsh --proxy=localhost --user=rjones login
    
    # load keys into ssh-agent
    tsh --proxy=localhost --user=rjones agent --load
  5. Verify Ansible works:

    $ ansible all -m ping
    172.10.1.2 | success >> {
        "changed": false, 
        "ping": "pong"
    }
  6. Run an simple playbook:

    # cd to directory that contains playbook
    cd /root/go/src/github.com/gravitational/teleport/docker/ansible
    
    # run playbook
    ansible-playbook playbook.yaml

Interactive Usage

Also you can start an empty container from which you can manually invoke teleport start. This is similar to launching an empty Linux VM with a Teleport binary.

To get shell inside the same "one" (single-node cluster) container without Teleport running:

$ make shell

NOTE: If you get "network already exists" error, do make stop first.

Once inside, you'll get the same /var/lib/teleport as "one", so you can start (and even build) teleport daemon manually. This container also comes with a fully configured screen so you can treat it as a real VM.