Public | Automated Build

Last pushed: 2 years ago

Conjur docker-webservice

Docker image providing the Conjur CLI tools together with an inbound gatekeeper and an outbound proxy for web services and web applications.

An excellent way to Conjurize web applications easily.

Basic usage

(See https://github.com/conjurdemos/asgard for a more complete example.)

Application images

Base a Docker image on conjurinc/webservice:

FROM conjurinc/webservice

conjurinc/webservice is based on Alpine Linux; use apk to install packages, e.g.

RUN apk update
RUN apk add openjdk7-jre-base bash

ADD http://dist.neo4j.org/neo4j-community-2.1.3-unix.tar.gz /tmp/neo4j.tar.gz
RUN ["tar", "-C", "/opt", "-zxf", "/tmp/neo4j.tar.gz"]

Put a launch script into /etc/scripts/launch

COPY launch /etc/scripts/

e.g.

#!/bin/sh
/opt/neo4j-community-*/bin/neo4j start

Put a container config in /etc/conjur.container

COPY conjur.container /etc/

e.g.

# port 80 is gated by Conjur and redirected to 7474
gate 80, to: 7474

Expose the port

EXPOSE 80

Build the image

docker build -t example/neo4j examples/neo4j
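The gate only protects traffic that goes through the gated port; if the Dockerfile also EXPOSEs the backend port (7474 above), the gate is bypassed. The following lint is an added example, not part of the conjurinc/webservice image or its docs; it assumes the "gate FRONT, to: BACK" line format shown above and uses constructed sample files.

```shell
# Added example: check a Dockerfile against its conjur.container.
# Every EXPOSEd port must be a gated front port, and no backend ("to:")
# port may be exposed directly, because that would bypass the Conjur gate.

# gated_ports FILE -> prints "FRONT BACK" for each "gate FRONT, to: BACK" line
gated_ports() {
  sed -n 's/^[[:space:]]*gate[[:space:]]*\([0-9][0-9]*\)[[:space:]]*,[[:space:]]*to:[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p' "$1"
}

# check_exposed DOCKERFILE CONTAINERFILE -> returns 0 if OK, 1 on any violation
check_exposed() {
  dockerfile=$1; cfg=$2; rc=0
  gates=$(gated_ports "$cfg")
  for port in $(sed -n 's/^EXPOSE[[:space:]]*//p' "$dockerfile"); do
    port=${port%%/*}                                  # strip an optional /tcp suffix
    if printf '%s\n' "$gates" | awk -v p="$port" '$2==p{f=1} END{exit !f}'; then
      echo "ERROR: port $port is a backend port; exposing it bypasses the gate" >&2; rc=1
    elif ! printf '%s\n' "$gates" | awk -v p="$port" '$1==p{f=1} END{exit !f}'; then
      echo "WARN: port $port is exposed but has no gate in $cfg" >&2; rc=1
    fi
  done
  return $rc
}

# Constructed sample input (hypothetical files in a temp dir, left in place).
demo_dir=$(mktemp -d)
cat > "$demo_dir/conjur.container" <<'EOF'
# port 80 is gated by Conjur and redirected to 7474
gate 80, to: 7474
EOF
printf 'FROM conjurinc/webservice\nEXPOSE 80\n'      > "$demo_dir/Dockerfile.good"
printf 'FROM conjurinc/webservice\nEXPOSE 80 7474\n' > "$demo_dir/Dockerfile.bad"

check_exposed "$demo_dir/Dockerfile.good" "$demo_dir/conjur.container" && echo "Dockerfile.good: OK"
check_exposed "$demo_dir/Dockerfile.bad"  "$demo_dir/conjur.container" || echo "Dockerfile.bad: rejected"
```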

Permissions

Gating and proxying require a host identity for the container.
A gated request is allowed only if the caller has execute permission on that host.

The easiest way to set up a host identity is to create a policy, e.g.

policy "neo4j-0.0.1" do
  users = group "neo4j-users"
  clients = layer "neo4j-clients" do
    add_host host("neo4j-client") # a client host
  end

  layer "neo4j", name: "Neo4j database servers" do
    add_member "use_host", users # use_host permission on layer grants execute on hosts
    add_member "use_host", clients

    add_host host("docker/neo4j")
  end
end

Load it with:

conjur policy load -c policy.json examples/neo4j/policy.rb

Launch

A helper script is provided to launch containers from a policy context file:

./bin/policy-run policy.json docker/neo4j --name neo4j -d -p 8080:80 example/neo4j

Owner: conjurinc