Ubuntu 16.04 w/ 2 CPU and 4GB of memory
Docker CE
Conjur v5 EE appliance
You can use other distros, but the instructions here assume Ubuntu 16.04 LTS. They should also work for 17.04 and 18.04 (or any Debian-based distro, for that matter). You could also use the OSS version of Conjur with these instructions, but they assume v5 EE.
First, we'll get some Docker pre-requisites out of the way.
$ sudo apt-get install -y curl \
    apt-transport-https \
    ca-certificates \
    software-properties-common \
    openssh-server \
    git
Now we'll prep for the Docker install. If you skip the next 2 steps, you'll install the wrong version of Docker. These steps are distro-specific, so check out the Docker documentation if you're using a different distro.
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
$ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
$ sudo apt-get update
$ sudo apt-get install -y docker-ce
$ sudo groupadd docker
$ sudo usermod -aG docker $USER
$ newgrp docker
If you get a weird daemon error, then you probably don't exist in the docker group or forgot to refresh the groups.
$ docker run hello-world
OK, great, we have Docker installed, making our VM our "Docker host". That's it for pre-requisites to install Conjur!
Go ahead and use WinSCP if you want, or, if you're doing this from an SSH session already, you can just SCP the file over.
$ scp filename username@host:/tmp
$ docker load -i conjur-appliance-5.1.2.tar.gz
$ docker load -i conjur_cli.tar.gz
$ docker images
$ docker run --name conjur-master -d --restart=always \
    --security-opt seccomp:unconfined \
    -p "443:443" -p "636:636" -p "5432:5432" -p "1999:1999" \
    conjur-appliance_tag
$ docker ps
$ docker inspect conjur-master
$ docker exec -it conjur-master bash
$ evoke configure master -h master.nate.lab -p Cyberark1 CYBR
Note: If you use a name other than the docker host's hostname, you'll need to edit /etc/hosts so that the name you use resolves to
$ curl -k https://master.nate.lab/health
$ curl -k https://master.nate.lab/info
Let's make a working directory on the Docker host. We'll volume mount this into the CLI container so our files persist.
$ mkdir ~/Documents/conjur
Note: we're pulling this from a public GitHub project, so your Docker host will need internet access to do this the first time.
$ docker run -v ~/Documents/conjur:/root --rm -it cyberark/conjur-cli:5
$ vi /etc/hosts
$ conjur init -a CYBR -u https://master.nate.lab
$ conjur authn login -u admin -p Cyberark1
$ touch /root/users.yml && touch /root/variable.yml
Check out https://cyberark.github.io/conjur-policy-generator/# for help creating policy files.
- !user alice
- !user bob
- !group secrets-users
- !group secrets-managers
- !grant
  role: !group secrets-users
  member: !user alice
- !grant
  role: !group secrets-managers
  member: !user bob
Paste into variable.yml. Note that we're building a policy tree here. Root, or /, is the trunk of the policy tree and is where our users and groups are created. When we create the variable with a nested policy like this, we need to be sure we reference the correct location for the groups. If we used secrets-users instead of /secrets-users
- !policy
  id: myapp
  body:
    - !policy
      id: alfa
      body:
        - &secrets_hydrogen
          - !variable hydrogen
        - !permit
          role: !group /secrets-users
          privileges: [ read, execute ]
          resources: *secrets_hydrogen
        - !permit
          role: !group /secrets-managers
          privileges: [ read, execute, update ]
          resources: *secrets_hydrogen
    - !policy
      id: bravo
      body:
        - &secrets_lithium
          - !variable lithium
        - !permit
          role: !group /secrets-users
          privileges: [ read, execute ]
          resources: *secrets_lithium
        - !permit
          role: !group /secrets-managers
          privileges: [ read, execute, update ]
          resources: *secrets_lithium
$ conjur policy load root users.yml
$ conjur policy load root variable.yml
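The policy-tree point above (a bare `secrets-users` inside myapp/alfa is a different role from root-level `/secrets-users`) is easy to get wrong, and the mistake is invisible in the YAML itself. Below is an added example, not part of these notes and not CyberArk tooling: a small POSIX shell lint you can run on the Docker host before `conjur policy load`. It assumes the layout used here (users and groups declared in the root policy, so every `!group`/`!user` reference inside a nested policy must start with `/`, and block-style YAML with one `id:` per policy). The two sample policy files it writes to a temp directory are constructed for the example; `resolve_id` encodes the root-vs-nested resolution rule the note describes.

```sh
#!/bin/sh
# Added example, not from the original notes or from CyberArk: lint role
# references in a nested Conjur policy file before `conjur policy load`.
# Assumption: users and groups are declared in the root policy, so every
# !group / !user reference inside a nested policy must be absolute ("/name").
set -u

# resolve_id POLICY_PATH REF
# Print the fully qualified id Conjur would use for REF appearing inside the
# policy at POLICY_PATH ("" for root): "/x" is always root-level "x", while a
# bare "x" is nested under the enclosing policy.
resolve_id() {
  case "$2" in
    /*) printf '%s\n' "${2#/}" ;;
    *)  if [ -z "$1" ]; then printf '%s\n' "$2"; else printf '%s/%s\n' "$1" "$2"; fi ;;
  esac
}

# unresolved_role_refs FILE
# Walk the block-style YAML, tracking the enclosing policy ids by indentation,
# and print LINE:POLICY_PATH:REF for every relative !group/!user reference
# found inside a nested policy (root-level declarations are not reported).
unresolved_role_refs() {
  awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^ *id: */ {                      # an "id:" line opens a (nested) policy
      n = indent($0)
      while (depth > 0 && ind[depth] >= n) depth--   # leave sibling policies
      depth++; ind[depth] = n
      sub(/^ *id: */, ""); ids[depth] = $0
      next
    }
    /!(group|user) +[^\/ ]/ {         # role reference without a leading slash
      n = indent($0)
      while (depth > 0 && ind[depth] >= n) depth--
      path = ""
      for (i = 1; i <= depth; i++) path = (path == "" ? ids[i] : path "/" ids[i])
      ref = $0; sub(/.*!(group|user) +/, "", ref); sub(/[ ,].*$/, "", ref)
      if (path != "") print NR ":" path ":" ref
    }
  ' "$1"
}

# relative_ref_count FILE: number of findings, "0" when the file is clean.
relative_ref_count() {
  unresolved_role_refs "$1" | wc -l | tr -d ' '
}

# report_relative_refs FILE: human-readable version of the findings.
report_relative_refs() {
  unresolved_role_refs "$1" | while IFS=: read -r lineno path ref; do
    printf '%s:%s: "%s" resolves to %s; did you mean "/%s" (%s)?\n' \
      "$1" "$lineno" "$ref" "$(resolve_id "$path" "$ref")" "$ref" "$(resolve_id "$path" "/$ref")"
  done
}

# Constructed sample policies (same shape as the variable.yml in these notes).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
GOOD_POLICY="$workdir/variable.yml"
BAD_POLICY="$workdir/variable-relative.yml"
cat > "$GOOD_POLICY" <<'EOF'
- !policy
  id: myapp
  body:
    - !policy
      id: alfa
      body:
        - &secrets_hydrogen
          - !variable hydrogen
        - !permit
          role: !group /secrets-users
          privileges: [ read, execute ]
          resources: *secrets_hydrogen
    - !policy
      id: bravo
      body:
        - &secrets_lithium
          - !variable lithium
        - !permit
          role: !group /secrets-managers
          privileges: [ read, execute, update ]
          resources: *secrets_lithium
EOF
# Same policy with the leading slashes dropped, i.e. the mistake described above.
sed 's#!group /secrets-#!group secrets-#' "$GOOD_POLICY" > "$BAD_POLICY"

echo "$GOOD_POLICY: $(relative_ref_count "$GOOD_POLICY") relative role reference(s)"
report_relative_refs "$BAD_POLICY"
```

Run it as a script on the Docker host, or source it and call `report_relative_refs ~/Documents/conjur/variable.yml` against your own file. A finding means the permit would bind to a role nested under the policy (for example myapp/alfa/secrets-users) rather than the root group you created in users.yml.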