Dear list
I have a containerised Guacamole instance using docker compose. I like the
docker approach for its relative simplicity
and reproducibility.
I want to use LDAPS or STARTTLS for authentication against an LDAP directory
(AD in this case). This means that I must
inject Certificate Authority (CA) certificates into the trust store of the
container. Turning off certificate checks
isn't an option these days.
I have a working solution but I don't think it is optimal. I found a script in
the root of the container called
__cacert_entrypoint.sh which seems to deal with this. The guacamole user that
the image runs as does not have the
required rights to update certificates and I don't know whether that script
runs at all: finding docs or even the source
for the ubuntu image is quite tricky for a civilian.
My solution is to run the container command as root and get it to run the
script and then Guacamole. I also mount a
folder of certificates into the container and set an environment variable as
the script requires.
Is there a better way to do this that I am missing, or should I file a bug on
Jira to get that script run on startup and
some permissions fixed up?
Cheers
Jon
PS: For reference, here is my guacamole service section in compose.yml. Pop
your CA certs into ./certificates, note how
command (CMD in a dockerfile) is overridden to run two commands, as user: root.
Thinking about it: seeing as command is running as root, we can probably
run start.sh as guacamole instead with a su
or similar. I'm not sure how insecure running as the container root is vs the
guacamole user but it might break
something else that assumes the guacamole user.
-------------------------------------- 8< ---------------------------------------------
guacamole:
  container_name: guacamole
  depends_on:
    - guacd
    - postgres
  environment:
    GUACD_HOSTNAME: guacd
    POSTGRESQL_DATABASE: guacamole_db
    POSTGRESQL_HOSTNAME: postgres
    POSTGRESQL_PASSWORD: 'long_password'
    POSTGRESQL_USER: guacamole_user
    LDAP_HOSTNAME: dc.example.co.uk
    LDAP_ENCRYPTION_METHOD: starttls
    LDAP_SEARCH_BIND_DN: 'CN=LDAPuser,OU=SA,OU=example,DC=co,DC=uk'
    LDAP_SEARCH_BIND_PASSWORD: 'long_password'
    LDAP_USER_BASE_DN: 'DC=example,DC=co,DC=uk'
    LDAP_USERNAME_ATTRIBUTE: 'sAMAccountName'
    # quoted so the YAML parser hands compose a string rather than a boolean
    USE_SYSTEM_CA_CERTS: 'true'
  user: root
  # CMD override: import the mounted CA certs first, then start Guacamole
  command: >
    bash -c "/__cacert_entrypoint.sh &&
    /opt/guacamole/bin/start.sh"
  volumes:
    - ./certificates:/certificates
  image: guacamole/guacamole
  links:
    - guacd
  networks:
    guacnetwork:
  ports:
    - 8080/tcp
  restart: always
-------------------------------------- 8< ---------------------------------------------
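One way to avoid running the container as root at all is to bake the CA certificates into the Java trust store at image build time and keep the runtime user unchanged. The Dockerfile below is an added example, not part of the original post and not something shipped by the Guacamole project; it assumes the base image has keytool on PATH with the default cacerts password "changeit", that its normal runtime user is named "guacamole", and that ./certificates holds one CA certificate per file (PEM or DER, e.g. ./certificates/example-root-ca.crt, a placeholder name).

```dockerfile
# Added example (not from the original post or the Guacamole project):
# import CA certificates while building, so the running container can
# stay the unprivileged guacamole user and needs no command override.
FROM guacamole/guacamole

# Root is only needed during the build; nothing below runs as root at runtime.
USER root
COPY certificates/ /tmp/certificates/

# One keytool import per file; the alias is derived from the file name.
# -cacerts targets the JDK's default trust store, which Java LDAP clients use.
RUN set -eu; \
    for cert in /tmp/certificates/*; do \
        alias="$(basename "$cert" | tr -c 'A-Za-z0-9._\n' '_')"; \
        keytool -importcert -cacerts -noprompt -storepass changeit \
            -alias "$alias" -file "$cert"; \
    done; \
    rm -rf /tmp/certificates

# Fail the build if the import left no trusted entries behind.
RUN keytool -list -cacerts -storepass changeit | grep -q trustedCertEntry

# Drop back to the unprivileged user the image normally runs as.
USER guacamole
```

With this image the compose service replaces `image: guacamole/guacamole` with `build: .` and no longer needs `user: root`, the `command:` override, the `/certificates` volume or `USE_SYSTEM_CA_CERTS`. The trade-off is that a CA rotation means rebuilding the image, and only the Java trust store is updated (the system CA bundle is untouched), which is sufficient for the LDAP extension but not for anything in the container that relies on the OS store.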