Description
Hello,
I have been trying to set up Mokey via Docker to use as a web-accessible frontend to my FreeIPA server.
My stack uses Traefik as the reverse proxy, which allows for all required network access.
My FreeIPA server is running on a dedicated host, so I've had to apply a few hacks in lieu of finding a formal option for setting the server URL.
There are a number of issues I've encountered:

- Loop of `mokey | Waiting for FreeIPA server (HTTP Server) ...` (Fixed by the `extra_hosts` in the compose file below)
- Systemd slice issues (Fixed by setting the `init` and `privileged` flags)

```
$ docker compose run --rm -it mokey curl -o /etc/pki/ca-trust/source/anchors/ipa-ca.crt -fs http://ipa.mokey.local/ipa/config/ca.crt
host: parse of /etc/resolv.conf failed
FreeIPA server is ready.
+ curl -o /etc/pki/ca-trust/source/anchors/ipa-ca.crt -fs http://ipa.mokey.local/ipa/config/ca.crt
+ update-ca-trust
systemd 252-46.el9_5.2.0.1 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Detected virtualization docker.
Detected architecture x86-64.
Welcome to Rocky Linux 9.5 (Blue Onyx)!
Failed to create /system.slice/docker-0154243a1c85bb788892c1af3136f22b5a8930f5056662ce76fa58cb443323f4.scope/init.scope control group: Read-only file system
Failed to allocate manager object: Read-only file system
[!!!!!!] Failed to allocate manager object.
Exiting PID 1...
```

- Missing telinit support (Fix pending)

```
$ docker compose run --rm -it mokey curl -o /etc/pki/ca-trust/source/anchors/ipa-ca.crt -fs http://ipa.mokey.local/ipa/config/ca.crt
host: parse of /etc/resolv.conf failed
FreeIPA server is ready.
+ curl -o /etc/pki/ca-trust/source/anchors/ipa-ca.crt -fs http://ipa.mokey.local/ipa/config/ca.crt
+ update-ca-trust
Couldn't find an alternative telinit implementation to spawn.
```
Note for the docker-compose: I intentionally removed the server container. All the other files are untouched from the clone of the repo.
docker-compose.yml:

```yaml
services:
  mokey:
    image: ipaclient
    restart: ${RESTART_MODE}
    build:
      context: ./container
      dockerfile: Dockerfile.client
      args:
        DEV_SSH_KEY: $DEV_SSH_KEY
        GO_VERSION: $GO_VERSION
        USER_ID: ${UID:-1000}
        USER: ${USER:-developer}
    init: true # Part of systemd slice fix
    privileged: true # Part of systemd slice fix
    container_name: mokey
    hostname: [redacted]
    labels:
      # ... Traefik labels
      - traefik.http.services.mokey-svc.loadbalancer.server.port=8080
      - traefik.enable=true
    cgroup: host
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro # Attempted fix for telinit issue
      - ${VOLUMES_ROOT_PATH}/config:/app:cached
      - ${VOLUMES_ROOT_PATH}/data:/data
    tmpfs:
      - /run
    stop_signal: RTMIN+3
    networks:
      - [redacted]
    extra_hosts:
      - "ipa.mokey.local:[redacted]" # Hack to have mokey connect to my FreeIPA Server
    depends_on:
      - mokey-redis
  mokey-redis:
    image: redis:latest
    # ... Redis config
networks:
  [redacted]
```
config/mokey.toml:

```toml
#------------------------------------------------------------------------------
# Sample Mokey Config
#------------------------------------------------------------------------------

#------------------------------------------------------------------------------
# Site specific configuration
#------------------------------------------------------------------------------
[site]
# Name of your site
name = "[redacted] Identity Management"
# Homepage of your organization
homepage = "https://[redacted]"
# Link to your site's help pages
help_url = ""
# Link to your getting started guide
getting_started_url = ""
# Link to your terms of service
tos_url = "https://[redacted]"
# Path to custom favicon.ico file
favicon = ""
# Path to logo
logo = ""
# Path to custom css styles file
css = ""
# Path to local template override directory. You can override one or more
# of the templates using this directory
# templates_dir = "/usr/share/mokey/templates"
# Path to local static assets directory. This is used to host all
# css/javascript/images assets locally. Only used for advanced customization.
# static_assets_dir = "/usr/share/mokey/assets"
# User account for the mokey service
ktuser = "mokeyapp"
# Path to keytab file
keytab = "/etc/mokey/private/mokeyapp.keytab"
# Path to logo
# logo = "/etc/mokey/assets/my-logo.png"

#------------------------------------------------------------------------------
# User account settings
#------------------------------------------------------------------------------
[accounts]
# Default home directory
default_homedir = "/home"
# Default login shell
default_shell = "/bin/bash"
# Minimum password length. Used for validating new passwords. Should match your
# password policy set in FreeIPA
min_passwd_len = 16
# Minimum password classes. Classes are lowercase, uppercase, numbers, and
# special characters. Used for validating new passwords. Should match your
# password policy set in FreeIPA
min_passwd_classes = 2
# Hash algorithm for generating OTP tokens: sha1, sha256, or sha512
otp_hash_algorithm = "sha512"
# Custom issuer name for OTP tokens. This creates a nice name for importing into authenticator apps
otp_issuer = "[redacted]"
# Block list of user accounts from logging in
block_users = ["[redacted]", "username2", "username3"]
# Extract username from email address
username_from_email = false
# Allowed domains. Format is {"domain": "username-generator"}, where
# username-generator can be one of the following username generator algorithms:
# - default = takes username part from email
# - flast = assumes emails are formatted FirstName.LastName@example.com
#   Generates usernames using the first letter of firstname + last name.
#   Example: John.Doe@example.com = jdoe
allowed_domains = {"[redacted].com" = "default", "[redacted].com" = "flast"}
# Require Two-Factor authentication on all accounts. This prevents users from
# uploading ssh keys and displays a warning message reminding users to enable
# Two-Factor authentication.
require_mfa = false
# Require FreeIPA admin to activate the account. With this option enabled new
# accounts are disabled by default until a FreeIPA admin activates them.
require_admin_verify = true
# By default, login attempts for non-existent user accounts will be shown an
# error message indicating that the username is not found in the system. If
# your site is concerned about the potential for username enumeration attacks,
# you could hide this error message by setting this to true.
hide_invalid_username_error = true

#------------------------------------------------------------------------------
# Email
#------------------------------------------------------------------------------
[email]
# Base URL used for email links. This should be the URL where mokey is being
# hosted and defaults to the hostname used in the http request. Set this value
# to hard code the base_url.
base_url = "https://[redacted].com"
# Max lifetime of branca tokens used for password resets and account verify
token_max_age = 3600
# Secret key for branca tokens. Must be 32 bytes. To generate run:
# openssl rand -hex 32
token_secret = ""
# Hostname for smtp server
smtp_host = "[redacted]"
# Port for smtp server
smtp_port = 465
# Enable smtp tls
smtp_tls = "true"
# SMTP Authentication Credentials
#smtp_username = ""
#smtp_password = ""
# Email signature to append to end of all emails
signature = ""
# From email address
from = "[redacted]@[redacted].com"

#------------------------------------------------------------------------------
# Server settings
#------------------------------------------------------------------------------
[server]
# Address and port to listen
listen = "0.0.0.0:8080"
# Times out the session after inactivity (in seconds)
session_idle_timeout = 900
# Path to ssl certificate
# ssl_cert = ""
# Path to ssl key
# ssl_key = ""
# Require secure cookies
secure_cookies = true
# CSRF token secret key. Should be a random string
csrf_secret = ""
# Timeouts
read_timeout = 5
write_timeout = 5
idle_timeout = 120
# Rate limiter
# Expiration time in seconds on how long to keep records of requests
rate_limit_expiration = 60
# Max number of recent connections during rate_limit_expiration seconds before sending a 429 response
rate_limit_max = 25
# Enable prometheus metrics endpoint. WARNING: there is no authentication
# required for this endpoint and it's recommended to proxy this behind
# something like nginx and enable appropriate access controls.
enable_metrics = true

#------------------------------------------------------------------------------
# Storage
#------------------------------------------------------------------------------
[storage]
# Storage driver. Supported drivers: memory, sqlite3, and redis
driver = "redis"

[storage.sqlite3]
# Path to sqlite3 database used for session storage
#dbpath = "/data/storage/mokey.db"

[storage.redis]
# Redis URL
url = "redis://[redacted]:6379"

#------------------------------------------------------------------------------
# Hydra
#------------------------------------------------------------------------------
[hydra]
# admin_url: "http://localhost:4445"
# login_timeout: 3600
# fake_tls_termination: true
```
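As an added example (not code from this issue or from the Mokey project), a short Python audit of the mokey.toml above that checks the settings its own comments flag: the 32-byte branca `token_secret`, an empty `csrf_secret`, `secure_cookies`, the unauthenticated metrics endpoint and `hide_invalid_username_error`. The parser only covers the flat `key = value` subset the file uses, and the sample input is constructed from the posted config with its secrets left empty as posted.

```python
import re
# Constructed sample: the security-relevant keys of the mokey.toml posted above.
SAMPLE_TOML = """
[accounts]
hide_invalid_username_error = true
[email]
token_secret = ""   # Must be 32 bytes
[server]
listen = "0.0.0.0:8080"
secure_cookies = true
csrf_secret = ""
enable_metrics = true
"""
_KV = re.compile(r'^(\w+)\s*=\s*(?:"([^"]*)"|(true|false)|(-?\d+))')

def parse_flat_toml(text):
    """Parse the flat [section] / key = value subset mokey.toml uses; comments, arrays and inline tables are skipped."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = cfg.setdefault(line[1:-1], {})
            continue
        m = _KV.match(line)
        if m is None or section is None:
            continue  # arrays, tables, or a key outside any section
        key, s, b, n = m.groups()
        section[key] = s if s is not None else (b == "true") if b else int(n)
    return cfg

def audit_config(cfg):
    """Return (section.key, problem) pairs for settings the sample config's own comments warn about."""
    email, server, accounts = (cfg.get(k, {}) for k in ("email", "server", "accounts"))
    rules = [
        ("email.token_secret", len(str(email.get("token_secret", "")).encode()) < 32,
         "branca key is empty or shorter than 32 bytes"),
        ("server.csrf_secret", not server.get("csrf_secret"), "CSRF secret is empty"),
        ("server.secure_cookies", server.get("secure_cookies") is not True,
         "session cookies are not marked Secure"),
        ("server.enable_metrics", server.get("enable_metrics") is True,
         "unauthenticated /metrics endpoint; restrict it at the reverse proxy"),
        ("accounts.hide_invalid_username_error",
         accounts.get("hide_invalid_username_error") is not True,
         "login errors reveal whether a username exists"),
    ]
    return [(key, why) for key, bad, why in rules if bad]
```

Running `audit_config(parse_flat_toml(SAMPLE_TOML))` on the posted values reports the empty `token_secret`, the empty `csrf_secret` and the open metrics endpoint.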
If there are any additional files or context required, let me know.

EDIT 1:
If anyone has a similar setup working, I'd greatly appreciate any config files or pointers for how to alter the behavior of Mokey to work in a more reliable fashion. If removing the use of systemd is possible, I'd also like to explore that.