1

I have been reading the documentation and still cannot work out how to get the IBM/Secure-Gateway-client to run with an ACL file option within docker.

I have pulled the client docker image, and have been using the following syntax:

bash -c 'nohup docker run ibmcom/secure-gateway-client --F aclfile.txt xxx_stage_ng  > tmp/run_sgc.log 2>&1 &'

All I get in the log is the following:

[2015-09-30 11:30:41.764] [ERROR] An exception occurred reading or processing the ACL file, error is Error: ENOENT, no such file or directory 'aclfile.txt'
[2015-09-30 11:30:41.764] [WARN] The ACL has been set to DENY ALL until this is fixed.
[2015-09-30 11:30:43.779] [INFO] The Secure Gateway tunnel is connected

I have given the full path to the file, no path (as above) and any interim option I can think of. The container runs, but not with the options I want to specify in the ACL file.

Alex da Silva
sternLiz

2 Answers

1

This is what I did:

1) Created a Dockerfile to include the aclfile.txt

FROM ibmcom/secure-gateway-client
ADD aclfile.txt /tmp/aclfile.txt

2) Built a new docker image

docker build -t ads-secure-gateway-client .

3) Ran the new docker image (I needed to specify the -t and -i options, otherwise I would get a file not found error):

docker run -t -i ads-secure-gateway-client  --F /tmp/aclfile.txt

4) Got the following output:

[2015-09-30 16:50:32.084] [INFO] The current access control list is being reset and replaced by the user provided batch file: /tmp/aclfile.txt
[2015-09-30 16:50:32.086] [INFO] The ACL batch file process accepts acl allow :8000
[2015-09-30 16:50:32.087] [INFO] The ACL batch file process accepts acl deny localhost:22

I hope that helps.

Alex da Silva
  • @sternLiz, you can also launch your docker container, then in a separate terminal issue a docker ps command to get the instance of the docker container running the secure gateway client. Then in that same terminal use the docker cp command to push your file into the container. Once in the container you can use the interactive secure gateway shell command to load it. – doktoroblivion Sep 30 '15 at 20:55
  • Thank you @ErickGriffin. I see that the file needs to be in the container and not outside of it as I had it. I will give that a go. – sternLiz Oct 01 '15 at 07:54
  • @sternLiz, actually I have found that docker 1.7.0 does not support the 'cp' command from host to docker instance. That is only supported in 1.8.0+. After you upgrade your docker engine to that level it should work; I will put the steps in an additional answer. – doktoroblivion Oct 01 '15 at 12:14
0

To use the interactive 'cp' support in docker from your host to the docker instance you must be at docker 1.8.0. You can check this using:

docker --version

Once you have done this, your version should display as follows. It is recommended that you allow docker to run as a non-root user, so run the command that is suggested after you have upgraded your engine to 1.8.0 or 1.8.2.

Client:
 Version:      1.8.2
 API version:  1.20
 Go version:   go1.4.2
 Git commit:   0a8c2e3
 Built:        Thu Sep 10 19:21:21 UTC 2015
 OS/Arch:      linux/amd64

Server:
 Version:      1.8.2
 API version:  1.20
 Go version:   go1.4.2
 Git commit:   0a8c2e3
 Built:        Thu Sep 10 19:21:21 UTC 2015
 OS/Arch:      linux/amd64

Then to push out your acl file list to the docker image follow these steps:

  1. Run 'docker ps' command to find your container ID

    CONTAINER ID   IMAGE                          COMMAND                  CREATED          STATUS          PORTS   NAMES
    764aadce386b   ibmcom/secure-gateway-client   "node lib/secgwclient"   27 seconds ago   Up 26 seconds           condescending_nobel

  2. Copy your acl.list using the 'docker cp' command using either the container ID or name:

    docker cp 01_client.list 764aadce386b:/root/01_client.list

  3. Next, in the secure gateway client running in docker:

    cli> F /root/01_client.list

     [2015-10-01 08:12:30.091] [INFO] The current access control list is being reset and replaced by the user provided batch file: /root/01_client.list
     [2015-10-01 08:12:30.093] [INFO] The ACL batch file process accepts acl allow 127.0.0.1:27017
     [2015-10-01 08:12:30.094] [INFO] The ACL batch file process accepts acl allow 127.0.0.1:22
    
doktoroblivion
  • Thank you for the additional info Eric, I had not realised that I can use cp... I have, on previous versions of docker, been using tar to get files to/from the running container. I have actually used your Dockerfile option, especially now that I realised I can actually call that file any name and put it in any location. This is now working for me with your help! Thank you! – sternLiz Oct 02 '15 at 08:22
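
Added example, not part of the original thread and not IBM's code: the failure log in the question shows the client falling back to DENY ALL while the tunnel still connects, so a running container is not evidence that the ACL was applied. This script reads the client log and checks that the most recent ACL event is a successful load and that every rule in the ACL file was accepted. The function names are hypothetical, and it assumes the ACL file holds one rule per line in the form the log echoes back.

```shell
#!/bin/sh
# Added example: confirm from the client log that the ACL file was really applied.
# Message texts come from the log lines quoted on this page. Assumption: the ACL
# file holds one rule per line in the form the log echoes back ("acl allow :8000").

# acl_state LOG: most recent ACL event in the log (DENY_ALL, LOADED or UNKNOWN).
acl_state() {
    awk '/ACL has been set to DENY ALL/            { s = "DENY_ALL" }
         /replaced by the user provided batch file/ { s = "LOADED" }
         END { print (s == "" ? "UNKNOWN" : s) }' "$1"
}

# accepted_rules LOG: rules the client accepted since the most recent ACL reset.
accepted_rules() {
    awk '/replaced by the user provided batch file/ { n = 0 }
         /The ACL batch file process accepts / {
             sub(/.*process accepts /, ""); sub(/[ \t\r]+$/, ""); r[n++] = $0 }
         END { for (i = 0; i < n; i++) print r[i] }' "$1"
}

# check_acl LOG ACLFILE: succeed only if the ACL loaded and no rule was dropped.
check_acl() {
    state=$(acl_state "$1")
    if [ "$state" != "LOADED" ]; then
        echo "ACL not applied (state: $state)"; return 1
    fi
    tmp=$(mktemp); accepted_rules "$1" > "$tmp"
    missing=$(sed -e 's/[[:space:]]*$//' -e '/^$/d' "$2" | grep -Fxv -f "$tmp" || true)
    rm -f "$tmp"
    if [ -n "$missing" ]; then
        echo "rules not accepted: $missing"; return 1
    fi
    echo "ACL applied"
}

# Constructed sample input: the two log excerpts from this page plus a matching ACL file.
make_samples() {
    cat > "$1/fail.log" <<'EOF'
[2015-09-30 11:30:41.764] [ERROR] An exception occurred reading or processing the ACL file, error is Error: ENOENT, no such file or directory 'aclfile.txt'
[2015-09-30 11:30:41.764] [WARN] The ACL has been set to DENY ALL until this is fixed.
[2015-09-30 11:30:43.779] [INFO] The Secure Gateway tunnel is connected
EOF
    cat > "$1/ok.log" <<'EOF'
[2015-09-30 16:50:32.084] [INFO] The current access control list is being reset and replaced by the user provided batch file: /tmp/aclfile.txt
[2015-09-30 16:50:32.086] [INFO] The ACL batch file process accepts acl allow :8000
[2015-09-30 16:50:32.087] [INFO] The ACL batch file process accepts acl deny localhost:22
EOF
    printf 'acl allow :8000\nacl deny localhost:22\n' > "$1/aclfile.txt"
}
```

To use it, source the file and run `check_acl tmp/run_sgc.log aclfile.txt` against the log written by the `docker run` command; a non-zero exit means the container is up but not enforcing the intended rules.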