GUI management for small docker services - Specifically AAA.

Introduction:

As stated before - I love docker. It's great. But I also run a number of virtual machines for various purposes.

One of those VMs happens to be Cisco ACS 5.8. This controls AAA functions for TACACS+ logins to my Cisco hardware, as well as RADIUS authentication for my VPN. The VPN uses specific RADIUS attributes, so I don't want to simply use TACACS+ and therefore have to maintain both protocols.

ACS is end of sale, soon to be end of life. Cisco Identity Services Engine (ISE) is its replacement. I don't want to run ISE at home - it's a behemoth of an appliance, and is packed with huge numbers of features I don't need. Simplicity is required.

I found an answer, surprise surprise, in docker. I am using the tac_plus package and FreeRADIUS for my new authentication servers. The scope of this post is not to detail the functionality of these machines, but rather their administration. I naturally dockerised these services and they're running quite happily. Perhaps I'll do a post on their configuration later...

The Problem:

Each of these has some configuration files associated with them. Users, passwords, service definitions etc. It's not a huge amount but it's something you want to preserve. I use docker volumes to store these files outside the containers and preserve the config through container destruction & creation.

So, how to manage these configuration files? What if I want to add a user to my VPN? Well, I'll have to log in via SSH to my NAS (and for that I have to be on my network or VPN), or the docker host, navigate to the directory where the files are, edit & save the file, then either restart the container through 'docker restart' or use my compose UI instance to restart them via the web.

All that is a bit long winded - I've got administration through the compose UI (which is fantastic and can be found here: https://github.com/francescou/docker-compose-ui). So really I want to administrate these with a GUI. I want to edit a file, and that's pretty much it. Most of what I could find is rather cumbersome and heavy, heavier than the containers themselves!

Solution:

I found a rather small git repository which contained the answer and can be found here: https://github.com/jpillora/webproc

Essentially, webproc runs a little webserver and then invokes a process / program in the background. This means you can control restarts, and log output to stdout is redirected. It also allows you to specify configuration files within the container / environment which you can edit via a web GUI. It even presents controls to restart the process, and does so automatically after you change the configuration files. It is uncanny how perfectly this fit my requirements!

Here's a view of the web interface. I've blanked out bits of my configuration. As you can see, there are some logs on the right, and config on the left!

I have the following Dockerfile to drive this:

FROM alpine:latest
LABEL maintainer="David Chidell <dchidell@cisco.com>"

# Pin the webproc release that is downloaded below
ENV WEBPROC_VERSION=0.1.9
ENV WEBPROC_URL=https://github.com/jpillora/webproc/releases/download/$WEBPROC_VERSION/webproc_linux_amd64.gz

# Install FreeRADIUS, fetch webproc (curl is only needed at build time),
# then remove write access for "other" on the RADIUS configuration
RUN apk --no-cache add freeradius \
    && apk add --no-cache --virtual .build-deps curl \
    && curl -fsSL $WEBPROC_URL | gzip -d - > /usr/local/bin/webproc \
    && chmod +x /usr/local/bin/webproc \
    && apk del .build-deps \
    && chmod -R o-w /etc/raddb/

EXPOSE 1812/udp
EXPOSE 1813/udp

ENTRYPOINT ["webproc","--on-exit","restart","--config","/etc/raddb/clients.conf,/etc/raddb/users","--","radiusd","-xx","-f","-l","stdout"]

The crux of this comes down to the last line. The rest is just installing packages and retrieving the webproc tool itself.

Let's focus on the following:

"webproc","--on-exit","restart","--config","/etc/raddb/clients.conf,/etc/raddb/users","--","radiusd","-xx","-f","-l","stdout"

The section prior to the double-dashes is the arguments to the webproc tool itself, and after the double-dashes are the FreeRADIUS arguments I am using. The --config argument lists two comma-separated files, which are editable in the left-hand pane of the GUI.

All in all, when combined with my traefik load-balancer this is an excellent solution for managing these small containers with minimum configuration files. It saves me having to SSH to machines to edit files, and I can do it on the go with a smartphone.
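
The Dockerfile above installs the downloaded webproc binary without checking its integrity, and that binary ends up supervising the RADIUS daemon and editing its credential files. The variant below is an added example, not part of the original post: it checks the download against a SHA-256 digest before installing it. WEBPROC_SHA256 is a build argument assumed for this example, and its value must be the digest of a release file you have verified yourself.

```dockerfile
# Added example: the same image, with the webproc download verified before use.
FROM alpine:latest

ENV WEBPROC_VERSION=0.1.9
ENV WEBPROC_URL=https://github.com/jpillora/webproc/releases/download/$WEBPROC_VERSION/webproc_linux_amd64.gz

# Assumption: build argument introduced for this example. It has no default on
# purpose, so the build fails unless a digest is supplied:
#   docker build --build-arg WEBPROC_SHA256=<sha256-of-webproc_linux_amd64.gz> .
ARG WEBPROC_SHA256

# Steps: require a digest, download to a temp file (-f fails on HTTP errors),
# verify the compressed file, and only then unpack it into the PATH.
RUN apk add --no-cache freeradius \
    && apk add --no-cache --virtual .build-deps curl \
    && test -n "$WEBPROC_SHA256" \
    && curl -fsSL -o /tmp/webproc.gz "$WEBPROC_URL" \
    && echo "$WEBPROC_SHA256  /tmp/webproc.gz" | sha256sum -c - \
    && gzip -dc /tmp/webproc.gz > /usr/local/bin/webproc \
    && rm /tmp/webproc.gz \
    && chmod 0755 /usr/local/bin/webproc \
    && apk del .build-deps \
    && chmod -R o-w /etc/raddb/

EXPOSE 1812/udp
EXPOSE 1813/udp

ENTRYPOINT ["webproc","--on-exit","restart","--config","/etc/raddb/clients.conf,/etc/raddb/users","--","radiusd","-xx","-f","-l","stdout"]
```

If the digest does not match, sha256sum exits non-zero and the build stops before anything is written to /usr/local/bin.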

References:

Compose UI: https://github.com/francescou/docker-compose-ui

Webproc: https://github.com/jpillora/webproc