As stated before - I love docker. It's great. But I also run a number of virtual machines for various purposes.
One of those VMs happens to be Cisco ACS 5.8. This controls AAA functions for TACACS+ logins to my Cisco hardware, as well as RADIUS authentication for my VPN. The VPN uses specific RADIUS attributes, so I don't want to simply use TACACS+ and therefore have to maintain both protocols.
ACS is end of sale, soon to be end of life. Cisco Identity Services Engine (ISE) is it's replacement. I don't want to run ISE at home - it's a behemoth of an appliance, and is packed with huge numbers of features I don't need. Simplicity is required.
I found an answer, surprise surprise, in docker. I am using the tac_plus package and FreeRADIUS for my new authentication servers. The scope of this post is not to detail the functionality of these machines, but rather their administration. I naturally dockerised these services and they're running quite happily. Perhaps I'll do a post on their configuration later...
Each of these has some configuration files associated with them. Users, passwords, service definitions etc. It's not a huge amount but it's something you want to preserve. I use docker volumes to store these files outside the containers and preserve the config through container destruction & creation.
So, how to manage these configuration files? What if I want to add a user to my VPN? Well, I'll have to log in via SSH to my NAS (and for that I have to be on my network or VPN), or the docker host, navigate to the directory where the files are, edit & save the file, then either restart the container through 'docker restart' or use my compose UI instance to restart them via the web.
All that is a bit long winded - I've got administration through the compose UI (which is fantastic and can be found here: https://github.com/francescou/docker-compose-ui). So really I want to administrate these with a GUI. I want to edit a file, and that's pretty much it. Most of what I could find is rather cumbersome and heavy, heavier than the containers themselves!
I found a rather small git repository which contained the answer and can be found here: https://github.com/jpillora/webproc
Essentially, the program contained actually runs a little webserver, and then invokes a process / program in the background. This means you can control restarts, and log output to stdout is redirected. It also allows you to specify configuration files within the container / environment which you can edit via a web gui. It even presents controls to restart the process, and does so automatically after you change the configuration files. It is uncanny how perfectly this fit my requirements!
Here's a view of the web interface. I've blanked out bits of my configuration. As you can see, there's some logs on the right, and config on the left!
I have the following Dockerfile to drive this:
FROM alpine:latest MAINTAINER David Chidell <firstname.lastname@example.org> ENV WEBPROC_VERSION 0.1.9 ENV WEBPROC_URL https://github.com/jpillora/webproc/releases/download/$WEBPROC_VERSION/webproc_linux_amd64.gz RUN apk --no-cache add freeradius \ && apk add --no-cache --virtual .build-deps curl \ && curl -sL $WEBPROC_URL | gzip -d - > /usr/local/bin/webproc \ && chmod +x /usr/local/bin/webproc \ && apk del .build-deps \ && chmod -R o-w /etc/raddb/ EXPOSE 1812/udp EXPOSE 1813/udp ENTRYPOINT ["webproc","--on-exit","restart","--config","/etc/raddb/clients.conf,/etc/raddb/users","--","radiusd","-xx","-f","-l","stdout"]
The crux of this comes down to the last line. The rest is just installing packages and retrieving the webproc tool itself.
Let's focus on the following:
The section prior to the double-dashes are the arguments to the webproc tool itself, and then after the double-sashes is the FreeRADIUS arguments I am using. The
--config argument shows two files which are comma seperated which are editable in the GUI on the left hand pane.
All in all, when combined with my traefik load-balancer this is an excellent solution for managing these small containers with minimum configuration files. It saves me having to SSH to machines to edit files, and I can do it on the go with a smartphone.
Compose UI: https://github.com/francescou/docker-compose-ui