Introduction to StrongDM and Docker
Last modified on October 4, 2023
This section provides general information about using StrongDM software with your containers. Although the documentation in this section is for use with Docker containers, it is possible to use StrongDM with any containerization software.
About Containers and StrongDM
Two general reasons exist for running StrongDM in containers:
- To monitor the containers in your cluster that perform specific jobs, either on a persistent basis or on an as-needed basis. For example, your application periodically accesses your database to perform tasks, and you want your application to do this via StrongDM for auditability.
- To deploy and monitor StrongDM gateways or relays in your cluster.
For both reasons, StrongDM provides the accompanying deployment and configuration steps, specifically the following:
- If you want to monitor specific jobs, you may use either the downloadable StrongDM Docker Service Client Container, which contains the StrongDM client binary, or install the StrongDM client on your preexisting containers.
- If you want to deploy StrongDM gateways or relays, you can use either the downloadable StrongDM Docker Gateway Container, which contains the StrongDM relay binary, or you can install it on your own Docker container. Note that the relay binary is used for both gateways and relays.
The StrongDM Client Binary
Using the StrongDM Docker Service Client Container is an ideal way to audit access to the containers running your tasks. For example, you may have a container with a job that runs to access a specific datasource. Rather than having the container directly access the datasource, it can use our StrongDM client within the Docker container to do so. This solution makes it easier to audit access for that job. Ultimately, the StrongDM Docker Service Client Container is perfect if you want to get set up quickly and have StrongDM preconfigured in a container.
If you are looking to implement the StrongDM client but want to manage everything within your containers yourself, the best option is to add the StrongDM client to your existing containers. Some benefits of adding the StrongDM client on your existing containers are as follows:
- The StrongDM Docker Service Client Container uses libraries that StrongDM controls for its own image. Adding only the StrongDM client to your existing containers gives you control over what specific image libraries are used.
- We provide instructions for installing the StrongDM client in your existing container using several Linux distributions, including Ubuntu 22.04, CentOS 7, and the latest version of Alpine, whereas the StrongDM Docker Service Client Container uses only Ubuntu 22.04.
- The StrongDM Docker Service Client Container must run as root. If you install the StrongDM client in your containers, you can use a specific service account so that the StrongDM client does not have root access to the containers.
- Installing certain software or configuring the containers to send telemetry somewhere is easier to do when you install the StrongDM client in existing containers.
The StrongDM Relay Binary
Gateways and relays are deployed via the StrongDM Docker Gateway Container. That is, once the premade container is up and running, you can provide it a relay or gateway token generated from the Admin UI and it will begin working as a gateway or relay. It is also possible to install the StrongDM relay binary on your own Docker container. When you install the StrongDM relay binary, note that the relay binary is used for both gateways and relays.
You can find resources and information about the following StrongDM topics in this section: