Add strongDM to Docker Containers
By using strongDM to control access management for your container deployments, you get the same peace of mind as with your local strongDM client. strongDM can be deployed in fully automated workflows, ETL jobs and more. This document describes adding the strongDM client to an existing Docker container. For a pre-built container solution, see Deploying the strongDM Client Docker Container.
Dockerfile strongDM Layer
To help you get started, the examples below demonstrate how to add strongDM as a single layer to a Dockerfile. Each of the examples below has been tested and is recommended by strongDM. If you need help determining the dependencies for your particular stack, please reach out to firstname.lastname@example.org for assistance.
Dockerfile (Ubuntu 18.04):

FROM ubuntu:18.04
RUN useradd sdm -m \
    && apt-get update \
    # Install build and runtime dependencies
    && apt-get install --no-install-recommends -y \
        curl \
        unzip \
        psmisc \
        ca-certificates \
    # Download SDM binary
    && curl -J -O -L https://app.strongdm.com/releases/cli/linux \
    # Unzip it
    && unzip sdmcli* \
    # Remove no longer needed build dependencies
    && apt-get remove -y \
        curl \
        unzip \
        ca-certificates \
    # Delete the zip file
    && rm sdmcli* \
    # Clean up APT
    && apt-get autoremove -y \
    && rm -rf /var/lib/apt/lists/*
ADD start.sh /start.sh
ENTRYPOINT ["/start.sh"]
Dockerfile (CentOS 7):

FROM centos:7
RUN useradd sdm -m \
    && yum update -y \
    # Install build and runtime dependencies
    && yum install -y \
        unzip \
        psmisc \
        initscripts \
    # Download SDM binary
    && curl -J -O -L https://app.strongdm.com/releases/cli/linux \
    # Unzip it
    && unzip sdmcli* \
    # Remove no longer needed build dependencies
    && yum erase -y \
        unzip \
    # Remove zip file
    && rm -f sdmcli* \
    # Clean up yum
    && yum clean all
ADD start.sh /start.sh
ENTRYPOINT ["/start.sh"]
start.sh:

#!/bin/bash
# sdm logs in with service token
./sdm login
# updates sdm binary to latest version
./sdm update
# installs sdm as the sdm user
./sdm install --user sdm
# attempts sdm status until successful
until sdm status &> /dev/null; do
    sleep 1
    echo "waiting for SDM to start"
done
/path/to/original/entrypoint
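The wrapper above works, but it has two sharp edges worth smoothing before it runs unattended: the `until` loop never gives up, so a container whose `sdm login` failed can sit forever "waiting for SDM to start", and the final line runs the real entrypoint as a child of the shell rather than replacing it, so container stop signals reach bash instead of the workload. The script below is an added example, not strongDM's start.sh, showing a hardened variant. It assumes the original entrypoint is supplied as the container CMD (so the Dockerfile keeps `ENTRYPOINT ["/start.sh"]` and adds `CMD ["/path/to/original/entrypoint"]`), and the function names `require_token`, `wait_for_status` and `main`, plus the `SDM_START_TIMEOUT` variable, are hypothetical names introduced here.

```shell
#!/bin/bash
# Hardened start.sh wrapper (added example; not strongDM's script).
# Assumptions: the real entrypoint arrives as the container CMD and is
# handed over with `exec "$@"`; SDM_START_TIMEOUT is a hypothetical knob
# bounding how long we wait for `sdm status` to succeed.

set -eu

# Refuse to start without a service token: an unset or empty token would
# otherwise surface later as a less obvious `sdm login` failure.
require_token() {
    if [ -z "${SDM_ADMIN_TOKEN:-}" ]; then
        echo "SDM_ADMIN_TOKEN is not set; refusing to start" >&2
        return 1
    fi
    return 0
}

# Poll a status command (first argument, word-split into command + args)
# until it succeeds or the timeout in seconds (second argument) expires.
# Returns 0 when ready, 1 on timeout, so the container can fail fast
# instead of hanging in an open-ended loop.
wait_for_status() {
    status_cmd="$1"
    timeout="${2:-30}"
    elapsed=0
    until $status_cmd >/dev/null 2>&1; do
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "sdm did not become ready within ${timeout}s" >&2
            return 1
        fi
        sleep 1
        elapsed=$((elapsed + 1))
        echo "waiting for SDM to start (${elapsed}s)"
    done
    return 0
}

# Same sequence as the page's start.sh, with the checks above around it.
main() {
    require_token
    ./sdm login
    ./sdm update
    ./sdm install --user sdm
    wait_for_status "sdm status" "${SDM_START_TIMEOUT:-30}"
    # Replace the shell with the real workload so it receives the
    # container's stop signals directly.
    exec "$@"
}

# Only run the full startup when a command to exec was supplied (the
# container CMD); running with no arguments just defines the functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

With `set -e` in place, a failed `sdm login` or `sdm install` stops the container immediately with a non-zero exit, which an orchestrator can surface and restart, rather than leaving a silently broken container that looks healthy from the outside.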
Build the Docker image
Create a new directory containing the start.sh script and the Dockerfile of your choice.
Make start.sh executable:
$ chmod +x start.sh
Build the image:
$ docker build -t sdmimage .
Check for the image:
$ docker images
REPOSITORY   TAG      IMAGE ID       CREATED       SIZE
sdmimage     latest   defd8aa002ed   6 hours ago   51.6MB
Authenticate the SDM client
When using strongDM in an automated fashion, access is validated and managed using a Service Account.
For the automated service to work effectively, Port Overrides and Auto-Connect should both be enabled. These settings ensure a consistent login procedure for your container during runtime. As these settings will affect your entire organization, please review our documentation and contact your strongDM administrator before making any changes.
The strongDM client looks for the environment variable SDM_ADMIN_TOKEN when authenticating requests. This variable can be added to the environment in a few different ways. If you have followed the instructions above, you can start the image you have just created and pass the variable at runtime with the following command:
$ docker run -d -e SDM_ADMIN_TOKEN=strongDM_token sdmimage
Alternatively, to simplify the runtime command, the service token can be added to either the Dockerfile or the start.sh script. Either option requires building a new Docker image once you have made the change.
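Writing the token into the Dockerfile or start.sh trades a shorter `docker run` line for a token that is stored inside the image: an `ENV` value lands in the image configuration and is readable by anyone who can pull the image (`docker inspect`, `docker history`), and a literal in start.sh is readable by anyone who can read the layer. Passing it at runtime with `-e`, as in the previous command, keeps the token out of the image. The script below is an added example, not strongDM's code, of a pre-build check that refuses to proceed when a literal SDM_ADMIN_TOKEN value appears in the build context; `check_no_baked_token` and `make_sample_context` are hypothetical names, and the sample Dockerfile and start.sh it writes are constructed for the demonstration.

```shell
#!/bin/bash
# Pre-build guard against a service token baked into the image
# (added example; not strongDM's code).
set -eu

# Return 0 if none of the given files assigns SDM_ADMIN_TOKEN a literal
# value, 1 otherwise (offending lines go to stderr). A value that starts
# with "$" is a reference to the runtime environment and is allowed;
# an empty value is allowed; anything else is treated as hard-coded.
check_no_baked_token() {
    found=0
    # ERE: SDM_ADMIN_TOKEN= then an optional quote then a char that is
    # not a quote, not "$" and not end of line.
    pat="SDM_ADMIN_TOKEN=[\"']?[^\"'\$]"
    for f in "$@"; do
        [ -f "$f" ] || continue
        hits=$(grep -nE "$pat" "$f" || true)
        if [ -n "$hits" ]; then
            echo "$f: service token appears to be hard-coded:" >&2
            echo "$hits" >&2
            found=1
        fi
    done
    return $found
}

# Build a constructed sample context in a temp dir and print its path.
# The Dockerfile bakes the token in (the case to catch); the start.sh only
# requires the token to be present at runtime (fine).
make_sample_context() {
    dir=$(mktemp -d)
    printf 'FROM ubuntu:18.04\nENV SDM_ADMIN_TOKEN=constructed-secret-value\nADD start.sh /start.sh\n' \
        > "$dir/Dockerfile"
    printf '#!/bin/bash\n: "${SDM_ADMIN_TOKEN:?SDM_ADMIN_TOKEN must be set}"\n./sdm login\n' \
        > "$dir/start.sh"
    echo "$dir"
}

# Run the check over the constructed context; a real CI job would point it
# at the directory handed to `docker build` and fail the job on non-zero.
ctx=$(make_sample_context)
if check_no_baked_token "$ctx/Dockerfile" "$ctx/start.sh"; then
    echo "no hard-coded token found; safe to build"
else
    echo "refusing to build: token would be stored in the image"
fi
rm -rf "$ctx"
```

Run it from the build context directory before `docker build -t sdmimage .`; the check is deliberately simple (one regex over the files you name) so it can be dropped into any pipeline, and it leaves the runtime `-e SDM_ADMIN_TOKEN=...` path untouched.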
If you have any questions about the steps listed above, or suggestions on how it can be improved, please reach out to email@example.com.