
Add strongDM to Docker Containers

Using strongDM to control access for your container deployments gives you the same peace of mind as the local strongDM client: strongDM can run inside fully automated workflows, ETL jobs, and more. This document describes adding the strongDM client to an existing Docker container. For a pre-built container solution, see Deploying the strongDM Client Docker Container.

Dockerfile strongDM Layer

To help you get started, the examples below demonstrate how to add strongDM as a single layer to a Dockerfile. Each example has been tested and is recommended by strongDM. If you need help determining the dependencies for your particular stack, please reach out to support@strongdm.com for assistance.

Ubuntu

FROM ubuntu:18.04
RUN useradd sdm -m \
    && apt-get update \
    # Install build and runtime dependencies
    && apt-get install --no-install-recommends -y \
        curl \
        unzip \
        psmisc \
        ca-certificates \
    # Download the SDM client archive
    && curl -J -O -L https://app.strongdm.com/releases/cli/linux \
    # Unzip it (extracts the sdm binary into the working directory)
    && unzip sdmcli* \
    # Remove build dependencies that are no longer needed
    && apt-get remove -y \
        curl \
        unzip \
        ca-certificates \
    # Delete the zip file
    && rm sdmcli* \
    # Clean up APT
    && apt-get autoremove -y \
    && rm -rf /var/lib/apt/lists/*
# Copy in the entrypoint script shown below
COPY start.sh /start.sh
ENTRYPOINT ["/start.sh"]

CentOS

FROM centos:7
RUN useradd sdm -m \
    && yum update -y \
    # Install build and runtime dependencies (curl is already in the base image)
    && yum install -y \
        unzip \
        psmisc \
        initscripts \
    # Download the SDM client archive
    && curl -J -O -L https://app.strongdm.com/releases/cli/linux \
    # Unzip it (extracts the sdm binary into the working directory)
    && unzip sdmcli* \
    # Remove build dependencies that are no longer needed
    && yum erase -y \
        unzip \
    # Remove the zip file
    && rm -f sdmcli* \
    # Clean up yum
    && yum clean all
# Copy in the entrypoint script shown below
COPY start.sh /start.sh
ENTRYPOINT ["/start.sh"]

Entrypoint script

#!/bin/bash
# Exit on the first failure so a broken login or install surfaces as a
# container exit instead of an endless wait in the loop below.
set -e
# Log in with the service token read from SDM_ADMIN_TOKEN
./sdm login
# Update the sdm binary to the latest version
./sdm update
# Install sdm as the sdm user
./sdm install --user sdm
# Retry sdm status (the client installed by the previous step) until it succeeds
until sdm status &> /dev/null; do
    sleep 1
    echo "waiting for SDM to start"
done
# Hand over to the original entrypoint as PID 1, forwarding any container arguments
exec /path/to/original/entrypoint "$@"
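As an added example (this is not strongDM's own start.sh), the following POSIX-shell variant of the entrypoint above refuses to start when no token was injected, bounds the wait on sdm status with a timeout so a broken client shows up as a container exit rather than an endless "waiting" log, and execs the application so it receives container stop signals. SDM_CMD, SDM_START_TIMEOUT and APP_ENTRYPOINT are names assumed here for illustration; the sdm subcommands are the ones used on this page.

```shell
#!/bin/sh
# Added example, not strongDM's own start.sh: the same login/update/install/
# wait sequence, hardened so the container fails fast instead of hanging.
# Assumptions (names chosen here, not from the strongDM docs): SDM_CMD is the
# path to the downloaded binary, SDM_START_TIMEOUT bounds the wait in seconds,
# and APP_ENTRYPOINT is the application the container should actually run.
set -eu

SDM_CMD="${SDM_CMD:-./sdm}"
SDM_START_TIMEOUT="${SDM_START_TIMEOUT:-60}"

# Fail if no service token was injected; the value itself is never echoed.
require_token() {
  if [ -z "${SDM_ADMIN_TOKEN:-}" ]; then
    echo "SDM_ADMIN_TOKEN is not set; refusing to start" >&2
    return 1
  fi
  return 0
}

# Run "$@" once per second until it succeeds or $1 seconds have passed.
# Returns 0 on success and 1 on timeout.
wait_for() {
  timeout="$1"
  shift
  waited=0
  until "$@" >/dev/null 2>&1; do
    if [ "$waited" -ge "$timeout" ]; then
      echo "timed out after ${timeout}s waiting for: $*" >&2
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
    echo "waiting for SDM to start (${waited}s)"
  done
  return 0
}

main() {
  require_token
  "$SDM_CMD" login                # authenticates with SDM_ADMIN_TOKEN
  "$SDM_CMD" update               # fetches the current client build
  "$SDM_CMD" install --user sdm   # installs and starts the client as user sdm
  wait_for "$SDM_START_TIMEOUT" sdm status   # sdm as installed by the step above
  # exec makes the application PID 1 so it receives container stop signals;
  # "$@" forwards any arguments given to docker run.
  exec "${APP_ENTRYPOINT:-/path/to/original/entrypoint}" "$@"
}

# Run main only when invoked as the container entrypoint (/start.sh);
# sourcing the file elsewhere just defines the functions.
case "$0" in
  */start.sh|start.sh) main "$@" ;;
esac
```

Because the wait is bounded, a container whose client never comes up exits non-zero and your orchestrator's restart policy takes over; with the unbounded loop it would sit in a "waiting" state indefinitely.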

Build the Docker image

  1. Create a new directory containing the start.sh script and the Dockerfile of your choice.

  2. Make start.sh executable: $ chmod +x start.sh

  3. Build the image: $ docker build -t sdmimage .

  4. Check for the image:

    $ docker images
    REPOSITORY   TAG      IMAGE ID       CREATED       SIZE
    sdmimage     latest   defd8aa002ed   6 hours ago   51.6MB

Authenticate the SDM client

When strongDM is used in an automated fashion, access is validated and managed with a Service Account.

For the automated service to work effectively, Port Overrides and Auto-Connect should both be enabled; these settings ensure a consistent login procedure for the container at runtime. Because they affect your entire organization, review our documentation and contact your strongDM administrator before changing them.

The strongDM client reads the service token from the environment variable SDM_ADMIN_TOKEN when authenticating. The variable can be supplied in a few different ways. If you followed the instructions above, you can start the image you just built and pass the variable at runtime with the -e flag. Note that a value typed on the command line is recorded in your shell history; writing -e SDM_ADMIN_TOKEN with no value makes Docker copy the variable from the host environment, and --env-file reads it from a file instead.

$ docker run -d -e SDM_ADMIN_TOKEN=strongDM_token sdmimage

Alternatively, to simplify the runtime command, the service token can be added to the Dockerfile or to the start.sh script. Either option requires building a new Docker image after the change. Be aware that a token added this way becomes part of the image: an ENV value is visible to anyone who can pull the image through docker history and docker inspect, and a token written into start.sh can be read out of the image layers. Prefer injecting the token at runtime for anything beyond local testing.

Dockerfile

ENV SDM_ADMIN_TOKEN=strongDM_token

Start script

export SDM_ADMIN_TOKEN=strongDM_token
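As an added example that is not part of the strongDM documentation, the shell helper below scans a Dockerfile and start.sh for a literal SDM_ADMIN_TOKEN before you build, and starts the container with the token copied from the host environment rather than typed on the command line. The function names, the sample file names and the script name in the guard at the end are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the strongDM docs: a pre-build check that stops
# you from baking the service token into the image, and a run helper that
# takes the token from the host environment instead of the command line.
# Function names and file names are assumptions chosen for illustration.
set -eu

# Matches "ENV SDM_ADMIN_TOKEN=...", "ARG SDM_ADMIN_TOKEN=...",
# "export SDM_ADMIN_TOKEN=..." and bare "SDM_ADMIN_TOKEN=..." when the value
# is a literal. An empty value or a reference such as "$TOKEN" does not match.
baked_token_pattern="^[[:space:]]*((ENV|ARG|export)[[:space:]]+)?SDM_ADMIN_TOKEN[=[:space:]][[:space:]]*[\"']?[^\$\"'[:space:]]"

# Print each offending line of the given files; return 1 if any were found.
# Missing files are skipped so the check can be run on either Dockerfile.
find_baked_token() {
  found=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    if grep -nE "$baked_token_pattern" "$f"; then
      echo "$f: the literal SDM_ADMIN_TOKEN above would be stored in the image layers" >&2
      found=1
    fi
  done
  return "$found"
}

# Start the image with the token copied from the caller's environment.
# "-e SDM_ADMIN_TOKEN" with no value tells docker to read it from the host,
# so the secret never appears in shell history or in ps output.
run_sdm_container() {
  image="$1"
  shift
  if [ -z "${SDM_ADMIN_TOKEN:-}" ]; then
    echo "SDM_ADMIN_TOKEN is not set in the host environment" >&2
    return 1
  fi
  docker run -d -e SDM_ADMIN_TOKEN "$image" "$@"
}

# Typical use from the build directory: refuse to build if a literal token
# was committed, otherwise build the image and start the container.
main() {
  find_baked_token Dockerfile start.sh
  docker build -t sdmimage .
  run_sdm_container sdmimage
}

# Hypothetical script name; sourcing the file elsewhere only defines the functions.
case "$0" in
  */sdm-build-and-run.sh) main "$@" ;;
esac
```

The pattern deliberately accepts an export that references another variable (for example a value fetched from a secrets manager at container start) and rejects only literals, which is the case that ends up in docker history. For an image that has already been built, docker history --no-trunc sdmimage shows the same ENV lines the check would have flagged.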


If you have any questions about the steps listed above, or suggestions on how it can be improved, please reach out to support@strongdm.com.
