Creating a Docker Gateway

  1. Generate a gateway token. Log into the Admin UI and select Gateways on the left navigation bar. Click on the add gateway button in the upper right, and a box will pop up. You can rename the gateway here, or do it later. Advertised host should be the IP address or host that the gateway will be listening on. Select a TCP port (default 5000) for the service to listen on. Bind IP should be unless you only want the gateway to listen on one specific interface. Finally, the second port field should match the first unless you need to map the Docker ports differently in step five below.

    Click on create and the gateway token will appear onscreen.

    New Gateway

    Copy the gateway token and put it aside, being careful to capture every character. You will need it again below.

    Note: See sdm relay create-gateway if you want to generate a token via the CLI.

  2. If you have not already done so, install Docker.

  3. Please note that the gateway MUST be installed on an ‘always up’ machine, as it will form the connection to strongDM for all users accessing the database. You may repurpose a pre-existing machine (e.g. a bastion host) or, in AWS parlance, use any general purpose instance with at least 2 CPUs and 4 GB of memory (e.g. an M3 or M4 is a solid choice).

  4. Execute the docker command

    $ docker pull

  5. To activate your relay, type the following Docker command replacing XXX with the actual token you created:

    $ docker run --restart=always [--net=host] --name sdm-relay -e SDM_RELAY_TOKEN=XXX -p 5000:5000 -d

    Note: The --net=host option is only necessary if the destination database is known as “localhost” (that is, sdm-relay runs colocated with the DB); otherwise the Docker default will work fine. If the destination database is already in a container, we can provide a separate pattern for configuring Docker container linking.

  6. Log in to the Admin UI. In the Gateways section, the gateway you created should appear Online, with a heartbeat.

    "Relay status in Admin UI"

    If any errors occur or if the gateway does not report “online” status, please contact for assistance.
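
An added example for steps 5 and 6 (not strongDM's own tooling): it passes the token through a mode-0600 env file with Docker's --env-file instead of -e on the command line, then checks the container state before you look for the heartbeat in the Admin UI. The `<gateway-image>` placeholder, the env-file path and the function names are assumptions; the page does not name the image.

```shell
# Added example, not strongDM tooling. IMAGE is a placeholder: the page omits the image name.
IMAGE="<gateway-image>"
NAME="sdm-relay"   # container name used in step 5

# Write the token to a 0600 env file so it stays out of shell history and the
# docker client's argument list. Anyone who can run `docker inspect` can still read it.
# Rejects an empty token or one containing whitespace (typical copy/paste damage).
write_token_file() {   # usage: write_token_file <path> <token>
    case "$2" in
        ""|*[[:space:]]*) echo "token is empty or contains whitespace" >&2; return 1 ;;
    esac
    ( umask 077 && printf 'SDM_RELAY_TOKEN=%s\n' "$2" > "$1" ) && chmod 600 "$1"
}

# Build the step 5 `docker run` arguments with --env-file in place of -e.
relay_run_args() {     # usage: relay_run_args <env-file> <port>
    printf '%s' "run --restart=always --name $NAME --env-file $1 -p $2:$2 -d $IMAGE"
}

# Judge "<status> <restart-policy>" as printed by:
#   docker inspect --format '{{.State.Status}} {{.HostConfig.RestartPolicy.Name}}' sdm-relay
relay_state_ok() {
    [ "$1" = "running always" ]
}

# Live run only on request, so the functions above can be checked without Docker.
if [ "${1:-}" = "--live" ]; then
    printf 'Gateway token: ' >&2; IFS= read -r token
    write_token_file ./sdm-relay.env "$token" || exit 1
    docker $(relay_run_args ./sdm-relay.env 5000) || exit 1
    sleep 5
    state=$(docker inspect --format '{{.State.Status}} {{.HostConfig.RestartPolicy.Name}}' "$NAME")
    relay_state_ok "$state" || { echo "gateway container not healthy: $state" >&2; exit 1; }
fi
```

A container that reports `running always` here can still show offline in the Admin UI if the advertised host or port from step 1 is unreachable, so the heartbeat check in step 6 remains the final confirmation.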