Installing Cloud Discovery & Visibility into a Podman container - Adaptive Applications - BlueCat Gateway - 24.1.1

Cloud Discovery & Visibility Administration Guide

Locale: English
Product name: BlueCat Gateway
Version: 24.1.1

As of v24.1.1, Cloud Discovery & Visibility (CDV) supports installation into a Podman container. Before you begin, you must download the latest custom BlueCat Gateway image that contains the Cloud Discovery & Visibility (CDV) workflow.

Prerequisites:

  • You must have at least 2 CPUs and 8 GB of RAM allocated to the host machine that will be running the BlueCat Gateway instance.

  • You must have Podman installed on the host machine that will be running the BlueCat Gateway instance. For more details, see the Requirements section of the BlueCat Gateway Installation Guide.

  • You must have an Address Manager server configured with the BlueCatGateway UDF and a BlueCat Gateway user. For more details, see the Configuring BlueCat Gateway section of the BlueCat Gateway Installation Guide.

  • You must have purchased the Cloud Discovery & Visibility Adaptive Application from BlueCat.

  • You must have a Quay account that has been granted read access to the Cloud Discovery & Visibility private repository.

    For more information on setting up your Quay account, refer to the information that was provided when you purchased the Cloud Discovery & Visibility Adaptive Application from BlueCat.

  • You must have a Docker CLI password.

    You can create one by clicking Generate Encrypted Password under Docker CLI Password on the Account Settings page in Quay.

Defining the workspace and log directories

When you first install the Cloud Discovery & Visibility Adaptive Application, BlueCat recommends setting up your workspace and logs directory right away:

  • Define a workspace:

    • A workspace is the logical location for workflows and associated data, including configurations, libraries, requirements, permissions, and customizations.

  • Define a logs directory:

    • A logs directory can be a Docker volume (recommended), or a volume on your local machine.

Which permissions you must set depends on where you place the workspace and log directories.

If you are going to mount the data and log volumes from your local machine, you must manually set rwx (read, write, execute) permissions on those directories before running the container.

To set permissions for a workspace and/or log directory stored on an external volume, run the following command:

chmod -R g=rwx <mapped volume>

Important: If you do not map data or log volumes to your local machine during installation, the Cloud Discovery & Visibility Adaptive Application writes that data inside the container by default. If you then stop or restart the container, all of this data is lost.

Tip: You can give the workspace and logs directories any name you like.

Minimum container privileges

The following Linux capabilities are the minimum privileges required for CDV to work:

CHOWN

Can make arbitrary changes to file UIDs and GIDs.

DAC_OVERRIDE

DAC is short for "Discretionary Access Control". Can bypass kernel permission checks on file read, write, and execute operations.

FOWNER

Can bypass permission checks that normally require file system UIDs to match the file UID (except for operations covered by DAC_OVERRIDE and DAC_READ_SEARCH).

SETUID

Can arbitrarily manipulate process UIDs, such as writing a user ID mapping in a namespace.

SETGID

Can arbitrarily manipulate process GIDs, such as writing a group ID mapping in a namespace.

If you want to restrict CDV's privileges to this bare minimum, use the --cap-drop and --cap-add options when you start the container. First remove all capabilities with --cap-drop ALL, then add back only the minimum set with --cap-add:

podman run -d \
...
--cap-drop ALL \
--cap-add CHOWN \
--cap-add DAC_OVERRIDE \
--cap-add FOWNER \
--cap-add SETUID \
--cap-add SETGID \
...
quay.io/bluecat/cloud_discovery_visibility:24.1.1

Installing the CDV Docker image

To install the Cloud Discovery & Visibility image:

  1. From the host machine, run the following command:
    podman login quay.io
  2. At the prompt, enter your Quay user name and password obtained when generating the encrypted password.

  3. Download the Cloud Discovery & Visibility Adaptive Application from Quay, using the following command:

    podman pull quay.io/bluecat/cloud_discovery_visibility:24.1.1
  4. Execute the following steps to ensure that rootless Podman can bind to ports 80 and 443 (by default, only ports 1024 and above are available to unprivileged processes). Note that this sysctl lowers the privileged-port floor for every unprivileged process on the host, not only for Podman:
    1. Add the line net.ipv4.ip_unprivileged_port_start = 80 to the file /etc/sysctl.conf.
    2. Run the command sudo sysctl -p to load the settings in /etc/sysctl.conf.
  5. If you are running the container with the workspace and logs directories on the host machine, set group rwx permissions on both directories:

    chmod -R g=rwx <Path to mapped log directory>
    chmod -R g=rwx <Path to mapped workspace directory>
  6. Start the custom Gateway image using the following command:
    Note: If you are using RHEL, you must add :Z at the end of the file path for any mapped directory.
    podman run -d \
    -p 80:8000 \
    -p 443:44300 \
    -v <Path to mapped log directory>:/logs/:Z \
    -v <Path to mapped workspace directory>:/bluecat_gateway/:Z \
    -e BAM_IP=<Your BAM IP address> \
    --name <Gateway container name> \
    quay.io/bluecat/cloud_discovery_visibility:24.1.1

    If you are using Cloud Discovery & Visibility with custom certificates, do the following:

    1. Create the folder /certificates/server in the <Path to mapped workspace directory> folder:

      mkdir -p <Path to mapped workspace directory>/certificates/server/
    2. Generate your custom SSL certificate files (.crt and .key), if you don't have them already.

    3. Copy your custom SSL certificate files to the <Path to mapped workspace directory>/certificates/server/ folder, renaming them to gateway.crt and gateway.key.

    4. Apply the same permissions that you set earlier to the certificates folder:
      chmod -R g=rwx <Path to mapped workspace directory>/certificates/
    5. Restart the container:
      podman restart <Gateway container name>

    If you are configuring the image with a proxy, start the custom Gateway image using the following command instead:

    podman run -d \
    -p 80:8000 \
    -p 443:44300 \
    -v <Path to mapped log directory>:/logs/:Z \
    -v <Path to mapped workspace directory>:/bluecat_gateway/:Z \
    -e BAM_IP=<Your BAM IP address> \
    --env HTTP_PROXY=<Your proxy address> \
    --env HTTPS_PROXY=<Your proxy address> \
    --name <Gateway container name> \
    quay.io/bluecat/cloud_discovery_visibility:24.1.1
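The procedure above, from the host-side directory permissions and the unprivileged-port sysctl through to the final podman run line, collected into a POSIX shell script. This is an added example, not a script shipped by BlueCat: the function names, the CDV_WORKSPACE, CDV_LOGS, BAM_IP, CDV_NAME, CDV_PROXY and DRY_RUN variables, and the sample values in the comments are assumptions of this example. The image tag, port mappings, mount points, environment variables and the five-capability minimum come from the page. It goes one step beyond the page by folding the --cap-drop ALL / --cap-add list into the same run command as the volume, BAM and optional proxy settings, so the container starts with the minimum capability set from the first run rather than as a separate hardening pass.

```shell
#!/bin/sh
# Added example (not BlueCat's own tooling): prepares the host and builds
# the `podman run` command for the CDV container with minimum capabilities.
# Assumed (not from the page): function names and the CDV_* / DRY_RUN variables.

CDV_IMAGE="quay.io/bluecat/cloud_discovery_visibility:24.1.1"
# Minimum capability set from the page; everything else is dropped.
CDV_CAPS="CHOWN DAC_OVERRIDE FOWNER SETUID SETGID"

# Check the sysctl step: rootless Podman can bind 80/443 only if
# net.ipv4.ip_unprivileged_port_start is 80 or lower. Returns 0 if so.
unprivileged_ports_ok() {
    f=/proc/sys/net/ipv4/ip_unprivileged_port_start
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" -le 80 ]
}

# Create the workspace (including certificates/server) and logs directories
# on the host and give the group rwx, as the page requires for mapped volumes.
prepare_dirs() {
    ws="$1"; logs="$2"
    mkdir -p "$ws/certificates/server" "$logs" || return 1
    chmod -R g=rwx "$ws" "$logs"
}

# Return 0 if every directory given has group rwx (columns 5-7 of `ls -ld`).
dirs_have_group_rwx() {
    for d in "$@"; do
        [ "$(ls -ld "$d" | cut -c5-7)" = "rwx" ] || return 1
    done
}

# Print the `podman run` command: ports, mapped volumes (with :Z), BAM_IP,
# dropped-then-re-added capabilities, optional proxy, name and image.
# Arguments: workspace dir, logs dir, BAM IP, container name, [proxy URL].
# Paths are inserted unquoted for readability, so they must not contain spaces.
cdv_run_cmd() {
    ws="$1"; logs="$2"; bam="$3"; name="$4"; proxy="${5:-}"
    cmd="podman run -d -p 80:8000 -p 443:44300"
    cmd="$cmd -v $logs:/logs/:Z -v $ws:/bluecat_gateway/:Z"
    cmd="$cmd -e BAM_IP=$bam --cap-drop ALL"
    for c in $CDV_CAPS; do
        cmd="$cmd --cap-add $c"
    done
    if [ -n "$proxy" ]; then
        cmd="$cmd --env HTTP_PROXY=$proxy --env HTTPS_PROXY=$proxy"
    fi
    printf '%s\n' "$cmd --name $name $CDV_IMAGE"
}

# Count the --cap-add flags in a generated command (sanity check: must be 5).
count_cap_adds() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -c '^--cap-add$'
}

# Glue: warn if the sysctl is missing, prepare directories, print the command
# and, unless DRY_RUN=1 (the default), execute it.
install_cdv() {
    ws="$1"; logs="$2"; bam="$3"; name="$4"; proxy="${5:-}"
    unprivileged_ports_ok || \
        echo "warning: ip_unprivileged_port_start > 80; rootless Podman cannot bind 80/443" >&2
    prepare_dirs "$ws" "$logs" || return 1
    cmd=$(cdv_run_cmd "$ws" "$logs" "$bam" "$name" "$proxy")
    printf '%s\n' "$cmd"
    [ "${DRY_RUN:-1}" = "1" ] || eval "$cmd"
}

# Runs only when CDV_WORKSPACE is set, e.g.
#   CDV_WORKSPACE=/srv/cdv/ws CDV_LOGS=/srv/cdv/logs BAM_IP=192.0.2.10 \
#   CDV_NAME=cdv DRY_RUN=0 sh install_cdv.sh
if [ -n "${CDV_WORKSPACE:-}" ]; then
    install_cdv "$CDV_WORKSPACE" "$CDV_LOGS" "$BAM_IP" "$CDV_NAME" "${CDV_PROXY:-}"
fi
```

With DRY_RUN left at its default of 1 the script only creates and chmods the directories and prints the command, which is a convenient way to review the exact capability and volume flags before the container is started; the generated line is the same one shown in the page's steps with the --cap-drop/--cap-add block from the previous section merged in.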