Before you begin, you must download the latest custom BlueCat Gateway image that contains the Cloud Discovery & Visibility (CDV) workflow.
Prerequisites:
You must have at least 2 CPUs and 8GB of RAM allocated to the host machine that will be running the BlueCat Gateway instance.
You must have Docker installed on the host machine that will be running the BlueCat Gateway instance. For more information, refer to the 'Requirements' section of the BlueCat Gateway Installation Guide.
You must have an Address Manager server configured with the BlueCatGateway UDF and a BlueCat Gateway user. For more information, refer to the 'Configuring BlueCat Gateway' section of the BlueCat Gateway Installation Guide.
You must have purchased the Cloud Discovery & Visibility Adaptive Application from BlueCat.
You must have a Quay account that has been granted read access to the Cloud Discovery & Visibility private repository.
For more information on setting up your Quay account, refer to the information that was provided when you purchased the Cloud Discovery & Visibility Adaptive Application from BlueCat.
You must have a Docker CLI password.
You can create one by clicking Generate Encrypted Password under Docker CLI Password on the Account Settings page in Quay.
Defining the workspace and log directories
When you first install the Cloud Discovery & Visibility Adaptive Application, BlueCat recommends setting up your workspace and logs directory right away:
Define a workspace:
A workspace is the logical location for workflows and associated data, including configurations, libraries, requirements, permissions, and customizations. A workspace can be a Docker volume (recommended), or a volume on your local machine. For more details, see the Workspace section in the BlueCat Gateway Administration Guide.
Define a logs directory:
A logs directory can be a Docker volume (recommended), or a volume on your local machine.
Why map to Docker volumes? Volumes are completely managed by Docker, so you typically do not need to set permissions manually when using Docker volumes. This is also the recommended practice for Docker containers.
If you prefer to mount data and log volumes to your local machine, you must manually set the appropriate permissions to those directories before running the container. Refer to the steps in Installing the CDV Docker image for details.
If you do not map data or log volumes to your local machine during installation, the Cloud Discovery & Visibility Adaptive Application will write all the data to the container by default. If you then stop or restart the container, all this data will be lost.
You can give the workspace and the logs directory any names you like.
The Cloud Discovery & Visibility Adaptive Application saves configuration and workflow data to the workspace, and all execution and session logs to the mapped logs directory. If you do not map a workspace or a logs directory, all the configuration and logging data is written to the container by default.
Minimum Docker permissions
The following are the minimum Docker privileges required for CDV to work:
CHOWN: Can make arbitrary changes to file UIDs and GIDs.
DAC_OVERRIDE: DAC is short for "Discretionary Access Control". Can bypass kernel permission checks on file read, write, and execute operations.
FOWNER: Can bypass permission checks that normally require file system UIDs to match the file UID (except for operations covered by DAC_OVERRIDE and DAC_READ_SEARCH).
SETUID: Can arbitrarily manipulate process GIDs, such as writing a group ID mapping in a namespace.
SETGID: Can arbitrarily manipulate process UIDs, such as writing a user ID mapping in a namespace.
If you want to restrict CDV's privileges to the bare minimum, use the cap-drop and cap-add options when installing the image. First remove all privileges with cap-drop, then add only the minimum privileges with cap-add:
docker run -d \
...
--cap-drop ALL \
--cap-add CHOWN \
--cap-add DAC_OVERRIDE \
--cap-add FOWNER \
--cap-add SETUID \
--cap-add SETGID \
...
quay.io/bluecat/cloud_discovery_visibility:24.1.1
Installing the CDV Docker image
To install the Cloud Discovery & Visibility image:
From the host machine, run the following command:
docker login quay.io
At the prompt, enter your Quay user name and password obtained when generating the encrypted password.
Download the Cloud Discovery & Visibility Adaptive Application from Quay using the following command:
docker pull quay.io/bluecat/cloud_discovery_visibility:24.1.1
Set the ownership of the logs directory and the workspace directory to either the user or the group under which CDV runs.
- Setting ownership of the folders to the user: By default, CDV runs under the flask user with UID 9000. Enable the following permissions for this user:
chown -R 9000 <Path to mapped log directory>
chmod -R u=rwx <Path to mapped log directory>
chown -R 9000 <Path to mapped workspace directory>
chmod -R u=rwx <Path to mapped workspace directory>
- Setting ownership of the folders to the group: By default, CDV runs under the root group (with GID 0). Enable the following permissions for this group:
chgrp -R 0 <Path to mapped log directory>
chmod -R g=rwx <Path to mapped log directory>
chgrp -R 0 <Path to mapped workspace directory>
chmod -R g=rwx <Path to mapped workspace directory>
Start the custom Gateway image using the following command:
docker run -d \
-p 80:8000 \
-p 443:44300 \
-v <Path to mapped log directory>:/logs/ \
-v <Path to mapped workspace directory>:/bluecat_gateway/ \
-e BAM_IP=<Your BAM IP address> \
--name <Gateway container name> \
quay.io/bluecat/cloud_discovery_visibility:24.1.1
If you are using Cloud Discovery & Visibility with custom certificates, do the following:
- Create the folder /certificates/server in the <Path to mapped workspace directory> folder:
mkdir -p <Path to mapped workspace directory>/certificates/server/
- Generate your custom SSL certificate files (.crt and .key).
- Copy your custom SSL certificate files to the <Path to mapped workspace directory>/certificates/server/ folder, renaming them to gateway.crt and gateway.key.
- Apply the same permissions that you set earlier to the certificates folder. To do so, depending on whether you set the ownership based on the user or the group under which CDV runs, do one of the following:
If you set ownership of the <Path to mapped workspace directory> folder to the user: By default, CDV runs under the flask user with UID 9000. Enable the following permissions for this user:
chown -R 9000 <Path to mapped workspace directory>/certificates/
chmod -R u=rwx <Path to mapped workspace directory>/certificates/
If you set ownership of the <Path to mapped workspace directory> folder to the group: By default, CDV runs under the root group (with GID 0). Enable the following permissions for this group:
chgrp -R 0 <Path to mapped workspace directory>/certificates/
chmod -R g=rwx <Path to mapped workspace directory>/certificates/
- Restart the Docker container.
If you are configuring the image with a proxy: When using a proxy, start the custom Gateway image using the following Docker command instead:
docker run -d \
-p 80:8000 \
-p 443:44300 \
-v <Path to mapped log directory>:/logs/ \
-v <Path to mapped workspace directory>:/bluecat_gateway/ \
-e BAM_IP=<Your BAM IP address> \
--env HTTP_PROXY=<Your proxy address> \
--env HTTPS_PROXY=<Your proxy address> \
--name <Gateway container name> \
quay.io/bluecat/cloud_discovery_visibility:24.1.1
Attention: When using a proxy, you must use registered certificates (instead of internally-created certificates). Your proxy configuration must allow access to the following sites as applicable:
- AWS: .amazonaws.com
- GCP: .googleapis.com, www.gstatic.com
- Azure: .microsoftonline.com, .azure.com, .microsoft.com, .servicebus.windows.net
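As an added example (not BlueCat's code), the following POSIX shell functions tie together the ownership steps, the minimum-capability section and the docker run commands above: one checks that a mapped directory is usable by CDV through either the flask user (UID 9000) or the root group (GID 0) before the container is started, the other assembles the docker run line with all capabilities dropped and only the five listed ones re-added, attaching the proxy variables only when a proxy address is supplied. The paths, BAM address, container name and proxy address are illustrative placeholders, and the check assumes a Linux host with GNU coreutils stat.

```shell
#!/usr/bin/env sh
# Added example, not part of the BlueCat documentation or product.
# Assumes a Linux host (GNU `stat`); defaults are the page's flask UID 9000
# and root GID 0.

CDV_IMAGE="quay.io/bluecat/cloud_discovery_visibility:24.1.1"

# Return 0 if $1 is readable, writable and traversable for CDV, either via
# its owner (UID $2, default 9000) or via its group (GID $3, default 0).
cdv_dir_ready() {
  dir=$1; uid=${2:-9000}; gid=${3:-0}
  [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
  set -- $(stat -c '%u %g %A' "$dir")      # owner-uid group-gid mode-string
  owner=$1; group=$2; mode=$3
  ubits=$(printf '%s' "$mode" | cut -c2-4)  # "rwx" from e.g. drwxr-x---
  gbits=$(printf '%s' "$mode" | cut -c5-7)
  if [ "$owner" = "$uid" ] && [ "$ubits" = "rwx" ]; then return 0; fi
  if [ "$group" = "$gid" ] && [ "$gbits" = "rwx" ]; then return 0; fi
  echo "not ready: $dir (uid=$owner gid=$group mode=$mode)" >&2
  return 1
}

# Print the docker run command: every capability dropped, only the five the
# page lists re-added, proxy variables only when $5 (proxy address) is set.
cdv_run_cmd() {
  logs=$1; ws=$2; bam=$3; name=$4; proxy=${5:-}
  cmd="docker run -d -p 80:8000 -p 443:44300"
  cmd="$cmd -v $logs:/logs/ -v $ws:/bluecat_gateway/ -e BAM_IP=$bam"
  cmd="$cmd --cap-drop ALL"
  for c in CHOWN DAC_OVERRIDE FOWNER SETUID SETGID; do
    cmd="$cmd --cap-add $c"
  done
  [ -n "$proxy" ] && cmd="$cmd --env HTTP_PROXY=$proxy --env HTTPS_PROXY=$proxy"
  printf '%s\n' "$cmd --name $name $CDV_IMAGE"
}

# Usage with placeholder values: check both mapped directories, then print
# the command to run (no container is started here).
if [ "${1:-}" = "--demo" ]; then
  cdv_dir_ready /srv/cdv/logs && cdv_dir_ready /srv/cdv/workspace \
    && cdv_run_cmd /srv/cdv/logs /srv/cdv/workspace 10.0.0.5 cdv-gateway
fi
```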