Docker installation

Intro

This page will give you guidance on using the MIRACL Trust SSO Docker image. To get the miracl/sso image that is referenced in the following section, please contact MIRACL.

These instructions assume that you already followed the Installation / Quick Start instructions and learned how to successfully configure your SSO with a Service Provider.

Environment Variables

The following environment variables are available when using Docker:

MIRACLSSO_CONFIGPATH - sets the configuration file to start the service with MIRACLSSO_LOGLEVEL - sets the Log level to be one of EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFO or DEBUG MIRACLSSO_DUMP - if set to JSON or YAML, outputs the full configuration, if set to SCHEMA - outputs the JSON schema

Docker quick guide

What follows is a quick step-by-step guide to getting a test Docker container running, which should give you an understanding of the necessary components and what command line options need to be passed in order to run the MIRACL Trust SSO docker image.

By default MIRACL Trust SSO service works with internal session storage and doesn't have any dependencies but if you want to use Redis as an external session storage, you could run it on your host machine by:

sudo apt update && sudo apt install redis-server

sudo service redis-server start

Assuming that you have your config files stored in a local directory such as /home/user/miracl-sso-test/ (as explained in the Installation / Quick Start instructions) you can now run:

docker run --name=sso --network host -v /home/user/miracl-sso-test/:/etc/miracl-sso miracl/sso:latest -c /etc/miracl-sso/config.yaml

As it is running on the host network, the service will be accessible at port 8000, unless you have changed the default port in the config. It will also access the Redis server on port 6379 if setup to be used (see session storage).

So you should now be able to access and test your running service at http://127.0.0.1:8000/services

Running Docker with Consul for config management

The steps below make use of a local config.yaml file to run a Docker container which references a set of config files stored in Consul. The local config.yaml has only one include which points to the Consul config url, while Consul stores config files just as described in the Overview and Installation / Quick Start instructions

Run consul in a docker container:

docker run -d --name=consul -p 8300:8300 -p 8500:8500 --net=host gliderlabs/consul-server -bootstrap -advertise=127.0.0.1

Note that the option –net=host means that it is connected to your host network and so will be accessible to the miracl-sso docker container.

Then visit http://127.0.0.1:8500 and set up the necessary config files in key/value, including config.yaml to list the includes, core.yaml to store the server details, client id and secret; plus server certificates. As well as the relevant Service Provider config in the service_providers sub-folder:

consul

Then run the miracl-sso container, assuming that you have your config file stored in a local directory such as /home/user/miracl-sso-consul/:

docker run --network host -v /home/user/miracl-sso-consul/config.yaml:/etc/config.yaml miracl/sso:latest -c /etc/config.yaml

The –net=host option means that the miracl/sso container will be able to talk to both redis and the consul container running on your host network.

The /home/user/miracl-sso-consul/config.yaml should contain the correct consul url as an include:

includes:
  - http://127.0.0.1:8500/v1/kv/config/miracl-sso/config.yaml?raw

Note that ?raw needs to be specified to access the contents of the file stored on consul

Notes on Docker usage

Setting log level

If the log parameter is included in any of your config files and the network parameter is set to ‘local’, for example:

log:
  level: ERROR
  network: local
  address: 127.0.0.1:514

then the running Docker container will attempt to connect to the local machine's syslog.

You can connect to the local machine's syslog either by setting the above network parameter and following with a command such as:

docker run --name=sso --network host -v /run/systemd/journal/syslog:/dev/log -v /home/user/miracl-sso-dockertest/:/etc/miracl-sso miracl/sso:latest -c /etc/miracl-sso/config.yaml

Or you can use the docker syslog driver. For this you do not need to supply the network parameter as it is managed entirely by docker e.g.:

docker run --name=sso --network host --log-driver=syslog --log-opt syslog-address=unixgram:///run/systemd/journal/syslog -v /home/user/miracl-sso-dockertest/config.yaml:/etc/config.yaml miracl/sso:latest -c /etc/config.yaml

More information on Docker syslog settings can be found at https://docs.docker.com/config/containers/logging/syslog/#options