Guide
TrainingSupportCommunity

Install a Docker-based connector

Suggest Edits

EAA has supported using docker connectors for running HTTPs, RDP, and SSH apps for several releases on Linux, Windows, or MAC operating systems. See the STEP 1: Download the docker connector from EAA and STEP 2A: Use Docker connector for HTTP, RDP, and SSH applications.

From 2022.03.02 release onwards, you can install the new EAA docker connector and use it for running TCP-type or Tunnel-type client-access applications. It is supported on Linux only. Windows and MAC are not supported. See STEP 1: Download the docker connector from EAA and STEP 2B: Use Docker connector for TCP-type and Tunnel-type client-access applications.

If you were using docker connectors for running HTTPs, RDP, and SSH applications , prior to the 2022.03.02 release, you can continue to do so, with no changes. However, if you wish to use your existing docker connector for running TCP-type and Tunnel-type client-access applications, you need to contact Akamai support to upgrade your existing connectors to 2022.03.02 version with additional capabilities.

STEP 1: Download the docker connector from EAA

  1. Download the connector from EAA:

a. Log in to Enterprise Center.
b. In the Enterprise Center navigation menu, select Application Access > Clients & Connectors > Access and Identity Connectors.
c. Click Add New Connector (+).
d. Enter a connector name and an optional description.
e.Select the Package as Docker
f. You can enable Debugging, if you need to debug the connector and need detailed logs.
g. Click Save
Connector appears on the Connector list page.

  1. Select your connector to check the status.

  2. When the download link is available, click Download Template.
    The connector file opens in a new browser window.

  3. Download the connector file and save it in a secure location. The contents of the connector .tgz file is required to set up the connector in the virtual environment.

Note: It may take some time before your connector file is available for download.

STEP 2A: Use Docker connector for HTTP, RDP, and SSH applications

Prerequisite

Installed Docker. Enterprise Application Access (EAA) connectors installed as Docker containers require a Docker-ready OS environment on Windows, MAC, or Linux machine.

Computing capability:

  • CPU. Four virtual cores
  • Memory. 8 GB RAM
  • Storage. 16 GB hard drive disk space (4 GB allocated to swap space and 12 GB of free space).

Network:

  • A private IP address inside the Local Area Network (LAN), either DHCP or static. The connector should run close to internal applications, possibly in the same subnet as the application, and be able to communicate with the

📘

For RDP and SSH, make sure you choose browser-based applications for docker to support.

Installation

  1. Install the connector in a Docker environment.

a. In your Docker environment, open a terminal window.
b. Go to the downloaded Docker container.
c. Unzip the Docker image:

  $ gunzip <Connector_docker_image_filename.tar.gz>

d. Load the image into Docker:

  $ sudo docker load -i <Connector_docker_image_filename.tar>

Note: You can combine 1.c and 1.d to one step using the command:

$ sudo docker load < <Connector_docker_image_filename.tar.gz>

e. Check that the image is loaded properly and find the <docker_image_name>:

  $ sudo docker images

f. Create a docker volume to persist runtime updates:

  $ sudo docker volume create <Volume_Name>

g. Run the Docker image to start the docker container:

  $ sudo docker run --name <Connector_Name> --restart=always --volume <Volume_Name>:/opt/wapp -d <docker_image_name>

h. Confirm that the Docker-based container is running:

  $ sudo docker ps

Note down the CONTAINER ID, IMAGE name.

  1. Return to Enterprise Center and verify that the connector shows the private and public IP addresses assigned to it. The connector status will be, Checked in . Click on the hand icon, and click Approve, to approve the connector. Wait while the EAA service verifies the connector. A success message appears. The connector status changes to Ready and should see Connector is running. If any inline security updates are pending for the connector, perform the upgrades.

  2. Go back to your docker environment.
    a. Access the EAA connector in the running docker container:

 $ sudo docker exec -it <Connector_Name> /bin/sh

b. To prevent abnormal behavior in the event of the agent being restarted, commit the connector to a new image:

$ sudo docker commit <CONTAINER_ID> <NEW_IMAGE_NAME>

c. Replace <NEW_IMAGE_NAME> with the name of your connector.
Docker-based connector now runs as a container on your server, and you can add your applications and secure them with Enterprise Application Access.

STEP 2B: Use Docker connector for TCP-type and Tunnel-type client-access applications

Pre-requisites

  1. Make sure you have installed Docker on the Linux machine.
  2. Run this command to install libnetfilter-queue-dev package on the Linux machine (HOST OS):
 $ sudo apt install libnetfilter-queue-dev
  1. Use modprobe to load the kernel module with nfnetlink_queue and append it to end of /etc/modules file, so that it survives a reboot:
 $ sudo modprobe nfnetlink_queue && sudo echo "nfnetlink_queue" >> /etc/modules
  1. Check that the nfnetlink_queue module is loaded properly: 
 $ lsmod | grep nfnetlink_queue

SAMPLE OUTPUT:

root@bf119885b806:/# lsmod | grep nfnetlink_queue
nfnetlink_queue        24576  0
nfnetlink              16384  3 nfnetlink_queue,nf_conntrack_netlink
root@bf119885b806:/#

Installation

  1. Install the connector in a Docker environment.

a. In your Docker environment, open a terminal window.
b. Go to the downloaded Docker container.
c. Unzip the Docker image:

  $ gunzip <Connector_docker_image_filename.tar.gz>

d. Load the image into Docker:

  $ sudo docker load -i <Connector_docker_image_filename.tar>

Note: You can combine 1.c and 1.d to one step using the command:

$ sudo docker load < <Connector_docker_image_filename.tar.gz>

e. Check that the image is loaded properly and find the <docker_image_name>:

  $ sudo docker images

SAMPLE OUTPUT:

root@localhost:~/new-alpha265# docker images
REPOSITORY       TAG       IMAGE ID       CREATED          SIZE
akamai_connector latest    0e118c7c287f   33 minutes ago   3.64GB

Note down the IMAGE ID.
f. Create a docker volume to persist runtime updates:

  $ sudo docker volume create <Volume_Name>

g. Run the Docker image to start the docker container with the Client capabilities, since after restarting docker host VM, client capabilities are not present.

$ sudo docker run --cap-add=NET_RAW --cap-add=NET_ADMIN --name <Connector_Name> --volume <Volume_Name>:/opt/wapp -v /lib/modules:/lib/modules -d <IMAGE_ID>

h. Confirm that the docker container is running:

$ sudo docker ps

Note down the CONTAINER ID, NAME of the IMAGE.

  1. Return to Enterprise Center and verify that the connector shows the private and public IP addresses assigned to it. The connector status will be, Checked in . Click on the hand icon, and click Approve, to approve the connector. Wait while the EAA service verifies the connector. A success message appears. The connector status changes to Ready and should see Connector is running. If any inline security updates are pending for the connector, perform the upgrades.

  2. Go back to your docker environment. Access the EAA connector in the running docker container and perform minimum validations.

 $ sudo docker exec -it <Connector_Name> /bin/sh

Also, validate the following:

I. Check the connector version, you should see Version: AGENT-22.03.02-265

$ cat /opt/wapp/conf/version

Version: AGENT-22.03.02-265

II. Check the log file for any NGINX errors using the tail command on the error.log file in /var/log/wapp/nginx

tail -f /var/log/wapp/nginx/error.log

III. Check the master process and worker process for nginx are running properly.

$ ps -aux | grep nginx

Sample output:

root@d300cee58fb0:/# ps -aux | grep nginx
root          47  0.0  0.5 188048 47268 ?        S    11:03   0:00 nginx: supervisor
root         122  0.0  0.0 777540  5896 ?        Sl   11:03   0:00 /opt/wapp/nginx/reporter/bin/reporter 127.0.0.1 8099
root         185  0.3  0.2 188048 24008 ?        S    11:03   0:00 nginx: nfqpoolmgr
root        1821  0.0  0.3 203028 28024 ?        S    11:03   0:00 nginx: master process /opt/wapp/nginx/sbin/nginx -g daemon off;
nobody      1827  0.0  0.6 254112 53904 ?        S    11:03   0:00 nginx: worker process is shutting down
root        4675  0.0  0.4 179556 36876 ?        S    11:05   0:00 nginx: master process /opt/wapp/nginx/sbin/nginx -g daemon off;
nobody      4676  0.0  0.6 222064 54044 ?        S    11:05   0:00 nginx: worker process
nobody      4677  0.0  0.6 222064 54044 ?        S    11:05   0:00 nginx: worker process
nobody      4678  0.0  0.6 222064 53948 ?        S    11:05   0:00 nginx: worker process
nobody      4679  0.0  0.6 222064 54044 ?        S    11:05   0:00 nginx: worker process
root        4737  0.0  0.0  11464  1008 pts/0    R+   11:06   0:00 grep --color=auto nginx

IV. After you configure a TCP-type or Tunnel-type Client-access application, you must see active dialouts:

$ /opt/wapp/nginx/cli/nginx-cli dialout get connections

V. Check that the docker connector has the client capabilities cap_net, cap_net_raw:

$ capsh --print

Sample output:

root@74c98dc9a0b4:/# capsh --print
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root)
root@74c98dc9a0b4:/#
  1. To prevent abnormal behavior in the event of the agent being restarted, commit the connector to a new image:
$ sudo docker commit <CONTAINER_ID> <NEW_IMAGE_NAME>
  1. Replace <NEW_IMAGE_NAME> with the name of your connector.

Docker-based connector now runs as a container on your Linux server, and you can add your TCP-type or Tunnel-type applications and secure them with Enterprise Application Access. When you associate the docker connector to Client-access (TCP-type or Tunnel-type) applications, you should see (docker connector associated with client-access apps) for the connector on the Connector list page.

Limitations

The docker connector is running with client capabilities. When you reboot the host machine containing the docker connector, the loaded kernel module is lost. As a work-around, you should load the kernel module with the command, sudo modprobe nfnetlink_queue, and restart the docker connector.

Updated about 1 year ago