Install connector for Podman
Podman is an open source platform for managing containers, pods, and images. It is fast and lightweight because it is daemonless, and it is more secure because it lets you create rootless containers. It is also compatible with other OCI (Open Container Initiative) formats like Docker, making it easy to install the EAA Podman-based connector on Linux.
EAA Connector is supported on Podman versions of RHEL 8, RHEL 9 and CentOS 8, 9. The same commands can be used on both RHEL and CentOS platforms.
To use the Podman-based connector to run HTTPS, RDP, and SSH apps, see STEP 1: Download the Podman connector from EAA and STEP 2A: Use Podman connector for HTTP, RDP, and SSH applications.
To use the Podman-based connector to run all applications, see STEP 1: Download the Podman connector from EAA and STEP 2B: Use Podman connector for all applications (including TCP-type and Tunnel-type client-access applications).
STEP 1: Download the Podman connector from EAA
- Download the connector from EAA:
a. Log in to Enterprise Center.
b. In the Enterprise Center navigation menu, select Application Access > Clients & Connectors > Access and Identity Connectors.
c. Click Add New Connector (+).
d. Enter a connector name and an optional description.
e. Select the Package as Docker.
f. You can enable Debugging if you need to debug the connector and need detailed logs.
g. Click Save.
The connector appears on the Connector list page.
- Select your connector to check the status.
- When the download link is available, click Download Template.
The connector file opens in a new browser window.
- Download the connector file and save it in a secure location. The contents of the connector .tgz file are required to set up the connector in the virtual environment.
Note: It may take some time before your connector file is available for download. Although it's a Docker connector, it can be used for Podman as well.
STEP 2A: Use Podman connector for HTTP, RDP, and SSH applications only
Prerequisite:
Podman installed on Linux distributions RHEL 8 or 9 versions, CentOS 8 or 9 versions.
Note: For RDP and SSH applications, make sure you choose browser-based applications for Podman to support.
- Install the connector in a Podman environment.
a. In your Podman environment, open a terminal window.
b. Go to the downloaded location of the connector for Podman.
c. Unzip the connector image:
$ gunzip <Connector_podman_image_filename.tar.gz>
d. Load the image into Podman:
$ sudo podman load -i <Connector_podman_image_filename.tar>
Note: You can combine 1.c and 1.d into one step using the command:
$ sudo podman load < <Connector_podman_image_filename.tar.gz>
e. Check that the image is loaded properly and find the <podman_image_name>:
$ sudo podman images
f. Create a podman volume to persist runtime updates:
$ sudo podman volume create <Volume_Name>
g. Run the podman image to start the podman container:
$ sudo podman run --name <Connector_Name> -d --volume <Volume_Name>:/opt/ <IMAGE_ID>
h. Confirm that the podman container is running:
$ sudo podman ps
Note down the CONTAINER ID and IMAGE name.
- Return to the Enterprise Center and verify that the connector shows the private and public IP addresses assigned to it. The connector status will be Checked in. Click the hand icon, and then click Approve to approve the connector. Wait while the EAA service verifies the connector. A success message appears. The Podman-based connector runs as a container. If any inline security updates are pending for the connector, perform the upgrades.
- Go back to your Podman environment.
Access the EAA connector in the running Podman container:
$ sudo podman exec -it <Connector_Name> /bin/sh
To prevent abnormal behavior in the event of the agent being restarted, commit the connector to a new image:
$ sudo podman commit <CONTAINER_ID> <NEW_IMAGE_NAME>
Replace <NEW_IMAGE_NAME> with the name of your connector.
The Podman-based connector now runs as a container on your server, and you can add your applications and secure them with Enterprise Application Access.
STEP 2B: Use Podman connector for all applications (including TCP-type and Tunnel-type client-access applications)
Prerequisites:
- Podman installed on Linux distributions RHEL 8 or 9 versions, CentOS 8 or 9 versions.
- Use modprobe to load these kernel modules:
$ sudo modprobe nfnetlink_queue
$ sudo modprobe xt_NFQUEUE
Run these commands to check that the modules are present:
$ lsmod | grep nfnetlink_queue
$ lsmod | grep xt_NFQUEUE
Installation:
- Install the connector in a Podman environment.
a. In your Podman environment, open a terminal window.
b. Go to the downloaded location of the connector for Podman.
c. Unzip the connector image:
$ gunzip <Connector_podman_image_filename.tar.gz>
d. Load the image into Podman:
$ sudo podman load -i <Connector_podman_image_filename.tar>
Note: You can combine 1.c and 1.d into one step using the command:
$ sudo podman load < <Connector_podman_image_filename.tar.gz>
e. Check that the image is loaded properly and find the <podman_image_name>:
$ sudo podman images
f. Create a podman volume to persist runtime updates:
$ sudo podman volume create <Volume_Name>
g. Load the kernel modules nfnetlink_queue and xt_NFQUEUE in the host and also add them to /etc/modules to make them persistent after a host reboot (the commands below record them in /etc/modules-load.d/eaa-connector-modules.conf):
$ sudo modprobe nfnetlink_queue && echo "nfnetlink_queue" | sudo tee -a /etc/modules-load.d/eaa-connector-modules.conf
$ sudo modprobe xt_NFQUEUE && echo "xt_NFQUEUE" | sudo tee -a /etc/modules-load.d/eaa-connector-modules.conf
h. Run the podman image to start the podman container with the Client capabilities, since client capabilities are not present after the host VM restarts.
$ sudo podman run -e CAP_NET_ENABLED=1 \
    --security-opt unmask=ALL --security-opt seccomp=unconfined --security-opt label:disable \
    --cap-add=NET_RAW --cap-add=NET_ADMIN --cap-add=CAP_AUDIT_WRITE \
    --name <Connector_Name> --volume <Volume_Name>:/opt/ -v /lib/modules:/lib/modules \
    -d <IMAGE_ID>
i. Confirm that the podman container is running:
$ sudo podman ps
Note down the CONTAINER ID and the NAME of the IMAGE.
- Return to the Enterprise Center and verify that the connector shows the private and public IP addresses assigned to it. The connector status will be Checked in. Click the hand icon, and then click Approve to approve the connector. Wait while the EAA service verifies the connector. A success message appears. The Podman-based connector runs as a container. If any inline security updates are pending for the connector, perform the upgrades.
- Go back to the Podman environment. Access the EAA connector in the running Podman container and perform minimum validations.
$ sudo podman exec -it <Connector_Name> /bin/sh
Also, validate the following:
I. Check the connector version. You should see Version: AGENT-24.01.00-329:
$ cat /opt/wapp/conf/version
Version: AGENT-24.01.00-329
II. Check the log file for any NGINX errors using the tail command on the error.log file in /var/log/wapp/nginx:
$ tail -f /var/log/wapp/nginx/error.log
III. Check that the nginx master process and worker processes are running properly:
$ ps -aux | grep nginx
Sample output:
root@d300cee58fb0:/# ps -aux | grep nginx
root 47 0.0 0.5 188048 47268 ? S 11:03 0:00 nginx: supervisor
root 122 0.0 0.0 777540 5896 ? Sl 11:03 0:00 /opt/wapp/nginx/reporter/bin/reporter 127.0.0.1 8099
root 185 0.3 0.2 188048 24008 ? S 11:03 0:00 nginx: nfqpoolmgr
root 1821 0.0 0.3 203028 28024 ? S 11:03 0:00 nginx: master process /opt/wapp/nginx/sbin/nginx -g daemon off;
nobody 1827 0.0 0.6 254112 53904 ? S 11:03 0:00 nginx: worker process is shutting down
root 4675 0.0 0.4 179556 36876 ? S 11:05 0:00 nginx: master process /opt/wapp/nginx/sbin/nginx -g daemon off;
nobody 4676 0.0 0.6 222064 54044 ? S 11:05 0:00 nginx: worker process
nobody 4677 0.0 0.6 222064 54044 ? S 11:05 0:00 nginx: worker process
nobody 4678 0.0 0.6 222064 53948 ? S 11:05 0:00 nginx: worker process
nobody 4679 0.0 0.6 222064 54044 ? S 11:05 0:00 nginx: worker process
root 4737 0.0 0.0 11464 1008 pts/0 R+ 11:06 0:00 grep --color=auto nginx
IV. After you configure a TCP-type or Tunnel-type Client-access application, you must see active dialouts:
$ /opt/wapp/nginx/cli/nginx-cli dialout get connections
V. Check that the podman connector has the client capabilities cap_net, cap_net_raw:
$ capsh --print
Sample output:
root@74c98dc9a0b4:/# capsh --print
capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_chroot,cap_setfcap=ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_chroot,cap_setfcap
Ambient set =
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_write,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=
Guessed mode: UNCERTAIN (0)
- To prevent abnormal behavior in the event of the agent being restarted, commit the connector to a new image:
$ sudo podman commit <Connector_Container_ID> <new_image_name>
Replace <new_image_name> with the name of your connector.
The Podman-based connector now runs as a container on your Linux server, and you can add your TCP-type or Tunnel-type applications and secure them with Enterprise Application Access. When you associate the Podman connector to Client-access (TCP-type or Tunnel-type) applications, you should see ( ) for the connector on the Connector list page.
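The capability check in validation step V of STEP 2B, automated as an added example (not part of the original page or of Akamai's tooling): the script parses capsh --print output and fails when the capabilities granted by the --cap-add flags are missing, or when a capability that the sample output shows as dropped is effective. The REQUIRED and DENIED lists, the function names and the exit codes are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example: audit `capsh --print` output from the connector container.
# Assumed policy: REQUIRED mirrors the NET_ADMIN/NET_RAW --cap-add flags in
# step h; DENIED lists capabilities the sample output above shows as dropped.
REQUIRED="cap_net_admin cap_net_raw"
DENIED="cap_sys_admin cap_sys_module cap_sys_ptrace cap_sys_rawio cap_bpf"

# Print one effective capability per line from capsh output on stdin.
# Prints ALL when the set is unrestricted ("Current: =ep").
effective_caps() (
  line=$(sed -n 's/^Current:[[:space:]]*//p' | head -n 1)
  line=${line#= }                    # older libcap prints "Current: = cap_x+ep"
  for clause in $line; do
    names=${clause%[=+]*}            # capability names before the flag suffix
    flags=${clause##*[=+]}           # flag letters: e, i, p
    case $flags in *e*) ;; *) continue ;; esac   # effective clauses only
    if [ -z "$names" ]; then echo ALL; else printf '%s\n' "$names" | tr ',' '\n'; fi
  done
)

# Exit 0: policy met. 1: a required capability is missing.
# 2: a denied capability, or the full set, is effective.
audit_caps() (
  caps=$(effective_caps)
  has() { printf '%s\n' "$caps" | grep -qx "$1"; }
  rc=0
  for c in $DENIED ALL; do
    if has "$c"; then echo "unexpected capability: $c" >&2; rc=2; fi
  done
  [ "$rc" -eq 0 ] || exit "$rc"
  for c in $REQUIRED; do
    has "$c" || { echo "missing capability: $c" >&2; rc=1; }
  done
  exit "$rc"
)

# First sample: the "Current:" line copied from the sample output above.
PAGE_SAMPLE='Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_chroot,cap_setfcap=ep'
# Constructed samples: one without cap_net_raw, one with every capability.
NO_RAW_SAMPLE='Current: cap_chown,cap_net_bind_service,cap_net_admin=ep'
FULL_SET_SAMPLE='Current: =ep'

for s in "$PAGE_SAMPLE" "$NO_RAW_SAMPLE" "$FULL_SET_SAMPLE"; do
  printf '%s\n' "$s" | audit_caps && rc=0 || rc=$?
  echo "audit exit code: $rc"
done
```

Inside the container, run `capsh --print | audit_caps`; from the host, pipe the output of `sudo podman exec <Connector_Name> capsh --print` into it.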