How to run Open source teleport docker

Teleport is an open-source tool for providing zero trust access to servers and cloud applications using SSH, Kubernetes and HTTPS. It can eliminate the need for VPNs by providing a single gateway to access computing infrastructure via SSH, Kubernetes clusters, and cloud applications via a built-in proxy.

Teleport provides an open source alternative. Open source Teleport was designed to provide access to the infrastructure you need without slowing you down. With a single tool, engineers get unified access to Linux and Windows servers, Kubernetes clusters, databases and DevOps applications like AWS Management Console, CI/CD, version control, and monitoring dashboards across all environments.

In this guide, we will learn how to run the open source version of Teleport on docker.

Installation

Since we are going to be using docker and docker-compose, ensure that they are both installed. Teleport recommends docker version v20.10.7 or later and they currently only offer Docker images for x86_64 architectures. Confirm your docker version:

$ docker version
Client: Docker Engine - Community
 Version:           20.10.18
...

Server: Docker Engine - Community
 Engine:
  Version:          20.10.18

And docker-compose:

$ docker-compose --version
Docker Compose version v2.12.2

These images are hosted on Amazon ECR Public. All tags under public.ecr.aws/gravitational/teleport are Teleport Open Source images.

Checkout these content on how to set up docker:

The first thing we will need to do is create Teleport configs and start the process with docker run commands.

Create local config and data directories for Teleport, which will be mounted into the container.

mkdir -p ~/teleport/config ~/teleport/data

Next, generate a sample Teleport config and write it to the local config directory. This container will write the config and immediately exit. This is expected.

docker run --hostname tele.citizix.io --rm \
  --entrypoint=/bin/sh \
  -v ~/teleport/config:/etc/teleport.d \
  public.ecr.aws/gravitational/teleport:11.0.1 -c "teleport configure > /etc/teleport.d/teleport.yaml"

This is the configs generated for my set up:

version: v3
teleport:
  nodename: tele.citizix.io
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  proxy_listener_mode: multiplex
ssh_service:
  enabled: "yes"
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
proxy_service:
  enabled: "yes"
  https_keypairs: []
  acme: {}

Finally start Teleport with mounted config and data directories, plus all ports

docker run --rm --hostname tele.citizix.io \
  --name teleport \
  -v ~/teleport/config:/etc/teleport \
  -v ~/teleport/data:/var/lib/teleport \
  -p 3023:3023 -p 3025:3025 -p 3080:3080 \
  public.ecr.aws/gravitational/teleport:11.0.1

This command should start teleport with the configurations we generated earlier.

For running this as code, we can create the following docker-compose.yaml file:

version: '3.9'

services:
  teleport:
    image: public.ecr.aws/gravitational/teleport:11.0.1
    hostname: tele.citizix.io
    ports:
      - 3023:3023
      - 3025:3025
      - 3080:3080
    volumes:
      - ~/teleport/config:/etc/teleport
      - ~/teleport/data:/var/lib/teleport
    networks:
      - teleport_net

networks:
  teleport_net:

Start the service:

docker-compose up -d

Confirm that the service is running as expected:

$ docker-compose ps
NAME                  COMMAND                  SERVICE             STATUS              PORTS
teleport-teleport-1   "/usr/bin/dumb-init …"   teleport            running             0.0.0.0:3023->3023/tcp, :::3023->3023/tcp, 0.0.0.0:3025->3025/tcp, :::3025->3025/tcp, 0.0.0.0:3080->3080/tcp, :::3080->3080/tcp

Creating a Teleport user and setting up 2 factor authentication

This example command will create a Teleport user called citizix which is allowed to log in as either root , citizix or ubuntu on the host operating system:

docker exec teleport tctl users addcitizix --roles=editor,access --logins=root,citizix,ubuntu

When you run this command, Teleport will output a URL that you must open to complete the user signup process:

$ docker exec teleport tctl users add citizix --roles=editor,access --logins=root,ubuntu,rocky
User "citizix" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:
https://tele.citizix.io:3080/web/invite/cc1bf0b9bb42fec07917f25bcb9e4b44

NOTE: Make sure tele.citizix.io:3080 points at a Teleport proxy which users can access.

The Web UI will be available at the displayed URL.

If you encounter an “Insecure Certificate Error” (or equivalent warning) that prevents the Teleport Web UI from opening, you can perform one of the following actions depending on your browser:

  <ul>
    <li>
      In Safari&#8217;s &#8220;This Connection Is Not Private&#8221; page, click &#8220;Show Details,&#8221; then click &#8220;visit this website.&#8221;
    </li>
    <li>
      In Firefox, click &#8220;Advanced&#8221; from the warning page, then click &#8220;Accept the Risk and Continue.&#8221;
    </li>
    <li>
      In Chrome&#8217;s warning page, click &#8220;Advanced&#8221; then &#8220;Proceed to&nbsp;<code>URL</code>&#8220;. <ul>
        <li>
          If a server previously accessible from this URL set an HTTP Strict Transport Security (HSTS) header, the &#8220;Proceed to&#8221; link will not display. Type&nbsp;<code>thisisunsafe</code>&nbsp;to ignore the HSTS header and proceed.
        </li>
      </ul>
    </li>
  </ul>
</blockquote>

tsh into your Teleport container

After you have finished creating your user, open a second terminal and issue the command, which will log in to your Teleport cluster via the Proxy Service at localhost.

For this to work you have to have tsh installed.

tsh login --proxy=localhost --insecure --user=citizix

The --insecure flag is not recommended in production but can be used to bypass certain TLS and port requirements when testing locally.

You will be prompted to enter the password and One-Time Passcode you created for your user citizix:

$ tsh login --proxy=localhost --insecure --user=citizix
Enter password for Teleport user citizix:
Enter your OTP token:
000000

After successfully authenticating you should see the following in your terminal:

WARNING: You are using insecure connection to SSH proxy https://localhost:3080
> Profile URL:        https://localhost:3080
  Logged in as:       citizix
  Cluster:            tele.citizix.io
  Roles:              access, editor
  Logins:             root, ubuntu, rocky, -teleport-internal-join
  Kubernetes:         enabled
  Valid until:        2022-11-05 02:23:42 +0000 UTC [valid for 12h0m0s]
  Extensions:         permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

Running the next command will display all Teleport Nodes you’re connected to:

$ tsh ls
Node Name               Address        Labels
----------------------- -------------- --------------------------------
tele.citizix.io.        127.0.0.1:3022 hostname=tele.citizix.io

To SSH into the local Node called tele.citizix.io:

tsh ssh root@tele.citizix.io

This will bring up the Linux command prompt where you can issue Bash commands, traverse the directory tree, and explore the container contents:

root@teleport:~#

Adding a node to the cluster

To add a new node to the teleport cluster,

First login to the teleport

tsh login --proxy=tele.citizix.io --auth=local --insecure --user=citizix

Generate a token with a specified time limit, here we are limiting time for 1hour.

tctl tokens add --type=node --ttl=1h --insecure

Now download the teleport package to your new node. In our case, our new node is running with Ubuntu operating system. For that, go through the installation process as shown below.

Download Teleport’s PGP public key

sudo curl https://apt.releases.teleport.dev/gpg \
  -o /usr/share/keyrings/teleport-archive-keyring.asc

Source variables about OS version

source /etc/os-release

Add the Teleport APT repository for v11. You’ll need to update this file for each major release of Teleport.

Note: if using a fork of Debian or Ubuntu you may need to use ‘$ID_LIKE’ and the codename your distro was forked from instead of ‘$ID’ and ‘$VERSION_CODENAME’.

echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \
  https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} stable/v11" \
| sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null

Finally update and install

sudo apt-get update
sudo apt-get install teleport

Now run this command on the new node by using the token created with the above command. For further details, check the command as shown below.

teleport start \
   --roles=node \
   --token=76bc9477e50dc100944153b44bcf046e \
   --ca-pin=sha256:b71a54711e9901a3e0ef83f70651687f17bed8f07a8ae1f7933d5853c760bc45 \
   --auth-server=tele.citizix.io

As in our case, the hostname is ubuntusrv1 so we can verify it by browsing the site of Teleport WEB-UI and check on servers section.

Accessing the added server

Now, the new node has been added successfully so it is easily accessible with the WEB UI or terminal by simply clicking on connect and accessing it with the preferred user option on the list.

In our case, we selected root as a user then the next tab will be open where the new node server can be accessed. You can execute the commands on the new node

Conclusion

In this article, we were able to set up teleport with docker and docker compose. We were also able to add a new user and a node.

comments powered by Disqus
Built with Hugo
Theme Stack designed by Jimmy