Teleport is an open-source tool for providing zero trust access to servers and cloud applications using SSH, Kubernetes and HTTPS. It can eliminate the need for VPNs by providing a single gateway to access computing infrastructure via SSH, Kubernetes clusters, and cloud applications via a built-in proxy.
Teleport provides an open source alternative. Open source Teleport was designed to provide access to the infrastructure you need without slowing you down. With a single tool, engineers get unified access to Linux and Windows servers, Kubernetes clusters, databases and DevOps applications like AWS Management Console, CI/CD, version control, and monitoring dashboards across all environments.
In this guide, we will learn how to run the open source version of Teleport on docker.
# Installation
Since we are going to be using docker and docker-compose, ensure that they are both installed. Teleport recommends docker version v20.10.7 or later and they currently only offer Docker images for x86_64
 architectures. Confirm your docker version:
$ docker version
Client: Docker Engine - Community
Version: 20.10.18
...
Server: Docker Engine - Community
Engine:
Version: 20.10.18
And docker-compose:
$ docker-compose --version
Docker Compose version v2.12.2
These images are hosted on Amazon ECR Public. All tags under public.ecr.aws/gravitational/teleport
 are Teleport Open Source images.
Checkout these content on how to set up docker:
- How to install and configure docker on Debian 11
- Using Ansible to install and configure docker In Rocky Linux 8/Alma Linux 8
- How to install and configure docker in Rocky Linux/Alma Linux 9
- How to install and configure docker In Rocky Linux/Centos 8
- How to install and configure docker In Fedora 34/35
- How to Install and Use Docker in Ubuntu 20.04
The first thing we will need to do is create Teleport configs and start the process with docker run
 commands.
Create local config and data directories for Teleport, which will be mounted into the container.
mkdir -p ~/teleport/config ~/teleport/data
Next, generate a sample Teleport config and write it to the local config directory. This container will write the config and immediately exit. This is expected.
docker run --hostname tele.citizix.io --rm \
--entrypoint=/bin/sh \
-v ~/teleport/config:/etc/teleport.d \
public.ecr.aws/gravitational/teleport:11.0.1 -c "teleport configure > /etc/teleport.d/teleport.yaml"
This is the configs generated for my set up:
version: v3
teleport:
nodename: tele.citizix.io
data_dir: /var/lib/teleport
log:
output: stderr
severity: INFO
format:
output: text
ca_pin: ""
diag_addr: ""
auth_service:
enabled: "yes"
listen_addr: 0.0.0.0:3025
proxy_listener_mode: multiplex
ssh_service:
enabled: "yes"
commands:
- name: hostname
command: [hostname]
period: 1m0s
proxy_service:
enabled: "yes"
https_keypairs: []
acme: {}
Finally start Teleport with mounted config and data directories, plus all ports
docker run --rm --hostname tele.citizix.io \
--name teleport \
-v ~/teleport/config:/etc/teleport \
-v ~/teleport/data:/var/lib/teleport \
-p 3023:3023 -p 3025:3025 -p 3080:3080 \
public.ecr.aws/gravitational/teleport:11.0.1
This command should start teleport with the configurations we generated earlier.
For running this as code, we can create the following docker-compose.yaml
file:
version: '3.9'
services:
teleport:
image: public.ecr.aws/gravitational/teleport:11.0.1
hostname: tele.citizix.io
ports:
- 3023:3023
- 3025:3025
- 3080:3080
volumes:
- ~/teleport/config:/etc/teleport
- ~/teleport/data:/var/lib/teleport
networks:
- teleport_net
networks:
teleport_net:
Start the service:
docker-compose up -d
Confirm that the service is running as expected:
$ docker-compose ps
NAME COMMAND SERVICE STATUS PORTS
teleport-teleport-1 "/usr/bin/dumb-init …" teleport running 0.0.0.0:3023->3023/tcp, :::3023->3023/tcp, 0.0.0.0:3025->3025/tcp, :::3025->3025/tcp, 0.0.0.0:3080->3080/tcp, :::3080->3080/tcp
# Creating a Teleport user and setting up 2 factor authentication
This example command will create a Teleport user called citizix
 which is allowed to log in as either root
 , citizix
or ubuntu
 on the host operating system:
docker exec teleport tctl users addcitizix
--roles=editor,access --logins=root,citizix,ubuntu
When you run this command, Teleport will output a URL that you must open to complete the user signup process:
$ docker exec teleport tctl users add citizix --roles=editor,access --logins=root,ubuntu,rocky
User "citizix" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:
https://tele.citizix.io:3080/web/invite/cc1bf0b9bb42fec07917f25bcb9e4b44
NOTE: Make sure tele.citizix.io:3080 points at a Teleport proxy which users can access.
The Web UI will be available at the displayed URL.
If you encounter an “Insecure Certificate Error” (or equivalent warning) that prevents the Teleport Web UI from opening, you can perform one of the following actions depending on your browser:
<ul> <li> In Safari’s “This Connection Is Not Private” page, click “Show Details,” then click “visit this website.” </li> <li> In Firefox, click “Advanced” from the warning page, then click “Accept the Risk and Continue.” </li> <li> In Chrome’s warning page, click “Advanced” then “Proceed to <code>URL</code>“. <ul> <li> If a server previously accessible from this URL set an HTTP Strict Transport Security (HSTS) header, the “Proceed to” link will not display. Type <code>thisisunsafe</code> to ignore the HSTS header and proceed. </li> </ul> </li> </ul> </blockquote>
# tsh into your Teleport container
After you have finished creating your user, open a second terminal and issue the command, which will log in to your Teleport cluster via the Proxy Service at localhost
.
For this to work you have to have tsh
installed.
tsh login --proxy=localhost --insecure --user=citizix
The --insecure
 flag is not recommended in production but can be used to bypass certain TLS and port requirements when testing locally.
You will be prompted to enter the password and One-Time Passcode you created for your user citizix
:
$ tsh login --proxy=localhost --insecure --user=citizix
Enter password for Teleport user citizix:
Enter your OTP token:
000000
After successfully authenticating you should see the following in your terminal:
WARNING: You are using insecure connection to SSH proxy https://localhost:3080
> Profile URL: https://localhost:3080
Logged in as: citizix
Cluster: tele.citizix.io
Roles: access, editor
Logins: root, ubuntu, rocky, -teleport-internal-join
Kubernetes: enabled
Valid until: 2022-11-05 02:23:42 +0000 UTC [valid for 12h0m0s]
Extensions: permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy
Running the next command will display all Teleport Nodes youâre connected to:
$ tsh ls Node Name Address Labels ----------------------- -------------- -------------------------------- tele.citizix.io. 127.0.0.1:3022 hostname=tele.citizix.io
To SSH into the local Node called tele.citizix.io
:
tsh ssh root@tele.citizix.io
This will bring up the Linux command prompt where you can issue Bash commands, traverse the directory tree, and explore the container contents:
root@teleport:~#
# Adding a node to the cluster
To add a new node to the teleport cluster,
First login to the teleport
tsh login --proxy=tele.citizix.io --auth=local --insecure --user=citizix
Generate a token with a specified time limit, here we are limiting time for 1hour.
tctl tokens add --type=node --ttl=1h --insecure
Now download the teleport package to your new node. In our case, our new node is running with Ubuntu operating system. For that, go through the installation process as shown below.
Download Teleportâs PGP public key
sudo curl https://apt.releases.teleport.dev/gpg \
-o /usr/share/keyrings/teleport-archive-keyring.asc
Source variables about OS version
source /etc/os-release
Add the Teleport APT repository for v11. Youâll need to update this file for each major release of Teleport.
Note: if using a fork of Debian or Ubuntu you may need to use â$ID_LIKEâ and the codename your distro was forked from instead of â$IDâ and â$VERSION_CODENAMEâ.
echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \
https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} stable/v11" \
| sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null
Finally update and install
sudo apt-get update
sudo apt-get install teleport
Now run this command on the new node by using the token created with the above command. For further details, check the command as shown below.
teleport start \
--roles=node \
--token=76bc9477e50dc100944153b44bcf046e \
--ca-pin=sha256:b71a54711e9901a3e0ef83f70651687f17bed8f07a8ae1f7933d5853c760bc45 \
--auth-server=tele.citizix.io
As in our case, the hostname is ubuntusrv1 so we can verify it by browsing the site of Teleport WEB-UI and check on servers section.
# Accessing the added server
Now, the new node has been added successfully so it is easily accessible with the WEB UI or terminal by simply clicking on connect and accessing it with the preferred user option on the list.
In our case, we selected root as a user then the next tab will be open where the new node server can be accessed. You can execute the commands on the new node
# Conclusion
In this article, we were able to set up teleport with docker and docker compose. We were also able to add a new user and a node.