RotherOSS / otobo-docker

OTOBO Docker and Docker Compose files.
GNU General Public License v3.0

NGINX Kerberos seems broken #81

Closed wornet-aer closed 2 years ago

wornet-aer commented 3 years ago

I am currently trying to get OTOBO running with working Kerberos auth using docker-compose/otobo-override-https-kerberos.yml. Unfortunately this seems to be more complicated than it seems. Probably we need to add some more documentation about this.

What did I try: I prepared the krb5.conf and the krb5.keytab file to make it available within the NGINX container. Of course I also added the additional ENV vars to my .env file.

What happens? When I start the compose setup, it seems as if NGINX doesn't even have Kerberos enabled. A quick look into /etc/nginx/conf.d/otobo_nginx.conf showed that Kerberos is commented out by default. As a side note: there seems to be a bug in the template, but I didn't find the git repo for this docker image. The line # auth_gss_keytab ${OTOBO_NGINX_KERBEROS_KEYTAB}; should probably be auth_gss_keytab /etc/krb5.keytab;, as the ENV variable is only used outside the NGINX container and used for mounting the keytab to /etc/krb5.keytab.

When trying to modify the otobo_nginx.conf within the container and restart it for debugging, the file gets overwritten by the template. In order to fix this, I tried to mount my own config as read-only into the NGINX container. Unfortunately this doesn't work as the init script within the container bails out:

nginx_1    | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
nginx_1    | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
nginx_1    | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
nginx_1    | 10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf is not a file or does not exist
nginx_1    | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
nginx_1    | 20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/otobo_nginx.conf.template to /etc/nginx/conf.d/otobo_nginx.conf
nginx_1    | /docker-entrypoint.d/20-envsubst-on-templates.sh: 26: /docker-entrypoint.d/20-envsubst-on-templates.sh: cannot create /etc/nginx/conf.d/otobo_nginx.conf: Read-only file system

How is the intended use for this and where is the correct location to add some documentation about OTOBO with Kerberos?

Cheers, Andreas

bschmalhofer commented 3 years ago

Hi Andreas,

I agree that the Kerberos configuration is not well documented. You are the trailblazer here.

Documentation about Nginx configuration can be added in the installation manual: https://github.com/RotherOSS/doc-otobo-installation/blob/master/content/installation-docker.rst#custom-configuration-of-the-nginx-webproxy. I think that Kerberos configuration warrants its own chapter in the advanced topics.

Thanks also for your pull request. I enhanced it a little bit, as the sample .env files are actually generated from the template file _etc/templates/dotenv.m4 . Yes, it's templates and substitution all the way down.

wornet-aer commented 3 years ago

Hi Bernhard,

thanks for the adjustment with the dot_env.m4. I already knew about its existence, but somehow forgot it when preparing the change request. 😇

I'm still struggling with the Kerberos setup, as the login via Basic Auth seems to be working, but automatic login from Windows clients is not working yet. As soon as I have the process completely understood and working, I will try to add some advanced documentation section for setting up Kerberos.

What I found quite challenging is the fact that you have to copy the template file from within the container to an external volume in order to override its contents. This could be a real showstopper for admins without docker experience. Do you know the reason why the sources for the NGINX container and the templates directory can't be found on GitHub?

I'd love to fix the issue with ${OTOBO_NGINX_KERBEROS_KEYTAB} in the otobo_nginx.conf.template file, and it may be easier for documentation if we could point to that template file on GitHub and advise to copy it into a volume and mount it into the NGINX container. Because right now it's a lot of jumping around between container and host shell with multiple container restarts in between. ;-)

bschmalhofer commented 3 years ago

Hi Andreas, I understand your sentiment that this is too complicated for the standard use case.

First, which sources are missing? The images are built from https://github.com/RotherOSS/otobo/blob/rel-10_0/otobo.nginx.dockerfile and https://github.com/RotherOSS/otobo/blob/rel-10_0/otobo.nginx-kerberos.dockerfile . The templates are in https://github.com/RotherOSS/otobo/tree/rel-10_0/scripts/nginx . As far as I remember we thought about separate repositories for the individual images. The result was that it appeared to be more simple if all images can be built from a single sandbox.

Actually I don't know much about the installation with Kerberos. I know that a separate image is used for Kerberos because Nginx needs the ngx_http_auth_spnego_module.so plugin for supporting Kerberos. I'm wondering whether there is a good reason that this plugin can't be made part of the regular Nginx image. If there is no good reason I see the possibility to merge the two images and to provide a configuration that can be adapted via environment variables that are set up in .env. Then it could be that a single volume suffices for all needs. But then I haven't thought about any security implications.

I'll raise this topic tomorrow at the weekly OTOBO development meeting.

wornet-aer commented 3 years ago

Hi Bernhard, thanks for pointing me in the right direction!

https://github.com/RotherOSS/otobo/tree/rel-10_0/scripts/nginx seems to be the missing piece for me. I will further test and debug my Kerberos setup and then contribute the right changes there. What was most confusing for me is the fact that even when you set up all the required .env variables, Kerberos will still be disabled by the default nginx template. IMHO this should definitely be changed, such that you can use Kerberos with the default settings or override it with your own nginx config/template if needed. And of course: we need at least some short documentation about how to use Kerberos with OTOBO.

Greetings to the OTOBO development team. You are awesome! :)

bschmalhofer commented 3 years ago

Thanks for the compliment!

bschmalhofer commented 3 years ago

See also https://github.com/RotherOSS/otobo/issues/1239.

bschmalhofer commented 2 years ago

This issue was discussed at the OTOBO devel meeting on Friday. The assessment was that the path forward is to concentrate on the authentication with OpenID which was recently added by @svenoe in #1389. This means that the recommended way to implement Kerberos authentication will be via KeyCloak. I'm not sure whether authentication already in Nginx will be recommended too. In the short run we won't merge the Docker images for plain Nginx and for Nginx with Kerberos. But there is room for improvement:

bschmalhofer commented 2 years ago

See also https://github.com/RotherOSS/otobo/issues/1462 and https://github.com/RotherOSS/otobo/issues/1465.

Regarding "Find out whether krb5.cnf needs to be adaptable too.", this is already the case because the file resides on the Docker host and is mounted into the container.

bschmalhofer commented 2 years ago

Hi Andreas, @wornet-aer,

could you try the new version of the nginx-kerberos Docker image? The Kerberos settings should now be activated per default in this image.

Best regards, Bernhard

bschmalhofer commented 2 years ago

Hi Andreas, @wornet-aer ,

I'm still struggling with the simplified setup of OTOBO with Kerberos support. Providing a /etc/krb5.conf via a template is not a problem. But now I ran into a problem with the compose file docker-compose/otobo-override-https-kerberos.yml . My understanding is that the krb5.keytab file would still have to be provided via the host, because the content is site specific. Is my understanding correct? If so, could the file krb5.keytab also be stored in the same volume as the .crt and the .key file? This would simplify things as no bind mount would be needed in that case.

After more investigating I found that mounting /etc/krb5.keytab into the container is no problem. So storing it in the volume otobo_nginx_ssl is probably not sensible.

Best regards, cheers, Bernhard

wornet-aer commented 2 years ago

Hi Bernhard, @bschmalhofer, sorry for the late reply, but I've been busy doing other projects as I'm currently waiting for some more Kerberos information from my client. But I'll definitely try your updated version, as soon as I'm into this topic again.

Yes, the krb5.conf as well as the krb5.keytab are site-specific and should be mounted into the docker container using the compose file.

As the NGINX SSL stuff is a different topic than Kerberos, I'd personally put those files in a separate volume. Thanks again for your efforts to get this sorted out!

Cheers, Andreas

bschmalhofer commented 2 years ago

Thanks for the feedback. Mounting krb5.keytab seems to be fine then. For krb5.conf I think I will add a switch so that the user will have a choice. Either mount a user defined krb5.conf into the container or use the standard template where env vars are replaced with the setup in the .env file.

wornet-aer commented 2 years ago

Hi Bernhard,

sorry for the late reply, but our Kerberos implementation had been delayed by other stuff.

I tried to give it another shot today and am currently struggling with the following error message while starting the nginx container:

nginx_1 | /docker-entrypoint.d/21-envsubst-on-krb5-conf.sh: 25: cannot open /etc/nginx/templates/../../kerberos/templates/krb5.conf.template: No such file

The message made me curious and so I started digging for the template file within the nginx container. Here it is: /etc/nginx/kerberos/templates/krb5.conf.template

So from my point of view the default path used in 21-envsubst-on-krb5-conf.sh is wrong. Could you please check this on your side? I'm a little bit uncertain, because I fiddled around with several options during debugging.

bschmalhofer commented 2 years ago

Hi Andreas,

I didn't take a deep dive, but I recall that @StefanRother-OTOBO fixed a couple of problems with that script. You might want to compare your version with the latest version at https://github.com/RotherOSS/otobo/blob/rel-10_1/scripts/nginx/docker-entrypoint.d/21-envsubst-on-krb5-conf.sh

Best regards, Bernhard

wornet-aer commented 2 years ago

Yes, I'm already using this version. The path specified /etc/nginx/templates/../../kerberos/templates/krb5.conf.template resolves to /etc/kerberos/templates/krb5.conf.template, but the template is actually located here: /etc/nginx/kerberos/templates/krb5.conf.template
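Two points from this thread, the keytab variable in the nginx template (first post) and the `..` path in 21-envsubst-on-krb5-conf.sh (this post), can be checked outside the container. The following is an added example, not code from the issue or from the OTOBO project; the template fragment is constructed in the style of the quoted lines, and the `/etc/krb5.keytab` mount target is taken from the first post.

```python
import posixpath
import re

# Constructed fragment resembling the otobo_nginx.conf.template lines quoted
# in the issue (not the project's real template file).
TEMPLATE = """\
location / {
    # auth_gss on;
    # auth_gss_keytab ${OTOBO_NGINX_KERBEROS_KEYTAB};
    auth_gss_keytab ${OTOBO_NGINX_KERBEROS_KEYTAB};
    proxy_pass http://web:5000;
}
"""

# Path inside the container where the compose file bind-mounts the keytab.
CONTAINER_KEYTAB = "/etc/krb5.keytab"

VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def envsubst(text, env):
    """Mimic the nginx image's 20-envsubst-on-templates.sh: only variables that
    are set in the environment are replaced; unset ones stay as literal ${NAME}."""
    return VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), text)


def check_keytab_directives(rendered):
    """Return problems with active (uncommented) auth_gss_keytab directives:
    an unexpanded or empty value, or a path other than the container mount."""
    problems = []
    for line in rendered.splitlines():
        stripped = line.strip()
        if stripped.startswith("#") or not stripped.startswith("auth_gss_keytab"):
            continue
        value = stripped[len("auth_gss_keytab"):].strip().rstrip(";").strip()
        if "${" in value or not value:
            problems.append(f"unexpanded or empty keytab path: {stripped}")
        elif value != CONTAINER_KEYTAB:
            problems.append(f"keytab path {value} is not the mount {CONTAINER_KEYTAB}")
    return problems


def resolve_template_path(path):
    """Normalise a path with '..' components the way the shell's open() would,
    showing where the script's default template path actually lands."""
    return posixpath.normpath(path)
```

Running `envsubst(TEMPLATE, {})` reproduces the literal `${OTOBO_NGINX_KERBEROS_KEYTAB}` from the first post, and passing the host-side value through reproduces a keytab path that does not exist inside the container.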

bschmalhofer commented 2 years ago

Closing this old issue. Let's handle still remaining or new problems in new issues.