cyberark / conjur

CyberArk Conjur automatically secures secrets used by privileged users and machine identities
https://conjur.org

Unable to create an account using conjurctl from the Conjur Server Docker container #506

Closed anshumanbh closed 6 years ago

anshumanbh commented 6 years ago

I am using cyberark/conjur Docker image for the Conjur server. The conjurctl version is 0.2.0. When I am trying to create an account, I am seeing the following error:

anshuman_bhartiya@conjur-poc:~/conjur-poc$ docker-compose exec conjur /bin/bash
root@060550ca7c6e:/opt/conjur-server# conjurctl account create test | tee test.out
rake aborted!
OpenSSL::Cipher::CipherError: key length too short
/var/lib/gems/2.2.0/gems/slosilo-2.1.1/lib/slosilo/symmetric.rb:18:in `key='
/var/lib/gems/2.2.0/gems/slosilo-2.1.1/lib/slosilo/symmetric.rb:18:in `encrypt'
/var/lib/gems/2.2.0/gems/slosilo-2.1.1/lib/slosilo/attr_encrypted.rb:55:in `encrypt'
/var/lib/gems/2.2.0/gems/slosilo-2.1.1/lib/slosilo/attr_encrypted.rb:37:in `block (3 levels) in attr_encrypted'
/var/lib/gems/2.2.0/gems/sequel-4.46.0/lib/sequel/model/base.rb:2406:in `block in set_restricted'
/var/lib/gems/2.2.0/gems/sequel-4.46.0/lib/sequel/model/base.rb:2403:in `each'
/var/lib/gems/2.2.0/gems/sequel-4.46.0/lib/sequel/model/base.rb:2403:in `set_restricted'
/var/lib/gems/2.2.0/gems/sequel-4.46.0/lib/sequel/model/base.rb:1791:in `set'
/var/lib/gems/2.2.0/gems/sequel-4.46.0/lib/sequel/model/base.rb:2359:in `initialize_set'
/var/lib/gems/2.2.0/gems/sequel-4.46.0/lib/sequel/model/base.rb:1379:in `initialize'
/var/lib/gems/2.2.0/gems/sequel-4.46.0/lib/sequel/model/base.rb:281:in `new'
/var/lib/gems/2.2.0/gems/sequel-4.46.0/lib/sequel/model/base.rb:281:in `create'
/var/lib/gems/2.2.0/gems/slosilo-2.1.1/lib/slosilo/adapters/sequel_adapter.rb:26:in `put_key'
/var/lib/gems/2.2.0/gems/slosilo-2.1.1/lib/slosilo/keystore.rb:12:in `put'
/var/lib/gems/2.2.0/gems/slosilo-2.1.1/lib/slosilo/keystore.rb:43:in `[]='
/opt/conjur-server/app/models/account.rb:6:in `find_or_create_accounts_resource'
/opt/conjur-server/lib/tasks/account.rake:13:in `block (2 levels) in <top (required)>'
/var/lib/gems/2.2.0/gems/rake-12.0.0/exe/rake:27:in `<top (required)>'
Tasks: TOP => account:create
(See full trace by running task with --trace)

Any idea why this is happening?

jvanderhoof commented 6 years ago

This error happens when Conjur is started without the CONJUR_DATA_KEY environment variable being set.

This needs to be set prior to sending the container. It can be done with the following:

$ docker-compose run --no-deps --rm conjur data-key generate > data_key
$ export CONJUR_DATA_KEY="$(< data_key)"
$ docker-compose up -d

Please note, save the CONJUR_DATA_KEY somewhere safe. It will need to be set to restart the container.
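A preflight check for the variable described in this answer, as an added example that is not code from the thread or from the Conjur project. The function names `data_key_status` and `preflight` are hypothetical, and the check assumes a valid data key is the base64 encoding of exactly 32 bytes.

```shell
#!/usr/bin/env bash
# Preflight check for CONJUR_DATA_KEY, to run before `docker-compose up -d`.
# Assumption (not stated in this thread): a usable data key is the base64
# encoding of exactly 32 bytes, as printed by `data-key generate`.
EXPECTED_KEY_BYTES=32

# data_key_status KEY
# Prints missing | not-base64 | wrong-length:N | ok; returns 0 only for ok.
# The key itself is never printed.
data_key_status() {
  local key="$1" nbytes
  if [ -z "$key" ]; then
    echo "missing"; return 1
  fi
  if ! printf '%s' "$key" | base64 -d >/dev/null 2>&1; then
    echo "not-base64"; return 1
  fi
  nbytes=$(printf '%s' "$key" | base64 -d | wc -c | tr -d '[:space:]')
  if [ "$nbytes" -ne "$EXPECTED_KEY_BYTES" ]; then
    echo "wrong-length:$nbytes"; return 1
  fi
  echo "ok"
}

# preflight: check the exported variable and refuse to continue on failure.
# Usage: preflight && docker-compose up -d
preflight() {
  local status
  if status=$(data_key_status "${CONJUR_DATA_KEY:-}"); then
    return 0
  fi
  echo "CONJUR_DATA_KEY check failed ($status); not starting Conjur" >&2
  return 1
}

# Constructed sample inputs (not real keys): 32 and 16 zero bytes, and empty.
good_key=$(head -c 32 /dev/zero | base64)
short_key=$(head -c 16 /dev/zero | base64)
for k in "$good_key" "$short_key" ""; do
  data_key_status "$k" || true
done
```

An unset or truncated variable is reported here, before the container starts, rather than later as a cipher error during `conjurctl account create`.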

anshumanbh commented 6 years ago

Hi @jvanderhoof, I tried running my script again and it looked like it downloaded a newer image and it worked. I am not sure what was causing it to fail yesterday, but I did have the CONJUR_DATA_KEY set before I started the container. If this happens again, I will reopen this ticket. Thanks!

jayatwork commented 5 years ago

@jvanderhoof @anshumanbh this issue has resurfaced on https://www.conjur.org/get-started/quick-start/oss-environment/#step-5. What I did to overcome it was fall back to the prior image version 4 client Conjur. Unsure why it worked. Also found some other subtle issue in the Quickstart steps to define policy; will address in a PR. Thanks, gents.

```yaml
client:
  image: cyberark/conjur-cli:4
  container_name: conjur_client
  depends_on: [ proxy ]
  entrypoint: sleep
  command: infinity
  volumes:
```