[0.18] Issues running inside Alpine Linux

[skyzyx]

We use Docker containers for pop-up development environments (e.g., as opposed to a VM). Trying to run it inside a Docker container, but since I can't open a second tab in my terminal (since the container session is tied to the terminal session), I can't follow the README instructions.

I've tried running it in the background, however, I keep ending up with the basic Action: null policy after running Terraform to standup my infrastructure, then kill $PID.

1. Since Terraform calls out to the AWS APIs, I would think that this tool could read the same things going over the wire as the AWS CLI.

2. Is there something about Docker or Alpine Linux which would prevent it from working?

[iann0036]

Hi @skyzyx,

I can't think of any specific reason why iamlive wouldn't work within Docker. I assume you're not using the new proxy mode and instead relying on the CSM?

If so, the traffic runs over UDP, so do make sure that both sessions are privileged enough to send/receive that traffic. iamlive also requires a TTY to be available, so perhaps using screen or similar may yield better results than a pure background process.

Let me know if you find anything interesting.

[skyzyx]

Correct. Relying on CSM. Let me keep poking at it.

Thanks.

[skyzyx]

Does this tool support the AWS SDK/CLI environment variables? My ~/.aws/config file is on the Mac side, and I'm passing AWS credentials as environment variables into docker run.

[iann0036]

The tool doesn't require any access to credentials themselves, but using the --set-ini does attempt to manipulate the config file to add csm_enabled = true. Using:

export AWS_CSM_ENABLED=true
export AWS_CSM_PORT=31000
export AWS_CSM_HOST=127.0.0.1

is a valid alternative, but you should set these immediately before running Terraform.

[skyzyx]

I couldn't get CSM mode to work on my Mac either. Switching to proxy mode appears to have worked.

Thanks!

[unfor19]

@skyzyx did it work?

[unfor19]

Hi @iann0036 , I've tried running it in Docker, tried a lot of stuff but nothing worked. Here's how I did it-

I'm on Windows 20H2 + WSL2, so Docker and Linux work properly.

git clone https://github.com/iann0036/iamlive.git

Dockerfile

Expand/Collapse

ARG GO_VERSION=1.16.3
ARG REPO_NAME=""
ARG APP_NAME="iamlive"
ARG APP_PATH="/go/src/iamlive"


# Dev
FROM golang:${GO_VERSION}-alpine AS dev
RUN apk add --update git
ARG APP_NAME
ARG APP_PATH
ENV APP_NAME="${APP_NAME}" \
    APP_PATH="${APP_PATH}" \
    GOOS="linux"
WORKDIR "${APP_PATH}"
COPY . "${APP_PATH}"
ENTRYPOINT ["sh"]


# Build
FROM dev as build
RUN go install
ENTRYPOINT [ "sh" ]

# App
FROM alpine:3.12 AS app
RUN apk --update upgrade && \
    apk add --update ca-certificates && \
    update-ca-certificates
WORKDIR "/app/"
COPY --from=build "/go/bin/iamlive" ./iamlive
RUN addgroup -S "appgroup" && adduser -S "appuser" -G "appgroup" && \
    chown "appuser:appgroup" "./iamlive"

USER "appuser"
EXPOSE 10080
ENTRYPOINT ["./iamlive"]
CMD ""

Build the image

docker build -t iamlive-test  .

Run container

docker run  -p 10080:10080   --name iamlive-test --rm  -it iamlive-test --mode proxy --bind-addr 0.0.0.0:10080
# Runs in the background ...

New terminal

# Using env vars for AWS credentials
export HTTPS_PROXY=https://127.0.0.1:10080
export HTTP_PROXY=http://127.0.0.1:10080
export AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem"

# Copy CA certificates from container to Host
docker cp iamlive-test:/home/appuser/.iamlive/ ~/

# Run AWS command
aws s3 ls --debug
...
botocore.exceptions.HTTPClientError: An HTTP Client raised an unhandled exception: check_hostname requires server_hostname

An HTTP Client raised an unhandled exception: check_hostname requires server_hostname

Some notes

• Adding the flag --no-verify-ssl in aws s3 ls --no-verify-ssl generates the same error.
• I also tried using the arguments --ca-bundle and --ca-keyon existing certificates, but it didn't work, this is why I decided to usedocker cp` and just copy the generated certificates from the container to the Host machine.
• Everything works properly outside of Docker.

Any thoughts on how to resolve this?

[iann0036]

For this line:

export HTTPS_PROXY=https://127.0.0.1:10080

Could you try to change it to:

export HTTPS_PROXY=http://127.0.0.1:10080

?

If that doesn't help, there's a thread that mentions the NO_PROXY env, so check that there are no proxy settings on your machine that may redirect traffic also.

[unfor19]

Thank you, I'll check it out and report back. Let me know if you want me to create a new issue, if not, I'll keep posting in here.

[unfor19]

@iann0036 IT WORKS! 🎉

Tested with aws-cli and terraform.

Here's the updated (working) process

git clone https://github.com/iann0036/iamlive.git
cd iamlive

Dockerfile

Expand/Collapse

ARG GO_VERSION=1.16.3
ARG REPO_NAME=""
ARG APP_NAME="iamlive"
ARG APP_PATH="/go/src/iamlive"


# Dev
FROM golang:${GO_VERSION}-alpine AS dev
RUN apk add --update git
ARG APP_NAME
ARG APP_PATH
ENV APP_NAME="${APP_NAME}" \
    APP_PATH="${APP_PATH}" \
    GOOS="linux"
WORKDIR "${APP_PATH}"
COPY . "${APP_PATH}"
ENTRYPOINT ["sh"]


# Build
FROM dev as build
RUN go install
ENTRYPOINT [ "sh" ]

# App
FROM alpine:3.12 AS app
RUN apk --update upgrade && \
    apk add --update ca-certificates && \
    update-ca-certificates
WORKDIR "/app/"
COPY --from=build "/go/bin/iamlive" ./iamlive
RUN addgroup -S "appgroup" && adduser -S "appuser" -G "appgroup" && \
    chown "appuser:appgroup" "./iamlive"

USER "appuser"
EXPOSE 10080
ENTRYPOINT ["./iamlive"]
CMD ""

Build the image

docker build -t iamlive-test  .
# Uncompressed Docker Image Size: 61.7MB

Run a container

docker run  -p 443:10080 -p 80:10080   --name iamlive-test --rm  -it iamlive-test --mode proxy --bind-addr 0.0.0.0:10080
# Runs in the background ...
# Average Memory Usage: 88MB

New WSL2 terminal

# I'm using env vars for AWS credentials
export HTTP_PROXY=http://127.0.0.1:80 HTTPS_PROXY=http://127.0.0.1:443 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem"

# Copy CA certificates from container to Host
docker cp iamlive-test:/home/appuser/.iamlive/ ~/

# Run AWS command
aws s3 ls

Valid output of iamlive container

Expand/Collapse

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        }
    ]
}

NOTE:

With terraform, you must unset the proxy for the init command

unset HTTP_PROXY HTTPS_PROXY AWS_CA_BUNDLE
terraform init

# Assuming iamlive Docker container is running in the background ...

export HTTP_PROXY=http://127.0.0.1:80 HTTPS_PROXY=http://127.0.0.1:443 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem"
terraform apply

[iann0036]

Neato!

Thanks for sharing your update.

[unfor19]

@iann0036 I got excited and wrote a blog-post about it - Determining AWS IAM Policies According To Terraform And AWS CLI.

Thank you for creating and sharing this amazing tool.