Custodia Container
The Custodia Docker image allows the Custodia server to be easily run in a container. By locating the socket that Custodia listens on in a data volume that is located on the host, other containers and applications on the host itself can use your Custodia container to manage secrets.
Data Volumes
The following data volumes are defined in the Custodia Docker image:
/etc/custodia
/var/lib/custodia
/var/log/custodia
/var/run/custodia
When a new Custodia container is created, new mount points on the native host
will be automatically created for each of these volumes. You can use the
docker inspect command to display the location of the volume on the host
with the following command:
docker inspect -f '{{ range .Mounts }}{{ printf "%s -> %s\n" .Source .Destination }}{{ end }}' <container_id>
By default, the mount point on the host will use a very long unique name. This causes problems with the Custodia socket file, as a UNIX domain socket path is not allowed to be over 108 bytes in length. The Custodia socket file path will exceed this limit unless you specify a different host mount point when creating your container. This can be seen in the Example section below.
Systems using SELinux will need to use the Z mount option for the
/var/run/custodia volume to allow proper access to the socket file.
Example
The following example creates a Custodia container where Docker will
automatically create the local volume mount locations with the exception of
/var/run/custodia. This volume will be mounted from /var/run/custodia
on the host to allow other applications to access the Custodia socket file in
it’s standard location.
The Custodia container runs as a custodia user using the uid number
447. To allow the Custodia service in the container to create the socket
file on the host, we will create a local custodia user and group with the
expected uid and gid numbers, then use it to create the volume mount point on
the host with the proper permissions and ownership. The commands to do this
are:
$ sudo groupadd -r custodia -g 447
$ sudo useradd -u 447 -r -g custodia custodia
$ sudo mkdir -m 755 /var/run/custodia
$ sudo chown custodia /var/run/custodia
Now that the volume mount point for the socket file is created on the host, the container can be created using the following command:
$ sudo docker run -it -v /var/run/custodia:/var/run/custodia:Z <image_id>
The Custodia service should start successfully, and its logs will be displayed in the terminal where the container was created.
Once the container is created, you can list the location of the mounted volumes:
$ sudo docker inspect -f '{{ range .Mounts }}{{ printf "%s -> %s\n" .Source .Destination }}{{ end }}' <container_id>
/var/run/custodia -> /var/run/custodia
/var/lib/docker/volumes/a2eb52bc00586536b70a27b4395a8d4f0bd782290783132f7bdcf2bb16524250/_data -> /var/lib/custodia
/var/lib/docker/volumes/88d00edd2c7d6c2da94fa4b8eb97246450e39d108e7fb53cff2d832969482d1c/_data -> /var/log/custodia
You can test that your Custodia container is working from your host by running the following command:
$ sudo curl --unix-socket /var/run/custodia/custodia.sock -X GET http://localhost/
{"message": "Quis custodiet ipsos custodes?"}