Register for the iXsystems Community to get an ad-free experience and exclusive discounts in our eBay Store.

TrueCommand Docker Container

JoshDW19

Community Moderator
Administrator
Moderator
iXsystems
Joined
May 16, 2016
Messages
466
TrueCommand 1.2 is now available as a Docker image on the Docker Hub.

A TrueCommand container should be deployable on any Container management platform that can support Docker Hub and its images.

Please respond to this post if you:
  • Have any deployment issues with the Docker image
  • Successfully validate on a new container environment
  • Have any container-related advice for the community
  • Have any container-related suggestions for the developers
 
Last edited:

Heracles

Neophyte Sage
Joined
Feb 2, 2018
Messages
674
Hi,

Got it installed using Portainer as my container manager. Downloaded the image, create a dedicated volume, published 2 ports for HTTP and HTTPS and deployed the container.

For now, I am doing that from my iPad. TrueCommand's WebUI does not load in Chrome on my iPad. Once I provided the required credentiels (admin / admin), the page just load and load and load forever without ever succeeding. I had to take remote control of a Linux host to open the page from its browser and only then did TrueCommand loaded.

Will start playing with it right away!

Docker host is lubuntu LTS
Docker engine is 18.09.7
Container created and managed by Portainer
 

Heracles

Neophyte Sage
Joined
Feb 2, 2018
Messages
674
Hi again,

It looks like TrueCommand is case sensitive when it should not. Or even worst, change the case itself.

Here, I imported my own CA and I can see it in TrueCommand config.
When I enter my FreeNAS as DNS name all lower case, TrueCommand re-prints it with an uppercase first letter.
It then complains that no certificate with matching name can be found (the cn is written all lower case...)
When I disable name check in TrueCommand SSL settings, the server finally connects.

From the container itself, I can do openssl s_client -connect atlas.local.lan:443 and it connects.

So the container can resolv the name, I know the cert is good and the CA is imported in TrueCommand. Still have to figure out how / why certificate validation fails and I need to disable it...

At the same time, HAProxy successfully validate the very same certificate, probing the very same SSL port on the very same server and validating with the very same CA. HAProxy even goes to validate the CRLs, what I am pretty sure TrueCommand does not do.
 
Last edited:

Heracles

Neophyte Sage
Joined
Feb 2, 2018
Messages
674
Have any container-related suggestions for the developers
I would recommend you drop has many privileges as you can. As of now, the container uses NET_RAW, which allows to forge network packets. Usually, you need that one when you use PING for sending ICMP echo request. I recommend you do TCP or SSL probing for monitoring instead of ICMP and drop that capability.

In the same way, the containers has NET_BIND_SERVICE. That one is for listening to ports below 1024. Considering that a docker container requires port forwarding from the host, let the Docker Host listens on low port if required and wait for the socket on any high port (8080 and 8443 for example). That way, you can drop that capability as well.

In general, review every capability and drop as many as you can. The less you have, the more secure the container is.
 

anmnz

Senior Member
Joined
Feb 17, 2018
Messages
285
I'm getting my feet wet with Kubernetes so I brought this up on the cluster I have: 2 VMs on FreeNAS 11.2-U7, running Ubuntu 18.04.3 and microk8s 1.17.2.
Code:
apiVersion: v1
kind: Pod
metadata:
  name: truecommand
  labels:
    app: truecommand
spec:
  containers:
    - name: truecommand
      image: ixsystems/truecommand
      ports:
        - containerPort: 80
        - containerPort: 443
It came up OK and I was able to add the FreeNAS host to TrueCommand. There's a disconcertingly long wait of a minute or two after entering or modifying its IP address or hostname, during which the TrueCommand interface says that the FreeNAS host is "offline", which always makes me think I'd entered the data wrong.

I'm able to view the UI via a port forward. Can't present it through the ingress controller I have already set up for some other applications -- as far as I can see I can't specify a URL subpath for the TrueCommand interface to appear at, it wants to be at the root (i.e. http://host:port/, not e.g. http://host:port/truecommand/). I know there are ways to deal with that.

Haven't tried any TLS stuff, just unencrypted HTTP so far.

I've barely used TrueCommand (or Kubernetes) before but the UI seems like it's all working properly.
 
Last edited:

Adrian

Member
Joined
Jun 29, 2011
Messages
128
Have it running under Windows 10 using Docker Desktop.
Fairly painless as I have never docked before.
Set up from scratch, without migrating data, as I am only interested in alerts and "what are they doing now".
 

aervin

iXsystems
iXsystems
Joined
Jun 13, 2018
Messages
34
Hi,

Got it installed using Portainer as my container manager. Downloaded the image, create a dedicated volume, published 2 ports for HTTP and HTTPS and deployed the container.

For now, I am doing that from my iPad. TrueCommand's WebUI does not load in Chrome on my iPad. Once I provided the required credentiels (admin / admin), the page just load and load and load forever without ever succeeding. I had to take remote control of a Linux host to open the page from its browser and only then did TrueCommand loaded.

Will start playing with it right away!

Docker host is lubuntu LTS
Docker engine is 18.09.7
Container created and managed by Portainer
Thanks @Heracles , full mobile and tablet support is on the roadmap, but for now we recommend desktop browsers primarily.
 

Heracles

Neophyte Sage
Joined
Feb 2, 2018
Messages
674
So I give up about SSL and certificates. The error message complains that a certificate can not be validated against a known local authority. The local CA has been imported as a file and according to the WebUI, is present. I also see a corresponding file created in the /data volume mounted in the container. Still, TrueCommand is unable to use it. When I try to import it as text, it does not import at all. TrueCommand only mark a blue button as Import but the CA never appears in the list of known CA.

I tried going through my HAProxy but received an error about "invalid statusline in response".

It really looks like TrueCommand can not be secured at all using SSL... I will have to disable all SSL Checks, meaning that TrueCommand will now accept any crap as a valid SSL certificate, completely defeating the purpose.

First thing to fix : importing a CA from plain text (will probably fix the second point...)
Second point to fix : using the CA provided by the operator to validate the SSL certificate on managed systems
 

kenmoore

TrueCommand Project Lead
iXsystems
Joined
May 1, 2019
Messages
40
@Heracles : I just looked through the SSL import code in TrueCommand itself and it is taking the CA/Certificate information from you and applying it directly - no text formatting or reading/converting of the strings at all.

Could you please open up a bug ticket about this and give details about your SSL certs (you can make attachments on the bug ticket private as needed). Also, please check the contents of the certs that are put into the /data dir (which you mentioned), just to verify that they match what you "imported" via the UI (should be a 1:1 match). That will help us narrow down where the problem may be.
 

Heracles

Neophyte Sage
Joined
Feb 2, 2018
Messages
674
Could you please open up a bug ticket about this and give details about your SSL certs (you can make attachments on the bug ticket private as needed)
Ticket created. Did not see where to put it as private but no big deal. There is a reason we call them public keys :)
I also gave you a pair of keys (private and cert) signed by my private CA for your own testing. Keys are long (4096) and SHA is SHA-512...

Also confirmed the perfect 1:1 match. Not only by looking at it but md5sum check on both file returned the same MD5 hash. No doubt possible here.
 

geoff.jukes

Member
Joined
Feb 6, 2020
Messages
40
Same issue here. I had to disable the HTTP->HTTPS redirect just to get the system to work. If I force SSL in the TrueCommand Admin preferences, all my servers go offline.
I use a wildcard SSL certificate on all my servers. It's a valid SSL cert, signed by Comodo.
 

Brezlord

Member
Joined
Jan 7, 2017
Messages
123
Running as docker container but can't login. On first login I used the required credentials admin / admin and the page just load and load and load forever without ever moving onto to create a new admin user. Does any one know how to solve this. I have tried chrome and firefox.
 

Heracles

Neophyte Sage
Joined
Feb 2, 2018
Messages
674
Hey Brezlord,

Well... I would say that you did not searched for long...

A little higher I posted exactly this case. You wrote your case with a wording so close to mine that I actually thought that you copied - paste my own post.

I said that I was trying to access from an iPad and that I had to do it from a full fledge Linux host to get it work. Little further, @aervin confirmed that mobile support was planned but not achieved yet.

So from these posts, you are trying to reach TrueCommand from a mobile platform. Switch to a desktop browser and you should be good. If you are not from a mobile platform, you should have specified it in your post because this case is precisely described right under your nose here....
 

Brezlord

Member
Joined
Jan 7, 2017
Messages
123
I did read your post and I am using a desktop client that is in the same sub net so no routing or firewall issues.
 

Heracles

Neophyte Sage
Joined
Feb 2, 2018
Messages
674
Ok; because you did not mentioned the desktop part in your first post, the first obvious thing to check was that.

Can you try with and without incognito mode ? Any kind of blocker installed as plugins in your browsers ? What Desktop platform are you using and what version of Firefox / Chrome did you used ?

Please, give us as much details as possible to help us identify what can be wrong here
 

geoff.jukes

Member
Joined
Feb 6, 2020
Messages
40
Same issue here. I had to disable the HTTP->HTTPS redirect just to get the system to work. If I force SSL in the TrueCommand Admin preferences, all my servers go offline.
I use a wildcard SSL certificate on all my servers. It's a valid SSL cert, signed by Comodo.
Replying to myself; In order to get SSL working between TrueCommand and my FreeNAS instances, I had to update the FreeNAS SSL Certificates,
appemding the certificate chain to the certificate. I've had to do this in the past for server-to-server SSL connections, to ensure the certificates work.
Windows masks the issue because it has a wider range of trusted roots and intermediaries.

I'm SSL end-to-end now.
 

Heracles

Neophyte Sage
Joined
Feb 2, 2018
Messages
674
I had to update the FreeNAS SSL Certificates,
appemding the certificate chain to the certificate.
Thanks for the info. I will test it here but in my case, should it makes the difference, it would means TrueCommand is not RFC compliant. Here, I do not have intermediate CA in my chain. The CA itself signed directly all server certificates. The RFC says that the server must provide the certificate chain down to its own certificate but that the Root certificate may be omitted because it has no value. The client must already know about it and must trust it from a different channel. So indeed, I do send only the server's certificate and not the Root CA, but that is RFC compliant. It it is what TrueCommand refuses, then the bug is known completely defined.

I will update on that later today...
 

Heracles

Neophyte Sage
Joined
Feb 2, 2018
Messages
674
Confirmed : TrueCommand is not RFC Compliant and requires the top root CA to be present in the certificate chain sent by the server.

See RFC 5246 section 7.4.2 about that for TLS v1.2. There is an equivalent for TLS v1.3
 

Heracles

Neophyte Sage
Joined
Feb 2, 2018
Messages
674
FYI : IXSystems updated their container with the required fix. TrueCommand is now RFC Compliant when validating SSL certificates :smile:

New version is available on Docker Hub.
 

boltworks

Newbie
Joined
Feb 21, 2020
Messages
1
Running as docker container but can't login. On first login I used the required credentials admin / admin and the page just load and load and load forever without ever moving onto to create a new admin user. Does any one know how to solve this. I have tried chrome and firefox.
I'm having the same issue. MacOS, tried Safari and Chrome with admin/admin. TrueCommand seems to load indefinitely.
 
Top