This is the draft of conjur-arm64 blog.
This blog is about my journey of building CyberArk Conjur container image that works on both ARM-based & Intel/AMD-based computer.
If you're looking for a solution to execute Conjur on Pi4, you can download docker-compose.yml & .env files to spin up a the quincycheng/conjur:latest
image that I built
As an IOT & single-board-computer lover, I recently pick up a Raspberry Pi 4 board as an upgrade of Pi2. Pi4 SDB is very nice SBC, that got enough processing power to execute container-based apps, while keep operating in low voltage powered by USB.
Considering the power consumed by homelab VM servers, guess it's a good idea to run the 7x24 systems on Pi 4 and power on my 220V VM systems only when I need them.
(left) Raspberry Pi 4 in Argon NEO Heatsink Case (right) Raspberry Pi 2 with 3.5" LCD HAT
One of the apps that I use is CyberArk Conjur. Together with summon, it's an awesome way to inject secrets to my container-based apps, CLI and automation tools like Ansible.
To run applications on Pi4, we need to make sure the applications are arm64 compatible.
Conjur is publicily avaliable as container image, let's check Docker Hub.
After a quick search, I found that link to the image is https://hub.docker.com/repository/docker/cyberark/conjur
Now, I have two news - good and bad.
The bad news is, as you can see in above screen capture, the offical repo got linux/amd64
images, and no linux/arm64
.
The good news is, Conjur is an open source ource project, meaning that we could build an container image with both linux/arm64
& linux/amd64
Okay, first thing first, let's get the source code. With the link from Docker Hub, I can quickly access GitHub project page.
Conjur project on GitHub
Let's create a folder to clone the project.
With git clone https://github.com/cyberark/conjur.git
, we got the source code less than a second, literally.
I notice that Conjur is written in Ruby, which should be portable and can easily port for arm64 using ruby
images, right?
Cloning Conjur project from GitHub
Container defination is located in Dockerfile
file, and the base image for assemble is set by FROM
statement
From
statement in Dockerfile
from conjur
project
14:37:56 13:59:23
*Built 38 mins and get an error *
*"Building on aarch64 with fips" issue from `openssl` on Github*Based on https://www.openssl.org/docs/fips.html, at the time of writing this blog, it said Neither validation will work with any release other than 1.0.2
.
So guess we need to stick with openssl 1.0.2
.
So back to the issue page, there is a workaround which does not require any source code modifications. Awesome! Shout to @alexw91
The solution to fix the compile issue
Updated Dockerfile
56 Minutes and 50 Seconds
*Built openssl-builder
successfully in 3410.1s
Below is the .env
CONJUR_DATA_KEY=<place your data key here, can be generated by `docker-compose exec conjur conjurctl account create default`>
POSTGRES_PASSWORD=<place your database password here, can be any random string>
Below is the docker-compose.yml
version: '3'
services:
database:
image: postgres:10.14
container_name: postgres_database
environment:
POSTGRES_PASSWORD: "${POSTGRES_PASSWORD}"
volumes:
- ./postgres-data:/var/lib/postgresql/data
conjur:
image: quincycheng/conjur
container_name: conjur_server
command: server
environment:
DATABASE_URL: "postgres://postgres:${POSTGRES_PASSWORD}@database/postgres"
CONJUR_DATA_KEY: "${CONJUR_DATA_KEY}"
depends_on:
- database
restart: on-failure
ports:
- "8888:80"