diff --git a/security/remote_devices/ssh-tunneling/.gitignore b/security/remote_devices/ssh-tunneling/.gitignore
new file mode 100644
index 00000000..d2115826
--- /dev/null
+++ b/security/remote_devices/ssh-tunneling/.gitignore
@@ -0,0 +1,3 @@
+id_rsa
+id_rsa.pub
+authorized_keys
diff --git a/security/remote_devices/ssh-tunneling/Dockerfile-primary-ds-proxy b/security/remote_devices/ssh-tunneling/Dockerfile-primary-ds-proxy
deleted file mode 100644
index f887fa10..00000000
--- a/security/remote_devices/ssh-tunneling/Dockerfile-primary-ds-proxy
+++ /dev/null
@@ -1,43 +0,0 @@
-# ----------------------------------------------------------------------------------
-# Copyright 2020 Intel Corp.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0'
-# ----------------------------------------------------------------------------------
-
-FROM alpine:latest
-
-# tunneling host name or ip
-ARG TUNNEL_HOST
-
-# ssh port in use, set this number if it is not the usually port 22
-# or there is a different ssh port mapping between local and remote
-ARG TUNNEL_SSH_PORT
-
-# port number of service to forward
-ARG SERVICE_PORT
-
-# remote sshd host name or ip address for services to listen on ssh tunneling
-ARG SERVICE_HOST
-
-RUN apk add --update dumb-init openssh-client && rm -rf /var/cache/apk/*
-
-COPY entrypoint.sh /usr/local/bin/
-RUN chmod +x /usr/local/bin/entrypoint.sh \
- && ln -s /usr/local/bin/entrypoint.sh /
-
-ENV APP_PORT=49990
-EXPOSE $APP_PORT $SERVICE_PORT $TUNNEL_SSH_PORT
-
-ENTRYPOINT ["entrypoint.sh"]
diff --git a/security/remote_devices/ssh-tunneling/Dockerfile-remote-sshd b/security/remote_devices/ssh-tunneling/Dockerfile-remote-sshd
deleted file mode 100644
index 9f900574..00000000
--- a/security/remote_devices/ssh-tunneling/Dockerfile-remote-sshd
+++ /dev/null
@@ -1,43 +0,0 @@
-# ----------------------------------------------------------------------------------
-# Copyright 2020 Intel Corp.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0'
-# ----------------------------------------------------------------------------------
-
-FROM ubuntu:16.04
-
-ARG SSH_PUBLIC_KEY
-
-
-RUN apt-get update && apt-get install -y openssh-server
-RUN mkdir /var/run/sshd
-RUN echo 'root:THEPASSWORDYOUCREATED' | chpasswd
-
-# pam_loginuid is used to set the loginuid audit attribute of a process when a user login through SSH
-# see the reference in https://stackoverflow.com/questions/21391142/why-is-it-needed-to-set-pam-loginuid-to-its-optional-value-with-docker
-RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
-
-# Allow the openssh client to specify IP address from which connections to the port are allowed
-RUN echo 'GatewayPorts clientspecified' >> /etc/ssh/sshd_config
-
-# SSH login fix. Otherwise user is kicked off after login
-RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
-
-RUN mkdir /root/.ssh && chmod 700 /root/.ssh
-
-RUN echo $SSH_PUBLIC_KEY >> "/root/.ssh/authorized_keys"
-
-EXPOSE 22
-CMD ["/usr/sbin/sshd", "-D"]
diff --git a/security/remote_devices/ssh-tunneling/build.sh b/security/remote_devices/ssh-tunneling/build.sh
deleted file mode 100644
index c34b46bf..00000000
--- a/security/remote_devices/ssh-tunneling/build.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-# ----------------------------------------------------------------------------------
-# Copyright 2020 Intel Corp.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0'
-# ----------------------------------------------------------------------------------
-
-set -e
-
-DEFAULT_SSH_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKvsFf5HocBOBWXdVJKfQzkhf0K8lSLjZn9PX84VdhHyP8n1mzfpZywA4vsz8+A3OsGHAr2xpkyzOS0YkwD7nrI3q1x0A0+ANhQNOaKbnfQRepTAES3FPm5n0AbNVfgOre3RR2NLOt6M5m3mA/MERNer1fEp6BM96sdU0o3KjqwFGkPufoQrVkpz2691MZ6/ACDc+lk7uQrinsB4YxM7ctiLNl4I1A3TJgVv0jkJImUCHaThYj3XoaqUqUjQFTS7SlFfkXuk13EjNfRzqPwKFnVvGTUaYzaBV5S4wt5XCxhLfs497M2k5zmNx3HFY/GEyeoroCpjsiXkm+HcgdIYb7 root"
-
-# override the new SSH public key from the environment variable if any; otherwise use default
-SSH_PUBLIC_KEY=${SSH_PUBLIC_KEY-"$DEFAULT_SSH_KEY"}
-export SSH_PUBLIC_KEY
-
-echo "SSH_PUBLIC_KEY to be injected:" $SSH_PUBLIC_KEY
-
-docker build --build-arg SSH_PUBLIC_KEY="$SSH_PUBLIC_KEY" -t eg_sshd .
diff --git a/security/remote_devices/ssh-tunneling/ds-proxy-entrypoint.sh b/security/remote_devices/ssh-tunneling/ds-proxy-entrypoint.sh
deleted file mode 100644
index bddc4a15..00000000
--- a/security/remote_devices/ssh-tunneling/ds-proxy-entrypoint.sh
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/usr/bin/dumb-init /bin/sh
-# ----------------------------------------------------------------------------------
-# Copyright (c) 2020 Intel Corporation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0'
-# ----------------------------------------------------------------------------------
-
-set -e
-
-# Use dumb-init as PID 1 in order to reap zombie processes and forward system signals to
-# all processes in its session. This can alleviate the chance of leaking zombies,
-# thus more graceful termination of all sub-processes if any.
-
-# ssh key generated and put under /root/.ssh/ in the container
-rm -rf /root/.ssh && mkdir /root/.ssh \
-&& cp -R /root/ssh/* /root/.ssh/ \
-&& chmod -R 700 /root/.ssh/* \
-&& chmod -R 600 /root/.ssh/id_rsa.* \
-&& ls -al /root/.ssh/* \
-&& cat /root/.ssh/id_rsa.pub
-
-# ssh tunneling for both ways
-sshTunneling="ssh -vv -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
- -N $TUNNEL_HOST \
- -L *:$SERVICE_PORT:$SERVICE_HOST:$SERVICE_PORT \
- -R 0.0.0.0:48080:edgex-core-data:48080 \
- -R 0.0.0.0:5563:edgex-core-data:5563 \
- -R 0.0.0.0:48081:edgex-core-metadata:48081 \
- -R 0.0.0.0:8500:edgex-core-consul:8500 \
- -p $TUNNEL_SSH_PORT && while true; do sleep 60; done"
-
-echo "Executing $@"
-"$@"
-
-#sleep for some time to wait for creating authorized_keys on remote side
-sleep 3
-
-echo "Executing hook=$sshTunneling"
-eval $sshTunneling
diff --git a/security/remote_devices/ssh-tunneling/edgex-core-ssh-proxy.yml b/security/remote_devices/ssh-tunneling/edgex-core-ssh-proxy.yml
deleted file mode 100644
index 8f7e9a50..00000000
--- a/security/remote_devices/ssh-tunneling/edgex-core-ssh-proxy.yml
+++ /dev/null
@@ -1,590 +0,0 @@ -# /******************************************************************************* -# * Copyright 2020 Redis Labs -# * Copyright 2020 Intel Corporation. -# * -# * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except -# * in compliance with the License. You may obtain a copy of the License at -# * -# * http://www.apache.org/licenses/LICENSE-2.0 -# * -# * Unless required by applicable law or agreed to in writing, software distributed under the License -# * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express -# * or implied. See the License for the specific language governing permissions and limitations under -# * the License. -# * -# * @author: Andre Srinivasan, Redis Labs -# * @author: Leonard Goodell, Intel -# * EdgeX Foundry, Geneva, version 1.2.0 -# * added: May 14, 2020 -# *******************************************************************************/ - -version: '3.4' - -# all common shared environment variables defined here: -x-common-env-variables: &common-variables - Registry_Host: edgex-core-consul - Clients_CoreData_Host: edgex-core-data - Clients_Notifications_Host: edgex-support-notifications - Clients_Metadata_Host: edgex-core-metadata - Clients_Command_Host: edgex-core-command - Clients_Scheduler_Host: edgex-support-scheduler - Clients_RulesEngine_Host: edgex-kuiper - Clients_VirtualDevice_Host: edgex-device-virtual - Databases_Primary_Type: redisdb - Databases_Primary_Host: edgex-redis - Databases_Primary_Port: 6379 - SecretStore_Host: edgex-vault - SecretStore_ServerName: edgex-vault - SecretStore_RootCaCertPath: /tmp/edgex/secrets/ca/ca.pem - # Required in case old configuration from previous release used. 
- # Change to "true" if re-enabling logging service for remote logging - Logging_EnableRemote: "false" - # Clients_Logging_Host: edgex-support-logging # un-comment if re-enabling logging service for remote logging - -# REDIS5_PASSWORD_PATHNAME must have the same value as -# security-secretstore-read/res/configuration.toml SecretStore.Passwordfile. Note edgex-go issue -# #2503 that will address this. -x-redis5-env-variables: &redis5-variables - REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password - -volumes: - db-data: - log-data: - consul-config: - consul-data: - consul-scripts: - vault-init: - vault-config: - vault-file: - vault-logs: - # non-shared volumes - secrets-setup-cache: - -services: - consul: - image: edgexfoundry/docker-edgex-consul:1.2.0 - ports: - - "8400:8400" - - "8500:8500" - container_name: edgex-core-consul - hostname: edgex-core-consul - networks: - edgex-network: - aliases: - - edgex-core-consul - volumes: - - consul-config:/consul/config:z - - consul-data:/consul/data:z - - consul-scripts:/consul/scripts:z - - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z - - /tmp/edgex/secrets/edgex-consul:/tmp/edgex/secrets/edgex-consul:ro,z - - /tmp/edgex/secrets/edgex-vault:/tmp/edgex/secrets/edgex-vault:ro,z - - /tmp/edgex/secrets/edgex-kong:/tmp/edgex/secrets/edgex-kong:ro,z - environment: - - "SECRETSTORE_SETUP_DONE_FLAG=/tmp/edgex/secrets/edgex-consul/.secretstore-setup-done" - - EDGEX_DB=redis - - EDGEX_SECURE=true - depends_on: - - security-secrets-setup - - vault: - image: vault:1.3.1 - container_name: edgex-vault - hostname: edgex-vault - networks: - edgex-network: - aliases: - - edgex-vault - ports: - - "127.0.0.1:8200:8200" - cap_add: - - "IPC_LOCK" - tmpfs: - - /vault/config - entrypoint: ["/vault/init/start_vault.sh"] - environment: - - VAULT_ADDR=https://edgex-vault:8200 - - VAULT_CONFIG_DIR=/vault/config - - VAULT_UI=true - volumes: - - vault-file:/vault/file:z - - vault-logs:/vault/logs:z - - 
vault-init:/vault/init:ro,z - - /tmp/edgex/secrets/edgex-vault:/tmp/edgex/secrets/edgex-vault:ro,z - depends_on: - - consul - - security-secrets-setup - - security-secrets-setup: - image: edgexfoundry/docker-edgex-secrets-setup-go:1.2.0 - container_name: edgex-secrets-setup - hostname: edgex-secrets-setup - environment: - <<: *redis5-variables - tmpfs: - - /tmp - - /run - command: "generate" - volumes: - - secrets-setup-cache:/etc/edgex/pki - - vault-init:/vault/init:z - - /tmp/edgex/secrets:/tmp/edgex/secrets:z - - vault-worker: - image: edgexfoundry/docker-edgex-security-secretstore-setup-go:1.2.0 - container_name: edgex-vault-worker - hostname: edgex-vault-worker - environment: - <<: *redis5-variables - SECRETSTORE_SETUP_DONE_FLAG: /tmp/edgex/secrets/edgex-consul/.secretstore-setup-done - networks: - edgex-network: - aliases: - - edgex-vault-worker - tmpfs: - - /run - volumes: - - vault-config:/vault/config:z - - consul-scripts:/consul/scripts:ro,z - - /tmp/edgex/secrets:/tmp/edgex/secrets:z - depends_on: - - security-secrets-setup - - consul - - vault - -# containers for reverse proxy - kong-db: - image: postgres:12.1-alpine - container_name: kong-db - hostname: kong-db - networks: - edgex-network: - aliases: - - kong-db - ports: - - "127.0.0.1:5432:5432" - environment: - - 'POSTGRES_DB=kong' - - 'POSTGRES_USER=kong' - - 'POSTGRES_PASSWORD=${KONG_POSTGRES_PASSWORD:-kong}' - depends_on: - - security-secrets-setup - - kong-migrations: - image: kong:${KONG_VERSION:-2.0.1} - container_name: kong-migrations - networks: - edgex-network: - aliases: - - kong-migrations - environment: - - 'KONG_DATABASE=postgres' - - 'KONG_PG_HOST=kong-db' - - 'KONG_PG_PASSWORD=${KONG_POSTGRES_PASSWORD:-kong}' - command: > - /bin/sh -cx - 'until /consul/scripts/consul-svc-healthy.sh kong-db; - do sleep 1; - done && kong migrations bootstrap; - kong migrations list; - code=$$?; - if [ $$code -eq 5 ]; then - kong migrations up && kong migrations finish; - fi' - volumes: - - 
consul-scripts:/consul/scripts:ro,z - depends_on: - - consul - - kong-db - - kong: - image: kong:${KONG_VERSION:-2.0.1} - container_name: kong - hostname: kong - networks: - edgex-network: - aliases: - - kong - ports: - - "8000:8000" - - "127.0.0.1:8001:8001" - - "8443:8443" - - "127.0.0.1:8444:8444" - tty: true - environment: - - 'KONG_DATABASE=postgres' - - 'KONG_PG_HOST=kong-db' - - 'KONG_PG_PASSWORD=${KONG_POSTGRES_PASSWORD:-kong}' - - 'KONG_PROXY_ACCESS_LOG=/dev/stdout' - - 'KONG_ADMIN_ACCESS_LOG=/dev/stdout' - - 'KONG_PROXY_ERROR_LOG=/dev/stderr' - - 'KONG_ADMIN_ERROR_LOG=/dev/stderr' - - 'KONG_ADMIN_LISTEN=0.0.0.0:8001, 0.0.0.0:8444 ssl' - restart: on-failure - command: > - /bin/sh -c - "until /consul/scripts/consul-svc-healthy.sh kong-migrations; do sleep 1; done; - /docker-entrypoint.sh kong docker-start" - volumes: - - consul-scripts:/consul/scripts:ro,z - depends_on: - - consul - - kong-db - - kong-migrations - - edgex-proxy: - image: edgexfoundry/docker-edgex-security-proxy-setup-go:1.2.0 - container_name: edgex-proxy - hostname: edgex-proxy - entrypoint: > - /bin/sh -c - "until /consul/scripts/consul-svc-healthy.sh kong; do sleep 1; done; - until /consul/scripts/consul-svc-healthy.sh security-secretstore-setup; do sleep 1; done; - /edgex/security-proxy-setup --init=true" - networks: - edgex-network: - aliases: - - edgex-proxy - environment: - <<: *common-variables - KongURL_Server: kong - SecretService_Server: edgex-vault - SecretService_TokenPath: /tmp/edgex/secrets/edgex-security-proxy-setup/secrets-token.json - SecretService_CACertPath: /tmp/edgex/secrets/ca/ca.pem - SecretService_SNIS: "edgex-kong" - volumes: - - consul-scripts:/consul/scripts:ro,z - - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z - - /tmp/edgex/secrets/edgex-security-proxy-setup:/tmp/edgex/secrets/edgex-security-proxy-setup:ro,z - depends_on: - - consul - - vault-worker - - kong - -# end of containers for reverse proxy - - redis: - image: redis:5.0.8-alpine - ports: - - 
"127.0.0.1:6379:6379" - container_name: edgex-redis - hostname: edgex-redis - environment: - <<: *redis5-variables - command: | - /bin/sh -c " - until [ -r $${REDIS5_PASSWORD_PATHNAME} ] && [ -s $${REDIS5_PASSWORD_PATHNAME} ]; do sleep 1; done - exec /usr/local/bin/docker-entrypoint.sh --requirepass `cat $${REDIS5_PASSWORD_PATHNAME}` \ - --dir /data \ - --save 900 1 \ - --save 300 10 \ - --save 60 10000 - " - networks: - - edgex-network - volumes: - - db-data:/data:z - - /tmp/edgex/secrets/edgex-redis:/tmp/edgex/secrets/edgex-redis:z - depends_on: - - vault-worker - -# The logging service has been deprecated in Geneva release and will be removed in the Hanoi release. -# All services are configure to send logging to STDOUT, i.e. not remote which requires this logging service -# If you still must use remote logging, un-comment the block below, all the related depends that have been commented out -# and the related global override that are commented out at the top. -# -# logging: -# image: edgexfoundry/docker-support-logging-go:1.2.0 -# ports: -# - "127.0.0.1:48061:48061" -# container_name: edgex-support-logging -# hostname: edgex-support-logging -# networks: -# - edgex-network -# environment: -# <<: *common-variables -# SecretStore_TokenFile: /tmp/edgex/secrets/edgex-support-logging/secrets-token.json -# Service_Host: edgex-support-logging -# Writable_Persistence: file -# Databases_Primary_Type: file -# Logging_EnableRemote: "false" -# volumes: -# - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z -# - /tmp/edgex/secrets/edgex-support-logging:/tmp/edgex/secrets/edgex-support-logging:ro,z -# depends_on: -# - consul -# - vault-worker - - system: - image: edgexfoundry/docker-sys-mgmt-agent-go:1.2.0 - ports: - - "127.0.0.1:48090:48090" - container_name: edgex-sys-mgmt-agent - hostname: edgex-sys-mgmt-agent - networks: - - edgex-network - environment: - <<: *common-variables - Service_Host: edgex-sys-mgmt-agent - ExecutorPath: /sys-mgmt-executor - MetricsMechanism: 
executor - volumes: - - /var/run/docker.sock:/var/run/docker.sock:z - depends_on: - - consul -# - logging # uncomment if re-enabled remote logging - - scheduler - - notifications - - metadata - - data - - command - - notifications: - image: edgexfoundry/docker-support-notifications-go:1.2.0 - ports: - - "127.0.0.1:48060:48060" - container_name: edgex-support-notifications - hostname: edgex-support-notifications - networks: - - edgex-network - environment: - <<: *common-variables - Service_Host: edgex-support-notifications - SecretStore_TokenFile: /tmp/edgex/secrets/edgex-support-notifications/secrets-token.json - volumes: - - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z - - /tmp/edgex/secrets/edgex-support-notifications:/tmp/edgex/secrets/edgex-support-notifications:ro,z - depends_on: - - consul -# - logging # uncomment if re-enabled remote logging - - redis - - vault-worker - - metadata: - image: edgexfoundry/docker-core-metadata-go:1.2.0 - ports: - - "48081:48081" - container_name: edgex-core-metadata - hostname: edgex-core-metadata - networks: - - edgex-network - environment: - <<: *common-variables - Service_Host: edgex-core-metadata - Notifications_Sender: edgex-core-metadata - SecretStore_TokenFile: /tmp/edgex/secrets/edgex-core-metadata/secrets-token.json - volumes: - - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z - - /tmp/edgex/secrets/edgex-core-metadata:/tmp/edgex/secrets/edgex-core-metadata:ro,z - depends_on: - - consul -# - logging # uncomment if re-enabled remote logging - - redis - - notifications - - vault-worker - - data: - image: edgexfoundry/docker-core-data-go:1.2.0 - ports: - - "48080:48080" - - "5563:5563" - container_name: edgex-core-data - hostname: edgex-core-data - networks: - - edgex-network - environment: - <<: *common-variables - Service_Host: edgex-core-data - SecretStore_TokenFile: /tmp/edgex/secrets/edgex-core-data/secrets-token.json - volumes: - - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z - - 
/tmp/edgex/secrets/edgex-core-data:/tmp/edgex/secrets/edgex-core-data:ro,z - depends_on: - - consul -# - logging # uncomment if re-enabled remote logging - - redis - - metadata - - vault-worker - - command: - image: edgexfoundry/docker-core-command-go:1.2.0 - ports: - - "48082:48082" - container_name: edgex-core-command - hostname: edgex-core-command - networks: - - edgex-network - environment: - <<: *common-variables - Service_Host: edgex-core-command - SecretStore_TokenFile: /tmp/edgex/secrets/edgex-core-command/secrets-token.json - volumes: - - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z - - /tmp/edgex/secrets/edgex-core-command:/tmp/edgex/secrets/edgex-core-command:ro,z - depends_on: - - consul -# - logging # uncomment if re-enabled remote logging - - redis - - metadata - - vault-worker - - scheduler: - image: edgexfoundry/docker-support-scheduler-go:1.2.0 - ports: - - "48085:48085" - container_name: edgex-support-scheduler - hostname: edgex-support-scheduler - networks: - - edgex-network - environment: - <<: *common-variables - Service_Host: edgex-support-scheduler - IntervalActions_ScrubPushed_Host: edgex-core-data - IntervalActions_ScrubAged_Host: edgex-core-data - SecretStore_TokenFile: /tmp/edgex/secrets/edgex-support-scheduler/secrets-token.json - volumes: - - /tmp/edgex/secrets/ca:/tmp/edgex/secrets/ca:ro,z - - /tmp/edgex/secrets/edgex-support-scheduler:/tmp/edgex/secrets/edgex-support-scheduler:ro,z - depends_on: - - consul -# - logging # uncomment if re-enabled remote logging - - redis - - vault-worker - -################################################################# -# Device Services -################################################################# - -# NOTE: all device micro services are commented out on the primary machine -# or host to demonstrate that the SSH tunneling is actually utilizing the -# secondary or remote running device services - -# device-virtual: -# image: edgexfoundry/docker-device-virtual-go:1.2.0 -# ports: -# - 
"127.0.0.1:49990:49990" -# container_name: edgex-device-virtual -# hostname: edgex-device-virtual -# networks: -# edgex-network: -# aliases: -# - edgex-device-virtual -# environment: -# <<: *common-variables -# Service_Host: edgex-device-virtual -# depends_on: -# - consul -# # - logging # uncomment if re-enabled remote logging -# - data -# - metadata - - # device-rest: - # image: edgexfoundry/docker-device-rest-go:1.1.0 - # ports: - # - "127.0.0.1:49986:49986" - # container_name: edgex-device-rest - # hostname: edgex-device-rest - # networks: - # edgex-network: - # aliases: - # - edgex-device-rest - # environment: - # <<: *common-variables - # Service_Host: edgex-device-rest - # depends_on: - # - data - # - command - # - logging # uncomment if re-enabled remote logging - - # device-random: - # image: edgexfoundry/docker-device-random-go:1.2.0 - # ports: - # - "127.0.0.1:49988:49988" - # container_name: edgex-device-random - # hostname: edgex-device-random - # networks: - # - edgex-network - # aliases: - # - edgex-device-random - # environment: - # <<: *common-variables - # Service_Host: edgex-device-random - # depends_on: - # - data - # - command - # - # device-mqtt: - # image: edgexfoundry/docker-device-mqtt-go:1.2.0 - # ports: - # - "127.0.0.1:49982:49982" - # container_name: edgex-device-mqtt - # hostname: edgex-device-mqtt - # networks: - # - edgex-network - # aliases: - # - edgex-device-mqtt - # environment: - # <<: *common-variables - # Service_Host: edgex-device-mqtt - # depends_on: - # - data - # - command - # - # device-modbus: - # image: edgexfoundry/docker-device-modbus-go:1.2.0 - # ports: - # - "127.0.0.1:49991:49991" - # container_name: edgex-device-modbus - # hostname: edgex-device-modbus - # networks: - # - edgex-network - # aliases: - # - edgex-device-modbus - # environment: - # <<: *common-variables - # Service_Host: edgex-device-modbus - # depends_on: - # - data - # - command - # - # device-snmp: - # image: edgexfoundry/docker-device-snmp-go:1.2.0 
- # ports: - # - "127.0.0.1:49993:49993" - # container_name: edgex-device-snmp - # hostname: edgex-device-snmp - # networks: - # - edgex-network - # aliases: - # - edgex-device-snmp - # environment: - # <<: *common-variables - # Service_Host: edgex-device-snmp - # depends_on: - # - data - # - command - -########################################################## -# ssh tunneling proxy service for device-virtual -########################################################## - device-ssh-proxy: - image: device-ssh-proxy:test - container_name: edgex-device-ssh-proxy - hostname: edgex-device-ssh-proxy - volumes: - - $HOME/.ssh:/root/ssh:ro - ports: - - "49990:49990" - networks: - edgex-network: - aliases: - - edgex-device-virtual - environment: - TUNNEL_HOST: 192.168.1.190 - TUNNEL_SSH_PORT: 2223 - SERVICE_HOST: edgex-device-virtual - SERVICE_PORT: 49990 - -networks: - edgex-network: - driver: "bridge" diff --git a/security/remote_devices/ssh-tunneling/edgex-device-sshd-remote.yml b/security/remote_devices/ssh-tunneling/edgex-device-sshd-remote.yml deleted file mode 100644 index cda42faa..00000000 --- a/security/remote_devices/ssh-tunneling/edgex-device-sshd-remote.yml +++ /dev/null 
@@ -1,182 +0,0 @@ -# /******************************************************************************* -# * Copyright 2020 Redis Labs -# * -# * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except -# * in compliance with the License. You may obtain a copy of the License at -# * -# * http://www.apache.org/licenses/LICENSE-2.0 -# * -# * Unless required by applicable law or agreed to in writing, software distributed under the License -# * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express -# * or implied. See the License for the specific language governing permissions and limitations under -# * the License. -# * -# * Andre Srinivasan -# * added: April, 2020 -# *******************************************************************************/ - -version: '3.4' - -# all common shared environment variables defined here: -x-common-env-variables: &common-variables - Registry_Host: edgex-core-consul - Clients_CoreData_Host: edgex-core-data - Clients_Notifications_Host: edgex-support-notifications - Clients_Metadata_Host: edgex-core-metadata - Clients_Command_Host: edgex-core-command - Clients_Scheduler_Host: edgex-support-scheduler - Clients_RulesEngine_Host: edgex-kuiper - Clients_VirtualDevice_Host: edgex-device-virtual - Databases_Primary_Type: redisdb - Databases_Primary_Host: edgex-redis - Databases_Primary_Port: 6379 - SecretStore_Host: edgex-vault - SecretStore_ServerName: edgex-vault - SecretStore_RootCaCertPath: /tmp/edgex/secrets/ca/ca.pem - # Require in case old configuration from previous release used. - # Change to "true" if re-enabling logging service for remote logging - Logging_EnableRemote: "false" - # Clients_Logging_Host: edgex-support-logging # un-comment if re-enabling logging service for remote logging - -# REDIS5_PASSWORD_PATHNAME must have the same value as -# security-secretstore-read/res/configuration.toml SecretStore.Passwordfile. 
Note edgex-go issue -# #2503 that will address this. -x-redis5-env-variables: &redis5-variables - REDIS5_PASSWORD_PATHNAME: /tmp/edgex/secrets/edgex-redis/redis5-password - -volumes: - db-data: - log-data: - consul-config: - consul-data: - consul-scripts: - vault-init: - vault-config: - vault-file: - vault-logs: - # non-shared volumes - secrets-setup-cache: - -services: -# only device services on the remote machine -# the other dependencies of EdgeX core-servcies are served from -# the Reverse tunneling of the primary machine - -################################################################# -# Device Services -################################################################# - - device-virtual: - image: edgexfoundry/docker-device-virtual-go:1.2.0 - container_name: edgex-device-virtual - hostname: edgex-device-virtual - networks: - edgex-network: - aliases: - - edgex-device-virtual - environment: - <<: *common-variables - Service_Host: edgex-device-virtual - - # device-rest: - # image: edgexfoundry/docker-device-rest-go:1.1.0 - # ports: - # - "49986:49986" - # container_name: edgex-device-rest - # hostname: edgex-device-rest - # networks: - # edgex-network: - # aliases: - # - edgex-device-rest - # environment: - # <<: *common-variables - # Service_Host: edgex-device-rest - - # device-random: - # image: nexus3.edgexfoundry.org:10004/docker-device-random-go:master - # ports: - # - "127.0.0.1:49988:49988" - # container_name: edgex-device-random - # hostname: edgex-device-random - # networks: - # - edgex-network - # aliases: - # - edgex-device-random - # environment: - # <<: *common-variables - # Service_Host: edgex-device-random - # depends_on: - # - data - # - command - # - # device-mqtt: - # image: nexus3.edgexfoundry.org:10004/docker-device-mqtt-go:master - # ports: - # - "127.0.0.1:49982:49982" - # container_name: edgex-device-mqtt - # hostname: edgex-device-mqtt - # networks: - # - edgex-network - # aliases: - # - edgex-device-mqtt - # environment: - # <<: 
*common-variables
- # Service_Host: edgex-device-mqtt
- # depends_on:
- # - data
- # - command
- #
- # device-modbus:
- # image: nexus3.edgexfoundry.org:10004/docker-device-modbus-go:master
- # ports:
- # - "127.0.0.1:49991:49991"
- # container_name: edgex-device-modbus
- # hostname: edgex-device-modbus
- # networks:
- # - edgex-network
- # aliases:
- # - edgex-device-modbus
- # environment:
- # <<: *common-variables
- # Service_Host: edgex-device-modbus
- # depends_on:
- # - data
- # - command
- #
- # device-snmp:
- # image: nexus3.edgexfoundry.org:10004/docker-device-snmp-go:master
- # ports:
- # - "127.0.0.1:49993:49993"
- # container_name: edgex-device-snmp
- # hostname: edgex-device-snmp
- # networks:
- # - edgex-network
- # aliases:
- # - edgex-device-snmp
- # environment:
- # <<: *common-variables
- # Service_Host: edgex-device-snmp
- # depends_on:
- # - data
- # - command
-
-################################################################
-# SSH Daemon
-################################################################
- sshd-remote:
- image: eg_sshd
- ports:
- - "2223:22"
- container_name: edgex-sshd-remote
- hostname: edgex-sshd-remote
- networks:
- edgex-network:
- aliases:
- - edgex-core-consul
- - edgex-core-data
- - edgex-core-metadata
-
-
-networks:
- edgex-network:
- driver: "bridge"
diff --git a/security/remote_devices/ssh-tunneling/generate-keys.sh b/security/remote_devices/ssh-tunneling/generate-keys.sh
new file mode 100755
index 00000000..7522befa
--- /dev/null
+++ b/security/remote_devices/ssh-tunneling/generate-keys.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+test -f id_rsa || ssh-keygen -N '' -C device-ssh-proxy -t rsa -b 4096 -f id_rsa
+test -d local/ssh_keys || mkdir local/ssh_keys
+cp -f id_rsa* local/ssh_keys
+cp -f id_rsa.pub remote/sshd-remote/authorized_keys
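Review bot: Nothing stops generate-keys.sh on error, so if `mkdir local/ssh_keys` fails or `remote/sshd-remote/` does not exist the preceding `cp` still runs and the script ends with a half-provisioned key set; a `set -e` after the shebang plus `mkdir -p local/ssh_keys remote/sshd-remote` in place of the `test -d` line would create both targets or fail fast. The private key is generated with `-N ''`, i.e. with no passphrase, and a copy is written to `local/ssh_keys`, so the script should say so in a header comment, e.g. `# Generates an unencrypted RSA keypair for the tunnel proxy; id_rsa is a secret and must never be committed.`. The .gitignore patterns added in this change carry no path component, so they also match the copies under local/ and remote/, which is worth stating next to that comment so nobody "fixes" the patterns into anchored ones.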
diff --git a/security/remote_devices/ssh-tunneling/local/device-ssh-proxy/Dockerfile b/security/remote_devices/ssh-tunneling/local/device-ssh-proxy/Dockerfile
new file mode 100644
index 00000000..76022e55
--- /dev/null
+++ b/security/remote_devices/ssh-tunneling/local/device-ssh-proxy/Dockerfile
@@ -0,0 +1,13 @@
+# Copyright (C) 2020-2022 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+FROM alpine:latest
+
+RUN apk add --no-cache --update dumb-init openssh-client && rm -rf /var/cache/apk/*
+
+COPY docker-entrypoint.sh /usr/local/bin/
+
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+
+ENTRYPOINT [ "docker-entrypoint.sh" ]
diff --git a/security/remote_devices/ssh-tunneling/local/device-ssh-proxy/docker-entrypoint.sh b/security/remote_devices/ssh-tunneling/local/device-ssh-proxy/docker-entrypoint.sh
new file mode 100755
index 00000000..6ffc494c
--- /dev/null
+++ b/security/remote_devices/ssh-tunneling/local/device-ssh-proxy/docker-entrypoint.sh
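Review bot: `FROM alpine:latest` leaves the base image unpinned, so the openssh-client this proxy depends on changes silently between rebuilds; pin a release tag, e.g. `FROM alpine:<x.y>`, ideally with a digest. With `apk add --no-cache` the trailing `&& rm -rf /var/cache/apk/*` is redundant and can be dropped. No `USER` is set, which looks deliberate because docker-entrypoint.sh in the next hunk chowns /root/.ssh and the key files to 0:0, so a comment such as `# runs as root on purpose: the entrypoint repairs ownership and mode of the mounted /root/.ssh` would stop the missing USER from being flagged on every review.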
@@ -0,0 +1,47 @@
+#!/usr/bin/dumb-init /bin/sh
+
+# Copyright (C) 2020-2022 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -ex
+
+if [ "`stat -c '%u %g %a' /root/.ssh`" != "0 0 700" ]; then
+ chown 0:0 /root/.ssh
+ chmod 700 /root/.ssh
+fi
+if [ "`stat -c '%u %g %a' /root/.ssh/id_rsa`" != "0 0 600" ]; then
+ chown 0:0 /root/.ssh/id_rsa
+ chmod 600 /root/.ssh/id_rsa
+fi
+if [ "`stat -c '%u %g %a' /root/.ssh/id_rsa.pub`" != "0 0 600" ]; then
+ chown 0:0 /root/.ssh/id_rsa.pub
+ chmod 600 /root/.ssh/id_rsa.pub
+fi
+
+while true; do
+ scp -p \
+ -o StrictHostKeyChecking=no \
+ -o UserKnownHostsFile=/dev/null \
+ -P $TUNNEL_SSH_PORT \
+ /tmp/edgex/secrets/device-virtual/secrets-token.json $TUNNEL_HOST:/tmp/edgex/secrets/device-virtual/secrets-token.json
+ ssh \
+ -o StrictHostKeyChecking=no \
+ -o UserKnownHostsFile=/dev/null \
+ -p $TUNNEL_SSH_PORT \
+ $TUNNEL_HOST -- \
+ chown -Rh 2002:2001 /tmp/edgex/secrets/device-virtual
+ ssh -N \
+ -o StrictHostKeyChecking=no \
+ -o UserKnownHostsFile=/dev/null \
+ -L *:$SERVICE_PORT:$SERVICE_HOST:$SERVICE_PORT \
+ -R 0.0.0.0:$SECRETSTORE_PORT:$SECRETSTORE_HOST:$SECRETSTORE_PORT \
+ -R 0.0.0.0:6379:$MESSAGEQUEUE_HOST:6379 \
+ -R 0.0.0.0:8500:$REGISTRY_HOST:8500 \
+ -R 0.0.0.0:5563:$CLIENTS_CORE_DATA_HOST:5563 \
+ -R 0.0.0.0:59880:$CLIENTS_CORE_DATA_HOST:59880 \
+ -R 0.0.0.0:59881:$CLIENTS_CORE_METADATA_HOST:59881 \
+ -p $TUNNEL_SSH_PORT \
+ $TUNNEL_HOST
+ sleep 1
+done
diff --git a/security/remote_devices/ssh-tunneling/local/docker-compose.original b/security/remote_devices/ssh-tunneling/local/docker-compose.original
new file mode 100644
index 00000000..b936d316
--- /dev/null
+++ b/security/remote_devices/ssh-tunneling/local/docker-compose.original
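Review bot: All three ssh/scp invocations in the reconnect loop pass `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`, which switches off host authentication entirely, so the secret-store token that `scp` pushes to `$TUNNEL_HOST` and every session forwarded through the tunnel afterwards would be delivered to whatever answers on that host and port, with no way to notice. Since the client key in `/root/.ssh` is evidently supplied from outside the image, ship the remote sshd's host public key next to it (recorded once, out of band, into a known_hosts file) and use `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/root/.ssh/known_hosts` on each of the three calls. Two smaller points: `set -ex` echoes every command, including the forwarded host names and the token path, into the container log, and the `sleep 1` retry has no backoff, so an unreachable remote produces a continuous stream of scp/ssh failures; `set -e` with a longer, bounded sleep would be quieter. `$TUNNEL_HOST`, `$TUNNEL_SSH_PORT` and the forwarding variables are also unquoted and unchecked, so `: "${TUNNEL_HOST:?}"`-style checks at the top of the script would fail fast with a clear message instead of an ssh usage error inside the loop.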
@@ -0,0 +1,1024 @@ +# * Copyright 2021 Intel Corporation. +# * +# * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except +# * in compliance with the License. You may obtain a copy of the License at +# * +# * http://www.apache.org/licenses/LICENSE-2.0 +# * +# * Unless required by applicable law or agreed to in writing, software distributed under the License +# * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express +# * or implied. See the License for the specific language governing permissions and limitations under +# * the License. +# * +# * EdgeX Foundry, Hanoi, version "master" +# *******************************************************************************/ +# +# +# +# ************************ This is a generated compose file **************************** +# +# DO NOT MAKE CHANGES that are intended to be permanent to EdgeX edgex-compose repo. +# +# Permanent changes can be made to the source compose files located in the compose-builder folder +# at the top level of the edgex-compose repo. 
+# +# From the compose-builder folder use `make build` to regenerate all standard compose files variations +# +networks: + edgex-network: + driver: bridge +services: + app-service-rules: + command: /app-service-configurable -cp=consul.http://edgex-core-consul:8500 --registry + --confdir=/res + container_name: edgex-app-rules-engine + depends_on: + - consul + - data + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_PROFILE: rules-engine + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-app-rules-engine + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + TRIGGER_EDGEXMESSAGEBUS_PUBLISHHOST_HOST: edgex-redis + TRIGGER_EDGEXMESSAGEBUS_SUBSCRIBEHOST_HOST: edgex-redis + hostname: edgex-app-rules-engine + image: nexus3.edgexfoundry.org:10004/app-service-configurable:latest + networks: + edgex-network: {} + ports: + - 
127.0.0.1:59701:59701/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/app-rules-engine:/tmp/edgex/secrets/app-rules-engine:ro,z + command: + command: /core-command -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + container_name: edgex-core-command + depends_on: + - consul + - database + - metadata + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-core-command + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-command + image: nexus3.edgexfoundry.org:10004/core-command:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59882:59882/tcp + read_only: true + restart: always + security_opt: + - 
no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/core-command:/tmp/edgex/secrets/core-command:ro,z + consul: + command: agent -ui -bootstrap -server -client 0.0.0.0 + container_name: edgex-core-consul + depends_on: + - security-bootstrapper + - vault + entrypoint: + - /edgex-init/consul_wait_install.sh + environment: + ADD_REGISTRY_ACL_ROLES: '' + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + EDGEX_GROUP: '2001' + EDGEX_SECURITY_SECRET_STORE: "true" + EDGEX_USER: '2002' + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_ACL_BOOTSTRAPTOKENPATH: /tmp/edgex/secrets/consul-acl-token/bootstrap_token.json + STAGEGATE_REGISTRY_ACL_SENTINELFILEPATH: /consul/config/consul_acl_done + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-consul + image: consul:1.10 + networks: + edgex-network: {} + ports: + - 8500:8500/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: root:root + volumes: + - consul-config:/consul/config:z + - consul-data:/consul/data:z + - edgex-init:/edgex-init:ro,z + - consul-acl-token:/tmp/edgex/secrets/consul-acl-token:z + - /tmp/edgex/secrets/edgex-consul:/tmp/edgex/secrets/edgex-consul:ro,z + data: + command: /core-data -cp=consul.http://edgex-core-consul:8500 --registry 
--confdir=/res + container_name: edgex-core-data + depends_on: + - consul + - database + - metadata + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + MESSAGEQUEUE_HOST: edgex-redis + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/core-data/secrets-token.json + SERVICE_HOST: edgex-core-data + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-data + image: nexus3.edgexfoundry.org:10004/core-data:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:5563:5563/tcp + - 127.0.0.1:59880:59880/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/core-data:/tmp/edgex/secrets/core-data:ro,z + database: + container_name: edgex-redis + depends_on: + - 
secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/redis_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASECONFIG_NAME: redis.conf + DATABASECONFIG_PATH: /run/redis/conf + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-redis + image: redis:6.2-alpine + networks: + edgex-network: {} + ports: + - 127.0.0.1:6379:6379/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /run + user: root:root + volumes: + - db-data:/data:z + - edgex-init:/edgex-init:ro,z + - redis-config:/run/redis/conf:z + - /tmp/edgex/secrets/security-bootstrapper-redis:/tmp/edgex/secrets/security-bootstrapper-redis:ro,z + device-rest: + command: /device-rest -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + container_name: edgex-device-rest + depends_on: + - consul + - data + - metadata + - 
security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + MESSAGEQUEUE_HOST: edgex-redis + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-device-rest + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-device-rest + image: nexus3.edgexfoundry.org:10004/device-rest:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59986:59986/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/device-rest:/tmp/edgex/secrets/device-rest:ro,z + device-virtual: + command: /device-virtual -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + container_name: edgex-device-virtual + depends_on: + - consul + - data + - metadata + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + 
environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + MESSAGEQUEUE_HOST: edgex-redis + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-device-virtual + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-device-virtual + image: nexus3.edgexfoundry.org:10004/device-virtual:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59900:59900/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/device-virtual:/tmp/edgex/secrets/device-virtual:ro,z + kong: + container_name: edgex-kong + depends_on: + - kong-db + - security-bootstrapper + entrypoint: + - /edgex-init/kong_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + KONG_ADMIN_ACCESS_LOG: /dev/stdout + KONG_ADMIN_ERROR_LOG: /dev/stderr + KONG_ADMIN_LISTEN: 127.0.0.1:8001, 127.0.0.1:8444 ssl + 
KONG_DATABASE: postgres + KONG_DNS_ORDER: LAST,A,CNAME + KONG_DNS_VALID_TTL: '1' + KONG_NGINX_WORKER_PROCESSES: '1' + KONG_PG_HOST: edgex-kong-db + KONG_PG_PASSWORD_FILE: /tmp/postgres-config/.pgpassword + KONG_PROXY_ACCESS_LOG: /dev/stdout + KONG_PROXY_ERROR_LOG: /dev/stderr + KONG_SSL_CIPHER_SUITE: modern + KONG_STATUS_LISTEN: 0.0.0.0:8100 + PROXY_SETUP_HOST: edgex-security-proxy-setup + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-kong + image: kong:2.6 + networks: + edgex-network: {} + ports: + - 8000:8000/tcp + - 127.0.0.1:8100:8100/tcp + - 8443:8443/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /run + - /tmp + tty: true + user: kong:nogroup + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/security-proxy-setup:/tmp/edgex/secrets/security-proxy-setup:ro,z + - postgres-config:/tmp/postgres-config:z + - kong:/usr/local/kong:z + kong-db: + container_name: edgex-kong-db + depends_on: + - security-bootstrapper + entrypoint: + - /edgex-init/postgres_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + EDGEX_SECURITY_SECRET_STORE: "true" + POSTGRES_DB: kong + POSTGRES_PASSWORD_FILE: /tmp/postgres-config/.pgpassword + POSTGRES_USER: kong + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + 
STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-kong-db + image: postgres:13.5-alpine + networks: + edgex-network: {} + ports: + - 127.0.0.1:5432:5432/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /var/run + - /tmp + - /run + user: root:root + volumes: + - edgex-init:/edgex-init:ro,z + - postgres-config:/tmp/postgres-config:z + - postgres-data:/var/lib/postgresql/data:z + metadata: + command: /core-metadata -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + container_name: edgex-core-metadata + depends_on: + - consul + - database + - notifications + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + NOTIFICATIONS_SENDER: edgex-core-metadata + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-core-metadata + 
STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-metadata + image: nexus3.edgexfoundry.org:10004/core-metadata:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59881:59881/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/core-metadata:/tmp/edgex/secrets/core-metadata:ro,z + notifications: + command: /support-notifications -cp=consul.http://edgex-core-consul:8500 --registry + --confdir=/res + container_name: edgex-support-notifications + depends_on: + - consul + - database + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-support-notifications + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + 
STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-support-notifications + image: nexus3.edgexfoundry.org:10004/support-notifications:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59860:59860/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/support-notifications:/tmp/edgex/secrets/support-notifications:ro,z + proxy-setup: + container_name: edgex-security-proxy-setup + depends_on: + - kong + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/proxy_setup_wait_install.sh + environment: + ADD_PROXY_ROUTE: '' + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + EDGEX_SECURITY_SECRET_STORE: "true" + KONGURL_SERVER: edgex-kong + PROXY_SETUP_HOST: edgex-security-proxy-setup + ROUTES_CORE_COMMAND_HOST: edgex-core-command + ROUTES_CORE_CONSUL_HOST: edgex-core-consul + ROUTES_CORE_DATA_HOST: edgex-core-data + ROUTES_CORE_METADATA_HOST: edgex-core-metadata + ROUTES_DEVICE_VIRTUAL_HOST: device-virtual + ROUTES_RULES_ENGINE_HOST: edgex-kuiper + ROUTES_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + ROUTES_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + ROUTES_SYS_MGMT_AGENT_HOST: edgex-sys-mgmt-agent + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + 
STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-security-proxy-setup + image: nexus3.edgexfoundry.org:10004/security-proxy-setup:latest + networks: + edgex-network: {} + read_only: true + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - consul-acl-token:/tmp/edgex/secrets/consul-acl-token:ro,z + - /tmp/edgex/secrets/security-proxy-setup:/tmp/edgex/secrets/security-proxy-setup:ro,z + rulesengine: + container_name: edgex-kuiper + depends_on: + - database + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/kuiper_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + EDGEX__DEFAULT__PORT: 6379 + EDGEX__DEFAULT__PROTOCOL: redis + EDGEX__DEFAULT__SERVER: edgex-redis + EDGEX__DEFAULT__TOPIC: rules-events + EDGEX__DEFAULT__TYPE: redis + KUIPER__BASIC__CONSOLELOG: "true" + KUIPER__BASIC__RESTPORT: 59720 + PROXY_SETUP_HOST: edgex-security-proxy-setup + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: 
edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-kuiper + image: lfedge/ekuiper:1.3.1-alpine + networks: + edgex-network: {} + ports: + - 127.0.0.1:59720:59720/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: kuiper:kuiper + volumes: + - edgex-init:/edgex-init:ro,z + - kuiper-data:/kuiper/data:z + - kuiper-connections:/kuiper/etc/connections:z + - kuiper-sources:/kuiper/etc/sources:z + scheduler: + command: /support-scheduler -cp=consul.http://edgex-core-consul:8500 --registry + --confdir=/res + container_name: edgex-support-scheduler + depends_on: + - consul + - database + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data + INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-support-scheduler + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: 
'54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-support-scheduler + image: nexus3.edgexfoundry.org:10004/support-scheduler:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59861:59861/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/support-scheduler:/tmp/edgex/secrets/support-scheduler:ro,z + secretstore-setup: + container_name: edgex-security-secretstore-setup + depends_on: + - security-bootstrapper + - vault + environment: + ADD_KNOWN_SECRETS: redisdb[app-rules-engine],redisdb[device-rest],redisdb[device-virtual] + ADD_SECRETSTORE_TOKENS: '' + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + EDGEX_GROUP: '2001' + EDGEX_SECURITY_SECRET_STORE: "true" + EDGEX_USER: '2002' + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SECUREMESSAGEBUS_TYPE: redis + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-security-secretstore-setup + image: nexus3.edgexfoundry.org:10004/security-secretstore-setup:latest + networks: + edgex-network: {} + read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /run + - /vault + 
user: root:root + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets:/tmp/edgex/secrets:z + - kong:/tmp/kong:z + - kuiper-sources:/tmp/kuiper:z + - kuiper-connections:/tmp/kuiper-connections:z + - vault-config:/vault/config:z + security-bootstrapper: + container_name: edgex-security-bootstrapper + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + EDGEX_GROUP: '2001' + EDGEX_USER: '2002' + PROXY_SETUP_HOST: edgex-security-proxy-setup + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-security-bootstrapper + image: nexus3.edgexfoundry.org:10004/security-bootstrapper:latest + networks: + edgex-network: {} + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: root:root + volumes: + - edgex-init:/edgex-init:z + system: + command: /sys-mgmt-agent -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + container_name: edgex-sys-mgmt-agent + depends_on: + - command + - consul + - data + - metadata + - notifications + - scheduler + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + 
CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + EXECUTORPATH: /sys-mgmt-executor + METRICSMECHANISM: executor + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-sys-mgmt-agent + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-sys-mgmt-agent + image: nexus3.edgexfoundry.org:10004/sys-mgmt-agent:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:58890:58890/tcp + read_only: true + restart: always + security_opt: + - label:disable + - no-new-privileges:true + user: root:root + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/sys-mgmt-agent:/tmp/edgex/secrets/sys-mgmt-agent:ro,z + - /var/run/docker.sock:/var/run/docker.sock:z + ui: + container_name: edgex-ui-go + environment: + EDGEX_SECURITY_SECRET_STORE: "true" + hostname: edgex-ui-go + image: nexus3.edgexfoundry.org:10004/edgex-ui:latest + networks: + edgex-network: {} + ports: + - 4000:4000/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + vault: + cap_add: + - IPC_LOCK + command: server + container_name: edgex-vault + depends_on: + - security-bootstrapper + entrypoint: + - /edgex-init/vault_wait_install.sh + environment: + API_GATEWAY_HOST: 
edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + PROXY_SETUP_HOST: edgex-security-proxy-setup + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + VAULT_ADDR: http://edgex-vault:8200 + VAULT_CONFIG_DIR: /vault/config + VAULT_UI: "true" + hostname: edgex-vault + image: vault:1.8.5 + networks: + edgex-network: {} + ports: + - 127.0.0.1:8200:8200/tcp + restart: always + tmpfs: + - /vault/config + user: root:root + volumes: + - edgex-init:/edgex-init:ro,z + - vault-file:/vault/file:z + - vault-logs:/vault/logs:z +version: '3.7' +volumes: + consul-acl-token: {} + consul-config: {} + consul-data: {} + db-data: {} + edgex-init: {} + kong: {} + kuiper-connections: {} + kuiper-data: {} + kuiper-sources: {} + postgres-config: {} + postgres-data: {} + redis-config: {} + vault-config: {} + vault-file: {} + vault-logs: {} +
diff --git a/security/remote_devices/ssh-tunneling/local/docker-compose.yml b/security/remote_devices/ssh-tunneling/local/docker-compose.yml
new file mode 100644
index 00000000..62a1170e
--- /dev/null
+++ b/security/remote_devices/ssh-tunneling/local/docker-compose.yml
@@ -0,0 +1,1078 @@
+# * Copyright 2021 Intel Corporation.
+# *
+# * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# * in compliance with the License. You may obtain a copy of the License at
+# *
+# * http://www.apache.org/licenses/LICENSE-2.0
+# *
+# * Unless required by applicable law or agreed to in writing, software distributed under the License
+# * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# * or implied. See the License for the specific language governing permissions and limitations under
+# * the License.
+# *
+# * EdgeX Foundry, Hanoi, version "master"
+# *******************************************************************************/
+#
+#
+#
+# ************************ This is a generated compose file ****************************
+#
+# DO NOT MAKE CHANGES that are intended to be permanent to EdgeX edgex-compose repo.
+#
+# Permanent changes can be made to the source compose files located in the compose-builder folder
+# at the top level of the edgex-compose repo.
+# +# From the compose-builder folder use `make build` to regenerate all standard compose files variations +# +networks: + edgex-network: + driver: bridge +services: + app-service-rules: + command: /app-service-configurable -cp=consul.http://edgex-core-consul:8500 --registry + --confdir=/res + container_name: edgex-app-rules-engine + depends_on: + - consul + - data + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_PROFILE: rules-engine + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-app-rules-engine + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + TRIGGER_EDGEXMESSAGEBUS_PUBLISHHOST_HOST: edgex-redis + TRIGGER_EDGEXMESSAGEBUS_SUBSCRIBEHOST_HOST: edgex-redis + hostname: edgex-app-rules-engine + image: nexus3.edgexfoundry.org:10004/app-service-configurable:latest + networks: + edgex-network: {} + ports: + - 
127.0.0.1:59701:59701/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/app-rules-engine:/tmp/edgex/secrets/app-rules-engine:ro,z + command: + command: /core-command -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + container_name: edgex-core-command + depends_on: + - consul + - database + - metadata + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-core-command + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-command + image: nexus3.edgexfoundry.org:10004/core-command:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59882:59882/tcp + read_only: true + restart: always + security_opt: + - 
no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/core-command:/tmp/edgex/secrets/core-command:ro,z + consul: + command: agent -ui -bootstrap -server -client 0.0.0.0 + container_name: edgex-core-consul + depends_on: + - security-bootstrapper + - vault + entrypoint: + - /edgex-init/consul_wait_install.sh + environment: + ADD_REGISTRY_ACL_ROLES: '' + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + EDGEX_GROUP: '2001' + EDGEX_SECURITY_SECRET_STORE: "true" + EDGEX_USER: '2002' + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_ACL_BOOTSTRAPTOKENPATH: /tmp/edgex/secrets/consul-acl-token/bootstrap_token.json + STAGEGATE_REGISTRY_ACL_SENTINELFILEPATH: /consul/config/consul_acl_done + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-consul + image: consul:1.10 + networks: + edgex-network: {} + ports: + - 8500:8500/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: root:root + volumes: + - consul-config:/consul/config:z + - consul-data:/consul/data:z + - edgex-init:/edgex-init:ro,z + - consul-acl-token:/tmp/edgex/secrets/consul-acl-token:z + - /tmp/edgex/secrets/edgex-consul:/tmp/edgex/secrets/edgex-consul:ro,z + data: + command: /core-data -cp=consul.http://edgex-core-consul:8500 --registry 
--confdir=/res + container_name: edgex-core-data + depends_on: + - consul + - database + - metadata + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + MESSAGEQUEUE_HOST: edgex-redis + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/core-data/secrets-token.json + SERVICE_HOST: edgex-core-data + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-data + image: nexus3.edgexfoundry.org:10004/core-data:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:5563:5563/tcp + - 127.0.0.1:59880:59880/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/core-data:/tmp/edgex/secrets/core-data:ro,z + database: + container_name: edgex-redis + depends_on: + - 
secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/redis_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASECONFIG_NAME: redis.conf + DATABASECONFIG_PATH: /run/redis/conf + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-redis + image: redis:6.2-alpine + networks: + edgex-network: {} + ports: + - 127.0.0.1:6379:6379/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /run + user: root:root + volumes: + - db-data:/data:z + - edgex-init:/edgex-init:ro,z + - redis-config:/run/redis/conf:z + - /tmp/edgex/secrets/security-bootstrapper-redis:/tmp/edgex/secrets/security-bootstrapper-redis:ro,z + device-rest: + command: /device-rest -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + container_name: edgex-device-rest + depends_on: + - consul + - data + - metadata + - 
security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + MESSAGEQUEUE_HOST: edgex-redis + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-device-rest + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-device-rest + image: nexus3.edgexfoundry.org:10004/device-rest:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59986:59986/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/device-rest:/tmp/edgex/secrets/device-rest:ro,z + ### =============== + ### BEGIN REMOVED CONTENT + ### =============== +# device-virtual: +# command: /device-virtual -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res +# container_name: edgex-device-virtual +# depends_on: +# - consul +# - data +# - metadata +# - 
security-bootstrapper +# entrypoint: +# - /edgex-init/ready_to_run_wait_install.sh +# environment: +# API_GATEWAY_HOST: edgex-kong +# API_GATEWAY_STATUS_PORT: '8100' +# CLIENTS_CORE_COMMAND_HOST: edgex-core-command +# CLIENTS_CORE_DATA_HOST: edgex-core-data +# CLIENTS_CORE_METADATA_HOST: edgex-core-metadata +# CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications +# CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler +# DATABASES_PRIMARY_HOST: edgex-redis +# EDGEX_SECURITY_SECRET_STORE: "true" +# MESSAGEQUEUE_HOST: edgex-redis +# PROXY_SETUP_HOST: edgex-security-proxy-setup +# REGISTRY_HOST: edgex-core-consul +# SECRETSTORE_HOST: edgex-vault +# SECRETSTORE_PORT: '8200' +# SERVICE_HOST: edgex-device-virtual +# STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper +# STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' +# STAGEGATE_DATABASE_HOST: edgex-redis +# STAGEGATE_DATABASE_PORT: '6379' +# STAGEGATE_DATABASE_READYPORT: '6379' +# STAGEGATE_KONGDB_HOST: edgex-kong-db +# STAGEGATE_KONGDB_PORT: '5432' +# STAGEGATE_KONGDB_READYPORT: '54325' +# STAGEGATE_READY_TORUNPORT: '54329' +# STAGEGATE_REGISTRY_HOST: edgex-core-consul +# STAGEGATE_REGISTRY_PORT: '8500' +# STAGEGATE_REGISTRY_READYPORT: '54324' +# STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup +# STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' +# STAGEGATE_WAITFOR_TIMEOUT: 60s +# hostname: edgex-device-virtual +# image: nexus3.edgexfoundry.org:10004/device-virtual:latest +# networks: +# edgex-network: {} +# ports: +# - 127.0.0.1:59900:59900/tcp +# read_only: true +# restart: always +# security_opt: +# - no-new-privileges:true +# user: 2002:2001 +# volumes: +# - edgex-init:/edgex-init:ro,z +# - /tmp/edgex/secrets/device-virtual:/tmp/edgex/secrets/device-virtual:ro,z + ### =============== + ### END REMOVED CONTENT + ### =============== + kong: + container_name: edgex-kong + depends_on: + - kong-db + - security-bootstrapper + entrypoint: + - /edgex-init/kong_wait_install.sh + 
environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + KONG_ADMIN_ACCESS_LOG: /dev/stdout + KONG_ADMIN_ERROR_LOG: /dev/stderr + KONG_ADMIN_LISTEN: 127.0.0.1:8001, 127.0.0.1:8444 ssl + KONG_DATABASE: postgres + KONG_DNS_ORDER: LAST,A,CNAME + KONG_DNS_VALID_TTL: '1' + KONG_NGINX_WORKER_PROCESSES: '1' + KONG_PG_HOST: edgex-kong-db + KONG_PG_PASSWORD_FILE: /tmp/postgres-config/.pgpassword + KONG_PROXY_ACCESS_LOG: /dev/stdout + KONG_PROXY_ERROR_LOG: /dev/stderr + KONG_SSL_CIPHER_SUITE: modern + KONG_STATUS_LISTEN: 0.0.0.0:8100 + PROXY_SETUP_HOST: edgex-security-proxy-setup + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-kong + image: kong:2.6 + networks: + edgex-network: {} + ports: + - 8000:8000/tcp + - 127.0.0.1:8100:8100/tcp + - 8443:8443/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /run + - /tmp + tty: true + user: kong:nogroup + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/security-proxy-setup:/tmp/edgex/secrets/security-proxy-setup:ro,z + - postgres-config:/tmp/postgres-config:z + - kong:/usr/local/kong:z + kong-db: + container_name: edgex-kong-db + depends_on: + - security-bootstrapper + entrypoint: + - /edgex-init/postgres_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + EDGEX_SECURITY_SECRET_STORE: "true" + POSTGRES_DB: kong 
+ POSTGRES_PASSWORD_FILE: /tmp/postgres-config/.pgpassword + POSTGRES_USER: kong + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-kong-db + image: postgres:13.5-alpine + networks: + edgex-network: {} + ports: + - 127.0.0.1:5432:5432/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /var/run + - /tmp + - /run + user: root:root + volumes: + - edgex-init:/edgex-init:ro,z + - postgres-config:/tmp/postgres-config:z + - postgres-data:/var/lib/postgresql/data:z + metadata: + command: /core-metadata -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + container_name: edgex-core-metadata + depends_on: + - consul + - database + - notifications + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + NOTIFICATIONS_SENDER: edgex-core-metadata + 
PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-core-metadata + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-metadata + image: nexus3.edgexfoundry.org:10004/core-metadata:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59881:59881/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/core-metadata:/tmp/edgex/secrets/core-metadata:ro,z + notifications: + command: /support-notifications -cp=consul.http://edgex-core-consul:8500 --registry + --confdir=/res + container_name: edgex-support-notifications + depends_on: + - consul + - database + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: 
edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-support-notifications + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-support-notifications + image: nexus3.edgexfoundry.org:10004/support-notifications:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59860:59860/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/support-notifications:/tmp/edgex/secrets/support-notifications:ro,z + proxy-setup: + container_name: edgex-security-proxy-setup + depends_on: + - kong + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/proxy_setup_wait_install.sh + environment: + ADD_PROXY_ROUTE: '' + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + EDGEX_SECURITY_SECRET_STORE: "true" + KONGURL_SERVER: edgex-kong + PROXY_SETUP_HOST: edgex-security-proxy-setup + ROUTES_CORE_COMMAND_HOST: edgex-core-command + ROUTES_CORE_CONSUL_HOST: edgex-core-consul + ROUTES_CORE_DATA_HOST: edgex-core-data + ROUTES_CORE_METADATA_HOST: edgex-core-metadata + ROUTES_DEVICE_VIRTUAL_HOST: device-virtual + ROUTES_RULES_ENGINE_HOST: edgex-kuiper + ROUTES_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + ROUTES_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + ROUTES_SYS_MGMT_AGENT_HOST: 
edgex-sys-mgmt-agent + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-security-proxy-setup + image: nexus3.edgexfoundry.org:10004/security-proxy-setup:latest + networks: + edgex-network: {} + read_only: true + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - consul-acl-token:/tmp/edgex/secrets/consul-acl-token:ro,z + - /tmp/edgex/secrets/security-proxy-setup:/tmp/edgex/secrets/security-proxy-setup:ro,z + rulesengine: + container_name: edgex-kuiper + depends_on: + - database + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/kuiper_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + EDGEX__DEFAULT__PORT: 6379 + EDGEX__DEFAULT__PROTOCOL: redis + EDGEX__DEFAULT__SERVER: edgex-redis + EDGEX__DEFAULT__TOPIC: rules-events + EDGEX__DEFAULT__TYPE: redis + KUIPER__BASIC__CONSOLELOG: "true" + KUIPER__BASIC__RESTPORT: 59720 + PROXY_SETUP_HOST: edgex-security-proxy-setup + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + 
STAGEGATE_READY_TORUNPORT: '54329'
+ STAGEGATE_REGISTRY_HOST: edgex-core-consul
+ STAGEGATE_REGISTRY_PORT: '8500'
+ STAGEGATE_REGISTRY_READYPORT: '54324'
+ STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
+ STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322'
+ STAGEGATE_WAITFOR_TIMEOUT: 60s
+ hostname: edgex-kuiper
+ image: lfedge/ekuiper:1.3.1-alpine
+ networks:
+ edgex-network: {}
+ ports:
+ - 127.0.0.1:59720:59720/tcp
+ read_only: true
+ restart: always
+ security_opt:
+ - no-new-privileges:true
+ user: kuiper:kuiper
+ volumes:
+ - edgex-init:/edgex-init:ro,z
+ - kuiper-data:/kuiper/data:z
+ - kuiper-connections:/kuiper/etc/connections:z
+ - kuiper-sources:/kuiper/etc/sources:z
+ scheduler:
+ command: /support-scheduler -cp=consul.http://edgex-core-consul:8500 --registry
+ --confdir=/res
+ container_name: edgex-support-scheduler
+ depends_on:
+ - consul
+ - database
+ - secretstore-setup
+ - security-bootstrapper
+ entrypoint:
+ - /edgex-init/ready_to_run_wait_install.sh
+ environment:
+ API_GATEWAY_HOST: edgex-kong
+ API_GATEWAY_STATUS_PORT: '8100'
+ CLIENTS_CORE_COMMAND_HOST: edgex-core-command
+ CLIENTS_CORE_DATA_HOST: edgex-core-data
+ CLIENTS_CORE_METADATA_HOST: edgex-core-metadata
+ CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications
+ CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler
+ DATABASES_PRIMARY_HOST: edgex-redis
+ EDGEX_SECURITY_SECRET_STORE: "true"
+ INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data
+ INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data
+ PROXY_SETUP_HOST: edgex-security-proxy-setup
+ REGISTRY_HOST: edgex-core-consul
+ SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_PORT: '8200'
+ SERVICE_HOST: edgex-support-scheduler
+ STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
+ STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
+ STAGEGATE_DATABASE_HOST: edgex-redis
+ STAGEGATE_DATABASE_PORT: '6379'
+ STAGEGATE_DATABASE_READYPORT: '6379'
+ STAGEGATE_KONGDB_HOST: edgex-kong-db
+ STAGEGATE_KONGDB_PORT: '5432'
+ STAGEGATE_KONGDB_READYPORT: '54325'
+ STAGEGATE_READY_TORUNPORT: '54329'
+ STAGEGATE_REGISTRY_HOST: edgex-core-consul
+ STAGEGATE_REGISTRY_PORT: '8500'
+ STAGEGATE_REGISTRY_READYPORT: '54324'
+ STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
+ STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322'
+ STAGEGATE_WAITFOR_TIMEOUT: 60s
+ hostname: edgex-support-scheduler
+ image: nexus3.edgexfoundry.org:10004/support-scheduler:latest
+ networks:
+ edgex-network: {}
+ ports:
+ - 127.0.0.1:59861:59861/tcp
+ read_only: true
+ restart: always
+ security_opt:
+ - no-new-privileges:true
+ user: 2002:2001
+ volumes:
+ - edgex-init:/edgex-init:ro,z
+ - /tmp/edgex/secrets/support-scheduler:/tmp/edgex/secrets/support-scheduler:ro,z
+ secretstore-setup:
+ container_name: edgex-security-secretstore-setup
+ depends_on:
+ - security-bootstrapper
+ - vault
+ environment:
+ ADD_KNOWN_SECRETS: redisdb[app-rules-engine],redisdb[device-rest],redisdb[device-virtual]
+ ADD_SECRETSTORE_TOKENS: ''
+ API_GATEWAY_HOST: edgex-kong
+ API_GATEWAY_STATUS_PORT: '8100'
+ EDGEX_GROUP: '2001'
+ EDGEX_SECURITY_SECRET_STORE: "true"
+ EDGEX_USER: '2002'
+ PROXY_SETUP_HOST: edgex-security-proxy-setup
+ SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_PORT: '8200'
+ SECUREMESSAGEBUS_TYPE: redis
+ STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
+ STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
+ STAGEGATE_DATABASE_HOST: edgex-redis
+ STAGEGATE_DATABASE_PORT: '6379'
+ STAGEGATE_DATABASE_READYPORT: '6379'
+ STAGEGATE_KONGDB_HOST: edgex-kong-db
+ STAGEGATE_KONGDB_PORT: '5432'
+ STAGEGATE_KONGDB_READYPORT: '54325'
+ STAGEGATE_READY_TORUNPORT: '54329'
+ STAGEGATE_REGISTRY_HOST: edgex-core-consul
+ STAGEGATE_REGISTRY_PORT: '8500'
+ STAGEGATE_REGISTRY_READYPORT: '54324'
+ STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
+ STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322'
+ STAGEGATE_WAITFOR_TIMEOUT: 60s
+ hostname: edgex-security-secretstore-setup
+ image: nexus3.edgexfoundry.org:10004/security-secretstore-setup:latest
+ networks:
+ edgex-network: {}
+ read_only: true
+ restart: always
+ security_opt:
+ - no-new-privileges:true
+ tmpfs:
+ - /run
+ - /vault
+ user: root:root
+ volumes:
+ - edgex-init:/edgex-init:ro,z
+ - /tmp/edgex/secrets:/tmp/edgex/secrets:z
+ - kong:/tmp/kong:z
+ - kuiper-sources:/tmp/kuiper:z
+ - kuiper-connections:/tmp/kuiper-connections:z
+ - vault-config:/vault/config:z
+ security-bootstrapper:
+ container_name: edgex-security-bootstrapper
+ environment:
+ API_GATEWAY_HOST: edgex-kong
+ API_GATEWAY_STATUS_PORT: '8100'
+ EDGEX_GROUP: '2001'
+ EDGEX_USER: '2002'
+ PROXY_SETUP_HOST: edgex-security-proxy-setup
+ STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
+ STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
+ STAGEGATE_DATABASE_HOST: edgex-redis
+ STAGEGATE_DATABASE_PORT: '6379'
+ STAGEGATE_DATABASE_READYPORT: '6379'
+ STAGEGATE_KONGDB_HOST: edgex-kong-db
+ STAGEGATE_KONGDB_PORT: '5432'
+ STAGEGATE_KONGDB_READYPORT: '54325'
+ STAGEGATE_READY_TORUNPORT: '54329'
+ STAGEGATE_REGISTRY_HOST: edgex-core-consul
+ STAGEGATE_REGISTRY_PORT: '8500'
+ STAGEGATE_REGISTRY_READYPORT: '54324'
+ STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
+ STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322'
+ STAGEGATE_WAITFOR_TIMEOUT: 60s
+ hostname: edgex-security-bootstrapper
+ image: nexus3.edgexfoundry.org:10004/security-bootstrapper:latest
+ networks:
+ edgex-network: {}
+ read_only: true
+ restart: always
+ security_opt:
+ - no-new-privileges:true
+ user: root:root
+ volumes:
+ - edgex-init:/edgex-init:z
+ system:
+ command: /sys-mgmt-agent -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res
+ container_name: edgex-sys-mgmt-agent
+ depends_on:
+ - command
+ - consul
+ - data
+ - metadata
+ - notifications
+ - scheduler
+ - security-bootstrapper
+ entrypoint:
+ - /edgex-init/ready_to_run_wait_install.sh
+ environment:
+ API_GATEWAY_HOST: edgex-kong
+ API_GATEWAY_STATUS_PORT: '8100'
+ CLIENTS_CORE_COMMAND_HOST: edgex-core-command
+ CLIENTS_CORE_DATA_HOST: edgex-core-data
+ CLIENTS_CORE_METADATA_HOST: edgex-core-metadata
+ CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications
+ CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler
+ DATABASES_PRIMARY_HOST: edgex-redis
+ EDGEX_SECURITY_SECRET_STORE: "true"
+ EXECUTORPATH: /sys-mgmt-executor
+ METRICSMECHANISM: executor
+ PROXY_SETUP_HOST: edgex-security-proxy-setup
+ REGISTRY_HOST: edgex-core-consul
+ SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_PORT: '8200'
+ SERVICE_HOST: edgex-sys-mgmt-agent
+ STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
+ STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
+ STAGEGATE_DATABASE_HOST: edgex-redis
+ STAGEGATE_DATABASE_PORT: '6379'
+ STAGEGATE_DATABASE_READYPORT: '6379'
+ STAGEGATE_KONGDB_HOST: edgex-kong-db
+ STAGEGATE_KONGDB_PORT: '5432'
+ STAGEGATE_KONGDB_READYPORT: '54325'
+ STAGEGATE_READY_TORUNPORT: '54329'
+ STAGEGATE_REGISTRY_HOST: edgex-core-consul
+ STAGEGATE_REGISTRY_PORT: '8500'
+ STAGEGATE_REGISTRY_READYPORT: '54324'
+ STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
+ STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322'
+ STAGEGATE_WAITFOR_TIMEOUT: 60s
+ hostname: edgex-sys-mgmt-agent
+ image: nexus3.edgexfoundry.org:10004/sys-mgmt-agent:latest
+ networks:
+ edgex-network: {}
+ ports:
+ - 127.0.0.1:58890:58890/tcp
+ read_only: true
+ restart: always
+ security_opt:
+ - label:disable
+ - no-new-privileges:true
+ user: root:root
+ volumes:
+ - edgex-init:/edgex-init:ro,z
+ - /tmp/edgex/secrets/sys-mgmt-agent:/tmp/edgex/secrets/sys-mgmt-agent:ro,z
+ - /var/run/docker.sock:/var/run/docker.sock:z
+ ui:
+ container_name: edgex-ui-go
+ environment:
+ EDGEX_SECURITY_SECRET_STORE: "true"
+ hostname: edgex-ui-go
+ image: nexus3.edgexfoundry.org:10004/edgex-ui:latest
+ networks:
+ edgex-network: {}
+ ports:
+ - 4000:4000/tcp
+ read_only: true
+ restart: always
+ security_opt:
+ - no-new-privileges:true
+ user: 2002:2001
+ vault:
+ cap_add:
+ - IPC_LOCK
+ command: server
+ container_name: edgex-vault
+ depends_on:
+ - security-bootstrapper
+ entrypoint:
+ - /edgex-init/vault_wait_install.sh
+ environment:
+ API_GATEWAY_HOST: edgex-kong
+ API_GATEWAY_STATUS_PORT: '8100'
+ PROXY_SETUP_HOST: edgex-security-proxy-setup
+ STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
+ STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
+ STAGEGATE_DATABASE_HOST: edgex-redis
+ STAGEGATE_DATABASE_PORT: '6379'
+ STAGEGATE_DATABASE_READYPORT: '6379'
+ STAGEGATE_KONGDB_HOST: edgex-kong-db
+ STAGEGATE_KONGDB_PORT: '5432'
+ STAGEGATE_KONGDB_READYPORT: '54325'
+ STAGEGATE_READY_TORUNPORT: '54329'
+ STAGEGATE_REGISTRY_HOST: edgex-core-consul
+ STAGEGATE_REGISTRY_PORT: '8500'
+ STAGEGATE_REGISTRY_READYPORT: '54324'
+ STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
+ STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322'
+ STAGEGATE_WAITFOR_TIMEOUT: 60s
+ VAULT_ADDR: http://edgex-vault:8200
+ VAULT_CONFIG_DIR: /vault/config
+ VAULT_UI: "true"
+ hostname: edgex-vault
+ image: vault:1.8.5
+ networks:
+ edgex-network: {}
+ ports:
+ - 127.0.0.1:8200:8200/tcp
+ restart: always
+ tmpfs:
+ - /vault/config
+ user: root:root
+ volumes:
+ - edgex-init:/edgex-init:ro,z
+ - vault-file:/vault/file:z
+ - vault-logs:/vault/logs:z
+ ### =================
+ ### BEGIN NEW CONTENT
+ ### =================
+ device-ssh-proxy:
+ build:
+ context: device-ssh-proxy
+ command: docker-entrypoint.sh
+ container_name: edgex-device-ssh-proxy
+ depends_on:
+ - consul
+ - security-bootstrapper
+ entrypoint:
+ - /edgex-init/ready_to_run_wait_install.sh
+ environment:
+ EDGEX_SECURITY_SECRET_STORE: "true"
+ CLIENTS_CORE_DATA_HOST: edgex-core-data
+ CLIENTS_CORE_METADATA_HOST: edgex-core-metadata
+ MESSAGEQUEUE_HOST: edgex-redis
+ REGISTRY_HOST: edgex-core-consul
+ SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_PORT: '8200'
+ STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
+ STAGEGATE_READY_TORUNPORT: '54329'
+ STAGEGATE_WAITFOR_TIMEOUT: '60s'
+ # Unique for ssh-proxy
+ SERVICE_HOST: edgex-device-virtual
+ SERVICE_PORT: 59900
+ TUNNEL_HOST: 192.168.122.193
+ TUNNEL_SSH_PORT: 2223
+ hostname: edgex-device-ssh-proxy
+ image: device-ssh-proxy:latest
+ networks:
+ edgex-network:
+ aliases:
+ - edgex-device-virtual
+ ports:
+ - 127.0.0.1:59900:59900/tcp
+ read_only: true
+ restart: always
+ security_opt:
+ - no-new-privileges:true
+ volumes:
+ - edgex-init:/edgex-init:ro,z
+ - /tmp/edgex/secrets/device-virtual:/tmp/edgex/secrets/device-virtual:ro,z
+ - $PWD/ssh_keys:/root/.ssh
+ ### ===============
+ ### END NEW CONTENT
+ ### ===============
+version: '3.7'
+volumes:
+ consul-acl-token: {}
+ consul-config: {}
+ consul-data: {}
+ db-data: {}
+ edgex-init: {}
+ kong: {}
+ kuiper-connections: {}
+ kuiper-data: {}
+ kuiper-sources: {}
+ postgres-config: {}
+ postgres-data: {}
+ redis-config: {}
+ vault-config: {}
+ vault-file: {}
+ vault-logs: {}
+
diff --git a/security/remote_devices/ssh-tunneling/remote/docker-compose.original b/security/remote_devices/ssh-tunneling/remote/docker-compose.original
new file mode 100644
index 00000000..b936d316
--- /dev/null
+++ b/security/remote_devices/ssh-tunneling/remote/docker-compose.original
@@ -0,0 +1,1024 @@ +# * Copyright 2021 Intel Corporation. +# * +# * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except +# * in compliance with the License. You may obtain a copy of the License at +# * +# * http://www.apache.org/licenses/LICENSE-2.0 +# * +# * Unless required by applicable law or agreed to in writing, software distributed under the License +# * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express +# * or implied. See the License for the specific language governing permissions and limitations under +# * the License. +# * +# * EdgeX Foundry, Hanoi, version "master" +# *******************************************************************************/ +# +# +# +# ************************ This is a generated compose file **************************** +# +# DO NOT MAKE CHANGES that are intended to be permanent to EdgeX edgex-compose repo. +# +# Permanent changes can be made to the source compose files located in the compose-builder folder +# at the top level of the edgex-compose repo. 
+# +# From the compose-builder folder use `make build` to regenerate all standard compose files variations +# +networks: + edgex-network: + driver: bridge +services: + app-service-rules: + command: /app-service-configurable -cp=consul.http://edgex-core-consul:8500 --registry + --confdir=/res + container_name: edgex-app-rules-engine + depends_on: + - consul + - data + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_PROFILE: rules-engine + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-app-rules-engine + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + TRIGGER_EDGEXMESSAGEBUS_PUBLISHHOST_HOST: edgex-redis + TRIGGER_EDGEXMESSAGEBUS_SUBSCRIBEHOST_HOST: edgex-redis + hostname: edgex-app-rules-engine + image: nexus3.edgexfoundry.org:10004/app-service-configurable:latest + networks: + edgex-network: {} + ports: + - 
127.0.0.1:59701:59701/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/app-rules-engine:/tmp/edgex/secrets/app-rules-engine:ro,z + command: + command: /core-command -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + container_name: edgex-core-command + depends_on: + - consul + - database + - metadata + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-core-command + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-command + image: nexus3.edgexfoundry.org:10004/core-command:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59882:59882/tcp + read_only: true + restart: always + security_opt: + - 
no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/core-command:/tmp/edgex/secrets/core-command:ro,z + consul: + command: agent -ui -bootstrap -server -client 0.0.0.0 + container_name: edgex-core-consul + depends_on: + - security-bootstrapper + - vault + entrypoint: + - /edgex-init/consul_wait_install.sh + environment: + ADD_REGISTRY_ACL_ROLES: '' + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + EDGEX_GROUP: '2001' + EDGEX_SECURITY_SECRET_STORE: "true" + EDGEX_USER: '2002' + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_ACL_BOOTSTRAPTOKENPATH: /tmp/edgex/secrets/consul-acl-token/bootstrap_token.json + STAGEGATE_REGISTRY_ACL_SENTINELFILEPATH: /consul/config/consul_acl_done + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-consul + image: consul:1.10 + networks: + edgex-network: {} + ports: + - 8500:8500/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: root:root + volumes: + - consul-config:/consul/config:z + - consul-data:/consul/data:z + - edgex-init:/edgex-init:ro,z + - consul-acl-token:/tmp/edgex/secrets/consul-acl-token:z + - /tmp/edgex/secrets/edgex-consul:/tmp/edgex/secrets/edgex-consul:ro,z + data: + command: /core-data -cp=consul.http://edgex-core-consul:8500 --registry 
--confdir=/res + container_name: edgex-core-data + depends_on: + - consul + - database + - metadata + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + MESSAGEQUEUE_HOST: edgex-redis + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SECRETSTORE_TOKENFILE: /tmp/edgex/secrets/core-data/secrets-token.json + SERVICE_HOST: edgex-core-data + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-data + image: nexus3.edgexfoundry.org:10004/core-data:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:5563:5563/tcp + - 127.0.0.1:59880:59880/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/core-data:/tmp/edgex/secrets/core-data:ro,z + database: + container_name: edgex-redis + depends_on: + - 
secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/redis_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASECONFIG_NAME: redis.conf + DATABASECONFIG_PATH: /run/redis/conf + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-redis + image: redis:6.2-alpine + networks: + edgex-network: {} + ports: + - 127.0.0.1:6379:6379/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /run + user: root:root + volumes: + - db-data:/data:z + - edgex-init:/edgex-init:ro,z + - redis-config:/run/redis/conf:z + - /tmp/edgex/secrets/security-bootstrapper-redis:/tmp/edgex/secrets/security-bootstrapper-redis:ro,z + device-rest: + command: /device-rest -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + container_name: edgex-device-rest + depends_on: + - consul + - data + - metadata + - 
security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + MESSAGEQUEUE_HOST: edgex-redis + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-device-rest + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-device-rest + image: nexus3.edgexfoundry.org:10004/device-rest:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59986:59986/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/device-rest:/tmp/edgex/secrets/device-rest:ro,z + device-virtual: + command: /device-virtual -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + container_name: edgex-device-virtual + depends_on: + - consul + - data + - metadata + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + 
environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + MESSAGEQUEUE_HOST: edgex-redis + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-device-virtual + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-device-virtual + image: nexus3.edgexfoundry.org:10004/device-virtual:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59900:59900/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/device-virtual:/tmp/edgex/secrets/device-virtual:ro,z + kong: + container_name: edgex-kong + depends_on: + - kong-db + - security-bootstrapper + entrypoint: + - /edgex-init/kong_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + KONG_ADMIN_ACCESS_LOG: /dev/stdout + KONG_ADMIN_ERROR_LOG: /dev/stderr + KONG_ADMIN_LISTEN: 127.0.0.1:8001, 127.0.0.1:8444 ssl + 
KONG_DATABASE: postgres + KONG_DNS_ORDER: LAST,A,CNAME + KONG_DNS_VALID_TTL: '1' + KONG_NGINX_WORKER_PROCESSES: '1' + KONG_PG_HOST: edgex-kong-db + KONG_PG_PASSWORD_FILE: /tmp/postgres-config/.pgpassword + KONG_PROXY_ACCESS_LOG: /dev/stdout + KONG_PROXY_ERROR_LOG: /dev/stderr + KONG_SSL_CIPHER_SUITE: modern + KONG_STATUS_LISTEN: 0.0.0.0:8100 + PROXY_SETUP_HOST: edgex-security-proxy-setup + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-kong + image: kong:2.6 + networks: + edgex-network: {} + ports: + - 8000:8000/tcp + - 127.0.0.1:8100:8100/tcp + - 8443:8443/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /run + - /tmp + tty: true + user: kong:nogroup + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/security-proxy-setup:/tmp/edgex/secrets/security-proxy-setup:ro,z + - postgres-config:/tmp/postgres-config:z + - kong:/usr/local/kong:z + kong-db: + container_name: edgex-kong-db + depends_on: + - security-bootstrapper + entrypoint: + - /edgex-init/postgres_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + EDGEX_SECURITY_SECRET_STORE: "true" + POSTGRES_DB: kong + POSTGRES_PASSWORD_FILE: /tmp/postgres-config/.pgpassword + POSTGRES_USER: kong + PROXY_SETUP_HOST: edgex-security-proxy-setup + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + 
STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-kong-db + image: postgres:13.5-alpine + networks: + edgex-network: {} + ports: + - 127.0.0.1:5432:5432/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + tmpfs: + - /var/run + - /tmp + - /run + user: root:root + volumes: + - edgex-init:/edgex-init:ro,z + - postgres-config:/tmp/postgres-config:z + - postgres-data:/var/lib/postgresql/data:z + metadata: + command: /core-metadata -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res + container_name: edgex-core-metadata + depends_on: + - consul + - database + - notifications + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + NOTIFICATIONS_SENDER: edgex-core-metadata + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-core-metadata + 
STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321' + STAGEGATE_DATABASE_HOST: edgex-redis + STAGEGATE_DATABASE_PORT: '6379' + STAGEGATE_DATABASE_READYPORT: '6379' + STAGEGATE_KONGDB_HOST: edgex-kong-db + STAGEGATE_KONGDB_PORT: '5432' + STAGEGATE_KONGDB_READYPORT: '54325' + STAGEGATE_READY_TORUNPORT: '54329' + STAGEGATE_REGISTRY_HOST: edgex-core-consul + STAGEGATE_REGISTRY_PORT: '8500' + STAGEGATE_REGISTRY_READYPORT: '54324' + STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup + STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322' + STAGEGATE_WAITFOR_TIMEOUT: 60s + hostname: edgex-core-metadata + image: nexus3.edgexfoundry.org:10004/core-metadata:latest + networks: + edgex-network: {} + ports: + - 127.0.0.1:59881:59881/tcp + read_only: true + restart: always + security_opt: + - no-new-privileges:true + user: 2002:2001 + volumes: + - edgex-init:/edgex-init:ro,z + - /tmp/edgex/secrets/core-metadata:/tmp/edgex/secrets/core-metadata:ro,z + notifications: + command: /support-notifications -cp=consul.http://edgex-core-consul:8500 --registry + --confdir=/res + container_name: edgex-support-notifications + depends_on: + - consul + - database + - secretstore-setup + - security-bootstrapper + entrypoint: + - /edgex-init/ready_to_run_wait_install.sh + environment: + API_GATEWAY_HOST: edgex-kong + API_GATEWAY_STATUS_PORT: '8100' + CLIENTS_CORE_COMMAND_HOST: edgex-core-command + CLIENTS_CORE_DATA_HOST: edgex-core-data + CLIENTS_CORE_METADATA_HOST: edgex-core-metadata + CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications + CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler + DATABASES_PRIMARY_HOST: edgex-redis + EDGEX_SECURITY_SECRET_STORE: "true" + PROXY_SETUP_HOST: edgex-security-proxy-setup + REGISTRY_HOST: edgex-core-consul + SECRETSTORE_HOST: edgex-vault + SECRETSTORE_PORT: '8200' + SERVICE_HOST: edgex-support-notifications + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper + 
STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
+ STAGEGATE_DATABASE_HOST: edgex-redis
+ STAGEGATE_DATABASE_PORT: '6379'
+ STAGEGATE_DATABASE_READYPORT: '6379'
+ STAGEGATE_KONGDB_HOST: edgex-kong-db
+ STAGEGATE_KONGDB_PORT: '5432'
+ STAGEGATE_KONGDB_READYPORT: '54325'
+ STAGEGATE_READY_TORUNPORT: '54329'
+ STAGEGATE_REGISTRY_HOST: edgex-core-consul
+ STAGEGATE_REGISTRY_PORT: '8500'
+ STAGEGATE_REGISTRY_READYPORT: '54324'
+ STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
+ STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322'
+ STAGEGATE_WAITFOR_TIMEOUT: 60s
+ hostname: edgex-support-notifications
+ image: nexus3.edgexfoundry.org:10004/support-notifications:latest
+ networks:
+ edgex-network: {}
+ ports:
+ - 127.0.0.1:59860:59860/tcp
+ read_only: true
+ restart: always
+ security_opt:
+ - no-new-privileges:true
+ user: 2002:2001
+ volumes:
+ - edgex-init:/edgex-init:ro,z
+ - /tmp/edgex/secrets/support-notifications:/tmp/edgex/secrets/support-notifications:ro,z
+ proxy-setup:
+ container_name: edgex-security-proxy-setup
+ depends_on:
+ - kong
+ - secretstore-setup
+ - security-bootstrapper
+ entrypoint:
+ - /edgex-init/proxy_setup_wait_install.sh
+ environment:
+ ADD_PROXY_ROUTE: ''
+ API_GATEWAY_HOST: edgex-kong
+ API_GATEWAY_STATUS_PORT: '8100'
+ EDGEX_SECURITY_SECRET_STORE: "true"
+ KONGURL_SERVER: edgex-kong
+ PROXY_SETUP_HOST: edgex-security-proxy-setup
+ ROUTES_CORE_COMMAND_HOST: edgex-core-command
+ ROUTES_CORE_CONSUL_HOST: edgex-core-consul
+ ROUTES_CORE_DATA_HOST: edgex-core-data
+ ROUTES_CORE_METADATA_HOST: edgex-core-metadata
+ ROUTES_DEVICE_VIRTUAL_HOST: device-virtual
+ ROUTES_RULES_ENGINE_HOST: edgex-kuiper
+ ROUTES_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications
+ ROUTES_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler
+ ROUTES_SYS_MGMT_AGENT_HOST: edgex-sys-mgmt-agent
+ SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_PORT: '8200'
+ STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
+ STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
+ STAGEGATE_DATABASE_HOST: edgex-redis
+ STAGEGATE_DATABASE_PORT: '6379'
+ STAGEGATE_DATABASE_READYPORT: '6379'
+ STAGEGATE_KONGDB_HOST: edgex-kong-db
+ STAGEGATE_KONGDB_PORT: '5432'
+ STAGEGATE_KONGDB_READYPORT: '54325'
+ STAGEGATE_READY_TORUNPORT: '54329'
+ STAGEGATE_REGISTRY_HOST: edgex-core-consul
+ STAGEGATE_REGISTRY_PORT: '8500'
+ STAGEGATE_REGISTRY_READYPORT: '54324'
+ STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
+ STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322'
+ STAGEGATE_WAITFOR_TIMEOUT: 60s
+ hostname: edgex-security-proxy-setup
+ image: nexus3.edgexfoundry.org:10004/security-proxy-setup:latest
+ networks:
+ edgex-network: {}
+ read_only: true
+ security_opt:
+ - no-new-privileges:true
+ user: 2002:2001
+ volumes:
+ - edgex-init:/edgex-init:ro,z
+ - consul-acl-token:/tmp/edgex/secrets/consul-acl-token:ro,z
+ - /tmp/edgex/secrets/security-proxy-setup:/tmp/edgex/secrets/security-proxy-setup:ro,z
+ rulesengine:
+ container_name: edgex-kuiper
+ depends_on:
+ - database
+ - secretstore-setup
+ - security-bootstrapper
+ entrypoint:
+ - /edgex-init/kuiper_wait_install.sh
+ environment:
+ API_GATEWAY_HOST: edgex-kong
+ API_GATEWAY_STATUS_PORT: '8100'
+ EDGEX__DEFAULT__PORT: 6379
+ EDGEX__DEFAULT__PROTOCOL: redis
+ EDGEX__DEFAULT__SERVER: edgex-redis
+ EDGEX__DEFAULT__TOPIC: rules-events
+ EDGEX__DEFAULT__TYPE: redis
+ KUIPER__BASIC__CONSOLELOG: "true"
+ KUIPER__BASIC__RESTPORT: 59720
+ PROXY_SETUP_HOST: edgex-security-proxy-setup
+ STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
+ STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
+ STAGEGATE_DATABASE_HOST: edgex-redis
+ STAGEGATE_DATABASE_PORT: '6379'
+ STAGEGATE_DATABASE_READYPORT: '6379'
+ STAGEGATE_KONGDB_HOST: edgex-kong-db
+ STAGEGATE_KONGDB_PORT: '5432'
+ STAGEGATE_KONGDB_READYPORT: '54325'
+ STAGEGATE_READY_TORUNPORT: '54329'
+ STAGEGATE_REGISTRY_HOST: edgex-core-consul
+ STAGEGATE_REGISTRY_PORT: '8500'
+ STAGEGATE_REGISTRY_READYPORT: '54324'
+ STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
+ STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322'
+ STAGEGATE_WAITFOR_TIMEOUT: 60s
+ hostname: edgex-kuiper
+ image: lfedge/ekuiper:1.3.1-alpine
+ networks:
+ edgex-network: {}
+ ports:
+ - 127.0.0.1:59720:59720/tcp
+ read_only: true
+ restart: always
+ security_opt:
+ - no-new-privileges:true
+ user: kuiper:kuiper
+ volumes:
+ - edgex-init:/edgex-init:ro,z
+ - kuiper-data:/kuiper/data:z
+ - kuiper-connections:/kuiper/etc/connections:z
+ - kuiper-sources:/kuiper/etc/sources:z
+ scheduler:
+ command: /support-scheduler -cp=consul.http://edgex-core-consul:8500 --registry
+ --confdir=/res
+ container_name: edgex-support-scheduler
+ depends_on:
+ - consul
+ - database
+ - secretstore-setup
+ - security-bootstrapper
+ entrypoint:
+ - /edgex-init/ready_to_run_wait_install.sh
+ environment:
+ API_GATEWAY_HOST: edgex-kong
+ API_GATEWAY_STATUS_PORT: '8100'
+ CLIENTS_CORE_COMMAND_HOST: edgex-core-command
+ CLIENTS_CORE_DATA_HOST: edgex-core-data
+ CLIENTS_CORE_METADATA_HOST: edgex-core-metadata
+ CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications
+ CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler
+ DATABASES_PRIMARY_HOST: edgex-redis
+ EDGEX_SECURITY_SECRET_STORE: "true"
+ INTERVALACTIONS_SCRUBAGED_HOST: edgex-core-data
+ INTERVALACTIONS_SCRUBPUSHED_HOST: edgex-core-data
+ PROXY_SETUP_HOST: edgex-security-proxy-setup
+ REGISTRY_HOST: edgex-core-consul
+ SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_PORT: '8200'
+ SERVICE_HOST: edgex-support-scheduler
+ STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
+ STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
+ STAGEGATE_DATABASE_HOST: edgex-redis
+ STAGEGATE_DATABASE_PORT: '6379'
+ STAGEGATE_DATABASE_READYPORT: '6379'
+ STAGEGATE_KONGDB_HOST: edgex-kong-db
+ STAGEGATE_KONGDB_PORT: '5432'
+ STAGEGATE_KONGDB_READYPORT: '54325'
+ STAGEGATE_READY_TORUNPORT: '54329'
+ STAGEGATE_REGISTRY_HOST: edgex-core-consul
+ STAGEGATE_REGISTRY_PORT: '8500'
+ STAGEGATE_REGISTRY_READYPORT: '54324'
+ STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
+ STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322'
+ STAGEGATE_WAITFOR_TIMEOUT: 60s
+ hostname: edgex-support-scheduler
+ image: nexus3.edgexfoundry.org:10004/support-scheduler:latest
+ networks:
+ edgex-network: {}
+ ports:
+ - 127.0.0.1:59861:59861/tcp
+ read_only: true
+ restart: always
+ security_opt:
+ - no-new-privileges:true
+ user: 2002:2001
+ volumes:
+ - edgex-init:/edgex-init:ro,z
+ - /tmp/edgex/secrets/support-scheduler:/tmp/edgex/secrets/support-scheduler:ro,z
+ secretstore-setup:
+ container_name: edgex-security-secretstore-setup
+ depends_on:
+ - security-bootstrapper
+ - vault
+ environment:
+ ADD_KNOWN_SECRETS: redisdb[app-rules-engine],redisdb[device-rest],redisdb[device-virtual]
+ ADD_SECRETSTORE_TOKENS: ''
+ API_GATEWAY_HOST: edgex-kong
+ API_GATEWAY_STATUS_PORT: '8100'
+ EDGEX_GROUP: '2001'
+ EDGEX_SECURITY_SECRET_STORE: "true"
+ EDGEX_USER: '2002'
+ PROXY_SETUP_HOST: edgex-security-proxy-setup
+ SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_PORT: '8200'
+ SECUREMESSAGEBUS_TYPE: redis
+ STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
+ STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
+ STAGEGATE_DATABASE_HOST: edgex-redis
+ STAGEGATE_DATABASE_PORT: '6379'
+ STAGEGATE_DATABASE_READYPORT: '6379'
+ STAGEGATE_KONGDB_HOST: edgex-kong-db
+ STAGEGATE_KONGDB_PORT: '5432'
+ STAGEGATE_KONGDB_READYPORT: '54325'
+ STAGEGATE_READY_TORUNPORT: '54329'
+ STAGEGATE_REGISTRY_HOST: edgex-core-consul
+ STAGEGATE_REGISTRY_PORT: '8500'
+ STAGEGATE_REGISTRY_READYPORT: '54324'
+ STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
+ STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322'
+ STAGEGATE_WAITFOR_TIMEOUT: 60s
+ hostname: edgex-security-secretstore-setup
+ image: nexus3.edgexfoundry.org:10004/security-secretstore-setup:latest
+ networks:
+ edgex-network: {}
+ read_only: true
+ restart: always
+ security_opt:
+ - no-new-privileges:true
+ tmpfs:
+ - /run
+ - /vault
+ user: root:root
+ volumes:
+ - edgex-init:/edgex-init:ro,z
+ - /tmp/edgex/secrets:/tmp/edgex/secrets:z
+ - kong:/tmp/kong:z
+ - kuiper-sources:/tmp/kuiper:z
+ - kuiper-connections:/tmp/kuiper-connections:z
+ - vault-config:/vault/config:z
+ security-bootstrapper:
+ container_name: edgex-security-bootstrapper
+ environment:
+ API_GATEWAY_HOST: edgex-kong
+ API_GATEWAY_STATUS_PORT: '8100'
+ EDGEX_GROUP: '2001'
+ EDGEX_USER: '2002'
+ PROXY_SETUP_HOST: edgex-security-proxy-setup
+ STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
+ STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
+ STAGEGATE_DATABASE_HOST: edgex-redis
+ STAGEGATE_DATABASE_PORT: '6379'
+ STAGEGATE_DATABASE_READYPORT: '6379'
+ STAGEGATE_KONGDB_HOST: edgex-kong-db
+ STAGEGATE_KONGDB_PORT: '5432'
+ STAGEGATE_KONGDB_READYPORT: '54325'
+ STAGEGATE_READY_TORUNPORT: '54329'
+ STAGEGATE_REGISTRY_HOST: edgex-core-consul
+ STAGEGATE_REGISTRY_PORT: '8500'
+ STAGEGATE_REGISTRY_READYPORT: '54324'
+ STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
+ STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322'
+ STAGEGATE_WAITFOR_TIMEOUT: 60s
+ hostname: edgex-security-bootstrapper
+ image: nexus3.edgexfoundry.org:10004/security-bootstrapper:latest
+ networks:
+ edgex-network: {}
+ read_only: true
+ restart: always
+ security_opt:
+ - no-new-privileges:true
+ user: root:root
+ volumes:
+ - edgex-init:/edgex-init:z
+ system:
+ command: /sys-mgmt-agent -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res
+ container_name: edgex-sys-mgmt-agent
+ depends_on:
+ - command
+ - consul
+ - data
+ - metadata
+ - notifications
+ - scheduler
+ - security-bootstrapper
+ entrypoint:
+ - /edgex-init/ready_to_run_wait_install.sh
+ environment:
+ API_GATEWAY_HOST: edgex-kong
+ API_GATEWAY_STATUS_PORT: '8100'
+ CLIENTS_CORE_COMMAND_HOST: edgex-core-command
+ CLIENTS_CORE_DATA_HOST: edgex-core-data
+ CLIENTS_CORE_METADATA_HOST: edgex-core-metadata
+ CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications
+ CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler
+ DATABASES_PRIMARY_HOST: edgex-redis
+ EDGEX_SECURITY_SECRET_STORE: "true"
+ EXECUTORPATH: /sys-mgmt-executor
+ METRICSMECHANISM: executor
+ PROXY_SETUP_HOST: edgex-security-proxy-setup
+ REGISTRY_HOST: edgex-core-consul
+ SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_PORT: '8200'
+ SERVICE_HOST: edgex-sys-mgmt-agent
+ STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
+ STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
+ STAGEGATE_DATABASE_HOST: edgex-redis
+ STAGEGATE_DATABASE_PORT: '6379'
+ STAGEGATE_DATABASE_READYPORT: '6379'
+ STAGEGATE_KONGDB_HOST: edgex-kong-db
+ STAGEGATE_KONGDB_PORT: '5432'
+ STAGEGATE_KONGDB_READYPORT: '54325'
+ STAGEGATE_READY_TORUNPORT: '54329'
+ STAGEGATE_REGISTRY_HOST: edgex-core-consul
+ STAGEGATE_REGISTRY_PORT: '8500'
+ STAGEGATE_REGISTRY_READYPORT: '54324'
+ STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
+ STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322'
+ STAGEGATE_WAITFOR_TIMEOUT: 60s
+ hostname: edgex-sys-mgmt-agent
+ image: nexus3.edgexfoundry.org:10004/sys-mgmt-agent:latest
+ networks:
+ edgex-network: {}
+ ports:
+ - 127.0.0.1:58890:58890/tcp
+ read_only: true
+ restart: always
+ security_opt:
+ - label:disable
+ - no-new-privileges:true
+ user: root:root
+ volumes:
+ - edgex-init:/edgex-init:ro,z
+ - /tmp/edgex/secrets/sys-mgmt-agent:/tmp/edgex/secrets/sys-mgmt-agent:ro,z
+ - /var/run/docker.sock:/var/run/docker.sock:z
+ ui:
+ container_name: edgex-ui-go
+ environment:
+ EDGEX_SECURITY_SECRET_STORE: "true"
+ hostname: edgex-ui-go
+ image: nexus3.edgexfoundry.org:10004/edgex-ui:latest
+ networks:
+ edgex-network: {}
+ ports:
+ - 4000:4000/tcp
+ read_only: true
+ restart: always
+ security_opt:
+ - no-new-privileges:true
+ user: 2002:2001
+ vault:
+ cap_add:
+ - IPC_LOCK
+ command: server
+ container_name: edgex-vault
+ depends_on:
+ - security-bootstrapper
+ entrypoint:
+ - /edgex-init/vault_wait_install.sh
+ environment:
+ API_GATEWAY_HOST: edgex-kong
+ API_GATEWAY_STATUS_PORT: '8100'
+ PROXY_SETUP_HOST: edgex-security-proxy-setup
+ STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
+ STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
+ STAGEGATE_DATABASE_HOST: edgex-redis
+ STAGEGATE_DATABASE_PORT: '6379'
+ STAGEGATE_DATABASE_READYPORT: '6379'
+ STAGEGATE_KONGDB_HOST: edgex-kong-db
+ STAGEGATE_KONGDB_PORT: '5432'
+ STAGEGATE_KONGDB_READYPORT: '54325'
+ STAGEGATE_READY_TORUNPORT: '54329'
+ STAGEGATE_REGISTRY_HOST: edgex-core-consul
+ STAGEGATE_REGISTRY_PORT: '8500'
+ STAGEGATE_REGISTRY_READYPORT: '54324'
+ STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
+ STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322'
+ STAGEGATE_WAITFOR_TIMEOUT: 60s
+ VAULT_ADDR: http://edgex-vault:8200
+ VAULT_CONFIG_DIR: /vault/config
+ VAULT_UI: "true"
+ hostname: edgex-vault
+ image: vault:1.8.5
+ networks:
+ edgex-network: {}
+ ports:
+ - 127.0.0.1:8200:8200/tcp
+ restart: always
+ tmpfs:
+ - /vault/config
+ user: root:root
+ volumes:
+ - edgex-init:/edgex-init:ro,z
+ - vault-file:/vault/file:z
+ - vault-logs:/vault/logs:z
+version: '3.7'
+volumes:
+ consul-acl-token: {}
+ consul-config: {}
+ consul-data: {}
+ db-data: {}
+ edgex-init: {}
+ kong: {}
+ kuiper-connections: {}
+ kuiper-data: {}
+ kuiper-sources: {}
+ postgres-config: {}
+ postgres-data: {}
+ redis-config: {}
+ vault-config: {}
+ vault-file: {}
+ vault-logs: {}
+
diff --git a/security/remote_devices/ssh-tunneling/remote/docker-compose.yml b/security/remote_devices/ssh-tunneling/remote/docker-compose.yml
new file mode 100644
index 00000000..74cd31b9
--- /dev/null
+++ b/security/remote_devices/ssh-tunneling/remote/docker-compose.yml
@@ -0,0 +1,104 @@
+# * Copyright 2021 Intel Corporation.
+# *
+# * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# * in compliance with the License. You may obtain a copy of the License at
+# *
+# * http://www.apache.org/licenses/LICENSE-2.0
+# *
+# * Unless required by applicable law or agreed to in writing, software distributed under the License
+# * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# * or implied. See the License for the specific language governing permissions and limitations under
+# * the License.
+# *
+# * EdgeX Foundry, Hanoi, version "master"
+# *******************************************************************************/
+#
+#
+#
+# ************************ This is a generated compose file ****************************
+#
+# DO NOT MAKE CHANGES that are intended to be permanent to EdgeX edgex-compose repo.
+#
+# Permanent changes can be made to the source compose files located in the compose-builder folder
+# at the top level of the edgex-compose repo.
+#
+# From the compose-builder folder use `make build` to regenerate all standard compose files variations
+#
+networks:
+ edgex-network:
+ driver: bridge
+services:
+ device-virtual:
+ command: /device-virtual -cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res
+ container_name: edgex-device-virtual
+ depends_on:
+ - sshd-remote
+ environment:
+ API_GATEWAY_HOST: edgex-kong
+ API_GATEWAY_STATUS_PORT: '8100'
+ CLIENTS_CORE_COMMAND_HOST: edgex-core-command
+ CLIENTS_CORE_DATA_HOST: edgex-core-data
+ CLIENTS_CORE_METADATA_HOST: edgex-core-metadata
+ CLIENTS_SUPPORT_NOTIFICATIONS_HOST: edgex-support-notifications
+ CLIENTS_SUPPORT_SCHEDULER_HOST: edgex-support-scheduler
+ DATABASES_PRIMARY_HOST: edgex-redis
+ EDGEX_SECURITY_SECRET_STORE: "true"
+ MESSAGEQUEUE_HOST: edgex-redis
+ PROXY_SETUP_HOST: edgex-security-proxy-setup
+ REGISTRY_HOST: edgex-core-consul
+ SECRETSTORE_HOST: edgex-vault
+ SECRETSTORE_PORT: '8200'
+ SERVICE_HOST: edgex-device-virtual
+ STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
+ STAGEGATE_BOOTSTRAPPER_STARTPORT: '54321'
+ STAGEGATE_DATABASE_HOST: edgex-redis
+ STAGEGATE_DATABASE_PORT: '6379'
+ STAGEGATE_DATABASE_READYPORT: '6379'
+ STAGEGATE_KONGDB_HOST: edgex-kong-db
+ STAGEGATE_KONGDB_PORT: '5432'
+ STAGEGATE_KONGDB_READYPORT: '54325'
+ STAGEGATE_READY_TORUNPORT: '54329'
+ STAGEGATE_REGISTRY_HOST: edgex-core-consul
+ STAGEGATE_REGISTRY_PORT: '8500'
+ STAGEGATE_REGISTRY_READYPORT: '54324'
+ STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
+ STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: '54322'
+ STAGEGATE_WAITFOR_TIMEOUT: 60s
+ hostname: edgex-device-virtual
+ image: nexus3.edgexfoundry.org:10004/device-virtual:latest
+ networks:
+ edgex-network: {}
+ ports:
+ - 127.0.0.1:59900:59900/tcp
+ read_only: true
+ restart: always
+ security_opt:
+ - no-new-privileges:true
+ user: 2002:2001
+ volumes:
+ - /tmp/edgex/secrets/device-virtual:/tmp/edgex/secrets/device-virtual
+ sshd-remote:
+ image: edgex-sshd-remote:latest
+ build:
+ context: sshd-remote
+ container_name: edgex-sshd-remote
+ hostname: edgex-sshd-remote
+ ports:
+ - "2223:22"
+ read_only: true
+ restart: always
+ security_opt:
+ - no-new-privileges:true
+ networks:
+ edgex-network:
+ aliases:
+ - edgex-core-consul
+ - edgex-core-data
+ - edgex-core-metadata
+ - edgex-redis
+ - edgex-vault
+ tmpfs:
+ - /run
+ volumes:
+ - /tmp/edgex/secrets/device-virtual:/tmp/edgex/secrets/device-virtual
+version: '3.7'
diff --git a/security/remote_devices/ssh-tunneling/remote/sshd-remote/Dockerfile b/security/remote_devices/ssh-tunneling/remote/sshd-remote/Dockerfile
new file mode 100644
index 00000000..bd8e1dd4
--- /dev/null
+++ b/security/remote_devices/ssh-tunneling/remote/sshd-remote/Dockerfile
@@ -0,0 +1,24 @@
+# Copyright (C) 2020-2022 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+FROM ubuntu:latest
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends openssh-server && \
+ rm -fr /var/lib/apt/lists/*
+
+# Allow the openssh client to specify IP address from which connections to the port are allowed
+RUN echo 'GatewayPorts clientspecified' >> /etc/ssh/sshd_config
+
+# SSH login fix. Otherwise user is kicked off after login
+# pam_loginuid is used to set the loginuid audit attribute of a process when a user login through SSH
+RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
+
+RUN mkdir /root/.ssh && chmod 700 /root/.ssh
+COPY authorized_keys /root/.ssh/authorized_keys
+RUN chmod 400 /root/.ssh/authorized_keys
+
+CMD [ "sh" , "-c", "mkdir /var/run/sshd; exec /usr/sbin/sshd -D" ]
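Review bot: The `sshd-remote` service publishes `"2223:22"` on every host interface, while every other published port in this file and in the local compose is bound to `127.0.0.1`; if the device is meant to be reachable only from the primary host, a host-IP prefix on that mapping, or a comment stating why a wildcard bind is required, would make the intent explicit. The bind mount `/tmp/edgex/secrets/device-virtual:/tmp/edgex/secrets/device-virtual` is writable in both `device-virtual` and `sshd-remote`, whereas the same secrets mount on the local side is `:ro,z`; unless the tunnel endpoint has to write into it, the device-virtual entry should be `- /tmp/edgex/secrets/device-virtual:/tmp/edgex/secrets/device-virtual:ro`. `sshd-remote` is also the only service here without a `user:` line, so it runs as root while listening on the network; that is presumably required for sshd, but a one-line comment saying so next to `container_name: edgex-sshd-remote` would stop the next reviewer from re-asking.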
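Review bot: The only sshd_config change is `GatewayPorts clientspecified`; the authentication policy (root login, password authentication) is inherited from whatever the unpinned `ubuntu:latest` ships, so a rebuild can silently change what this listener accepts. Since the image is only meant to admit the key copied into `/root/.ssh/authorized_keys`, make that explicit in the same layer, `RUN printf '%s\n' 'GatewayPorts clientspecified' 'PermitRootLogin prohibit-password' 'PasswordAuthentication no' >> /etc/ssh/sshd_config`, and pin the base to a release tag such as `ubuntu:22.04`. `ENV DEBIAN_FRONTEND=noninteractive` persists into the running container although it is only needed for apt; `RUN DEBIAN_FRONTEND=noninteractive apt-get update && ...` keeps it out of the runtime environment. The key entry itself could carry `restrict,port-forwarding` options so it can open the forwards the tunnel needs but not a shell or PTY; which forwarding features are required is set by the client side not visible here, so confirm before tightening.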