Implementation Steps
This document guides you through installing the CSE service on a single host using Podman as an alternative to Docker.
- This document assumes you have completed the Google Admin/Console Changes.
Installation steps on CSE server
This section installs the CSE Podman container; Virtru can walk you through it on a call.
Podman
CSE is distributed as a Podman image via Virtru's Google Artifact Registry.
- Quick install:
  # Podman
  yum install podman
Create alias to align Docker and Podman commands
Follow the steps below to add an alias and reload your .bashrc file.
- Run the following command to add the alias to your .bashrc file:
  printf "\nalias docker=podman\n" >> ~/.bashrc
- Reload your bash config:
  source ~/.bashrc
- Create a working directory for CSE and cd into it (-p also creates the parent /var/virtru if it does not exist yet):
  mkdir -p /var/virtru/scripts
  cd /var/virtru/scripts
- Download the CSE setup script:
  curl -s https://api.github.com/repos/virtru/cse-install-script/releases/latest \
  | grep "browser_download_url.*sh" \
  | cut -d : -f 2,3 \
  | tr -d \" \
  | wget -qi -
- Follow the steps in the script to input the following information:
- CSE Version (hit enter for latest version)
- CSE Domain (FQDN of your CSE server)
- CSE HMAC ID (Provided by Virtru)
- CSE HMAC Secret (Provided by Virtru)
- CKS option (yes if you are using a Virtru CKS)
- CKS Domain (FQDN of your Virtru CKS server)
- CKS HMAC ID (From your Virtru CKS server)
- CKS HMAC Secret (From your Virtru CKS server)
- IDP Provider (Google or Other)
  - If "google", you will need to provide your Google OAuth Client ID string in the next step.
  - If "other", you will need a mapping from each accepted authentication issuer id (the issuer of the authentication JWT) to the URL where that issuer publishes its JSON Web Key Set; obtain these values from your IdP.
- Auth N Key (Map of accepted Authentication issuer ids)
- Auth N Value (URL where the issuer publishes its JSON Web keyset)
- JWT Auth N Value (OAuth Client ID String)
- Add your certificate chain and private key to the "/var/virtru/cse" directory. The chain goes into server.cert with the server certificate first, then any intermediates, and the root certificate last:
  cat [path-to-certificate] [path-to-intermediate-cert-1] ... [path-to-root-cert] > /var/virtru/cse/server.cert
  cat [path-to-private-key] > /var/virtru/cse/server.key
Modify Scripts
- Navigate to the scripts folder, open the setup script in Vim, nano or any editor of your choice, and replace 'docker' commands with 'podman':
  cd /var/virtru/scripts
  vim run.sh
- Add the --log-opt line below to your existing run.sh file; it sets the file path for the container log. Use the following 'podman run' command to deploy a CSE container (CSE latest version):
  podman run --detach \
  --env-file ./cse.env \
  -p 443:9000 \
  -v /var/virtru/cse/server.cert:/run/secrets/server.cert \
  -v /var/virtru/cse/server.key:/run/secrets/server.key \
  --restart unless-stopped \
  --name cse-v<Latest Tagged Version> \
  --log-opt path=/var/log/cse-v<Latest Tagged Version>.log \
  containers.virtru.com/cse:v<Latest Tagged Version>
- Run the setup script to create the container:
cd /var/virtru/scripts
sh run.sh
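As an added example (not part of Virtru's setup script or this guide), a pre-flight check for the files the 'podman run' command above bind-mounts, plus a helper that prints the run line for a given version tag. The paths default to the ones used in this guide; the version-tag format and the key-file permission rule are assumptions.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the CSE Podman deployment, then the run command it maps to.
set -u

cse_preflight() {
  # $1 = CSE version tag, $2 = directory holding server.cert/server.key,
  # $3 = env file; returns 0 if every check passes, 1 otherwise.
  local version="$1" dir="${2:-/var/virtru/cse}" envfile="${3:-./cse.env}" rc=0
  local cert="$dir/server.cert" key="$dir/server.key" n mode
  # Assumption: a version tag is digits and dots only (it lands in --name and the log path).
  case "$version" in
    ""|*[!0-9.]*) echo "bad version tag: '$version'" >&2; rc=1 ;;
  esac
  for f in "$cert" "$key" "$envfile"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; rc=1; }
  done
  # server.cert is a PEM bundle (leaf, intermediates, root): at least one certificate block.
  if [ -r "$cert" ]; then
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cert" || true)
    [ "$n" -ge 1 ] || { echo "no PEM certificate blocks in $cert" >&2; rc=1; }
  fi
  # server.key is a PEM private key; assumption: it must not be group/world readable.
  if [ -r "$key" ]; then
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" \
      || { echo "no PEM private key in $key" >&2; rc=1; }
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
      600|400) ;;
      *) echo "$key has mode $mode; expected 600 or 400" >&2; rc=1 ;;
    esac
  fi
  return "$rc"
}

cse_run_command() {
  # Prints the 'podman run' line from this guide, including the --log-opt path.
  local version="$1" dir="${2:-/var/virtru/cse}" envfile="${3:-./cse.env}"
  printf 'podman run --detach --env-file %s -p 443:9000 ' "$envfile"
  printf -- '-v %s/server.cert:/run/secrets/server.cert ' "$dir"
  printf -- '-v %s/server.key:/run/secrets/server.key --restart unless-stopped ' "$dir"
  printf -- '--name cse-v%s --log-opt path=/var/log/cse-v%s.log ' "$version" "$version"
  printf 'containers.virtru.com/cse:v%s\n' "$version"
}

# Usage: ./cse-preflight.sh <version> [cert-dir] [env-file]
if [ "$#" -ge 1 ]; then
  cse_preflight "$@" && cse_run_command "$@"
fi
```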
Managing Your Podman Container
Here are commands to help you view, manage logs, stop, start, and remove your Podman container:
- To list all running containers:
podman ps
- To list all containers (including stopped ones):
podman ps -a
- To view and follow logs for a specific container:
podman logs -f <container-name>
- If you set up a log file with --log-opt in run.sh, follow the path you configured there:
  tail -f /var/log/cse-v<Latest Tagged Version>.log
- To stop a running container:
podman stop <container-name>
- To start a stopped container:
podman start <container-name>
- Remove a stopped container:
podman rm <container-name>
- To forcefully remove a container (running or stopped):
podman rm -f <container-name>
Additional Tips
- Check Container Logs from Start: View all logs from the beginning by omitting the '-f' flag:
podman logs <container-name>
- Check Resource Usage: Monitor container stats with:
podman stats <container-name>
This setup will guide you through managing your Virtru CSE container on a Podman-hosted Linux server effectively.
Google Workspace Configuration
Follow these steps to connect your CSE server to your Google Workspace.
Please refer to Google’s official documentation when configuring your application.