Friday, August 9, 2019

Using Docker as an Admin tool on Windows

Have you ever tried to download openssl on Windows? You need to convert a cert, or just do some crypto work, so you google "openssl windows" and find the SourceForge entry. After a few minutes of scrolling around confused, you finally accept that the page doesn't have a release more recent than several years ago.

So you go back to google and click on the link for openssl.org, and realize that they don't distribute any binaries at all (Windows or otherwise).

You scroll a few entries further down, still looking for an executable or guide to get openssl on Windows, and you click on a promising article heading. Perusing it tells you that it's actually just a guide for Cygwin (and it would work, but then you have Cygwin sitting on your machine, and you'll probably never use it again). You think to yourself, "There has to be an executable somewhere."

Next you jump to page 2 of the google results (personally it's the first time I've jumped to page two in years), and scrolling, you find more of the same: Linux fanatics using Cygwin, source code you could compile yourself, and obscure religious wars like schannel vs every other cryptography provider.

All you really want is to go from a .pfx to a .pem, and you're running in circles looking for the most popular tool in the world to do it.

Enter Docker.
At work a number of our services are deployed on Docker, so I already have Docker Desktop installed, and it's often in Linux container mode on my workstation, so it was only a couple of commands to get into openssl in an alpine container.

Here are my commands for reference:

PS C:\Users\bolson\Documents> docker run -v "$((pwd).path)/keys:/keys" -it alpine
/ # cd keys/
/keys # ls -l | grep corp.pem
-rwxr-xr-x    1 root     root          1692 Jul  6 17:09 corp.pem
/keys # apk add openssl
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
(1/1) Installing openssl (1.1.1c-r0)
Executing busybox-1.30.1-r2.trigger
OK: 6 MiB in 15 packages
/keys # openssl
OpenSSL>
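
The session above stops at the OpenSSL prompt. As an added example (not part of the original post), here is the .pfx to .pem conversion itself as a one-shot PowerShell procedure. The image tag openssl-tool and the input file name corp.pfx are assumptions; the keys folder and corp.pem come from the session above.

```powershell
# Added example. Assumptions: .\keys\corp.pfx is the input file and
# "openssl-tool" is a local image tag chosen for this example.
$keys = Join-Path (Get-Location).Path 'keys'

# Build the tool image once, while the network is still needed for apk.
# The Dockerfile is piped on stdin, so no build context is sent to the daemon.
"FROM alpine`nRUN apk add --no-cache openssl" | docker build -t openssl-tool -
if ($LASTEXITCODE -ne 0) { throw 'docker build failed' }

# Convert. --rm deletes the container on exit, --network none keeps the
# container that handles the private key offline, and -it lets openssl prompt
# for the .pfx import password and a new passphrase for the key in the .pem.
# Append -nodes only if the consumer requires an unencrypted private key.
docker run --rm -it --network none -v "${keys}:/keys" -w /keys `
    openssl-tool openssl pkcs12 -in corp.pfx -out corp.pem
if ($LASTEXITCODE -ne 0) { throw 'pkcs12 conversion failed' }

# Check the result from a read-only mount: print the subject and expiry date
# of the first certificate in the new file.
docker run --rm --network none -v "${keys}:/keys:ro" -w /keys `
    openssl-tool openssl x509 -in corp.pem -noout -subject -enddate
```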

I realize there are plenty of other options for getting a Linux interpreter up and running on Windows. You could grab VirtualBox and an Ubuntu ISO, you could open a Cloud9 environment on AWS and get to an Amazon Linux instance there, you could use the Windows Subsystem for Linux, you could dual boot your Windows laptop with some Linux distro, and the list could go on.

Those approaches are fine and would all work, but they either take time, cost money, or are focused on one specific scenario, and wouldn't have much utility outside of getting you into openssl to convert your cert. If I realize that one of the certs I need to convert is a jks store instead of a .pfx, I can flip over to a docker image with the java keytool installed pretty easily.

Cleanup is easy with a few PowerShell commands:


# -q prints only the IDs, so the header row is never passed to docker rm / docker rmi.
# Note: this removes every container and image on the machine, not just the ones used above.
foreach ($id in (docker ps -aq)) { docker rm $id }

foreach ($id in (docker images -q)) { docker rmi $id }


And that's why, as a Windows user, I love Docker. You get simple, easy access to Linux environments for utilities, and it's straightforward to map directories on your Windows machine into the Linux containers.

Nowadays you can use the Windows Subsystem for Linux for easy command line SSH access from Windows, but before that went GA on Windows 10 I used Docker for an easy SSH client (I know that plink exists, so this time you can accuse me of forcing Docker to be a solution).

You can create a simple Dockerfile that adds the OpenSSH client to an alpine container like so:

FROM alpine
RUN apk add openssh-client

And then run it with:

docker build -t ssh .
docker run -v "$($env:userprofile)/documents/keys:/keys" -it ssh sh

And you're up and running with an SSH client. Simple!

Again, there are other ways of accomplishing all of these tasks. But if your organization is investing in Docker, using it for a few simple management tasks can give you some familiarity with the mechanics, and make it easier for you to support on all kinds of development platforms.
