Use ADCM Installer
ADCM Installer is a tool written in Go to help simplify the processes of installation, upgrade, and configuration of the ADCM installations. It also allows you to extend the Docker Compose functionality by secret storage.
ADCM Installer consists of the following packages:
-
Docker Compose — controls the life cycle of Docker containers.
-
age-encryption — encodes and decodes sensitive data (such as username and password to connect to the database).
For details of possible ADCM Installer use cases, see Use cases.
Quick start with ADCM Installer
NOTE
If you use CentOS, the operating system version must be at least version 8.
|
Follow the instructions below to install ADCM Installer:
-
Install Docker. For more information, refer to the Docker documentation.
-
Download the adi file to the /usr/local/bin directory and set permissions of the adi file as follows:
$ sudo wget -O /usr/local/bin/adi https://github.com/arenadata/adcm-installer/releases/latest/download/adi $ sudo chmod +x /usr/local/bin/adi
Wait for the file download to finish.
IMPORTANT
For offline installation, you need to use the URL of the local Container Registry:
|
To get a brief background on the ADCM Installer commands, use the following command:
$ adi --help
The expected command execution result:
Command line tool for installing Arenadata products Usage: adcm-installer [flags] adcm-installer [command] Available Commands: adcm-versions List versions of Arenadata products apply Apply a configuration by file name completion Generate the autocompletion script for the specified shell components Manage installed components delete Delete resources by file name or installation name help Help about any command init Initialize a new configuration list List running ADCM installation secrets Manage secrets Flags: -h, --help help for adcm-installer --version Print the version and exit
Use cases
ADCM Installer supports the following commands:
-
init
-
apply
-
completion
-
list
-
adcm-versions
-
secrets
-
delete
The command descriptions and examples of their usage are given below.
Initialize a configuration file
The init
command generates the configuration file described below, which is necessary for the ADCM installation deployment.
For example, to initialize the configuration file of the ADCM installation using PostgreSQL as a database, use the following command with the --adpg
flag:
$ adi init <installation_name> --adpg
where <installation_name>
is the name of the ADCM installation such as my-adcm
, that includes the Docker containers: my-adcm-adpg
and my-adcm-adcm
.
To specify the database credentials and configure the database connection settings, use the interactive mode by specifying the -i
or --interactive
flag:
$ adi init <installation_name> --adpg -i
NOTE
Without the --adpg flag, settings for connection to an external PostgreSQL database will be requested.
|
Database connection parameters can also be specified in a file using the --from-config
flag.
Parameters that can be specified in the file are presented in the table below. The table also describes a correlation between parameters that can be configured in the interactive mode and parameters that can be specified in the file.
Parameter used in the file | Parameter displayed in interactive mode | Type | Description | Default value |
---|---|---|---|---|
adcm-count |
Number of ADCM instances |
uint8 |
Number of the ADCM instances. The parameter is available in ADCM Installer starting with version 1.1 |
1 |
adcm-image |
ADCM image |
string |
ADCM container image repository (in the above example — |
hub.arenadata.io/adcm/adcm |
adcm-tag |
ADCM image tag |
string |
Docker image tag used for the ADCM container (in the above example — |
2.7.1 |
adcm-publish-port |
ADCM publish port |
uint16 |
Port of localhost on which the ADCM container runs (in the above example — |
If you have one ADCM instance, the default value is |
adcm-db-host |
ADCM database host |
string |
ADCM database server address. This parameter is ignored when specifying the |
— |
adcm-db-port |
ADCM database port |
uint16 |
Port number for connecting to the ADCM database. This parameter is ignored when specifying the |
5432 |
adcm-db-name |
ADCM database name |
string |
Name of the ADCM database |
If you have one ADCM instance, the default value is |
adcm-db-user |
ADCM database user |
string |
Username for connecting to the ADCM database |
If you have one ADCM instance, the default value is |
adcm-db-pass |
ADCM database password |
string |
Password for connecting to the ADCM database |
— |
adcm-db-ssl-mode |
Postgres SSL mode |
string |
Flag used to connect to the ADCM database for establishing a TLS connection. This parameter is ignored when specifying the
The description of each value is given in the Installation article |
disable |
adcm-db-ssl-ca-file |
ADCM database SSL CA file path |
string |
Path to the certificate authority (CA) certificate file for establishing a TLS connection to the ADCM database |
— |
adcm-db-ssl-cert-file |
ADCM database SSL certificate file path |
string |
Path to the certificate file in PEM format for establishing a TLS connection to the ADCM database |
— |
adcm-db-ssl-key-file |
ADCM database SSL private key file path |
string |
Path to the private key file in PEM format for establishing a TLS connection to the ADCM database |
— |
adcm-url |
ADCM url |
uint16 |
URL of the host where the ADCM container is deployed. Use the following format: |
If you have one ADCM instance, the default value is |
adcm-volume |
ADCM volume name or path |
string |
Name of the ADCM container volume (in the above example — |
<installation_name>-adcm-<instance_serial_number> |
adcm-publish-ssl-port |
ADCM publish SSL port |
uint16 |
Localhost port for the ADCM container (in the above example — |
8443 |
adcm-ssl-cert-file |
ADCM SSL Certificate file path |
string |
Path to the certificate file in PEM format for establishing a TLS connection to ADCM |
— |
adcm-ssl-key-file |
ADCM SSL Private Key file path |
string |
Path to the private key file in PEM format for establishing a TLS connection to ADCM |
— |
adpg-pass |
ADPG superuser password |
string |
Password of the superuser role which is set during the PostgreSQL database initialization. The parameter is available when specifying the |
— |
adpg-image |
ADPG image |
string |
ADPG container image repository (in the above example — |
hub.arenadata.io/adcm/postgres |
adpg-tag |
ADPG image tag |
string |
Docker image tag used for the ADPG container (in the above example — |
v16.3.1 |
adpg-publish-port |
ADPG publish port |
uint16 |
Port of localhost on which the ADPG container runs (in the above example — |
5432 |
adpg-volume |
ADPG volume name or path |
string |
Name of the ADPG container volume (in the above example — |
<installation_name>-adpg |
consul-image |
Consul image |
string |
Consul container image repository. The parameter is available in ADCM Installer starting with version 1.1 (in the interactive mode, you need to specify the |
hub.arenadata.io/adcm/consul |
consul-tag |
Consul image tag |
string |
Docker image tag used for the Consul container. The parameter is available in ADCM Installer starting with version 1.1 (in the interactive mode, you need to specify the |
v0.0.0 |
consul-publish-port |
Consul publish port |
uint16 |
Port of localhost on which the Consul container runs. The parameter is available in ADCM Installer starting with version 1.1 (in the interactive mode, you need to specify the |
8500 |
vault-mode |
Vault Deployment mode |
boolean |
Flag used to select the mode in which OpenBao will be launched. The parameter is available in ADCM Installer starting with version 1.1 (in the interactive mode, you need to specify the
Description of the modes is given below |
non-ha |
vault-ui |
Vault enable UI |
boolean |
Flag used to enable access to the OpenBao web interface (for example, to create or update secrets). The parameter is available in ADCM Installer starting with version 1.1 (in the interactive mode, you need to specify the
|
true |
vault-image |
Vault image |
string |
OpenBao container image repository. The parameter is available in ADCM Installer starting with version 1.1 (in the interactive mode, you need to specify the |
openbao/openbao |
vault-tag |
Vault image tag |
string |
Docker image tag used for the OpenBao container. The parameter is available in ADCM Installer starting with version 1.1 (in the interactive mode, you need to specify the |
2.2.0 |
vault-publish-port |
Vault publish port |
uint16 |
Port of localhost on which the OpenBao container runs. The parameter is available in ADCM Installer starting with version 1.1 (in the interactive mode, you need to specify the |
8200 |
vault-db-host |
Vault database host |
string |
OpenBao database server address. The parameter is available in ADCM Installer starting with version 1.1 (in the interactive mode, you need to specify the |
1 |
vault-db-port |
Vault database port |
uint16 |
Port number for connecting to the OpenBao database. The parameter is available in ADCM Installer starting with version 1.1 (in the interactive mode, you need to specify the |
5432 |
vault-db-name |
Vault database name |
string |
Name of the OpenBao database. The parameter is available in ADCM Installer starting with version 1.1 (in the interactive mode, you need to specify the |
vault |
vault-db-user |
Vault database user |
string |
Username for connecting to the OpenBao database. The parameter is available in ADCM Installer starting with version 1.1 (in the interactive mode, you need to specify the |
vault |
vault-db-pass |
Vault database password |
string |
Password for connecting to the OpenBao database. The parameter is available in ADCM Installer starting with version 1.1 (in the interactive mode, you need to specify the |
— |
vault-db-ssl-mode |
Postgres SSL mode |
string |
Flag used to connect to the OpenBao database for establishing a TLS connection. The parameter is available when specifying the
|
disable |
vault-db-ssl-ca-file |
Vault database SSL CA file path |
string |
Path to the certificate authority (CA) certificate file for establishing a TLS connection to the OpenBao database. The parameter is available in ADCM Installer starting with version 1.1 (in the interactive mode, you need to specify the |
— |
vault-db-ssl-cert-file |
Vault database SSL certificate file path |
string |
Path to the certificate file in PEM format for establishing a TLS connection to the OpenBao database. The parameter is available in ADCM Installer starting with version 1.1 (in the interactive mode, you need to specify the |
— |
vault-db-ssl-key-file |
Vault database SSL private key file path |
string |
Path to the private key file in PEM format for establishing a TLS connection to the OpenBao database. The parameter is available in ADCM Installer starting with version 1.1 (in the interactive mode, you need to specify the |
— |
vault-ssl-cert-file |
Vault SSL Certificate file path |
string |
Path to the certificate file in PEM format for establishing a TLS connection to OpenBao. The parameter is available in ADCM Installer starting with version 1.1 (in the interactive mode, you need to specify the |
— |
vault-ssl-key-file |
Vault SSL Private Key file path |
string |
Path to the private key file in PEM format for establishing a TLS connection to OpenBao. The parameter is available in ADCM Installer starting with version 1.1 (in the interactive mode, you need to specify the |
— |
If parameter values are not specified, default values will be used for names and Docker container configuration parameters and passwords will be generated automatically.
After the command mentioned above is executed, the following files will be created:
-
adcm.yaml (or adcm.yml) is the ADCM installation configuration file in the YAML format;
-
age.key is the file with the private key in the
AGE-SECRET-KEY-1…
format to access sensitive data (secrets) stored in the adcm.yaml (or adcm.yml) file.
To take advantage of additional command options, use the following flags:
-
--force
— allows you to overwrite the existing configuration file; -
-o
or--output
— allows you to save the configuration file with the given name, for example:--output /<file_path>
, where<file_path>
is the absolute path to the configuration file in the YAML format including the file name; -
--age-key-file
— determines the location of the file with the private key; -
--age-key
— determines the private key, for example:$ adi init <installation_name> --age-key AGE-SECRET-KEY-1...
NOTEThe private key can also be passed via theAGE_KEY
variable, for example:export AGE_KEY=AGE-SECRET-KEY-1…
.
# Project name
name: my-adcm
# Configurations of the following Docker containers: my-adcm-adcm and my-adcm-adpg
services:
adcm:
# Add specified Linux capabilities to the Docker container. The list of supported capabilities is given in the Linux documentation
cap_add:
- CAP_CHOWN
- CAP_SETUID
- CAP_SETGID
# Remove specified Linux capabilities from the Docker container
cap_drop:
- ALL
# Order in which the Docker containers are started. In this case, the my-adcm-adcm container will be started after the my-adcm-adpg container startup
depends_on:
adpg:
# Condition under which the my-adcm-adcm container is started. In this case -- wait until the my-adcm-adpg container is healthy
condition: service_healthy
restart: true
required: true
# Custom hostname for the Docker container
hostname: my-adcm-adcm
# Image name
image: hub.arenadata.io/adcm/adcm:2.5.0
# Metadata to add to the Docker container
labels:
app.arenadata.io/type: adcm
# Create a dedicated network for the Docker container on the host
networks:
default: null
# Map ports between the Docker container and the host
ports:
- mode: ingress
# Port of the Docker container
target: 8000
# Published port
published: "8000"
# Port protocol
protocol: tcp
# Pull the Docker image from the registry for every container startup
pull_policy: always
# Policy of the Docker container restart. In this case, the policy restarts the Docker container in all cases, except forcible stop of the Docker container
restart: unless-stopped
# Provide the Docker container with access to sensitive data defined by the x-secrets top-level element
secrets:
- source: adcm-db-name
target: /run/secrets/adcm-db-name
- source: adcm-db-user
target: /run/secrets/adcm-db-user
- source: adcm-db-pass
target: /run/secrets/adcm-db-pass
# Named volumes that are accessible by the Docker container
volumes:
- type: volume
source: my-adcm-adcm
target: /adcm/data
volume: {}
adpg:
cap_drop:
- ALL
hostname: my-adcm-adpg
# Docker container health check using the pg_isready utility
healthcheck:
test:
- CMD-SHELL
- pg-entrypoint isready postgres
timeout: 3s
interval: 10s
retries: 3
image: mybackspace/adpg:16.4
labels:
app.arenadata.io/type: adpg
networks:
default: null
pull_policy: always
# Run the Docker container with a read-only internal filesystem
read_only: true
restart: unless-stopped
# Prevent the Docker container processes from gaining additional privileges
security_opt:
- no-new-privileges
# User used to run the Docker container
user: 10001:10001
volumes:
- type: volume
source: my-adcm-adpg
target: /data
volume: {}
# Named network that allows Docker containers to communicate with each other
networks:
default:
name: my-adcm_default
# Named volumes that will be created with the Docker container initial startup
volumes:
my-adcm-adcm:
name: my-adcm-adcm
my-adcm-adpg:
name: my-adcm-adpg
# Sensitive data that is granted to the Docker containers
x-secrets:
age_recipient: age1htxwzyy75rlrhut6jry0uet3ks7cw44w80jl2gktukp9m800auyqspyfws
data:
adcm-db-name: YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoMWh2d2E5TU8xR0RkQVdCalB6ZUEvZUh5d2ZqN3hpbEJBK2taMHZCM3hvCkNzbVNudHlSVUIxY0hCT3lDaHJNVld0VHlHK1hRU2RjMzRnUGxjaUdBUDAKLS0tIEFIcmVEVnpQVE5iVFdwQ0NRcVpNQ0w5TWRRQTB3ZmZBemZVbFcySk5ZOEEK3Y7P8Lgl0+Gx9+UwJQOzRheRbVxox/XaXEj6M1xMukn56AgJ
adcm-db-pass: YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWRXR6eEduL3piZk1oODd5QnNENUZPTHhzMXhxczRMNTVhd0VrUWJoYlNVCnV5OHBadTlpMlpTWnc4SXFoMThqbHE4UVBheVloNnk1U0o1N2E2dHZaZFEKLS0tIFViUm96eXJFWWJJY3o1WHlNYmdneVRQUTVRL3ZKbFlhVFF2Z2l4cDZ0QUUKr7EYAMlS/h6TeoZV4bgBKqlVDUysOKGgAU1qWjCOezUWA/2hARb1Kt928jB+Qn8i
adcm-db-user: YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYm95bDZDV1NrbGpuYWdXN21IaUZwSFVaSHlVNVZXd2tGR1RhWE1XcTFjCnY0RUFJQnZwcUxWWk40bjUxWi9xdHM3TFpOUTZlYWk0elpSU21mUnlTbWcKLS0tIHJvYjZHNGk4UUNDMnFCd3NFVGsvV0tyYWprQUw2Wm1pMGNHMWRYYkIwTlEK4pYnqi8iDd2GefTUK2SLz8Q3BO5Re4DHmV33+TKiUQcjTXV6
adpg-password: YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObFI3MUptcW1ZdSs0ZGc2Tlp3SXprRGptdWhld01RekxjakZNQ1NIWFZNCnZDbzYzUXVzNUtvS3dYbkxhNnNNV2k2TXJCZWNQeVI2Y2c0aXlKdjk0bUUKLS0tIDZEUWFNRGRScFN0Y2s5WUQwMzUzQTJKNTAzRTBmVXhWNFQ0V2tXZUN6S00KTA1a/+YkjQ1bzr4/9I5GTHAnFHgCwblCW656C8O2qyw2NmbZtgeypIWf6n1yz2wg
OpenBao
Starting with ADCM Installer 1.1, it is possible to configure and deploy OpenBao for identity-based secrets and encryption management.
ADCM Installer allows you to run OpenBao in the following modes:
-
Dev mode (by default) — enables the following options:
-
automatically initialize and unseal the OpenBao server;
-
store data (in an encrypted form) in memory without requiring access rights;
-
store an OpenBao root token that can be used to access the OpenBao command line interface (CLI).
IMPORTANTIt is not recommended to use the development mode in a production environment, as data will be lost after restarting the OpenBao server. Use this mode only for testing purposes. -
-
Persistent mode — the exact opposite of the dev mode which allows you to use the PostgreSQL storage backend to persist data after restarting the OpenBao server.
-
High availability (HA) mode — protects from failures by running several OpenBao servers using the PostgreSQL storage backend.
NOTEYou can run OpenBao in the high availability mode by running ADCM Installer on the required hosts.
For more information on OpenBao features and functions, please refer to the OpenBao documentation.
For example, to create a configuration file for deploying the ADCM installation with a PostgreSQL database and installing OpenBao, perform the following steps:
-
Run the
init
command by specifying the--vault
flag:$ adi init <installation_name> --adpg --vault -i
-
Determine the values of parameters required to deploy the ADCM installation with a PostgreSQL database and to install OpenBao. The parameters are described in the table.
HashiCorp Consul
Starting with ADCM Installer 1.1, it is possible to configure and deploy HashiCorp Consul in the dev mode. HashiCorp Consul is a solution for network services that allows you to coordinate secure communication between services and check their availability. HashiCorp Consul can be used instead of the status-checker in all products (ADB Control, ADH, and so on).
NOTE
HashiCorp Consul provides the ability to register services, but it does not automatically do it. Products should register their services in HashiCorp Consul on their own.
|
To create a configuration file for deploying the ADCM installation with a PostgreSQL database and installing HashiCorp Consul, perform the following steps:
-
Run the
init
command by specifying the--consul
flag:$ adi init <installation_name> --adpg --consul -i
-
Determine the values of parameters required to deploy the ADCM installation with a PostgreSQL database and to install HashiCorp Consul. The parameters are described in the table.
Deploy the ADCM installation
The apply
command allows you to deploy the ADCM installation with the created files adcm.yaml (or adcm.yml), and age.key.
$ sudo adi apply
When you run the command, the docker-compose.yaml file is generated which participates in the following actions:
-
Creating and running the
my-adcm-adpg
container. -
Creating the PostgreSQL database.
-
Creating and running the
my-adcm-adcm
container.
To ensure that the ADCM installation is deployed successfully, run the commands described in the Installation article.
To deploy the ADCM installation in debug mode, specify the --dry-run
flag. As a result, the docker-compose.yaml file is created without creating and running containers.
For more information on other flags that can be specified when running the apply
command, use the following command:
$ adi apply --help
NOTE
With the --help flag, you can also get a brief description of other commands described below.
|
Create scripts with auto-complete
The completion
command allows you to generate scripts with auto-complete for the ADCM Installer commands using the Tab
key for the following shells:
-
Bash
-
fish
-
PowerShell
-
Zsh
NOTE
For Bash, first install the bash-completion package required for the script.
|
For more detailed instructions on how to use a generated script, run the following command:
$ adi completion <shell> --help
where <shell>
is the shell name.
List running ADCM installations
The list
command allows you to obtain the following information on the ADCM installations:
-
NAMES
— the ADCM installation name; -
STATUS
— the status and the number of the Docker containers; -
CONFIG FILES
— the path to the configuration file.
Command example:
$ sudo adi list
The example of the command execution result:
NAMES STATUS CONFIG FILES my-adcm running(3) /home/adelya/adcm-installer/adcm.yaml
To display information on stopped ADCM installations, specify the --all
flag.
List available ADCM versions
The adcm-versions
command allows you to check for the new ADCM image versions available for download from Arenadata Docker Registry:
$ adi adcm-versions --all
The example of the command execution result:
2.5.1 2.5.0 2.4.0 2.3.0 2.2.0 2.1.2 2.1.1 2.1.0 2.0.0
To display the last five versions, run the adcm-versions
command without specifying the --all
flag.
Manage secrets
The secrets
command allows you to manage secrets specified in the configuration file as follows:
-
secrets new-key
— creates a new private key which by default is saved in the age.key file; -
secrets show
— shows secrets defined during initialization; -
secrets set
— determines new secret values, for example:$ adi secrets set adcm-db-pass 1234
Stop and remove running ADCM installations
The delete
command stops running ADCM installations using the specified configuration file or running installation name.
If adcm.yaml (or adcm.yml) or age.key are located in the directory in which the command is run, the delete
command will be executed automatically without specifying the configuration file or the ADCM installation name:
$ sudo adi delete
As a result, the ADCM installation will be stopped with the preservation of data specified during initialization of the configuration file.
To remove a running ADCM installation along with volumes related to the installation, specify the --volumes
flag. Confirm the removal during the execution of the command.
IMPORTANT
Note that running this command will permanently delete all information.
|