Docker Installation
Instructions for installing Keeper Gateway on Docker
This document explains how to install, configure, and update your Keeper Gateway on Docker. The Docker container is built on a Rocky Linux 8 base image and is hosted on DockerHub.
For full PAM capabilities, use a Linux host with an x86 AMD processor.
A Linux host with an x86 AMD processor
Docker and Docker Compose installed
Note: your install may use "docker compose" or "docker-compose"
A new Gateway deployment can be created by clicking on Create New > Gateway from the Preview Web Vault.
You can also create a Gateway and configuration file from the Commander CLI:
The Application names and UIDs can be found with secrets-manager app list
A Docker Compose file is provided through the Vault UI. Typically this file would be saved in your local environment as docker-compose.yml in your preferred folder. An example is below:
The only required environment variable setting is GATEWAY_CONFIG which is the resulting base64-encoded configuration provided when creating a Gateway device.
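An added pre-flight check, not part of Keeper's documentation or tooling: it confirms that the GATEWAY_CONFIG value in docker-compose.yml is present and well-formed base64, and that the file holding it is not accessible to group or others. The function names are hypothetical, and it assumes GNU stat and base64 on the Linux host and a GATEWAY_CONFIG value written inline in the compose file.

```sh
#!/bin/sh
# Added example (not Keeper's code): pre-flight checks for docker-compose.yml.
# Assumes GNU coreutils (stat -c, base64 -d) and an inline GATEWAY_CONFIG value.

# Print the GATEWAY_CONFIG value. Handles the mapping form
# "GATEWAY_CONFIG: value" and the list form "- GATEWAY_CONFIG=value".
gateway_config_value() {
  sed -n -E 's/^[[:space:]]*(-[[:space:]]*)?GATEWAY_CONFIG[[:space:]]*[:=][[:space:]]*//p' "$1" |
    head -n 1 | tr -d "\"'" | sed -E 's/[[:space:]]+$//'
}

# Succeed only if the value is non-empty, uses the base64 alphabet
# (standard or URL-safe) and decodes without error.
is_valid_base64() {
  v=$1
  [ -n "$v" ] || return 1
  printf '%s' "$v" | grep -Eq '^[A-Za-z0-9+/_-]+={0,2}$' || return 1
  # Restore padding that may have been dropped; length 1 mod 4 is never valid.
  case $(( ${#v} % 4 )) in
    1) return 1 ;;
    2) v="$v==" ;;
    3) v="$v=" ;;
  esac
  printf '%s' "$v" | tr '_-' '/+' | base64 -d >/dev/null 2>&1
}

# Succeed only if group and others have no permission bits on the file.
is_private_file() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  [ $(( 0$mode & 077 )) -eq 0 ]
}

# Run both checks on a compose file; non-zero exit means do not start it yet.
preflight() {
  rc=0
  is_valid_base64 "$(gateway_config_value "$1")" ||
    { echo "FAIL: GATEWAY_CONFIG is missing or is not valid base64" >&2; rc=1; }
  is_private_file "$1" ||
    { echo "FAIL: $1 is accessible to group/others; chmod 600 it" >&2; rc=1; }
  return "$rc"
}

if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

Run it with the path to the compose file as its only argument before starting the service; a truncated or line-wrapped paste of the configuration shows up as the first failure.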
When running the Preview version of the Keeper Gateway, you'll see the output in the logs like below:
On the Vault UI in the Secrets Manager > Applications > Gateways screen, the Gateway will show Online.
If you need verbose debug logs on the Gateway, enable debug logging by adding the environment section variables below to your Docker Compose file:
After debug is enabled, restart the service with docker compose restart
Executing the following command will update the Keeper Gateway container to the latest Preview and restart the service:
Adding the "restart" parameter in the docker-compose.yml file will assign a restart policy to the environment:
If you would like to force the host operating system to automatically start the Keeper Gateway on a Docker installation, follow these steps (Linux host).
First, create a .service file at /etc/systemd/system/keeper-gateway.service
NOTE:
Replace /home/ec2-user with the path to your docker-compose.yml
Replace ec2-user user with your user running Docker
Replace docker group with your defined group
Then enable the service:
DockerHub listing: https://hub.docker.com/r/keeper/gateway
Quick reference for Installing Docker and Docker Compose on Linux
A very useful capability of the Keeper Gateway is being able to open connections and tunnels to the host machine. By adding the extra_hosts section to your docker compose file with a value of host.docker.internal:host-gateway, you can open sessions directly to the host.
Example docker compose with the Gateway container:
Enabling this option allows you to establish a Connection to the host. For example, to open an SSH connection:
Create a PAM User record with the SSH private key
Create a PAM Machine record with the hostname set to host.docker.internal and port 22
Activate the SSH connection in PAM settings referencing the PAM User
If you use KeeperPAM to SSH over to the host service, you can upgrade the container by running the container update of the gateway in the background: