Run the CLI using a Docker container.
The first step is pulling the CLI image.
$ docker pull keeper/keeper-secrets-manager-cli:latest
The next step is running the container. By default the container is set up to run ksm in shell mode.
$ docker run \
    --rm \
    -it \
    -v $PWD:/wd --workdir /wd \
    -v $HOME/.config:/etc/keeper -e KSM_INI_DIR=/etc/keeper \
    keeper/keeper-secrets-manager-cli:latest
1. The docker run command.
2. Flags to remove the container when it is done running. That will prevent a buildup of inactive containers.
3. Flag to enable interactions with the container.
4. Mounts the current directory as /wd inside of the container and then sets the working directory to /wd inside of the container. This will allow anything written to /wd to be written to the current directory outside of the container. This is useful when downloading a file.
5. Mounts a directory where we want to store, or have, the keeper.ini file. Then we pass the environment variable telling the CLI where to write or read the keeper.ini file.
6. Name of the image.
The docker run command can be a little too much to type each time. It is recommended that aliases be created.
$ alias ksm_shell='docker run --rm -it --workdir $PWD -v $PWD:$PWD -v $HOME/.config:/etc/keeper -e KSM_INI_DIR=/etc/keeper keeper/keeper-secrets-manager-cli:latest'
The above will launch the ksm shell.
The next alias is slightly different. At the end of the run command, the application ksm is added. This will cause ksm not to start in shell mode.
$ alias ksm='docker run --rm -it --workdir $PWD -v $PWD:$PWD -v $HOME/.config:/etc/keeper -e KSM_INI_DIR=/etc/keeper keeper/keeper-secrets-manager-cli:latest ksm'
The KSM CLI docker includes a volume mount to both GLIBC (most Linux distributions) and MUSL (Alpine Linux) CLI binaries. The volume is /cli. This directory can be mounted into another container using the volumes_from in docker-compose or -v from command line docker. The ksm executables exist in a directory based on the version of the C library your Linux distribution is using.
/cli/glibc/ksm - For standard GLIBC distributions like Ubuntu, Debian, Fedora, and CentOS.
/cli/musl/ksm - For Alpine Linux.
For example, the following is a simple framework showing how to access the CLI binary.
command: [ '/cli/glibc/ksm', 'exec', 'printenv', 'MY_LOGIN' ]
KSM_CONFIG: ewog ... M09IemdQMnc9Igp9
The init service will load the CLI docker. The container will start, display a CLI splash screen, and then exit. Even though the container has stopped, the /cli volume is still accessible.
The main service will mount the CLI docker's volume under the directory
command is overridden to run the GLIBC version of the KSM CLI. The command is using the exec function of the CLI. That will replace environment variables that use the Keeper Notation with a secret value. The exec command of the CLI is running the printenv application. That will print the environment variable, MY_LOGIN, that has been set to Keeper Notation, and has had its value replaced with a secret by the
$ example : docker-compose up
[+] Running 2/0
⠿ Container example-init-1 Created 0.0s
⠿ Container example-main-1 Recreated 0.1s
Attaching to example-init-1, example-main-1
example-init-1 | ██╗ ██╗███████╗███╗ ███╗ ██████╗██╗ ██╗
example-init-1 | ██║ ██╔╝██╔════╝████╗ ████║ ██╔════╝██║ ██║
example-init-1 | █████╔╝ ███████╗██╔████╔██║ ██║ ██║ ██║
example-init-1 | ██╔═██╗ ╚════██║██║╚██╔╝██║ ██║ ██║ ██║
example-init-1 | ██║ ██╗███████║██║ ╚═╝ ██║ ╚██████╗███████╗██║
example-init-1 | ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝╚══════╝╚═╝
example-init-1 | Current Version: 1.0.13
example-init-1 | Running in shell mode. Type 'quit' to exit.
example-init-1 exited with code 0
example-main-1 | john.smith@localhost
example-main-1 exited with code 0
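The init/main layout described above, written out as a complete docker-compose file. This is an added example, not the project's own file. The ubuntu:latest image for main, the record UID placeholder in the Keeper Notation value, and reading KSM_CONFIG from the host environment rather than writing the base64 config into the file are assumptions.

```yaml
# Added example: services named init and main, as in the text above.
# volumes_from is accepted by Compose file format 2.x and by the
# Compose Specification; it is not part of the 3.x file format.
services:
  init:
    # Starts in shell mode, prints the splash screen and exits.
    # Its /cli volume remains available to other services afterwards.
    image: keeper/keeper-secrets-manager-cli:latest

  main:
    # Assumption: any GLIBC-based image works here. For an Alpine image
    # the command would point at /cli/musl/ksm instead.
    image: ubuntu:latest
    volumes_from:
      # Mount the CLI container's volumes read-only, so this service
      # can execute the binaries under /cli but not modify them.
      - init:ro
    # Same command line as the fragment above: ksm exec resolves Keeper
    # Notation in the environment, then runs printenv MY_LOGIN.
    command: [ '/cli/glibc/ksm', 'exec', 'printenv', 'MY_LOGIN' ]
    environment:
      # The base64 configuration holds the credentials the CLI uses to
      # reach the vault. Taking it from the host environment keeps it
      # out of the compose file and out of version control; compose
      # aborts with this message if the variable is unset or empty.
      KSM_CONFIG: "${KSM_CONFIG:?KSM_CONFIG must be set in the host environment}"
      # Placeholder: replace <RECORD_UID> with the UID of a record the
      # application has access to. ksm exec swaps this value for the
      # record's login field before printenv runs.
      MY_LOGIN: "keeper://<RECORD_UID>/field/login"
```

Run `docker inspect` on the main container after a test run to confirm what ended up in its environment: KSM_CONFIG is visible there to anyone with access to the Docker daemon, so that access should be restricted accordingly.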