Installing Luna Minimal Client on Linux Using Docker
The following procedure installs the Luna Minimal Client in a Docker container on Linux. For an overview of the Luna Minimal Client and its prerequisites, see Linux Minimal Luna Client Install - Overview.
NOTE If SELinux is enabled in Enforcing mode, any container that needs the config directory must be allowed to access it. With Docker, the usual way is to append :z (shared) or :Z (private to this container) to the -v volume argument in step 21, so the directory is relabeled for the container's SELinux context.
To install the SafeNet Luna Minimal Client software on a Linux 64-bit Docker instance:
This example uses NTLS. The use of STC is optional.
1.Install the full (non-minimal) Luna HSM Client software on your Docker host; see the Luna HSM Client installation instructions for Linux. The host-side vtl and lunacm tools used in the steps below come from this installation.
2.Create a directory. In this example:
$HOME/luna-docker
The name is not important, only that you use it consistently.
3.Create the following subdirectories under that first directory:
$HOME/luna-docker/config
$HOME/luna-docker/config/certs
Additionally, if you are configuring STC:
$HOME/luna-docker/config/stc
$HOME/luna-docker/config/stc/token/001
and create an empty file:
$HOME/luna-docker/config/stc/token/001/token.db
The contents of the config directory are needed by the Docker containers.
4.Copy the Luna Minimal Client tarball to $HOME/luna-docker.
5.Untar the Luna Minimal Client tarball.
>tar -xf $HOME/luna-docker/LunaClient-Minimal-<release_version>.x86_64.tar -C $HOME/luna-docker
6.Copy the Chrystoki-template.conf file from the Minimal Client directory to $HOME/luna-docker/config, renaming it Chrystoki.conf (run this from $HOME/luna-docker):
>cp LunaClient-Minimal-<release_version>.x86_64/Chrystoki-template.conf $HOME/luna-docker/config/Chrystoki.conf
7.Define the following environment variable. It makes the host's vtl and lunacm tools in the following steps read and write $HOME/luna-docker/config/Chrystoki.conf (and place certificates under its certs subdirectory) instead of the host client's own /etc/Chrystoki.conf, so the resulting configuration lands in the directory that will be mounted into the containers.
>export ChrystokiConfigurationPath=$HOME/luna-docker/config
8.[Optional] If you choose to use STC, review the SafeNet Luna PCIe HSM documentation and modify the following instructions. The goal is to have an HSM partition created and registered with the full Luna HSM Client before you create the Docker image and containers.
9.Create a Luna HSM Client certificate for the Docker containers.
>/usr/safenet/lunaclient/bin/vtl createCert -n <cert_name>
10.Copy the client certificate to the SafeNet Luna PCIe HSM appliance. The relative ./certs paths in steps 10 to 12 assume your current directory is $HOME/luna-docker/config.
>scp ./certs/<cert_name>.pem admin@<Network_HSM_IP>:
11.Copy the appliance server certificate (server.pem) to $HOME/luna-docker/config/certs
>scp admin@<Network_HSM_IP>:server.pem ./certs
12.Register the appliance server certificate with the Client.
>/usr/safenet/lunaclient/bin/vtl addServer -c ./certs/server.pem -n <Network_HSM_IP>
13.Connect via SSH to the SafeNet Luna PCIe HSM appliance and log in to LunaSH.
>ssh admin@<Network_HSM_IP>
14.Create a partition, if one does not already exist on the HSM.
lunash:>partition create -partition <partition_name>
15.Register the full Luna HSM Client with the appliance, and assign the partition to the client (see client register and client assignpartition in the LunaSH command reference for full command syntax). The name given to vtl createCert in step 9 must match the -ip or -hostname value used here, because the appliance looks up the uploaded certificate by that name.
lunash:>client register -client <client_name> {-ip <client_IP> | -hostname <client_hostname>}
lunash:>client assignpartition -client <client_name> -partition <partition_name>
lunash:>ntls ipcheck disable
Disabling the NTLS IP check is needed because connections from the containers do not arrive from the IP address registered for the client (container networking rewrites the source address). The consequence is that the appliance then authenticates the client by its certificate alone, so protect the client private key (<cert_name>Key.pem in config/certs): every container that mounts the config directory can read it, and anyone holding it can reach the assigned partition from any address.
lunash:>exit
16.On the Docker host (the registered client), run LunaCM, set the active slot to the registered partition, and initialize it (see partition init for full command syntax). Because ChrystokiConfigurationPath is still set, LunaCM uses the configuration in $HOME/luna-docker/config.
lunacm:>slot set -slot <slotnum>
lunacm:>partition init -label <partition_label>
17.Change the paths in config/Chrystoki.conf from the host layout to the layout inside the container, where the minimal client is unpacked to /usr/local/luna and the config directory is mounted at /usr/local/luna/config. Run this from $HOME/luna-docker:
>sed -i -e 's#\./certs#/usr/local/luna/config/certs#g' \
    -e 's#/usr/safenet/lunaclient/lib/libCryptoki2_64.so#/usr/local/luna/libs/64/libCryptoki2.so#g' \
    -e 's#/usr/safenet/lunaclient/lib/libSoftToken.so#/usr/local/luna/libs/64/libSoftToken.so#g' \
    config/Chrystoki.conf
After this rewrite the file names library paths that exist only inside the container, so the host's vtl and lunacm will no longer work against it; finish any host-side configuration (steps 9 to 16) before this step.
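The host-side preparation above (the directory tree of step 3, the Chrystoki.conf copy of step 6 and the path rewrite of step 17), as an added shell example that is not part of the Thales documentation. It wraps the layout creation and the path rewrite in functions and adds a check the page does not have: after the rewrite, any line that still names the host install tree (/usr/safenet/lunaclient) or a relative ./ path is listed, which catches an entry the three substitutions did not cover. The Chrystoki-template.conf it rewrites is a constructed sample containing only the entry kinds the page's sed touches, not the real template; the in-container paths are the ones used on this page.

```sh
#!/bin/sh
# Added example, not part of the Thales documentation: host-side preparation of
# the $HOME/luna-docker/config tree (step 3) and the Chrystoki.conf path rewrite
# (step 17), followed by a check that nothing still points at the host install.
# Assumed: the in-container layout used on this page (/usr/local/luna, libs/64,
# config). The template used in demo() is a constructed sample, not the real one.
set -eu

# Create the directory tree the containers will mount. "$2" = stc also creates
# the STC soft-token directory and the empty token.db the procedure asks for.
make_layout() {
    root=$1
    want_stc=${2:-}
    mkdir -p "$root/config/certs"
    if [ "$want_stc" = stc ]; then
        mkdir -p "$root/config/stc/token/001"
        : > "$root/config/stc/token/001/token.db"
    fi
}

# Rewrite host paths to in-container paths: the same three substitutions as the
# page's sed one-liner, written out so each can be read and reviewed. Writes to
# a temporary file and renames, so a failed sed leaves the original untouched.
rewrite_paths() {
    conf=$1
    sed \
        -e 's#\./certs#/usr/local/luna/config/certs#g' \
        -e 's#/usr/safenet/lunaclient/lib/libCryptoki2_64\.so#/usr/local/luna/libs/64/libCryptoki2.so#g' \
        -e 's#/usr/safenet/lunaclient/lib/libSoftToken\.so#/usr/local/luna/libs/64/libSoftToken.so#g' \
        "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Print every line that still names the host install tree or a relative ./ path
# (the page converts those to absolute paths). Returns 0 when the file is clean
# and 1 when something was left behind, e.g. a library entry that the three
# substitutions above do not cover.
leftover_host_paths() {
    ! grep -n -e '/usr/safenet/lunaclient' -e '[=[:space:]]\./' "$1"
}

# Demonstration on a constructed template; needs neither an HSM nor Docker.
demo() {
    work=$(mktemp -d)
    make_layout "$work" stc
    # Constructed sample with the entry kinds the page's sed touches.
    cat > "$work/config/Chrystoki.conf" <<'EOF'
Chrystoki2 = {
   LibUNIX64 = /usr/safenet/lunaclient/lib/libCryptoki2_64.so;
}
LunaSA Client = {
   ClientPrivKeyFile = ./certs/lunaclientKey.pem;
   ClientCertFile = ./certs/lunaclient.pem;
   ServerCAFile = ./certs/CAFile.pem;
}
Secure Trusted Channel = {
   ClientTokenLib = /usr/safenet/lunaclient/lib/libSoftToken.so;
}
EOF
    rewrite_paths "$work/config/Chrystoki.conf"
    if leftover_host_paths "$work/config/Chrystoki.conf"; then
        echo "OK: $work/config/Chrystoki.conf only names in-container paths"
    else
        echo "WARNING: fix the lines listed above before building the image" >&2
    fi
    cat "$work/config/Chrystoki.conf"
}

demo
```

Run as-is, it works in a temporary directory. To apply it to the real tree, call make_layout "$HOME/luna-docker" stc, copy the real Chrystoki-template.conf to $HOME/luna-docker/config/Chrystoki.conf, then run rewrite_paths and leftover_host_paths on that file. Inspect anything leftover_host_paths reports rather than blindly rewriting it; a remaining relative path is only a problem if the container cannot resolve it.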
Create a Luna Client Docker image
The minimal client tarball does not include tools or other files that are not necessary for basic operation. Copy any additional files you want in the image to $HOME/luna-docker/, which is the Docker build context; the Dockerfile below expects the lunacm, vtl, multitoken and ckdemo binaries there (from /usr/safenet/lunaclient/bin of the full client), so either copy them or remove the corresponding COPY lines.
18.Create a file named Dockerfile in $HOME/luna-docker with the following contents:
FROM ubuntu:xenial
#FROM centos:centos7
ARG MIN_CLIENT
# The tarball is copied in from the build context ($HOME/luna-docker)
COPY $MIN_CLIENT.tar /tmp
RUN mkdir -p /usr/local/luna
# Unpack into /usr/local/luna, dropping the tarball's top-level directory
RUN tar xvf /tmp/$MIN_CLIENT.tar --strip-components=1 -C /usr/local/luna
# Point the client at the config directory that is mounted at run time
ENV ChrystokiConfigurationPath=/usr/local/luna/config
# Optional tools from the build context (see above); remove lines you do not need
COPY lunacm /usr/local/bin
COPY vtl /usr/local/bin
COPY multitoken /usr/local/bin
COPY ckdemo /usr/local/bin
# Exec form: bash runs as PID 1 and receives signals and extra arguments directly
ENTRYPOINT ["/bin/bash"]
#End of the Dockerfile
19.Build a Docker image.
>docker build . --build-arg MIN_CLIENT=LunaClient-Minimal-<release_version>.x86_64 -t lunaclient-image
20.Use the following command to verify the Docker image has been created:
>docker images
Run the Docker container
21.Make the contents of the config directory available to the containers when you create them, by mounting the config directory as a volume. Run this from $HOME/luna-docker, since the command uses $PWD:
>docker run -it --name lunaclient -v $PWD/config:/usr/local/luna/config lunaclient-image
On an SELinux host in Enforcing mode, append :z to the volume argument (-v $PWD/config:/usr/local/luna/config:z) so the directory is relabeled for container access, as described in the NOTE above. The mounted directory contains the client private key, so give it the same file permissions you would give the key on the host.
22.From the Docker container, verify that the container has a connection to the SafeNet Luna PCIe HSM partition.