deployment: add docker images for other architectures and cpus about pomerium HOT 13 CLOSED

@StanislavBolshakov Great idea.

I spent the last few hours looking at how multi-architecture/os images could be supported, and it looks like the best way to do this is probably get pomerium added as an official docker image.

see

• https://github.com/docker-library/official-images#multiple-architectures
• https://hub.docker.com/_/traefik
• https://github.com/hashicorp/docker-vault
• https://blog.docker.com/2017/11/multi-arch-all-the-things/

from pomerium.

I think adding pomerium as an official Docker image is quite a big step.

Maybe it would be easier to provide a seperate armv6/7 pomierum-image (different tag) for the people using different kind of "Pi's". This should satisfy a big group of people and you would be the first zero trust solution on ARM32-Docker as far as I know.

I am new to docker, so I am not a hundred percent sure how this works but my first guess is to exchange
FROM golang:alpine as build
with
FROM arm32v7/golang:alpine as build

Are there any other caveats one has to know?
(I could test it with a Banana Pi 1)

from pomerium.

@fightforlife If you are free to test, we can try giving this a go see PR #95

from pomerium.

@desimone getting this error on step 6:

Sending build context to Docker daemon  36.86kB
Step 1/19 : FROM golang:alpine as build
alpine: Pulling from library/golang
c2a5cdd4aa08: Already exists 
61912a55c401: Pull complete 
c38eec8ecc12: Pull complete 
1a84f6973d50: Extracting [===>                                               ]  8.356MB/121MB
1a84f6973d50: Pull complete 
361acb9197b7: Pull complete 
Digest: sha256:1a5f8b6db670a7776ce5beeb69054a7cf7047a5d83176d39b94665a54cfb9756
Status: Downloaded newer image for golang:alpine
 ---> 7869b1303a7e
Step 2/19 : RUN apk --update --no-cache add ca-certificates git make
 ---> Running in 582820f9547b
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/armv7/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/armv7/APKINDEX.tar.gz
(1/8) Installing nghttp2-libs (1.35.1-r0)
(2/8) Installing libssh2 (1.8.2-r0)
(3/8) Installing libcurl (7.64.0-r1)
(4/8) Installing libgcc (8.3.0-r0)
(5/8) Installing expat (2.2.6-r0)
(6/8) Installing pcre2 (10.32-r1)
(7/8) Installing git (2.20.1-r0)
(8/8) Installing make (4.2.1-r2)
Executing busybox-1.29.3-r10.trigger
OK: 14 MiB in 23 packages

Removing intermediate container 582820f9547b
 ---> d52825b5c589
Step 3/19 : ENV CGO_ENABLED=0
 ---> Running in dd3b85e9ede4
Removing intermediate container dd3b85e9ede4
 ---> 96112d6bd4fd
Step 4/19 : ENV GO111MODULE=on
 ---> Running in 8aa72f79f94a
Removing intermediate container 8aa72f79f94a
 ---> b7534fb6aef0
Step 5/19 : WORKDIR /go/src/github.com/pomerium/pomerium
 ---> Running in 3bc47c75a582
Removing intermediate container 3bc47c75a582
 ---> cd2d9817af18
Step 6/19 : COPY go.mod .
COPY failed: stat /var/lib/docker/tmp/docker-builder845369703/go.mod: no such file or directory```

from pomerium.

@StanislavBolshakov thanks for testing this.

• Could you show me a little more details about your environment?
• What command are you using to run docker? If you are building from source (it looks like?), you need to do it from the root of the git repository. Sorry if that's not what you are doing, it's a little hard to tell.
• Can you pulling from dockerhub (e.g docker pull pomerium/pomerium:arm32v6-latest) ?

from pomerium.

Hi together, I just quickly tested the two images from dockerhub (arm32v6 and arm32v7) on my Banana Pi M1 running Armbian Ubuntu 18.04.

I used the standard docker compose example without any configuration files (I am a little short on time)
The errors I am getting are just pointing to a missing configuration. (Same errors for arm32v6 and 7)

7:42PM INF cmd/pomerium service=all user-agent="pomerium/v0.0.3 (+github.com/pomerium/pomerium; 86a7040; go1.11.5)" version=v0.0.3+86a7040

7:42PM WRN identity/google: no service account, cannot retrieve groups

7:42PM FTL cmd/pomerium: new authorize error="authorize: `POLICY_FILE` policy file ./policy.yaml: is directory exists? false"

I will try to updates this with the correct configuration in place in the next days. But at the moment it seems like it is working.

Thanks!

from pomerium.

So I just took the time and spun up a simple configuration with Google as Identity Provider and only one policy.

I get the Google login screen but after this I get a screeen from Pomerium with a 500 Error.
I will recheck my configuration, just to be sure.

from pomerium.

@fightforlife Great to hear. If it's running as you described it sounds like it is working (unless something unexpected is going on with Go's arm support).

If you are able to print out the debug logs I can help you troubleshoot that.

from pomerium.

Hi can you help me

from pomerium.

@desimone
I was on vacation the last days, but today I was able to clear my problem (wrong certificates linked) and can say that pomerium is working fine on my Banana Pi inside docker.

Thank you very much! This will replace Pritunl Zero for me.

from pomerium.

@fightforlife That's great, I'm glad it is working for you!

If you wouldn't mind testing the latest dockerhub builds, it would be a huge help. I just want to make sure distroless and dockerhub automated builds are still working as expected for ARM?

See #102

from pomerium.

Closing for now, but if there is an issue please let me know. Arm should be generated on latest and tagged like normal releases going forward.

from pomerium.

arm32v7 build from 5 hours ago is working fine for me.

from pomerium.