Getting Started with Dependency Track - Default Docker Deployment - Cannot Log In.

[ghost]

Dear All.

Working on Ubuntu 18.04 and logged in as my user then SU to root, current directory = /home/myuser.

I have configured a Docker Container on Ubuntu 18.04 exactly as described starting here : https://docs.dependencytrack.org/getting-started/distributions/ - this is an exactly default installation using the inbuilt H2 database.

Using Firefox when i go to http://serveripaddress/login?redirect=%2Fdashboard i can see the login page, but when i type out the default details, green ticks appear next to the username and password, i get very excited, and then when i click Login, nothing happens, my excitement turns to sadness :(

I am up to this page in the instructions -> https://docs.dependencytrack.org/getting-started/initial-startup/

When i did this ...

Downloads the latest Docker Compose file

curl -LO https://dependencytrack.org/docker-compose.yml

Starts the stack using Docker Compose

docker-compose up -d

... is Dependency Track now started ?

If not how do i start it ?

root@hostname:/home/myuser# ps ugx | grep docker

root 1058 0.1 1.1 1349084 92980 ? Ssl 02:53 0:22 dockerd --group docker --exec-root=/run/snap.docker --data-root=/var/snap/docker/common/var-lib-docker --pidfile=/run/snap.docker/docker.pid --config-file=/var/snap/docker/796/config/daemon.json
root 1392 0.6 0.6 1354796 48604 ? Ssl 02:53 1:17 containerd --config /run/snap.docker/containerd/containerd.toml --log-level error
root 6876 0.0 0.0 478584 2888 ? Sl 05:55 0:00 /snap/docker/796/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8081 -container-ip 172.20.0.2 -container-port 8080
root 6882 0.0 0.0 108732 5408 ? Sl 05:55 0:00 containerd-shim -namespace moby -workdir /var/snap/docker/common/var-lib-docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/6b1b6b7e9bcacb7a0d82c15f830928a16ae0ef5419841f6b212c5ad87f86a686 -address /run/snap.docker/containerd/containerd.sock -containerd-binary /snap/docker/796/bin/containerd -runtime-root /run/snap.docker/runtime-runc
root 7001 0.0 0.0 552316 2868 ? Sl 05:55 0:00 /snap/docker/796/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8080 -container-ip 172.20.0.3 -container-port 8080
root 7008 0.0 0.0 108732 5412 ? Sl 05:55 0:00 containerd-shim -namespace moby -workdir /var/snap/docker/common/var-lib-docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/8833fa939a0c92b9e12813cfa99585ad1701191173ea45c05eec2f2fef92b0bd -address /run/snap.docker/containerd/containerd.sock -containerd-binary /snap/docker/796/bin/containerd -runtime-root /run/snap.docker/runtime-runc
root 8060 0.0 0.0 13136 1096 pts/0 S+ 06:26 0:00 grep --color=auto docker

[stevespringett]

You may have to update the compose if you're connecting to anything other than localhost.

      # NOTE:
      #   * This URL must be reachable by the browsers of your users.
      #   * The frontend container itself does NOT communicate with the API server directly, it just serves static files.
      #   * When deploying to dedicated servers, please use the external IP or domain of the API server.
      - API_BASE_URL=http://localhost:8081

[ghost]

Hi Steve, got it working thank you ! Next job is to connect to postgresql !!! : )

[ghost]

Steve, i have been able to easily get Dependency Track running with Postgresql both running inside one Docker Container. The problem is of course that it's very easy to blow away the database and lose all the contents. Are there instructions anywhere explaining how to create and connect to a database hosted in the OS file system so that when i do docker-compose down i don't lose everything ? I understand this is not really a Dependency Track question.

[stevespringett]

I would not recommend running DT and the database server in the same container. It will be a performance nightmare. But it sounds like you don't have a persistent volume for your container. That would explain why the data isn't there when you restart. You should stand up a dedicated database container image and simply point DT to use that database server. All of those configuration parameters are in the docker-compose.yml provided.

[ghost]

Suggestion : if you try to create a new ladap user and there is a managed user with the same name, pop up a message saying so and dont allow the new ldap user to be created and vice versa.

[ghost]

Hi Steve i got it all working thanks for your help. I used one container with two volumes, one volume for dtrack and one for postgresql. Noting your comment about not running DT and DB in the same container, I will look at using two separate containers next.

[ghost]

Steve, can you point me in the right direction to enabling HTTPS ? We have dependency track installed and working very well. Thanks for your help so far.

[stevespringett]

Enabling TLS in DT is non-trivial and will require you to create your own container image.

Most orgs put NGINX in front of the API Server and frontend to provide TLS. It's the simplest option and allows them to continue to use the default container images provided by the DT project.

[ghost]

Steve thanks for the reply, there must be a good reason not to include HTTPS by default, is the LDAP communications secure or encrypted ? we are using this on an internal secured network. Or, in your opinion is it safe to run without HTTPS ? Sorry for the very basic questions.

[stevespringett]

good reason not to include HTTPS by default

Yes, certificates obtained from trusted certificate authorities typically cost money, or in some cases are free (e.g. lets encrypt), but they're typically tied to a specific hostname (except for wildcard certs which are specific to the entire domain or subdomain). In all cases however, some hostname or domain name information must be known in advance.

Self-signed certificates can be generated by anyone but do not provide any authenticity and as a result, will throw up browser warnings.

Therefore, it is up to each organization to obtain their own certificates - either from a trusted CA or via their own internal PKI, and configure their web properties with HTTPS. In the case of containers, this is typically accomplished with a frontend reverse proxy such as NGINX.

[ghost]

Steve thanks again for the reply, we have no problems paying for an SSL certificate but it's going to be a steep learning curve for me to set up a reverse proxy using NGINX. Does dependency track support LDAPS ? or is there any other easier way to ensure that user logins are encrypted ? I would have thought that considering the function of this system that secure user login would have been included by default, unless i am missing anything obvious ? We just want to use dependency track now and have login secure without messing around.

[stevespringett]

Yes, DT supports LDAP and LDAPS. Support for LDAPS can be achieved two ways:

If you specify a URL such as ldaps://ldap.example.com:636 or ldaps://ldap.example.com:3269 DT will disable certificate validation for the LDAP server.

If you specify a URL such as ldap://ldap.example.com:636 or ldap://ldap.example.com:3269 , then DT will still connect via LDAPS but certificate validation will be enforced.

If your directories use certificates from trusted CA's, use the ldap:// URLs. If your directory servers use their own PKI or self-signed certificates, then you may opt to use ldaps:// URLs.

Use of OIDC is always favorable instead of LDAP.