Installation using Docker Compose¶

Deployment via Docker Compose requires Docker at least version 23.0.

Configuration options¶

Configure using .env file.
Configure using Docker secrets.

Creating a group and adding a user¶

Create the docker group.
```
sudo groupadd docker
```
Add your user to the docker group.
```
sudo usermod -aG docker $USER
```
Run the following command for the changes to take effect:
```
newgrp docker
```

Important

Execute the commands from the following steps using the user added to the group.

Downloading the distribution¶

The distribution is currently available upon request.

Launch¶

When using it for the first time, unzip the archive with the distribution.

The archive contains two variants of the Docker Compose configuration. The first one uses the .env file for storing sensitive data (such as database passwords, S3-compatible storage access keys, etc.). The second variant uses Docker secrets for storing sensitive data.
Open the terminal and navigate to the solidpoint-compose directory obtained as a result of unpacking.

All subsequent examples of commands in this instruction are executed relative to this directory.
Enter your secret access token by editing the value of the environment variable TOKEN in the .env file, for example:
```
TOKEN=my-secret-access-token
```
Set the correct permissions for bind mounts to make them writable:
```
chmod a+wr fuchsiad/config/ backend/data/
```

Launch the services using the .env file configuration:

docker compose up --build

Launch the services using the Docker secrets configuration:

docker compose -f docker-compose-with-secrets.yml --env-file secrets.env up --build

The dashboard is available by default at http://localhost. When using the first configuration option the address and port can be changed in the file docker-compose.yml in services.dashboard.ports section. For the second option similar changes can be applied to the docker-compose-with-secrets.yml file.

Configuring¶

The environment variables can be configured in the .env or the secrets.env file for the first and second option, correspondingly.

Variable name	Default value	Description
`FUCHSIAD_POSTGRES_SERVER_URL`	`fuchsiad-database:5432`	Database server address for the `fuchsiad` scan service in the `host:port` format
`FUCHSIAD_POSTGRES_DB`	`fuchsia`	PostgreSQL database name for the `fuchsiad` scan service
`FUCHSIAD_POSTGRES_USER`	`fuchsia`	PostgreSQL username for the `fuchsiad` scan service
`FUCHSIAD_POSTGRES_PASSWORD`	***	PostgreSQL database password for the scan service `fuchsiad` (used only in the first configuration option)
`FUCHSIAD_POSTGRES_PASSWORD_FILE`	`/tmp/secrets/fuchsiad_db_password`	File path (inside the container) of the PostgreSQL database password for the `fuchsiad` scan service (used only in the second configuration option)
`FUCHSIAD_POSTGRES_SSL_MODE`	`disable`	Regulates the use of the SSL protocol to connect to the PostgreSQL database for the scan service `fuchsiad`
`FUCHSIAD_SOCKET_PORT`	`7075`	TCP port address of the `fuchsiad` scan service
`FUCHSIAD_SOCKET_ADDR`	`fuchsiad`	The address that other containers can use to interact with `fuchsiad`
`FUCHSIAD_CONFIG_DIR`	`/etc/fuchsia`	Directory containing the `fuchsiad` scan service configuration files
`FUCHSIAD_OMIT_JOB_LOGS`	`false`	If the value is `true`, the scan service task logs are not passed to standard output or error streams (they are only saved to S3-compatible storage)
`FUCHSIAD_LOGS_FILE`	Not specified	If set, the scan service logs are duplicated to the specified file
`FUCHSIAD_CREDENTIALS_FILE`	Not specified	If set, the file is used as an addition to the `fuchsiad` scan service configuration. This is necessary to store sensitive information separately from the main configuration directory specified by the environment variable `FUCHSIAD_CONFIG_DIR` (for example, in a read-only directory)
`BACKEND_POSTGRES_SERVER_URL`	`backend-database:5432`	Database server address for the backend in the format `host:port`
`BACKEND_POSTGRES_DB`	`backend`	PostgreSQL database name for the backend
`BACKEND_POSTGRES_USER`	`backend`	PostgreSQL username for the backend
`BACKEND_POSTGRES_PASSWORD`	***	PostgreSQL database password for the backend (used only in the first configuration option)
`BACKEND_POSTGRES_PASSWORD_FILE`	`/tmp/secrets/backend_db_password`	File path (inside the container) of the PostgreSQL database password for the backend (used only in the second configuration option)
`BACKEND_POSTGRES_SSL_MODE`	`disable`	Regulates the use of the SSL protocol to connect to the PostgreSQL database of the backend
`BACKEND_STATE_DIRECTORY`	`/var/lib/fuchsia/backend`	Directory where the state of the server part is stored
`BACKEND_LISTEN_PORT`	`8085`	The TCP port address of the server part
`BACKEND_ADDR`	`backend`	The address that other containers can use to interact with the server part
`BACKEND_LOGS_FILE`	Not specified	If set, the server part logs are duplicated to the specified file
`BACKEND_DATABASE_URI_FILE`	Not specified	If set, the PostgreSQL connection string is read from the file whose path is specified, not from the environment variable
`S3_SERVER_URL`	`http://minio:9000`	S3-compatible storage server address in the `schema://host:port` format
`S3_ROOT_USER`	`fuchsia`	Access key of the `root` user for the S3-compatible storage (used only in the first configuration option)
`S3_ROOT_USER_FILE`	`/tmp/secrets/s3_root_user`	File path (inside the container) of the access key of the `root` user in the S3-compatible storage (used only in the second configuration option)
`S3_ROOT_PASSWORD`	***	Password of the `root` user for the S3-compatible storage (used only in the first configuration option)
`S3_ROOT_PASSWORD_FILE`	`/tmp/secrets/s3_root_password`	File path (inside the container) of the `root` user's password for S3-compatible storage (used only in the second configuration option)
`S3_NO_CHECK_CERT`	`true`	Regulates whether self-signed server certificates are ignored when using SSL/TLS protocols
`INTERACTSH_DOMAIN`	Not specified	Domain of the configured interactsh server. Leave it unfilled to use the internal preconfigured interactsh server
`INTERACTSH_TOKEN`	Not specified	Authentication token of the interactsh server. • If authentication of a personal preconfigured interactsh server is set up, specify its authentication token; • If authentication is not set up or an internal interactsh server is used, leave it unfilled
`CHANNEL`	`stable`	Specifies the deb package repository channel
`TOKEN`	Not specified	Token for accessing the deb package repository
`TZ`	`Europe/Moscow`	Sets the time zone

Important

The following commands are specified for a distribution using the first configuration option. To reuse it with the second option, you have to add the -f docker-compose-with-secrets.yml --env-file secrets.env flags to the docker compose command.

Adding SSL certificates and HTTPS to the Dashboard¶

In the docker-compose.yml configuration file for the dashboard settings block, add the volumes block and specify the mapping for 443 port in the ports block.

dashboard:
  image: repo.solidpoint.net/dashboard:25.17.1
  env_file:
    - .env
  depends_on:
    - backend
  ports:
    - 0.0.0.0:80:8100
    - 0.0.0.0:443:8443
  volumes:
    - ./dashboard/conf.d:/tmp/conf.d:rw
    - ./dashboard/certs:/etc/nginx/certs:ro
  logging:
    driver: journald
  networks:
    - dashboard
    - external

In the directory with the docker-compose.yml configuration file create dashboard/conf.d and dashboard/certs directories.
In the dashboard/certs directory add <cert_name>.crt and <cert_name>.key certificates.

In the dashboard/conf.d directory create https.conf file with the following configuration:

server {
   listen 8443 ssl;
   server_name _;
   ssl_certificate /etc/nginx/certs/<cert_name>.crt;
   ssl_certificate_key /etc/nginx/certs/<cert_name>.key;
   include /usr/share/solidpoint/frontend/nginx.conf;
}

Shutdown¶

To shut down and clean up the volumes (-v flag) run the command:

docker compose down -v

To delete unnamed volumes, run the command:

./remove-unnamed-volumes.sh

`fuchsiactl` exploitation¶

Warning

The fuchsiactl console client is intended for direct access to the fuchsiad scan service.

In the future it will be replaced by a new client solidpoint-cli that accesses the control panel.

The fuchsiactl console client can be used by adding the following alias to run it inside the container:

alias fuchsiactl="docker compose exec fuchsiad fuchsiactl"

After this, the console client can be used, for example, by typing the command:

fuchsiactl help

Mounting files for the scanner¶

The fuchsiad/files/ directory in the root of the distribution is mounted into the fuchsiad container in the /files directory.

Start scanning¶

Using the OpenAPI Specification¶

While in the root directory of the distribution, move the OpenAPI specification files to the fuchsiad/files/ directory, for example:

cp /path/to/spec.json fuchsiad/files/

Next, use fuchsiactl to run a scan, specifying the required files relative to the /files directory, for example:

fuchsiactl scan --url http://example.com --file "openapi-hars-generator:OpenAPISpec@/files/spec.json"

Using a client TLS certificate¶

fuchsiactl scan --url https://example.com --file=@proxy:CERT.crt@/files/somecrt.crt --file=@proxy:CERT.key@/files/somecrt.key

Scan report generator service¶