github.com/tiredofit/docker-gcds

About

This will build a container for Google Cloud Directory Sync. A tool to synchronize user and group data from your local LDAP directory to Google Workspace.

Executes synchronization routines on a scheduled basis
Error detection with customizable notification endpoints
Sends statistics to Zabbix Server

This image needs manual configuration to get started. You will need to manually create the configuration file on another system with the config-manager GCDS GUI before the scheduler will occur. You will also need to import an OAUTH Token into that configuration file that was generated from another machine as of GCDS 5.x versions.

Maintainer

Dave Conroy

About
Maintainer
Table of Contents
Prerequisites and Assumptions
Installation
- Build from Source
- Prebuilt Images
Configuration
Maintenance
- Shell Access
- Manual Synchronization
Contributions
Support
License
References

Prerequisites and Assumptions

You have an active Google Workspace Account with appropriate Administration privileges.

Installation

Build from Source

Clone this repository and build the image with docker build <arguments> (imagename) .

Prebuilt Images

Builds of the image are available on Docker Hub

docker pull docker.io/tiredofit/gcds:(latest)

Configuration

Quick Start

The quickest way to get started is using docker-compose. See the examples folder for a working compose.yml that can be modified for development or production use.
On another machine, you must setup Oauth tokens, as this container cannot set them up for you. You must enter upgrade-config -exportkeys encrypted.key [password] on the source system.
Get the contents of this new file and paste it in OAUTH_TOKEN environment variable or use upgrade-config -importkeys encrypted.key [password] inside the container.
Set MODE environment variables
Set any environment variables to support scheduling or notifications

Persistent Storage

The following directories are used for configuration and can be mapped for persistent storage.

Directory	Description
`/config/`	Map this directory and place your GCDS .xml file here. State information is also stored here for encryption.
`/logs/`	GCDS Log Output Directory

Environment Variables

Base Images used

This image relies on a Debian Linux base image that relies on an init system for added capabilities. Outgoing SMTP capabilities are handlded via msmtp. Individual container performance monitoring is performed by zabbix-agent. Additional tools include: bash,curl,less,logrotate,nano.

Be sure to view the following repositories to understand all the customizable options:

Image	Description
OS Base	Customized Image based on debian Linux

Parameter	Description	Default
`AUTO_UPGRADE_CONFIG`	Automatically upgrade older versions configuration AND import OAUTH_TOKEN	`FALSE`
`CONFIG_PATH`	Configuration Path	`/config/`
`CONFIG_FILE`	The name of your GCDS configuration file (e.g. `config_file.xml`)
`DOMAIN`	The Domain in question that is being synced
`DRY_RUN`	Execute a Dry Run Test `TRUE` / `FALSE`	`TRUE`
`FLUSH_REMOTE_DATA`	Enable Flushing of Data after Sync `TRUE`/`FALSE`	`FALSE`
`MODE`	`STANDALONE` (Do Nothing) `SCHEDULER` (run at scheduled time)	`STANDALONE`
`LOG_LEVEL`	GCDS Error Logging level (e.g. `ERROR`)	`INFO`
`LOG_PATH`	Path where logs are kept	`/logs/`
`LOG_FILE`	Name of Logfile to output	`${DOMAIN}-sync.log`
`OAUTH_TOKEN`	Oauth Token string as recieved from another machine capable of exporting authentication information eg `3FD988...`
`OAUTH_TOKEN_PASS`	If token has been encrypted, enter it here
`SYNC_BEGIN`	What time to do the first sync. Defaults to immediate. Must be in one of two formats	`+0`
	Absolute HHMM, e.g. `2330` or `0415`
	Relative +MM, i.e. how many minutes after starting the container, e.g. `+0` (immediate), `+10` (in 10 minutes), or `+90` in an hour and a half
`SYNC_INTERVAL`	How often to sync, in minutes.	`60`

Notifications

Parameter	Description	Default
`NOTIFICATION_TYPE`	`CUSTOM` `EMAIL` `MATRIX` `MATTERMOST` `ROCKETCHAT` - Seperate Multiple by commas

Custom Notifications

The following is sent to the custom script. Use how you wish:

$1 unix timestamp
$2 logfile
$3 errorcode
$4 subject
$5 body/error message

Parameter	Description	Default
`NOTIFICATION_CUSTOM_SCRIPT`	Path and name of custom script to execute notification.

Email Notifications

Parameter	Description	Default
`MAIL_FROM`	What email address to send mail from for errors
`MAIL_TO`	What email address to send mail to for errors. Send to multiple by seperating with comma.
`SMTP_HOST`	What SMTP server to use for sending mail
`SMTP_PORT`	What SMTP port to use for sending mail

Matrix Notifications

Fetch a MATRIX_ACCESS_TOKEN:

curl -XPOST -d '{"type":"m.login.password", "user":"myuserid", "password":"mypass"}' "https://matrix.org/_matrix/client/r0/login"

Copy the JSON response access_token that will look something like this:

{"access_token":"MDAxO...blahblah","refresh_token":"MDAxO...blahblah","home_server":"matrix.org","user_id":"@myuserid:matrix.org"}

Parameter	Description	Default
`MATRIX_HOST`	URL (https://matrix.example.com) of Matrix Homeserver
`MATRIX_ROOM`	Room ID eg `\!abcdef:example.com` to send to. Send to multiple by seperating with comma.
`MATRIX_ACCESS_TOKEN`	Access token of user authorized to send to room

Mattermost Notifications

Parameter	Description	Default
`MATTERMOST_WEBHOOK_URL`	Full URL to send webhook notifications to
`MATTERMOST_RECIPIENT`	Channel or User to send Webhook notifications to. Send to multiple by seperating with comma.
`MATTERMOST_USERNAME`	Username to send as eg `GCDS`

Rocketchat Notifications

Parameter	Description	Default
`ROCKETCHAT_WEBHOOK_URL`	Full URL to send webhook notifications to
`ROCKETCHAT_RECIPIENT`	Channel or User to send Webhook notifications to. Send to multiple by seperating with comma.
`ROCKETCHAT_USERNAME`	Username to send as eg `GCDS`

Maintenance

Shell Access

For debugging and maintenance purposes you may want access the containers shell.

docker exec -it (whatever your container name) bash

Manual Synchronization

Visit the inside of the container and execute sync-now

Contributions

Welcomed. Please fork the repository and submit a pull request for any bug fixes, features or additions you propose to be included in the image. If it does not impact my intended usage case, it will be merged into the tree, tagged as a release and credit to the contributor in the CHANGELOG.

Support

These images were built to serve a specific need in a production environment and gradually have had more functionality added based on requests from the community.

Usage

The Discussions board is a great place for working with the community on tips and tricks of using this image.
Sponsor me for personalized support.

Bugfixes

Please, submit a Bug Report if something isn't working as expected. I'll do my best to issue a fix in short order.

Feature Requests

Feel free to submit a feature request, however there is no guarantee that it will be added, or at what timeline.
Sponsor me regarding development of features.

Updates

Best effort to track upstream changes, More priority if I am actively using the image in a production environment.
Sponsor me for up to date releases.

License

MIT. See LICENSE for more details.

References

https://support.google.com/a/answer/106368?hl=en&ref_topic=4497998

run from random container name

I'm trying to do something similar to what you've done, but I'm shooting for a more ephemeral runtime. OpenShift. I've made changes to update the password in the XML based on your script, but during testing I'm running into:

bash-4.2$ $APP_DIR/GoogleCloudDirSync/upgrade-config -testldap -c "$GCDS_SYNC_CONFIG"
[2017-10-11 00:25:29,239] [main] [WARN] [usersyncapp.cli.UpgradeConfig] Upgrading configuration file "/opt/app-root/etc/test_config.xml" to most recent version (will save a backup).
com.google.usersyncapp.plugin.InvalidPluginConfigurationException: Please update the LDAP password in the Configuration Manager and save the configuration file.


It is possible that this configuration file was created on a different system, so encrypted information stored in it can't be decrypted. Please use the Configuration Manager to update your details in the 'LDAP Configuration' section. Use the 'Test Connection' button to ensure that connection settings is set up correctly. For more information, visit http://support.google.com/a/bin/answer.py?hl=en&answer=3075991.

ExceptionDetails : [authCredentialsEncrypted] contains an invalid encrypted value
        at com.google.usersyncapp.plugin.ldap.LdapConfigLoader.loadFromElement(LdapConfigLoader.java:718)
        at com.google.usersyncapp.plugin.ldap.LdapConfigLoader.load(LdapConfigLoader.java:74)
        at com.google.usersyncapp.plugin.ldap.LDAPPlugin.setConfiguration(LDAPPlugin.java:288)
        at com.google.usersyncapp.sync.PluginFactory.initializePlugin(PluginFactory.java:105)
        at com.google.usersyncapp.sync.PluginFactory.initializeFromPluginConfigList(PluginFactory.java:131)
        at com.google.usersyncapp.sync.PluginFactory.initializePluginsIntoGroup(PluginFactory.java:161)
        at com.google.usersyncapp.cli.UpgradeConfig.upgrade(UpgradeConfig.java:134)
        at com.google.usersyncapp.cli.UpgradeConfig.main(UpgradeConfig.java:199)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.exe4j.runtime.LauncherEngine.launch(LauncherEngine.java:65)
        at com.install4j.runtime.launcher.UnixLauncher.main(UnixLauncher.java:57)

Do you know if other fields beyond the authCredentialsEncrypted need to be replaced when moving to another machine?

tiredofit / docker-gcds Goto Github PK

docker-gcds's Introduction