Deploying PO Box on a Linux VM

Overview

Zilla PO Box is a container that simplifies integration with on-prem applications by extending into customer environments and making outbound API calls to push user and account information to Zilla. The shell script pobox_main.sh is used to manage and deploy containers for PO Box using either Podman or Docker.

This article is designed as a playbook for completing prerequisite activities, configuring and deploying the PO Box container, and setting up a cron job to restart the container with the latest released image on a daily basis.

This article covers the following topics:

Prerequisites

Machine Specs

• 2vCPU

• 4GB RAM

• 25GB Disk

Libraries

• Either Podman or Docker is installed to run the container

  • Get started and install Podman

  • Get started and install Docker

    • If necessary, refer to this post for additional guidance on setting up Docker

• jq is installed to parse the JSON response

  • Install jq on multiple OS

• curl is installed to make the necessary API calls

  • Install curl on multiple OS

  • How to perform basic actions with curl

PO Box Directory

• PO Box directory structure has been created identical to the structure below

• The Zilla_API_Key file has been saved under the pobox-config directory for authenticating and managing deployments

  • To get the value for Zilla_API_Key via a secure credentials link, please reach out to the Zilla Customer Success Team

Whitelist URLs

Customers may need to whitelist certain URLs to successfully deploy PO Box. This list includes but is not limited to:

• Zilla Application URL

  • http://app.zillasecurity.com/

• US East Service endpoints and Docker endpoints

  • ecr.us-east-1.amazonaws.com

  • dkr.ecr-fips.us-east-1.amazonaws.com

  • api.ecr.us-east-1.amazonaws.com

  • ecr-fips.us-east-1.amazonaws.com

  • ecr.us-east-2.amazonaws.com

  • ecr-fips.us-east-2.amazonaws.com

  • api.ecr.us-east-2.amazonaws.com

  • dkr.ecr-fips.us-east-2.amazonaws.com

  • http://508384223771.dkr.ecr.us-east-1.amazonaws.com/

Configuring and Deploying PO Box

Configuring pobox_main.sh

1. Download the tar file on the target VM.

2. Before running the script, edit the pobox_main.sh script and set the values for the variables listed below.

• ZILLA_URL: This is the host URL of the Zilla server based on your tenant; Zilla has different host URLs for different tenants including:

  • https://app.zillasecurity.com

  • https://app2.zillasecurity.com

  • https://anz.zillasecurity.com

  • https://eu.zillasecurity.com

  • https://uk.zillasecurity.com

• TENANT_DOMAIN: This is the domain of your tenant. To find your tenant domain, click Settings in the Zilla app and find the Your Domains section. Your tenant domain is the first domain listed under that section.

• POBOX_BASEDIR: This is the absolute path to the pobox directory, as outlined in the PO Box Directory section above.

• CONTAINER_TOOL: This is the container tool used (either Podman or Docker).

2. Modify the pobox_main.sh file and modify the ZILLA_URL, TENANT_DOMAIN, POBOX_BASEDIR, and CONTAINER_TOOL variables according to your environment.

Deploying PO Box

1. Run the command below to extract the pobox-deployment.tar file.

3. Open the pobox-deployment directory. You will see the pobox_main.sh, pobox_pull_image.sh, and pobox_launch.sh shell script files.

4. Run the command below to deploy the PO Box container.

After running the pobox_main.sh script, an output similar to the below example will display. You will be prompted to indicate whether you want to proceed by entering either yes or no.

5. After confirming the configured values are correct, proceed by entering yes. If the values are incorrect, enter no and refer to the Configuring pobox_main.sh section above for instructions to update the values as needed.

6. Once the PO Box deployment is complete, run one of the two commands below based on whether Podman or Docker was used to validate that it was deployed correctly.

For Podman installs, run the command below at the Linux $ prompt.

For Docker installs, run the command below at the Linux $ prompt.

If successful, the output will look similar to the below and and will show a running container with a name similar to 508384223771.dkr.ecr.us-east-1.amazonaws.com/zinc:latest.

Scheduling a cron Job

The next step is to set the POBox deployment as a daily cron job, which is required to restart the container with the latest released image that will be pulled-down from the container registry at http://508384223771.dkr.ecr.us-east-1.amazonaws.com/.

Once the cron job has been set, the shell script pobox_main.sh will initialize the config variable and execute two tasks daily:

• pobox_pull_image.sh to pull the latest PO Box image

• pobox_launch.sh to run/restart the PO Box container

1. Run the command below to open the crontab. If you are prompted to select a crontab editor, enter nano.

2. In the crontab editor, run the command below replacing the /absolute/directory/path/of/pobox-deployment directory path with correct value.

In the example below, the script will be executed daily at 01:00 AM UTC.

Troubleshooting

Access Denied Error for Zilla_API_Key

In order to run the PO Box container, the user inside the container needs to be able to access the Zilla_API_Key file. If the owner of the mounted directory is not the same as the container’s user, the container exits with an access denied error for the Zilla_API_Key file.

Docker Solution

When working with Docker the User-Namespace-Mapping is disabled by default. The UID-GID (user ID and group ID) of the user inside the container and the UID-GID of the owner of the PO Box directory on the host machine must be the same.

Rootless Podman Solution

When working with Rootless Podman the User-Namespace-Mapping is strictly enabled. The owner on the PO Box directory must be updated to the mapped user inside the container.

SELinux Flag Solution

• Z: SELinux policies can restrict access based on labels, so the Z flag helps to apply the correct label automatically to prevent access denials or potential security risks.

• U: The U flag ensures that when a volume is mounted between the host and a container, the user and group IDs (UIDs and GIDs) inside the container are properly mapped to the corresponding UIDs and GIDs on the host system.