[FEAT] Docker support for Trust0 artifact image builds (#82)

* FEAT: Docker build file support (for tools, client, gateway)

* TASK: [example] New example using Docker containers

* TASK: [doc] Update docs for Docker support

* TASK: [cmn][cli][gw] Update Rust dependencies

README.md

@@ -18,18 +18,17 @@
 
 Trust0 is a [Zero Trust](https://en.wikipedia.org/wiki/Zero_trust_security_model) security framework, whose implementation is fashioned as a [Software Defined Perimeter](https://en.wikipedia.org/wiki/Software-defined_perimeter) service gateway. The gateway ensures that users may only access services, which were authorized for their account.
 
-This is early alpha, use with care.
+This is prerelease code, use with care.
 
 ### To-Do
 
-* Add Windows UDP support. Tested: macOS (Big Sur); Fedora 39, Windows 11 (TCP only)
-* Incorporate device posture trust assessment and rules processor for security enforcement
+* Add Windows UDP support. Tested: macOS - Big Sur (TCP/UDP); Linux Fedora 39 (TCP/UDP, Windows 11 (TCP)
+* Brainstorm solution for device posture trust assessment and rules processor for security enforcement
 * Build (more) testing: integration, performance, ...
 * Strategize non-name resolution (DNS/hosts file/...) approach to handle client hostname verification for TLS-type service connections
 * Consider gateway-to-gateway service proxy routing (reasons of proximity, security, ...)
 * Consider gateway load-balancing, via client redirect (reasons of load, rollout deployment, ...)
 * Accommodate integration to well-known identity provider (IdP) systems/protocols for user authentication and 2FA purposes
-* Create (K8S, Docker, ...) container resource files
 
 ### Change History
 
@@ -46,11 +45,11 @@ Refer to the following for more information:
 
 ### Contributions
 
-We welcome and appreciate questions, bug issues, ideas and the like. However code contributions are currently closed until after the first non-alpha release.
+We welcome and appreciate questions, bug issues, ideas and the like. However, code contributions are currently closed until after the first non-alpha/beta release.
 
 ### License
 
-Copyright 2023 the Trust0 Authors. All rights reserved.
+Copyright 2024 the Trust0 Authors. All rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 these files except in compliance with the License. You may obtain a copy of the

docs/Architecture.md

@@ -210,7 +210,7 @@ The database is used to enforce user access to Trust0 and the respective service
 
 The repository is exposed as an abstract trait, so additional DB implementations may be developed.
 
-Currently, there are two supported DB implementations:
+Currently, there are 3 supported DB implementations:
 
 | DB Type     | Description                                                                                                                                                                 |
 |-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|

docs/Examples.md

@@ -81,6 +81,8 @@ In the `example` directory, you can run an example, which lets clients access a
 
 To run this example, execute the `run-chat-tcp-example.sh` script. You will be asked for free ports to be used for the client, gateway and the chat service (script uses these ports to update the chat service DB record and also now knows how to run the gateway).
 
+Note - An analogous example script (`run-chat-tcp-docker-example.sh`) is available, which uses the project's Docker files to use the Trust0 gateway, client and tools in a containerized environment.
+
 ```
 [example] $ ./run-chat-tcp-example.sh
 If example requires secondary authentication credentials, please use "user1", "pass1"

docs/Invocation.md

@@ -8,6 +8,10 @@
 
 ## Trust0 Invocation
 
+Below is a breakdown of the invocation details for the client and gateway binaries. These applications may be built and executed for a desired target architecture.
+
+Additionally, Docker files are available (in the `resources/docker` directory) to build and execute the binaries in a Docker container. Refer to [Chat TCP](./Examples.md#example---chat-tcp-service) for an example of how the binaries can be used in a containerized environment.
+
 -----------------
 
 ### Trust0 Gateway

example/Makefile

@@ -7,14 +7,18 @@ EXAMPLE_BUILD_DIR=${EXAMPLE_DIR}/target
 EXAMPLE_CONFIG_FILE=${EXAMPLE_BUILD_DIR}/example.conf
 PROJECT_DIR=${EXAMPLE_DIR}/..
 PROJECT_RESOURCES_DIR=${PROJECT_DIR}/resources
+PROJECT_BINARIES_BUILD_DIR=${PROJECT_DIR}/target/debug
 
 CARGO_CMD=cargo
+DOCKER_CMD=docker
+DOCKER_COMPOSE_CMD=docker-compose
 TRUST0_ADMIN_CMD=${PROJECT_RESOURCES_DIR}/trust0-admin.sh
 
 CA_ENABLED=false
 
 PKI_PROVIDER_OPENSSL=openssl
 PKI_PROVIDER_TRUST0=trust0
+PKI_PROVIDER_DOCKER_TRUST0=docker-trust0
 PKI_PROVIDER_DEFAULT=${PKI_PROVIDER_TRUST0}
 
 ifeq ($(CA_ENABLED),false)
@@ -72,7 +76,7 @@ TRUST0_GATEWAY__PKI_HOST_IP2=127.1.0.3
 TRUST0_GATEWAY__PKI_CERT_FILE=${EXAMPLE_BUILD_DIR}/${TRUST0_GATEWAY__PKI_NAME}.crt.pem
 TRUST0_GATEWAY__PKI_KEY_FILE=${EXAMPLE_BUILD_DIR}/${TRUST0_GATEWAY__PKI_NAME}.key.pem
 TRUST0_GATEWAY__BINARY_NAME=trust0-gateway
-TRUST0_GATEWAY__BINARY_FILE=${PROJECT_DIR}/target/debug/${TRUST0_GATEWAY__BINARY_NAME}
+TRUST0_GATEWAY__BINARY_FILE=${PROJECT_BINARIES_BUILD_DIR}/${TRUST0_GATEWAY__BINARY_NAME}
 TRUST0_GATEWAY__HOST=localhost
 TRUST0_GATEWAY__BIND_HOST=[::1]
 TRUST0_GATEWAY__SERVICE_HOST=${TRUST0_GATEWAY__HOST}
@@ -103,17 +107,22 @@ [email protected]
 TRUST0_CLIENT__PKI_CERT_FILE=${EXAMPLE_BUILD_DIR}/${TRUST0_CLIENT__PKI_NAME}.crt.pem
 TRUST0_CLIENT__PKI_KEY_FILE=${EXAMPLE_BUILD_DIR}/${TRUST0_CLIENT__PKI_NAME}.key.pem
 TRUST0_CLIENT__BINARY_NAME=trust0-client
-TRUST0_CLIENT__BINARY_FILE=${PROJECT_DIR}/target/debug/${TRUST0_CLIENT__BINARY_NAME}
+TRUST0_CLIENT__BINARY_FILE=${PROJECT_BINARIES_BUILD_DIR}/${TRUST0_CLIENT__BINARY_NAME}
 TRUST0_CLIENT__BIND_HOST=127.0.0.1
 
+# Params - Docker-related
+
+TRUST0_CLIENT__DOCKER_CMD=${DOCKER_CMD} run --name trust0-client-example -it --rm --network host -v ${EXAMPLE_BUILD_DIR}:${EXAMPLE_BUILD_DIR} trust0-client:latest
+TRUST0_GATEWAY__DOCKER_CMD=${DOCKER_CMD} run --name trust0-gateway-example -it --rm --network host -v ${EXAMPLE_BUILD_DIR}:${EXAMPLE_BUILD_DIR} trust0-gateway:latest
+
 # Params - CRL
 
 CRLSUPPORT__PKI_GATEWAY_CONFIGURED_FILE=${EXAMPLE_BUILD_DIR}/revoked.crl.pem
 CRLSUPPORT__PKI_REVOKE_CLIENT_FILE=${EXAMPLE_BUILD_DIR}/revoked-${TRUST0_CLIENT__PKI_NAME}.crl.pem
 
 # Targets
 
-.PHONY: default clean-all trust0-common root-ca-pki generate-root-ca-pki-resources gateway-server-pki generate-gateway-pki-resources client-pki generate-client-pki-resources trust0-gateway trust0-client run-trust0-gateway run-trust0-client run-trust0-gateway-nodeps run-trust0-client-nodeps setup-crl-files
+.PHONY: default clean-all trust0-common root-ca-pki generate-root-ca-pki-resources gateway-server-pki generate-gateway-pki-resources client-pki generate-client-pki-resources trust0-gateway trust0-gateway-image trust0-client trust0-client-image run-trust0-gateway run-trust0-client run-trust0-gateway-nodeps run-trust0-gateway-image-nodeps run-trust0-client-nodeps run-trust0-client-image-nodeps setup-crl-files
 
 default:
 
@@ -141,6 +150,8 @@ trust0-common:
 
 ifeq ($(PKI_PROVIDER),$(PKI_PROVIDER_OPENSSL))
   include ${EXAMPLE_DIR}/pki-provider-openssl.mk
+else ifeq ($(PKI_PROVIDER),$(PKI_PROVIDER_DOCKER_TRUST0))
+  include ${EXAMPLE_DIR}/pki-provider-docker-trust0.mk
 else
   include ${EXAMPLE_DIR}/pki-provider-trust0.mk
 endif
@@ -156,18 +167,27 @@ gateway-server-pki: generate-gateway-pki-resources
 trust0-gateway: trust0-common
 	${CARGO_CMD} build --color=always --bin trust0-gateway --manifest-path ${PROJECT_DIR}/crates/gateway/Cargo.toml ${CARGOBUILD_GATEWAY_ARGS} ${CARGOBUILD_EXTRA_ARGS}
 
+trust0-gateway-image:
+	${DOCKER_COMPOSE_CMD} -f ${PROJECT_RESOURCES_DIR}/docker/docker-compose-build.yml build trust0-gateway
+
 ifeq ($(CA_ENABLED),false)
 run-trust0-gateway: trust0-gateway
 	${TRUST0_GATEWAY__BINARY_FILE} --host ${TRUST0_GATEWAY__BIND_HOST} --port ${TRUST0_GATEWAY__PORT} --cert-file ${TRUST0_GATEWAY__PKI_CERT_FILE} --key-file ${TRUST0_GATEWAY__PKI_KEY_FILE} --auth-cert-file ${ROOT_CA__PKI_CERT_FILE} --gateway-service-host ${TRUST0_GATEWAY__SERVICE_HOST} ${EXECBIN_EXTRA_ARGS} --datasource ${TRUST0_GATEWAY__DATASOURCE} --db-connect ${TRUST0_GATEWAY__DB_CONNECT}
 
 run-trust0-gateway-nodeps:
 	${TRUST0_GATEWAY__BINARY_FILE} --host ${TRUST0_GATEWAY__BIND_HOST} --port ${TRUST0_GATEWAY__PORT} --cert-file ${TRUST0_GATEWAY__PKI_CERT_FILE} --key-file ${TRUST0_GATEWAY__PKI_KEY_FILE} --auth-cert-file ${ROOT_CA__PKI_CERT_FILE} --gateway-service-host ${TRUST0_GATEWAY__SERVICE_HOST} ${EXECBIN_EXTRA_ARGS} --datasource ${TRUST0_GATEWAY__DATASOURCE} --db-connect ${TRUST0_GATEWAY__DB_CONNECT}
+
+run-trust0-gateway-image-nodeps:
+	${TRUST0_GATEWAY__DOCKER_CMD} --host ${TRUST0_GATEWAY__BIND_HOST} --port ${TRUST0_GATEWAY__PORT} --cert-file ${TRUST0_GATEWAY__PKI_CERT_FILE} --key-file ${TRUST0_GATEWAY__PKI_KEY_FILE} --auth-cert-file ${ROOT_CA__PKI_CERT_FILE} --gateway-service-host ${TRUST0_GATEWAY__SERVICE_HOST} ${EXECBIN_EXTRA_ARGS} --datasource ${TRUST0_GATEWAY__DATASOURCE} --db-connect ${TRUST0_GATEWAY__DB_CONNECT}
 else
 run-trust0-gateway: trust0-gateway
 	${TRUST0_GATEWAY__BINARY_FILE} --host ${TRUST0_GATEWAY__BIND_HOST} --port ${TRUST0_GATEWAY__PORT} --cert-file ${TRUST0_GATEWAY__PKI_CERT_FILE} --key-file ${TRUST0_GATEWAY__PKI_KEY_FILE} --auth-cert-file ${ROOT_CA__PKI_CERT_FILE} --auth-key-file ${ROOT_CA__PKI_KEY_FILE} --gateway-service-host ${TRUST0_GATEWAY__SERVICE_HOST} ${EXECBIN_EXTRA_ARGS} --datasource ${TRUST0_GATEWAY__DATASOURCE} --db-connect ${TRUST0_GATEWAY__DB_CONNECT} --mfa-scheme scram-sha256 --ca-enabled --ca-key-algorithm ${TRUST0_KEYALG_TYPE} --ca-validity-period-days ${TRUST0_GATEWAY__CA_VALIDITY_PERIOD_DAYS} --ca-reissuance-threshold-days ${TRUST0_GATEWAY__CA_REISSUANCE_THRESHOLD_DAYS}
 
 run-trust0-gateway-nodeps:
 	${TRUST0_GATEWAY__BINARY_FILE} --host ${TRUST0_GATEWAY__BIND_HOST} --port ${TRUST0_GATEWAY__PORT} --cert-file ${TRUST0_GATEWAY__PKI_CERT_FILE} --key-file ${TRUST0_GATEWAY__PKI_KEY_FILE} --auth-cert-file ${ROOT_CA__PKI_CERT_FILE} --auth-key-file ${ROOT_CA__PKI_KEY_FILE} --gateway-service-host ${TRUST0_GATEWAY__SERVICE_HOST} ${EXECBIN_EXTRA_ARGS} --datasource ${TRUST0_GATEWAY__DATASOURCE} --db-connect ${TRUST0_GATEWAY__DB_CONNECT} --mfa-scheme scram-sha256 --ca-enabled --ca-key-algorithm ${TRUST0_KEYALG_TYPE} --ca-validity-period-days ${TRUST0_GATEWAY__CA_VALIDITY_PERIOD_DAYS} --ca-reissuance-threshold-days ${TRUST0_GATEWAY__CA_REISSUANCE_THRESHOLD_DAYS}
+
+run-trust0-gateway-image-nodeps:
+	${TRUST0_GATEWAY__DOCKER_CMD} --host ${TRUST0_GATEWAY__BIND_HOST} --port ${TRUST0_GATEWAY__PORT} --cert-file ${TRUST0_GATEWAY__PKI_CERT_FILE} --key-file ${TRUST0_GATEWAY__PKI_KEY_FILE} --auth-cert-file ${ROOT_CA__PKI_CERT_FILE} --auth-key-file ${ROOT_CA__PKI_KEY_FILE} --gateway-service-host ${TRUST0_GATEWAY__SERVICE_HOST} ${EXECBIN_EXTRA_ARGS} --datasource ${TRUST0_GATEWAY__DATASOURCE} --db-connect ${TRUST0_GATEWAY__DB_CONNECT} --mfa-scheme scram-sha256 --ca-enabled --ca-key-algorithm ${TRUST0_KEYALG_TYPE} --ca-validity-period-days ${TRUST0_GATEWAY__CA_VALIDITY_PERIOD_DAYS} --ca-reissuance-threshold-days ${TRUST0_GATEWAY__CA_REISSUANCE_THRESHOLD_DAYS}
 endif
 
 # Targets - Trust Client
@@ -177,8 +197,14 @@ client-pki: generate-client-pki-resources
 trust0-client: trust0-common
 	${CARGO_CMD} build --color=always --bin trust0-client --manifest-path ${PROJECT_DIR}/crates/client/Cargo.toml ${CARGOBUILD_EXTRA_ARGS}
 
+trust0-client-image:
+	${DOCKER_COMPOSE_CMD} -f ${PROJECT_RESOURCES_DIR}/docker/docker-compose-build.yml build trust0-client
+
 run-trust0-client: trust0-client
 	${TRUST0_CLIENT__BINARY_FILE} --host ${TRUST0_CLIENT__BIND_HOST} --gateway-host ${TRUST0_GATEWAY__HOST} --gateway-port ${TRUST0_GATEWAY__PORT} --auth-key-file ${TRUST0_CLIENT__PKI_KEY_FILE} --auth-cert-file ${TRUST0_CLIENT__PKI_CERT_FILE} --ca-root-cert-file ${ROOT_CA__PKI_CERT_FILE} ${EXECBIN_EXTRA_ARGS}
 
 run-trust0-client-nodeps:
 	${TRUST0_CLIENT__BINARY_FILE} --host ${TRUST0_CLIENT__BIND_HOST} --gateway-host ${TRUST0_GATEWAY__HOST} --gateway-port ${TRUST0_GATEWAY__PORT} --auth-key-file ${TRUST0_CLIENT__PKI_KEY_FILE} --auth-cert-file ${TRUST0_CLIENT__PKI_CERT_FILE} --ca-root-cert-file ${ROOT_CA__PKI_CERT_FILE} ${EXECBIN_EXTRA_ARGS}
+
+run-trust0-client-image-nodeps:
+	${TRUST0_CLIENT__DOCKER_CMD} --host ${TRUST0_CLIENT__BIND_HOST} --gateway-host ${TRUST0_GATEWAY__HOST} --gateway-port ${TRUST0_GATEWAY__PORT} --auth-key-file ${TRUST0_CLIENT__PKI_KEY_FILE} --auth-cert-file ${TRUST0_CLIENT__PKI_CERT_FILE} --ca-root-cert-file ${ROOT_CA__PKI_CERT_FILE} ${EXECBIN_EXTRA_ARGS}

example/pki-provider-docker-trust0.mk

@@ -0,0 +1,46 @@
+TRUST0_PKI_MANAGER__DOCKER_CMD=${DOCKER_CMD} run --rm -v ${EXAMPLE_BUILD_DIR}:${EXAMPLE_BUILD_DIR} trust0-tools:latest /app/trust0-pki-manager
+
+# Params - CRL
+
+CRLSUPPORT__PKI_CRL_NUMBER=0100
+CRLSUPPORT__PKI_UPDATE_DATETIME=2024-01-01T00:00:00Z
+CRLSUPPORT__PKI_NEXT_UPDATE_DATETIME=2050-01-01T00:00:00Z
+CRLSUPPORT__PKI_CERT_REVOCATION_DATETIME=${CRLSUPPORT__PKI_UPDATE_DATETIME}
+CRLSUPPORT__PKI_CERT_REVOCATION_REASON=key-compromise
+CRLSUPPORT__PKI_CERT_REVOCATION_SERIAL_NUMS=${TRUST0_CLIENT__PKI_SERIAL_NUM}
+
+# Params - Key Algorithm
+
+TRUST0_KEYALG_TYPE=ecdsa-p256
+#TRUST0_KEYALG_TYPE=ecdsa-p384
+#TRUST0_KEYALG_TYPE=ed25519
+
+# PKI Provider Targets - ROOT CA
+
+generate-root-ca-pki-resources: ${EXAMPLE_CONFIG_FILE}
+	@echo "Creating root CA PKI resources"
+	${TRUST0_PKI_MANAGER__DOCKER_CMD} root-ca-pki-creator --cert-file ${ROOT_CA__PKI_CERT_FILE} --key-file ${ROOT_CA__PKI_KEY_FILE} --key-algorithm ${TRUST0_KEYALG_TYPE} --validity-not-after ${ROOT_CA__PKI_VALID_NOT_AFTER} --subject-common-name ${ROOT_CA__PKI_SUBJ_COMMONNAME} --subject-organization ${ROOT_CA__PKI_SUBJ_COMPANY} --subject-country ${ROOT_CA__PKI_SUBJ_COUNTRY}
+	@echo ""
+
+# PKI Provider Targets - Trust Gateway
+
+generate-gateway-pki-resources: ${EXAMPLE_CONFIG_FILE}
+	@echo "Creating gateway PKI resources"
+	${TRUST0_PKI_MANAGER__DOCKER_CMD} gateway-pki-creator --cert-file ${TRUST0_GATEWAY__PKI_CERT_FILE} --key-file ${TRUST0_GATEWAY__PKI_KEY_FILE} --rootca-cert-file ${ROOT_CA__PKI_CERT_FILE} --rootca-key-file ${ROOT_CA__PKI_KEY_FILE} --key-algorithm ${TRUST0_KEYALG_TYPE} --serial-number ${TRUST0_GATEWAY__PKI_SERIAL_NUM} --validity-not-after ${TRUST0_GATEWAY__PKI_VALID_NOT_AFTER} --subject-common-name ${TRUST0_GATEWAY__PKI_SUBJ_COMMONNAME} --subject-organization ${TRUST0_GATEWAY__PKI_SUBJ_COMPANY} --subject-country ${TRUST0_GATEWAY__PKI_SUBJ_COUNTRY} --san-dns-names ${TRUST0_GATEWAY__PKI_HOST_DNS1},${TRUST0_GATEWAY__PKI_HOST_DNS2}
+	@echo ""
+
+# PKI Provider Targets - Trust Client
+
+generate-client-pki-resources: ${EXAMPLE_CONFIG_FILE}
+	@echo "Creating client PKI resources"
+	${TRUST0_PKI_MANAGER__DOCKER_CMD} client-pki-creator --cert-file ${TRUST0_CLIENT__PKI_CERT_FILE} --key-file ${TRUST0_CLIENT__PKI_KEY_FILE} --rootca-cert-file ${ROOT_CA__PKI_CERT_FILE} --rootca-key-file ${ROOT_CA__PKI_KEY_FILE} --key-algorithm ${TRUST0_KEYALG_TYPE} --serial-number ${TRUST0_CLIENT__PKI_SERIAL_NUM} --validity-not-after ${TRUST0_CLIENT__PKI_VALID_NOT_AFTER} --auth-user-id ${TRUST0_CLIENT__PKI_SUBJ_USERID} --auth-platform ${TRUST0_CLIENT__PKI_SUBJ_PLATFORM} --subject-common-name ${TRUST0_CLIENT__PKI_SUBJ_COMMONNAME} --subject-organization ${TRUST0_CLIENT__PKI_SUBJ_COMPANY} --subject-country ${TRUST0_CLIENT__PKI_SUBJ_COUNTRY}
+	@echo ""
+
+# PKI Provider Targets - CRL
+
+setup-crl-files:
+	@echo "Creating certificate revocation list file"
+	@rm -f ${CRLSUPPORT__PKI_REVOKE_CLIENT_FILE}
+	@touch ${CRLSUPPORT__PKI_GATEWAY_CONFIGURED_FILE}
+	${TRUST0_PKI_MANAGER__DOCKER_CMD} cert-revocation-list-creator --file ${CRLSUPPORT__PKI_REVOKE_CLIENT_FILE} --rootca-cert-file ${ROOT_CA__PKI_CERT_FILE} --rootca-key-file ${ROOT_CA__PKI_KEY_FILE} --key-algorithm ${TRUST0_KEYALG_TYPE} --crl-number ${CRLSUPPORT__PKI_CRL_NUMBER} --update-datetime ${CRLSUPPORT__PKI_UPDATE_DATETIME} --next-update-datetime ${CRLSUPPORT__PKI_NEXT_UPDATE_DATETIME} --signature-algorithm ${TRUST0_KEYALG_TYPE} --cert-revocation-datetime ${CRLSUPPORT__PKI_CERT_REVOCATION_DATETIME} --cert-revocation-reason ${CRLSUPPORT__PKI_CERT_REVOCATION_REASON} --cert-revocation-serial-nums ${CRLSUPPORT__PKI_CERT_REVOCATION_SERIAL_NUMS}
+	@echo ""

example/run-chat-tcp-docker-example.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+EXAMPLE_DIR=$(dirname "$0")
+
+# Build binaries/images/pki/config/db/...
+
+source "${EXAMPLE_DIR}"/run-configure.sh
+
+GMAKE_CMD="${GMAKE_CMD} PKI_PROVIDER=docker-trust0"
+
+${GMAKE_CMD} clean-all
+${GMAKE_CMD} trust0-gateway-image
+${GMAKE_CMD} trust0-client-image
+${GMAKE_CMD} root-ca-pki
+${GMAKE_CMD} gateway-server-pki
+${GMAKE_CMD} client-pki
+
+# Run example in tmux session
+
+ARG1=${1:-}
+if [ "$ARG1" == "verbose" ]; then
+  #GATEWAY_BIN_ARGS="--verbose --no-mask-addrs --mfa-scheme scram-sha256"
+  GATEWAY_BIN_ARGS="--verbose --no-mask-addrs"
+  #CLIENT_BIN_ARGS="--script-file '${EXAMPLE_DIR}/cmdscript-chat-tcp.txt' --verbose"
+  CLIENT_BIN_ARGS="--verbose"
+else
+  #GATEWAY_BIN_ARGS="--no-mask-addrs --mfa-scheme scram-sha256"
+  GATEWAY_BIN_ARGS="--no-mask-addrs"
+  #CLIENT_BIN_ARGS="--script-file '${EXAMPLE_DIR}/cmdscript-chat-tcp.txt'"
+  CLIENT_BIN_ARGS=""
+fi
+
+source "${EXAMPLE_DIR}"/target/example.conf
+
+PS1='$ ' "${TMUX_CMD}" new-session -s trust0-chat-tcp-docker-example \; \
+  set -g mouse on \; \
+  send-keys '(clear && read -p "Step 1: Hit <Enter> to run chat server (or prior to executing chat client)" && "'"${NCAT_CMD}"'" -v -k -l -p '"${CHAT_SERVICE__PORT}"' --chat)' C-m \; \
+  split-window -v -l 83% \; \
+  send-keys '(clear && read -p "Step 2: Hit <Enter> to run trust0 gateway" && '"${GMAKE_CMD}"' run-trust0-gateway-image-nodeps EXECBIN_EXTRA_ARGS="'"${GATEWAY_BIN_ARGS}"'")' C-m \; \
+  split-window -v -l 67% \; \
+  send-keys '(clear && echo "Step 3.1: Hit <Enter> to run trust0 client (after gateway is up)" && read -p "Step 3.2: Enter \"start -s chat-tcp -p '"${CHAT_PROXY__PORT}"'\" (to start service proxy)" && '"${GMAKE_CMD}"' run-trust0-client-image-nodeps EXECBIN_EXTRA_ARGS="'"${CLIENT_BIN_ARGS}"'")' C-m \; \
+  split-window -v -l 50% \; \
+  send-keys '(clear && read -p "Step 4: Hit <Enter> to run 1st chat client (after service proxy has started)" && "'"${NCAT_CMD}"'" -v 127.0.0.1 '"${CHAT_PROXY__PORT}"')' C-m \; \
+  split-window -h -l 50% \; \
+  send-keys '(clear && echo "Step 5.1: Hit <Enter> to run 2nd chat client (after service proxy has started)" && read -p "Step 5.2: Enter chat messages between chat clients" && "'"${NCAT_CMD}"'" -v 127.0.0.1 '"${CHAT_PROXY__PORT}"')' C-m \; \
+  select-pane -t 0 \; \
+  split-window -h -l 25% \; \
+  send-keys '(clear && read -p "Step Last: Hit <Enter> to shutdown example" && (echo "Stopping containers..."; "'"${DOCKER_CMD}"'" stop trust0-client-example trust0-gateway-example; "'"${TMUX_CMD}"'" kill-session -t trust0-chat-tcp-docker-example))' C-m \; \
+  select-pane -t 0 \;