Documentation ¶
Overview ¶
Package dockerexec provides ContainerExecConfig.
Index ¶
- Variables
- func FindContainerKeys(cli client.APIClient, container types.Container, options SSHAuthOptions) (keys []ssh.PublicKey)
- func FindUniqueContainer(cli client.APIClient, key string, value string) (container types.Container, err error)
- type ContainerExecConfig
- func (cfg *ContainerExecConfig) Handle(logger logging.Logger, session ssh.Session) (proxyssh.Process, error)
- func (cfg *ContainerExecConfig) RegisterFlags(flagset *flag.FlagSet)
- type ContainerExecProcess
- func NewContainerExecProcess(client client.APIClient, containerID string, command []string) *ContainerExecProcess
- func (cep *ContainerExecProcess) Cleanup() (killed bool)
- func (cep *ContainerExecProcess) Init(ctx context.Context, detector logging.MemoryLeakDetector, isTerm bool) error
- func (cep *ContainerExecProcess) Start(detector logging.MemoryLeakDetector, Term string, ...) (*os.File, error)
- func (cep *ContainerExecProcess) String() string
- func (cep *ContainerExecProcess) Wait(detector logging.MemoryLeakDetector) (code int, err error)
- type SSHAuthOptions
Constants ¶
This section is empty.
Variables ¶
var ErrContainerNotUnique = errors.New("No unique container found")
ErrContainerNotUnique is returned when no single running container matches the requested label and value (either none does, or more than one does).
Functions ¶
func FindContainerKeys ¶
func FindContainerKeys(cli client.APIClient, container types.Container, options SSHAuthOptions) (keys []ssh.PublicKey)
FindContainerKeys finds the public keys that a particular container accepts for authentication and returns them.
Where the keys are read from (a label on the container and/or authorized_keys files inside the container's filesystem) is determined by options.
This function ignores all errors and invalid values: unreadable files and unparsable keys are skipped silently rather than reported, so an empty result can mean either that no keys are configured or that every configured source failed.
func FindUniqueContainer ¶
func FindUniqueContainer(cli client.APIClient, key string, value string) (container types.Container, err error)
FindUniqueContainer finds the unique running container whose label key has the given value.
If there is no unique running container (none carries the label with that value, or more than one does), it returns ErrContainerNotUnique. If something else goes wrong, other errors may be returned.
Types ¶
type ContainerExecConfig ¶
type ContainerExecConfig struct {
	// Client is the docker client used to talk to the docker daemon.
	Client client.APIClient
	// DockerLabelUser is the label used to associate a user with a container.
	DockerLabelUser string
	// DockerLabelAuthFile is the label of a container that may contain paths to authorized_keys files.
	DockerLabelAuthFile string
	// DockerLabelKey is the label that may contain an authorized_key for a user.
	DockerLabelKey string
	// ContainerShell is the executable to run within the container.
	ContainerShell string
}
ContainerExecConfig implements a proxyssh.Configuration and proxyssh.Handler that execute user processes within running docker containers. For this purpose it makes use of 'docker exec'.
The association of an incoming user with a docker container happens via the username. To find a docker container, the server looks for a running docker container where a specific label (DockerLabelUser) has a value equal to the username. If there is no running docker container with that label value, or there is more than one, the connection fails.
To authenticate a user, the server uses ssh keys. A user is considered authenticated if they can prove ownership of at least one of the ssh keys associated with this user. To find the ssh keys associated with a user, the server again uses labels on the associated docker container; in this case, two different labels are checked.
One label (DockerLabelKey) can contain an ssh key in authorized_keys format. The second label (DockerLabelAuthFile) may contain comma-separated file paths. These file paths are interpreted relative to the filesystem of the docker container, so whoever can write to the container's filesystem controls which keys are accepted for it. Each file (if it exists) may contain several ssh public keys in authorized_keys format.
Once a user is authenticated, a session within the associated container is started. For this, a process inside the docker container (called the shell, ContainerShell) is started via 'docker exec'. When the ssh client provides no command, the shell is run without arguments. When a command is provided, the shell is run with two arguments, '-c' and the concatenation of the arguments provided.
For example, assume the shell is '/bin/sh' and the command provided by the user is 'whoami'. Then the server executes '/bin/sh -c whoami' inside the container.
When the ssh client requested a tty, a tty is allocated within the container. When no tty was requested, none is allocated.
Both the shell and the labels to be used are configured through the fields above, or through the command-line flags registered by RegisterFlags.
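The lookup, key discovery and command construction described above, as an added example that is not the package's own code: it re-implements the behaviour of FindUniqueContainer, FindContainerKeys and the shell argv over constructed in-memory containers, so it runs without a docker daemon or the docker client. A minimal authorized_keys line parser stands in for golang.org/x/crypto/ssh (the real package returns []ssh.PublicKey; this example returns the accepted lines as strings). The label names ssh.user, ssh.key and ssh.authfile, the Container and AuthOptions types, the sample container data and the placeholder key are all assumptions made for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

var ErrContainerNotUnique = errors.New("No unique container found") // mirrors the package's error

// Container is a constructed stand-in for types.Container; Files simulates the container filesystem (path -> contents).
type Container struct {
	ID, State     string
	Labels, Files map[string]string
}

// AuthOptions mirrors SSHAuthOptions: a label holding one key, a label holding comma-separated paths.
type AuthOptions struct{ LabelKey, LabelFile string }

// FindUniqueContainer returns the single running container whose label key equals value.
func FindUniqueContainer(cs []Container, key, value string) (Container, error) {
	var matches []Container
	for _, c := range cs {
		if c.State == "running" && c.Labels[key] == value {
			matches = append(matches, c)
		}
	}
	if len(matches) != 1 { // none or more than one: fail closed
		return Container{}, ErrContainerNotUnique
	}
	return matches[0], nil
}

// parseAuthorizedKey validates one authorized_keys line ("<type> <base64 blob> [comment]"): the
// blob must decode and its first length-prefixed string (RFC 4253 wire format) must equal the type.
func parseAuthorizedKey(line string) (string, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return "", errors.New("too few fields")
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return "", err
	}
	if len(blob) < 4 || uint32(len(blob)-4) < binary.BigEndian.Uint32(blob[:4]) {
		return "", errors.New("truncated key blob")
	}
	if n := binary.BigEndian.Uint32(blob[:4]); string(blob[4:4+n]) != fields[0] {
		return "", errors.New("key type does not match blob")
	}
	return fields[0], nil
}

// FindContainerKeys gathers keys from the key label and from every file named in the file label.
// Missing files, blank or comment lines and unparsable keys are skipped, as the package documents.
func FindContainerKeys(c Container, opts AuthOptions) (keys []string) {
	lines := []string{c.Labels[opts.LabelKey]} // an unset label yields "" and is dropped below
	for _, p := range strings.Split(c.Labels[opts.LabelFile], ",") {
		if content, ok := c.Files[strings.TrimSpace(p)]; ok {
			lines = append(lines, strings.Split(content, "\n")...)
		}
	}
	for _, l := range lines {
		l = strings.TrimSpace(l)
		if l == "" || strings.HasPrefix(l, "#") {
			continue
		}
		if _, err := parseAuthorizedKey(l); err == nil {
			keys = append(keys, l)
		}
	}
	return keys
}

// ExecCommand builds the argv passed to docker exec: the bare shell, or shell -c "<joined args>".
func ExecCommand(shell string, args []string) []string {
	if len(args) == 0 {
		return []string{shell}
	}
	return []string{shell, "-c", strings.Join(args, " ")}
}

// Constructed sample data: an ssh-ed25519 blob whose 32 key bytes are all zero (a placeholder, not a real key).
var sampleBlob = "AAAAC3NzaC1lZDI1NTE5AAAAIAAA" + strings.Repeat("A", 40)
var sampleKey = "ssh-ed25519 " + sampleBlob + " alice@example"

func sampleContainers() []Container {
	return []Container{
		{ID: "c1", State: "running",
			Labels: map[string]string{"ssh.user": "alice", "ssh.key": sampleKey, "ssh.authfile": "/root/.ssh/authorized_keys, /etc/missing"},
			Files:  map[string]string{"/root/.ssh/authorized_keys": "# comment\n" + sampleKey + "\nssh-rsa not*base64 x\nssh-rsa " + sampleBlob + "\n"}},
		{ID: "c2", State: "exited", Labels: map[string]string{"ssh.user": "carol"}}, // not running: never matches
		{ID: "c3", State: "running", Labels: map[string]string{"ssh.user": "bob"}},
		{ID: "c4", State: "running", Labels: map[string]string{"ssh.user": "bob"}}, // two for bob: not unique
	}
}

func main() {
	c, err := FindUniqueContainer(sampleContainers(), "ssh.user", "alice")
	fmt.Println(c.ID, err, FindContainerKeys(c, AuthOptions{LabelKey: "ssh.key", LabelFile: "ssh.authfile"}))
	fmt.Println(ExecCommand("/bin/sh", []string{"whoami"}))
}
```

Two points the example makes explicit: the container lookup fails closed (a user with zero or several running containers cannot connect at all), and the key sources are read from inside the container, so the label values and the files they name are part of that container's trust boundary. The sample file deliberately mixes a comment, a valid key, a line that is not base64 and a line whose declared type disagrees with its blob; only the valid key survives, which is the silent-skip behaviour FindContainerKeys documents.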
func (*ContainerExecConfig) Handle ¶
func (cfg *ContainerExecConfig) Handle(logger logging.Logger, session ssh.Session) (proxyssh.Process, error)
Handle implements proxyssh.Handler: it finds the container associated with the session's user, starts the configured shell inside it with 'docker exec', and returns the resulting proxyssh.Process.
func (*ContainerExecConfig) RegisterFlags ¶
func (cfg *ContainerExecConfig) RegisterFlags(flagset *flag.FlagSet)
RegisterFlags registers flags representing the config to the provided flagset. When flagset is nil, uses flag.CommandLine.
type ContainerExecProcess ¶
type ContainerExecProcess struct {
	// internal streams
	term.Pipes
	// contains filtered or unexported fields
}
ContainerExecProcess represents a process started with 'docker exec' inside a running container of a docker engine.
func NewContainerExecProcess ¶
func NewContainerExecProcess(client client.APIClient, containerID string, command []string) *ContainerExecProcess
NewContainerExecProcess creates a process that executes within a docker container.
The command is executed exactly as given; unlike 'docker run', the container's entrypoint is not prepended to it.
func (*ContainerExecProcess) Cleanup ¶
func (cep *ContainerExecProcess) Cleanup() (killed bool)
Cleanup cleans up this process, killing it if it is still running. The returned killed reports whether the process had to be killed.
func (*ContainerExecProcess) Init ¶
func (cep *ContainerExecProcess) Init(ctx context.Context, detector logging.MemoryLeakDetector, isTerm bool) error
Init initializes this ContainerExecProcess within the container; isTerm indicates whether a terminal is requested.
func (*ContainerExecProcess) Start ¶
func (cep *ContainerExecProcess) Start(detector logging.MemoryLeakDetector, Term string, resizeChan <-chan proxyssh.WindowSize, isPty bool) (*os.File, error)
Start starts this process. Term and resizeChan are only used when isPty is set, to configure the allocated terminal and to propagate window-size changes to it. The returned file carries the process's I/O.
func (*ContainerExecProcess) String ¶
func (cep *ContainerExecProcess) String() string
String returns a human-readable description of this ContainerExecProcess.
func (*ContainerExecProcess) Wait ¶
func (cep *ContainerExecProcess) Wait(detector logging.MemoryLeakDetector) (code int, err error)
Wait waits for the process to exit and returns its exit code.
type SSHAuthOptions ¶
type SSHAuthOptions struct {
	// If set, check if a candidate container contains an ssh key in the provided label
	LabelKey string
	// If set, check if a candidate container contains an authorized_keys file at the provided path(s)
	// Paths may be an array separated by commas.
	LabelFile string
}
SSHAuthOptions contains options that configure authentication via ssh.