dockerexec

package
v0.2.2
Published: Jun 1, 2022 License: MIT Imports: 16 Imported by: 0

Documentation

Overview

Package dockerexec provides ContainerExecConfig.

Index

Constants

This section is empty.

Variables

var ErrContainerNotUnique = errors.New("No unique container found")

ErrContainerNotUnique is the error returned when a lookup does not match exactly one running container (either none or more than one matched).

Functions

func FindContainerKeys

func FindContainerKeys(cli client.APIClient, container types.Container, options SSHAuthOptions) (keys []ssh.PublicKey)

FindContainerKeys finds the public keys accepted by a particular container and returns them.

Where the keys are read from (a label on the container, files inside the container, or both) is determined by options.

This function ignores all errors and invalid values: a missing or unreadable file, or a malformed key entry, contributes no keys instead of failing the lookup. A container whose labels yield no valid key therefore accepts no public-key login at all.

func FindUniqueContainer

func FindUniqueContainer(cli client.APIClient, key string, value string) (container types.Container, err error)

FindUniqueContainer finds the single running container whose label key has the given value.

If there is no running container with that label value, or there is more than one, it returns ErrContainerNotUnique. If something goes wrong while talking to the daemon, other errors may be returned.

Types

type ContainerExecConfig

type ContainerExecConfig struct {

	// Client is the docker client used to talk to the docker daemon.
	Client client.APIClient

	// DockerLabelUser is the label to use for associating a user to a container.
	DockerLabelUser string

	// DockerLabelAuthFile is the label of a container that may contain paths to authorized_keys files.
	DockerLabelAuthFile string

	// DockerLabelKey is the label that may contain an authorized_key for a user.
	DockerLabelKey string

	// ContainerShell is the executable to run within the container.
	ContainerShell string
}

ContainerExecConfig implements a proxyssh.Configuration and proxyssh.Handler that execute user processes within running docker containers. For this purpose it makes use of 'docker exec'.

The association of incoming user to a docker container happens via the username. To find a docker container, the server looks for a docker container where a specific label has a value equal to the username. If there is no running docker container with the provided label (or there is more than one) the connection will fail.

To authenticate a user, the server uses ssh public keys. A user is considered authenticated if they can prove ownership of at least one of the ssh keys associated with this user. To find the ssh keys associated with a user, the server reads labels on the associated docker container. Two different labels are checked.

One label may contain a single ssh public key in authorized_keys format. The second label may contain comma-separated file paths. These paths are interpreted relative to the filesystem of the docker container, not the host. Each file (if it exists) may contain several ssh public keys in authorized_keys format.

Once a user is authenticated, a session within the associated container is started. For this, a process inside the docker container (called the shell) is started. When the client provides no command, the shell is run without any arguments. When the client provides a command, the shell is run with two arguments, '-c' and a concatenation of the arguments provided, so the shell inside the container is what interprets the command string.

For example, assume the shell is '/bin/sh' and the command provided by the user is 'whoami'. Then the server executes '/bin/sh -c whoami' inside the container.

When the ssh client requested a tty, a tty is allocated within the container. When no tty was requested, none is allocated.

Both the shell and the labels to be used are configured via the fields of this struct, or via the flags registered by RegisterFlags.
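The lookup, key-collection and command rules above, as an added illustration in plain Go that is not code from the dockerexec package: it keeps the same semantics (zero or several running matches both fail, key material comes from a key label and from comma-separated paths, malformed entries are silently dropped) over constructed container records instead of a Docker client, and it assumes the client's command arguments are joined with single spaces, which the package describes only as a concatenation. The label names and sample containers are invented for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// errNotUnique plays the role of ErrContainerNotUnique: any match count other than one fails.
var errNotUnique = errors.New("no unique container found")

// container is a constructed stand-in for the fields of types.Container this lookup needs.
type container struct {
	ID     string
	State  string // "running", "exited", ...
	Labels map[string]string
}

// findUniqueContainer returns the single running container whose label key has value.
// Zero or several matches are both errors, so two containers claiming the same user
// refuse the login instead of one being picked arbitrarily.
func findUniqueContainer(all []container, key, value string) (container, error) {
	var matches []container
	for _, c := range all {
		if c.State == "running" && c.Labels[key] == value {
			matches = append(matches, c)
		}
	}
	if len(matches) != 1 {
		return container{}, errNotUnique
	}
	return matches[0], nil
}

// authorizedKeysPaths splits the comma-separated file label into container-relative paths.
func authorizedKeysPaths(label string) []string {
	var paths []string
	for _, p := range strings.Split(label, ",") {
		if p = strings.TrimSpace(p); p != "" {
			paths = append(paths, p)
		}
	}
	return paths
}

// parseAuthorizedKeys accepts authorized_keys-format text and returns "type base64" for the
// lines that are well formed: the blob decodes and the algorithm name embedded in its first
// SSH string matches the declared type. Comments, blank lines and garbage are skipped, which
// is the "ignore invalid values" behaviour documented for FindContainerKeys.
func parseAuthorizedKeys(text string) []string {
	var keys []string
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		blob, err := base64.StdEncoding.DecodeString(fields[1])
		if err != nil || len(blob) < 4 {
			continue
		}
		n := binary.BigEndian.Uint32(blob)
		if uint32(len(blob)-4) < n || string(blob[4:4+n]) != fields[0] {
			continue
		}
		keys = append(keys, fields[0]+" "+fields[1])
	}
	return keys
}

// sampleKeyLine builds a syntactically valid authorized_keys line around a constructed
// (zero-filled) key body. It is sample input for the parser, not a usable key.
func sampleKeyLine(algo string, body []byte) string {
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(algo)))
	blob := append(l[:], algo...)
	binary.BigEndian.PutUint32(l[:], uint32(len(body)))
	blob = append(blob, l[:]...)
	blob = append(blob, body...)
	return algo + " " + base64.StdEncoding.EncodeToString(blob) + " alice@example"
}

// execCommand builds the argv run inside the container: the bare shell for an interactive
// session, or shell -c <joined args> when the client sent a command. Joining with a single
// space is an assumption; the package only says the arguments are concatenated.
func execCommand(shell string, args []string) []string {
	if len(args) == 0 {
		return []string{shell}
	}
	return []string{shell, "-c", strings.Join(args, " ")}
}

func main() {
	containers := []container{ // constructed sample data, not read from a daemon
		{ID: "c1", State: "running", Labels: map[string]string{"ssh.user": "alice",
			"ssh.key": sampleKeyLine("ssh-ed25519", make([]byte, 32)),
			"ssh.authfile": "/home/alice/.ssh/authorized_keys, /etc/ssh/extra_keys"}},
		{ID: "c2", State: "exited", Labels: map[string]string{"ssh.user": "alice"}},
		{ID: "c3", State: "running", Labels: map[string]string{"ssh.user": "bob"}},
		{ID: "c4", State: "running", Labels: map[string]string{"ssh.user": "bob"}},
	}
	c, err := findUniqueContainer(containers, "ssh.user", "alice") // exited duplicate is ignored
	fmt.Println(c.ID, err)
	_, err = findUniqueContainer(containers, "ssh.user", "bob") // two running candidates
	fmt.Println(err)
	fmt.Println(authorizedKeysPaths(c.Labels["ssh.authfile"]))
	fmt.Println(parseAuthorizedKeys(c.Labels["ssh.key"] + "\n# comment\nssh-rsa not-base64!!\n"))
	fmt.Println(execCommand("/bin/sh", []string{"whoami"}))
}
```

The two failure paths are the ones to keep in mind when labelling containers: a stopped container with the right label is simply not a candidate, and two running containers with the same user label lock that user out rather than routing them to either.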

func (*ContainerExecConfig) Apply

func (cfg *ContainerExecConfig) Apply(logger logging.Logger, sshserver *ssh.Server) error

Apply applies this configuration to the server.

func (*ContainerExecConfig) Handle

func (cfg *ContainerExecConfig) Handle(logger logging.Logger, session ssh.Session) (proxyssh.Process, error)

Handle implements the handler

func (*ContainerExecConfig) RegisterFlags

func (cfg *ContainerExecConfig) RegisterFlags(flagset *flag.FlagSet)

RegisterFlags registers flags representing the config to the provided flagset. When flagset is nil, uses flag.CommandLine.

type ContainerExecProcess

type ContainerExecProcess struct {

	// internal streams
	term.Pipes
	// contains filtered or unexported fields
}

ContainerExecProcess represents a process running inside a container managed by a docker engine.

func NewContainerExecProcess

func NewContainerExecProcess(client client.APIClient, containerID string, command []string) *ContainerExecProcess

NewContainerExecProcess creates a process that executes within a docker container.

The command is executed exactly as given; the container's entrypoint is not prepended to it.

func (*ContainerExecProcess) Cleanup

func (cep *ContainerExecProcess) Cleanup() (killed bool)

Cleanup cleans up this process, typically to kill it.

func (*ContainerExecProcess) Init

func (cep *ContainerExecProcess) Init(ctx context.Context, detector logging.MemoryLeakDetector, isTerm bool) error

Init initializes this ContainerExecProcess.

func (*ContainerExecProcess) Start

func (cep *ContainerExecProcess) Start(detector logging.MemoryLeakDetector, Term string, resizeChan <-chan proxyssh.WindowSize, isPty bool) (*os.File, error)

Start starts this process

func (*ContainerExecProcess) String

func (cep *ContainerExecProcess) String() string

String turns this ContainerExecProcess into a string.

func (*ContainerExecProcess) Wait

func (cep *ContainerExecProcess) Wait(detector logging.MemoryLeakDetector) (code int, err error)

Wait waits for the process and returns the exit code

type SSHAuthOptions

type SSHAuthOptions struct {
	// If set, check whether a candidate container carries an ssh public key in the label with this name.
	LabelKey string

	// If set, read authorized_keys files from the path(s) named in the label with this name.
	// The label value may hold several paths separated by commas; paths are relative to the container's filesystem.
	LabelFile string
}

SSHAuthOptions contains the options that configure authentication via ssh public keys.
