# Jump shell for Docker

Jump-box shell for Docker: secure remote ssh into containers with an ACL.
Source: https://github.com/muayyad-alsadi/docker-jumpshell (Shell; topics: docker, docker-containers, jumpshell, remote-access, ssh)

Used as a login shell to let developers jump into their own containers over `ssh`.

## Features

* simple and effective ACL: just run the container with `-l owner=myuser` or `-l group=mygroup`
* access to all containers for members of the `jumpshell-all` group (in addition to the `jumpshell` group)
* opens all owned containers in `tmux` windows
* interactive picker: `ssh -t myuser@remote picker`
* scriptable non-interactive mode: `ssh myuser@remote mycontainer cat /etc/hosts | wc -l`
* tail container logs: `ssh myuser@remote docker_logs mycontainer | grep ERROR`
* and with a log picker: `ssh -t myuser@remote docker_logs`

![Container Picker](/picker.png)

![Container Logs](/logs.png)

## Security

* developers are NOT granted access to the host
* developers are NOT granted access to the docker socket
* developers can NOT execute arbitrary docker commands
* only listing owned containers and `exec` inside owned containers is allowed
* only containers carrying the special labels are reachable
* `sudo` is granted only for a small helper script that performs the above checks

Keep in mind that a shell inside a container is as powerful as the container itself: do not hand a developer a container that runs `--privileged` or has the docker socket mounted, because that is host access by another route.

## FAQ

* Can I use it with [mosh](https://mosh.org/)?
  * yes, it just works
* Can I use it to create tunnels to a container port?
  * yes: `ssh -L 8080:<CONTAINER_IP>:8080 -t myuser@remote picker` (don't forget `-t`)
  * note that the forwarding is done by `sshd` on the host, not by the jump shell, so it reaches whatever the host can reach; restrict it with `PermitOpen` (or `AllowTcpForwarding no`) in `sshd_config` if that matters to you
* How can I receive a file from the container?
  * simply `cat` it, like this: `ssh myuser@remote mycontainer cat /path/to/myfile > ./myfile`
* How can I send a file to the container?
  * simply `cat` it, like this: `ssh myuser@remote mycontainer bash -c "cat > /path/to/myfile" < ./myfile`
* How can I receive a directory from the container?
  * simply `tar` it, like this: `ssh myuser@remote mycontainer tar -czf - /path/to/mydir | tar -xzf - -C .`
* How can I send a directory to the container?
  * simply `tar` it, like this: `tar -czf - . | ssh myuser@remote mycontainer tar -xzf - -C /path/to/mydir`
* Is it possible to `scp`?
  * no, use the `tar` trick above
* Is it possible to `rsync` over `ssh`?
  * no, use the `tar` trick above
* How do I remove a user's access? I can't remove the docker label!
  * remove the public key from `authorized_keys`
  * or remove the UNIX user from the `jumpshell` group
* Can I define a custom shell?
  * yes, pass `-l shell=/full/path/to/shell` when running the container
  * no need to define it for `bash` and `sh`
* I have running containers without labels; how do I access them?
  * add your user to the `jumpshell-all` group.


## Requirements

* docker with label support (Docker 1.6 or newer)
* tmux
* whiptail

## Setup

Place the two scripts in a directory on root's `PATH`, e.g. `/usr/local/bin/`

```
cd /usr/local/bin/
curl -sSLO https://raw.githubusercontent.com/muayyad-alsadi/docker-jumpshell/v1.5/docker-jumpshell-helper.sh
curl -sSLO https://raw.githubusercontent.com/muayyad-alsadi/docker-jumpshell/v1.5/docker-jumpshell.sh
chmod +x docker-jumpshell*.sh
```

Every member of `jumpshell` will be able to run the helper as root, so make sure both scripts are owned by root and writable by nobody else.

create a group whose members are allowed to jump into their own docker containers

```
groupadd jumpshell
```

add the following to `/etc/sudoers.d/docker-jumpshell` (`!requiretty` is needed because non-interactive `ssh` commands have no tty)

```
Defaults    !requiretty
%jumpshell	ALL=(ALL)	NOPASSWD: /usr/local/bin/docker-jumpshell-helper.sh
```

add the user, set the script as their login shell, and run a container of your choice labelled with the user

```
useradd myuser
usermod -a -G jumpshell myuser
chsh -s /usr/local/bin/docker-jumpshell.sh myuser
docker run -d -t --restart=always --name=my-fedora -l owner=myuser fedora/systemd-systemd
docker run -d -t --restart=always --name=my-ubuntu -l owner=myuser ubuntu-upstart:trusty
```

add public keys to `/home/myuser/.ssh/authorized_keys` and make sure the directory and the file have the right permissions (`sshd` refuses keys from a group- or world-writable path)

```
sudo -u myuser /bin/bash -l
mkdir -p /home/myuser/.ssh/
vim /home/myuser/.ssh/authorized_keys
chmod 700 /home/myuser/.ssh/
chmod 644 /home/myuser/.ssh/authorized_keys
```

now you can execute commands in the container or open interactive shells on it

```
ssh -t myuser@remotebox picker
ssh -t myuser@remotebox my-fedora
ssh myuser@remotebox my-fedora cat /etc/hosts
ssh myuser@remotebox
```

in `tmux` use

* `CTRL+B n` to move to the next window
* `CTRL+B c` to create a new window
* `CTRL+B d` to detach

## How it works

members of the `jumpshell` group are allowed to `sudo` the helper script.

the helper script is a small, security-sensitive script that

* re-executes itself under `sudo` if it is not already running as root
* accepts only three commands: `ls`, `exec` and `logs`
* `ls` lists all containers having label `owner=<USER>` or `group=<GROUP>` (the latter when the user is a member of UNIX group `jumpshell-<GROUP>`)
* `exec` and `logs` are followed by a container id
* before touching the container, the helper validates that it carries a suitable label (this is the authorization step)
* `exec <ID>` runs an interactive `bash` inside the given container
* `exec <ID> <COMMAND>` runs `bash -c "COMMAND"` inside the given container
* `logs <ID>` tails and follows the logs of the given container

the login shell of the user is set to `docker-jumpshell.sh`,
which has more complex logic; that is safe because it runs unprivileged and the user cannot `sudo` it, only the helper.
`sshd` runs this shell when the user logs in over `ssh`, either interactively or as `docker-jumpshell.sh -c "<COMMAND>"` for a one-shot command.

## Group Access

If a container is to be shared by more than one user,
create a UNIX group for it with `groupadd jumpshell-mygroup`,
add the users to that group, then run the docker containers with label `group=mygroup`.

NOTE: the UNIX group name carries a `jumpshell-` prefix that is omitted from the docker label.
This keeps jump-shell groups separate from existing UNIX groups: membership in an
existing group such as `admin` does not grant access to containers labelled `group=admin`;
only membership in `jumpshell-admin` does.
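The helper's authorization decision described under "How it works" and "Group Access", modelled in POSIX shell as an added example. This is not docker-jumpshell's own code: the real helper asks `docker` for labels and its exact `docker` invocation is not shown on this page, so the constructed inventory, the `jumpshell_*` function names, the `ID NAME LABELS` record format and the `docker exec -it` / `docker logs -f` command lines are assumptions made so the logic can run offline.

```sh
#!/bin/sh
# Added example, not docker-jumpshell's own code: a model of the helper's
# authorization decision as the README describes it. The real helper asks
# docker for container labels; here a constructed inventory stands in for
# `docker ps` / `docker inspect` so the checks can be exercised offline.
#
# Constructed inventory, one container per line:  ID NAME LABELS
# (LABELS is comma-separated key=value, or "-" for a container without labels)
JUMPSHELL_INVENTORY='c0ffee01 my-fedora owner=alice
c0ffee02 web-prod group=web
c0ffee03 scratch -'

# jumpshell_has_word "LIST" WORD: is WORD one of the space-separated LIST?
jumpshell_has_word() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# jumpshell_authorize USER "GROUPS" "LABELS"
# GROUPS is the user's UNIX group list as `id -Gn USER` prints it.
# Succeeds if USER may list, exec into or tail a container carrying LABELS.
jumpshell_authorize() {
    local user="$1" groups="$2" labels="$3" label key val oldifs
    # the sudoers rule only covers members of jumpshell; nobody else gets in
    jumpshell_has_word "$groups" jumpshell || return 1
    # jumpshell-all members reach every container, labelled or not
    jumpshell_has_word "$groups" jumpshell-all && return 0
    oldifs=$IFS; IFS=,; set -- $labels; IFS=$oldifs
    for label; do
        key=${label%%=*}; val=${label#*=}
        case $key in
            owner) [ "$val" = "$user" ] && return 0 ;;
            # label group=foo maps to UNIX group jumpshell-foo, so an
            # unrelated pre-existing group such as "admin" grants nothing
            group) jumpshell_has_word "$groups" "jumpshell-$val" && return 0 ;;
        esac
    done
    return 1
}

# jumpshell_lookup ID: print "NAME LABELS" for ID from the inventory, or fail
jumpshell_lookup() {
    local id name labels
    while read -r id name labels; do
        if [ "$id" = "$1" ]; then printf '%s %s\n' "$name" "$labels"; return 0; fi
    done <<EOF
$JUMPSHELL_INVENTORY
EOF
    return 1
}

# jumpshell_ls USER "GROUPS": the helper's `ls`, one reachable container name per line
jumpshell_ls() {
    local id name labels
    while read -r id name labels; do
        if jumpshell_authorize "$1" "$2" "$labels"; then echo "$name"; fi
    done <<EOF
$JUMPSHELL_INVENTORY
EOF
    return 0
}

# jumpshell_helper USER "GROUPS" CMD [ID [COMMAND]]
# Models the helper's command surface: ls, exec and logs; anything else is refused.
# Instead of calling docker it prints the command it would run (flags assumed).
jumpshell_helper() {
    local user="$1" groups="$2" cmd="$3" id="$4" command="$5" entry name labels
    case $cmd in
        ls) jumpshell_ls "$user" "$groups" ;;
        exec|logs)
            if ! entry=$(jumpshell_lookup "$id"); then
                echo "no such container: $id" >&2; return 2
            fi
            name=${entry%% *}; labels=${entry#* }
            # authorize before touching the container
            if ! jumpshell_authorize "$user" "$groups" "$labels"; then
                echo "denied: $user may not access $name" >&2; return 3
            fi
            if [ "$cmd" = logs ]; then
                echo "docker logs -f $id"
            elif [ -n "$command" ]; then
                echo "docker exec -it $id bash -c '$command'"
            else
                echo "docker exec -it $id bash"
            fi ;;
        *) echo "refused: $cmd" >&2; return 2 ;;
    esac
}

# usage: what the helper would do for alice
jumpshell_helper alice "alice jumpshell" ls
jumpshell_helper alice "alice jumpshell" exec c0ffee01 "cat /etc/hosts"
```

The order of the checks is the point: membership in `jumpshell` is a precondition for everything (mirroring the sudoers rule), `jumpshell-all` short-circuits the label check, and a `group=` label is only honoured through the prefixed `jumpshell-` group, so an existing group such as `admin` never grants container access by accident.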