Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/muayyad-alsadi/docker-jumpshell

Jump-box shell for Docker - secure remote ssh into containers with ACL
https://github.com/muayyad-alsadi/docker-jumpshell

docker docker-containers jumpshell remote-access ssh

Last synced: 6 days ago
JSON representation

Jump-box shell for Docker - secure remote ssh into containers with ACL

Awesome Lists containing this project

README 

        
# Jump shell for Docker



Used as user shell to allow developers jump into their containers using ssh



## Features



* simple and effective ACL, just run the container with `-l owner=myuser` or `-l group=mygroup`

* access to all containers if you are member of `jumpshell-all` group (beside `jumpshell` group)

* opens all owned containers in `tmux` windows

* interactive picker `ssh -t myuser@remote picker`

* scriptable non-interactive mode `ssh myuser@remote mycontainer cat /etc/hosts | wc -l`

* tail container logs `ssh myuser@remote docker_logs mycontainer | grep ERROR`

* and with log picker `ssh -t myuser@remote docker_logs`



![Container Picker](/picker.png)



![Container Logs](/logs.png)



## Security



* developers are NOT granted access to host

* developers are NOT granted access to docker socket

* developers can NOT execute random docker commands

* only listing owned containers and exec inside owned containers is allowed

* only containers having special labels are allowed

* `sudo` is only to a simple helper script that do the above checks



## FAQ



* Can I use it with [mosh](https://mosh.org/)?

  * yes, it just work

* Can I use it to create tunnels to a container port?

  * yes `ssh -L 8080::8080 -t myuser@remote picker` (don't forget `-t`)

* How can I receive a file from the container?

  * simply `cat` it, like this `ssh myuser@remote mycontainer cat /path/to/myfile > ./myfile`

* How can I send a file to the container?

  * simply `cat` it, like this `ssh myuser@remote mycontainer bash -c "cat > /path/to/myfile" < ./myfile`

* How can I receive a directory from the container?

  * simply `tar` it, like this `ssh myuser@remote mycontainer tar -czf - /path/to/mydir | tar -xzf - -C .`

* How can I send a directory to the container?

  * simply `tar` it, like this `tar -czf - . | ssh myuser@remote mycontainer tar -xzf - -C /path/to/mydir`

* Is it possible to `scp`?

  * no, use `tar` trick above

* Is it possible to `rsync` over `ssh`?

  * no, use `tar` trick above

* How to remove access from a user? I can't remove docker label!

  * remove the public key from `authorized_keys`

  * or remove the UNIX user from `jumpshell` group

* Can I define custom shell?

  * yes, pass `-l shell=/full/path/to/shell`

  * no need to define it for `bash` and `sh`

* I have running countainers without labels how I access them?

  * add your user to `jumpshell-all` group.



## Requirements



* docker with label support

* tmux

* whiptail



## Setup



Just place them in a place like `/usr/local/bin/`



```

cd /usr/local/bin/

curl -sSLO https://raw.githubusercontent.com/muayyad-alsadi/docker-jumpshell/v1.5/docker-jumpshell-helper.sh

curl -sSLO https://raw.githubusercontent.com/muayyad-alsadi/docker-jumpshell/v1.5/docker-jumpshell.sh

chmod +x docker-jumpshell*.sh

```



create a group to be allowed to jump into their owned docker containers



```

groupadd jumpshell

```



add the following to `/etc/sudoers.d/docker-jumpshell`



```

Defaults    !requiretty

%jumpshell	ALL=(ALL)	NOPASSWD: /usr/local/bin/docker-jumpshell-helper.sh

```



add the user, make his shell be the script, run a container of your choice named after the user



```

useradd myuser

usermod -a -G jumpshell myuser

chsh -s /usr/local/bin/docker-jumpshell.sh myuser

docker run -d -t --restart=always --name=my-fedora -l owner=myuser fedora/systemd-systemd

docker run -d -t --restart=always --name=my-ubuntu -l owner=myuser ubuntu-upstart:trusty

```



add public keys to `/home/myuser/.ssh/authorized_keys` and make sure they have right permissions



```

sudo -u myuser /bin/bash -l

mkdir -p /home/myuser/.ssh/

vim /home/myuser/.ssh/authorized_keys

chmod 700 /home/myuser/.ssh/authorized_keys

chmod 644 /home/myuser/.ssh/authorized_keys

```



now you can execute commands in the container or have interactive shells on it



```

ssh -t myuser@remotebox picker

ssh -t myuser@remotebox my-fedora

ssh myuser@remotebox my-fedora cat /etc/hosts

ssh myuser@remotebox

```



in `tmux` use



* `CTRL+B n` to move to next window,

* `CTRL+B c` to create a new window

* `CTRL+B d` to detach



## How it works



members of group `jumpshell` are allowed to `sudo` the helper script.



the helper script is a simple secure script that



* sudo itself if not root

* accept only two commands `ls` and `exec` 

* `ls` would list all containers having label `owner=` or `group=`

* `exec` is followed by container id

* `exec` validates that the given container have the suitable label (authorize)

* `exec ` would run interactive bash inside the given container

* `exec  ` would run `bash -c "COMMAND"` inside the given container

* `logs ` tail and follow logs of given container



the shell of the desired user is set to `docker-jumpshell.sh`

which has more complex logic but it's safe because the user can't `sudo` it

the shell is executed when users access it remotely via `ssh`



## Group Access



If a container is to be accessed by more than one user,

create a UNIX group for that by typing `groupadd jumpshell-mygroup`

then add users to that group, then run your docker containers with label `group=mygroup`



NOTE: we have added `jumpshell-` prefix to UNIX group name

that is omitted from docker label. The reason behind this 

is to allow you so that UNIX `admin` is not `jumpshell-admin`