Jump-box shell for Docker - secure remote ssh into containers with ACL
Used as a user shell to allow developers to jump into their containers using ssh
containers are labeled with -l owner=myuser or -l group=mygroup
jumpshell-all group (beside jumpshell group)
tmux windows
ssh -t myuser@remote picker
ssh myuser@remote mycontainer cat /etc/hosts | wc -l
ssh myuser@remote docker_logs mycontainer | grep ERROR
ssh -t myuser@remote docker_logs
sudo is only to a simple helper script that does the above checks
ssh -L 8080:<CONTAINER_IP>:8080 -t myuser@remote picker (don't forget -t)
to copy a file out of a container, cat it, like this: ssh myuser@remote mycontainer cat /path/to/myfile > ./myfile
to copy a file into a container, cat it, like this: ssh myuser@remote mycontainer bash -c "cat > /path/to/myfile" < ./myfile
to copy a directory out of a container, tar it, like this: ssh myuser@remote mycontainer tar -czf - /path/to/mydir | tar -xzf - -C .
to copy a directory into a container, tar it, like this: tar -czf - . | ssh myuser@remote mycontainer tar -xzf - -C /path/to/mydir
scp? use the tar trick above
rsync over ssh? use the tar trick above
authorized_keys
jumpshell group
-l shell=/full/path/to/shell
bash and sh
jumpshell-all group.
Just place them in a place like /usr/local/bin/
cd /usr/local/bin/
curl -sSLO https://raw.githubusercontent.com/muayyad-alsadi/docker-jumpshell/v1.5/docker-jumpshell-helper.sh
curl -sSLO https://raw.githubusercontent.com/muayyad-alsadi/docker-jumpshell/v1.5/docker-jumpshell.sh
chmod +x docker-jumpshell*.sh
create a group to be allowed to jump into their owned docker containers
groupadd jumpshell
add the following to /etc/sudoers.d/docker-jumpshell
Defaults !requiretty
%jumpshell ALL=(ALL) NOPASSWD: /usr/local/bin/docker-jumpshell-helper.sh
add the user, set the script as the user's shell, then run a container of your choice labeled with that user as owner
useradd myuser
usermod -a -G jumpshell myuser
chsh -s /usr/local/bin/docker-jumpshell.sh myuser
docker run -d -t --restart=always --name=my-fedora -l owner=myuser fedora/systemd-systemd
docker run -d -t --restart=always --name=my-ubuntu -l owner=myuser ubuntu-upstart:trusty
add public keys to /home/myuser/.ssh/authorized_keys
and make sure they have right permissions
sudo -u myuser /bin/bash -l
mkdir -p /home/myuser/.ssh/
vim /home/myuser/.ssh/authorized_keys
chmod 700 /home/myuser/.ssh/
chmod 644 /home/myuser/.ssh/authorized_keys
now you can execute commands in the container or have interactive shells on it
ssh -t myuser@remotebox picker
ssh -t myuser@remotebox my-fedora
ssh myuser@remotebox my-fedora cat /etc/hosts
ssh myuser@remotebox
in tmux use CTRL+B n to move to the next window, CTRL+B c to create a new window, and CTRL+B d to detach
members of group jumpshell are allowed to sudo the helper script.
the helper script is a simple secure script that supports ls, exec and logs:
ls would list all containers having label owner=<USER> or group=<GROUP>
exec is followed by a container id; exec validates that the given container has the suitable label (authorize)
exec <ID> would run an interactive bash inside the given container
exec <ID> <COMMAND> would run bash -c "COMMAND" inside the given container
logs <ID> would tail and follow the logs of the given container
the shell of the desired user is set to docker-jumpshell.sh, which has more complex logic, but it's safe because the user can't sudo it
the shell is executed when users access it remotely via ssh
If a container is to be accessed by more than one user, create a UNIX group for that by typing groupadd jumpshell-mygroup, then add users to that group, then run your docker containers with label group=mygroup.
NOTE: we have added the jumpshell- prefix to the UNIX group name; that prefix is omitted from the docker label. The reason behind this is so that a label like group=admin maps to the UNIX group jumpshell-admin and not to the UNIX group admin
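The two passages above (the helper script's label check, and the jumpshell- prefix that keeps docker labels from naming pre-existing UNIX groups) are illustrated by the following added example. It is not the project's docker-jumpshell-helper.sh; the function names are hypothetical, the labels are assumed to be read with docker inspect, and membership of jumpshell-all is assumed to grant access to every container. Only the pure checks run offline; jumpshell_exec needs a docker daemon.

```shell
#!/bin/sh
# Added example, not the project's helper script: the authorization a
# sudo-allowed helper must perform before exec-ing into a container.
# Assumptions: labels come from `docker inspect`, label group=X maps to the
# UNIX group jumpshell-X, and jumpshell-all members may enter any container.

# Reject anything that is not a plain container name or id, so a caller
# cannot pass docker options or shell syntax through the sudo-allowed helper.
jumpshell_valid_id() {
    case "$1" in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# jumpshell_authorize USER "GROUP1 GROUP2 ..." OWNER_LABEL GROUP_LABEL
# Returns 0 when USER may enter a container carrying these labels.
jumpshell_authorize() {
    user=$1; groups_list=$2; owner_label=$3; group_label=$4
    # owner=<USER> matches the calling user directly
    [ -n "$owner_label" ] && [ "$owner_label" = "$user" ] && return 0
    for g in $groups_list; do
        # jumpshell-all: assumed here to grant access to all containers
        [ "$g" = "jumpshell-all" ] && return 0
        # group=<X> is honoured only for UNIX group jumpshell-<X>, so a
        # label like group=admin can never match the real admin group
        [ -n "$group_label" ] && [ "$g" = "jumpshell-$group_label" ] && return 0
    done
    return 1
}

# Read the owner and group labels of a container (needs docker; not run offline).
# A missing label renders as an empty string.
jumpshell_labels() {
    docker inspect --format '{{index .Config.Labels "owner"}} {{index .Config.Labels "group"}}' "$1"
}

# What the helper's exec subcommand does once every check passes.
jumpshell_exec() {
    id=$1; shift
    user=${SUDO_USER:?helper must be run via sudo}
    jumpshell_valid_id "$id" || { echo "bad container id" >&2; return 2; }
    labels=$(jumpshell_labels "$id") || return 2
    owner=${labels%% *}; group=${labels#* }
    jumpshell_authorize "$user" "$(id -Gn "$user")" "$owner" "$group" \
        || { echo "not authorized" >&2; return 3; }
    if [ $# -eq 0 ]; then
        exec docker exec -it "$id" bash
    else
        exec docker exec "$id" bash -c "$*"
    fi
}
```

Because the sudoers rule allows the helper with any arguments, the helper itself is the trust boundary: it must be owned by root and not writable by the jumpshell group, and it must treat every argument as untrusted, which is why the id check runs before anything reaches docker.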