Commit 8f302f71 authored by Jérome Perrin's avatar Jérome Perrin

slaprunner: WIP for passwordless shellinabox

* use more recent shellinabox with copy & paste support
* URL is now /shellinabox/ for some reason. Runner template has to be updated
* PATH now contains /bin/ & /usr/bin/ is it good ?
* Fixes for account creation when no .htpassword
* Fixes for incorrect $HOME on shellinabox
parent e09d3774
...@@ -46,7 +46,7 @@ mode = 0644 ...@@ -46,7 +46,7 @@ mode = 0644
recipe = slapos.recipe.template recipe = slapos.recipe.template
url = ${:_profile_base_location_}/instance-runner.cfg url = ${:_profile_base_location_}/instance-runner.cfg
output = ${buildout:directory}/template-runner.cfg.in output = ${buildout:directory}/template-runner.cfg.in
md5sum = 7cfa24cdad2822396659d8d68fb02b36 md5sum = 7e26c2f332dfca5446a6cb1d74e3d467
mode = 0644 mode = 0644
[template-runner-import-script] [template-runner-import-script]
...@@ -98,7 +98,7 @@ mode = 0644 ...@@ -98,7 +98,7 @@ mode = 0644
recipe = hexagonit.recipe.download recipe = hexagonit.recipe.download
url = ${:_profile_base_location_}/nginx_conf.in url = ${:_profile_base_location_}/nginx_conf.in
download-only = true download-only = true
md5sum = 7c0608eafb5c6998846851744a70b3de md5sum = d339a25e68b996c458f29b619de4ce77
filename = nginx_conf.in filename = nginx_conf.in
mode = 0644 mode = 0644
......
...@@ -4,7 +4,6 @@ parts = ...@@ -4,7 +4,6 @@ parts =
nginx-launcher nginx-launcher
certificate-authority certificate-authority
ca-nginx ca-nginx
ca-shellinabox
gunicorn-launcher gunicorn-launcher
gunicorn-graceful gunicorn-graceful
sshkeys-dropbear-runner sshkeys-dropbear-runner
...@@ -16,7 +15,6 @@ parts = ...@@ -16,7 +15,6 @@ parts =
slaprunner-supervisord-wrapper slaprunner-supervisord-wrapper
dropbear-promise dropbear-promise
runtestsuite runtestsuite
shellinabox-promise
symlinks symlinks
shellinabox shellinabox
slapos-cfg slapos-cfg
...@@ -269,7 +267,7 @@ scgi_temp_path = $${directory:tmp}/scgi_temp_path ...@@ -269,7 +267,7 @@ scgi_temp_path = $${directory:tmp}/scgi_temp_path
[nginx-frontend] [nginx-frontend]
# Options # Options
nb_workers = 2 nb_workers = 5
# Network # Network
local-ip = $${slap-network-information:local-ipv4} local-ip = $${slap-network-information:local-ipv4}
global-ip = $${slap-network-information:global-ipv6} global-ip = $${slap-network-information:global-ipv6}
...@@ -303,7 +301,7 @@ recipe = slapos.recipe.template:jinja2 ...@@ -303,7 +301,7 @@ recipe = slapos.recipe.template:jinja2
template = ${template_nginx_conf:location}/${template_nginx_conf:filename} template = ${template_nginx_conf:location}/${template_nginx_conf:filename}
rendered = $${nginx-frontend:path_nginx_conf} rendered = $${nginx-frontend:path_nginx_conf}
context = context =
key shellinabox_port shellinabox:port key shellinabox_socket shellinabox:socket
key socket gunicorn:socket key socket gunicorn:socket
section param_nginx_frontend nginx-frontend section param_nginx_frontend nginx-frontend
section param_tempdir tempdirectory section param_tempdir tempdirectory
...@@ -409,13 +407,6 @@ wrapper = $${directory:services}/nginx-frontend ...@@ -409,13 +407,6 @@ wrapper = $${directory:services}/nginx-frontend
# Put domain name # Put domain name
name = example.com name = example.com
[ca-shellinabox]
<= certificate-authority
recipe = slapos.cookbook:certificate_authority.request
executable = $${shellinabox:wrapper}
wrapper = $${directory:services}/shellinaboxd
key-file = $${cadirectory:certs}/shellinabox.key
cert-file = $${cadirectory:certs}/shellinabox.crt
#-------------------- #--------------------
#-- #--
#-- Request frontend #-- Request frontend
...@@ -485,12 +476,6 @@ path = $${directory:promises}/dropbear ...@@ -485,12 +476,6 @@ path = $${directory:promises}/dropbear
hostname = $${dropbear-runner-server:host} hostname = $${dropbear-runner-server:host}
port = $${dropbear-runner-server:port} port = $${dropbear-runner-server:port}
[shellinabox-promise]
recipe = slapos.cookbook:check_port_listening
path = $${directory:promises}/shellinabox
hostname = $${shellinabox:ipv6}
port = $${shellinabox:port}
[symlinks] [symlinks]
recipe = cns.recipe.symlink recipe = cns.recipe.symlink
symlink_target = $${directory:bin} symlink_target = $${directory:bin}
...@@ -532,30 +517,26 @@ context = ...@@ -532,30 +517,26 @@ context =
section slaprunner test-runner section slaprunner test-runner
[shellinabox] [shellinabox]
recipe = slapos.cookbook:shellinabox recipe = slapos.recipe.template:jinja2
ipv6 = $${slap-network-information:global-ipv6} # We cannot use slapos.cookbook:wrapper here because this recipe escapes too much
port = 8949 socket = $${directory:run}/siab.sock
shell = $${shell:wrapper} mode = 0700
wrapper = $${directory:bin}/shellinaboxd rendered = $${directory:services}/shellinaboxd
shellinabox-binary = ${shellinabox:location}/bin/shellinaboxd template = inline:
password = $${zero-parameters:shell-password} #!/bin/sh
directory = $${runnerdirectory:home} exec ${shellinabox:location}/bin/shellinaboxd \
login-shell = $${directory:bin}/login --disable-ssl \
certificate-directory = $${cadirectory:certs} --disable-ssl-menu \
cert-file = $${ca-shellinabox:cert-file} --socket=$${:socket} \
key-file = $${ca-shellinabox:key-file} --service "/:$(id -u):$(id -g):HOME:$${shell:wrapper}" \
--user-css "Black on White":+${shellinabox:location}/share/doc/shellinabox/black-on-white.css,"White on Black":-${shellinabox:location}/share/doc/shellinabox/white-on-black.css
[shellinabox-code]
recipe = slapos.cookbook:generate.password
storage-path = $${directory:etc}/.scode
bytes = 8
[shell] [shell]
recipe = slapos.cookbook:shell recipe = slapos.cookbook:shell
wrapper = $${directory:bin}/sh wrapper = $${directory:bin}/sh
shell = ${bash:location}/bin/bash shell = ${bash:location}/bin/bash
home = $${runnerdirectory:home} home = $${buildout:directory}
path = $${environ:PATH}:${nano:location}/bin:${vim:location}/bin:${screen:location}/bin:${git:location}/bin:${tig:location}/bin path = $${environ:PATH}:/usr/bin:/bin/:${nano:location}/bin:${vim:location}/bin:${screen:location}/bin:${git:location}/bin:${tig:location}/bin
ps1 = "\\w> " ps1 = "\\w> "
[environ] [environ]
...@@ -617,7 +598,6 @@ key = $${slap-connection:key-file} ...@@ -617,7 +598,6 @@ key = $${slap-connection:key-file}
cert = $${slap-connection:cert-file} cert = $${slap-connection:cert-file}
[public] [public]
shell-password = $${shellinabox-code:passwd}
recovery-code = $${recovery-code:passwd} recovery-code = $${recovery-code:passwd}
[zero-parameters] [zero-parameters]
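Review bot: Dropping `[shellinabox-promise]` (and `shellinabox-promise` from `parts`) together with `ca-shellinabox` leaves shellinaboxd with no promise at all, so a daemon that fails to start or dies on the new unix socket goes unnoticed by the instance. `slapos.cookbook:check_port_listening` no longer fits since `$${shellinabox:port}` is gone, but a replacement promise that checks `$${directory:run}/siab.sock` (or fetches /shellinabox/ through the nginx frontend) should be back in `parts` before this leaves WIP. With `--disable-ssl` and the `password` option removed, the only gates left on the shell are the nginx `auth_basic` check and the filesystem permissions of the socket; shellinaboxd's default socket mode is not visible here, so confirm that other local users cannot reach it via the run directory. The `nb_workers = 5` bump in `[nginx-frontend]` is not mentioned in the commit message and would be clearer as its own change.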
......
...@@ -6,8 +6,8 @@ error_log {{ param_nginx_frontend['path_error_log'] }}; ...@@ -6,8 +6,8 @@ error_log {{ param_nginx_frontend['path_error_log'] }};
daemon off; daemon off;
events { events {
worker_connections 1024; worker_connections 1024;
accept_mutex off; accept_mutex off;
} }
http { http {
...@@ -18,6 +18,7 @@ http { ...@@ -18,6 +18,7 @@ http {
default upgrade; default upgrade;
'' close; '' close;
} }
server { server {
listen [{{ param_nginx_frontend['global-ip'] }}]:{{ param_nginx_frontend['global-port'] }} ssl; listen [{{ param_nginx_frontend['global-ip'] }}]:{{ param_nginx_frontend['global-port'] }} ssl;
server_name _; server_name _;
...@@ -31,8 +32,12 @@ http { ...@@ -31,8 +32,12 @@ http {
fastcgi_temp_path {{ param_tempdir['fastcgi_temp_path'] }}; fastcgi_temp_path {{ param_tempdir['fastcgi_temp_path'] }};
uwsgi_temp_path {{ param_tempdir['uwsgi_temp_path'] }}; uwsgi_temp_path {{ param_tempdir['uwsgi_temp_path'] }};
scgi_temp_path {{ param_tempdir['scgi_temp_path'] }}; scgi_temp_path {{ param_tempdir['scgi_temp_path'] }};
error_page 401 /login;
location / { location / {
# When no .htpasswd exist, redirect the user to account creation page
if ( !-f {{ param_nginx_frontend['etc_dir'] }}/.htpasswd ) {
return 301 /setAccount ;
}
auth_basic "Restricted"; auth_basic "Restricted";
auth_basic_user_file {{ param_nginx_frontend['etc_dir'] }}/.htpasswd; auth_basic_user_file {{ param_nginx_frontend['etc_dir'] }}/.htpasswd;
proxy_redirect off; proxy_redirect off;
...@@ -52,8 +57,9 @@ http { ...@@ -52,8 +57,9 @@ http {
proxy_pass http://unix:{{ socket }}; proxy_pass http://unix:{{ socket }};
} }
location /shellinabox {
proxy_pass http://[{{ param_nginx_frontend['global-ip'] }}]:{{ shellinabox_port }}/; location /shellinabox {
proxy_pass http://unix:{{ shellinabox_socket }}:/;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
auth_basic "Restricted"; auth_basic "Restricted";
auth_basic_user_file {{ param_nginx_frontend['etc_dir'] }}/.htpasswd; auth_basic_user_file {{ param_nginx_frontend['etc_dir'] }}/.htpasswd;
...@@ -61,9 +67,9 @@ http { ...@@ -61,9 +67,9 @@ http {
proxy_buffering off; proxy_buffering off;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Host $http_host;
} }
} }
} }
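Review bot: The `if ( !-f {{ param_nginx_frontend['etc_dir'] }}/.htpasswd ) { return 301 /setAccount ; }` block sits inside `location /`, so unless a more specific `location /setAccount` exists outside this hunk, the request for /setAccount itself matches `location /` and is redirected to /setAccount again, an infinite redirect loop. If such a location exists, a comment next to the `if` naming it would make the dependency explicit; if not, /setAccount needs its own location or an exception in this check before the missing-htpasswd case works. `location /shellinabox` keeps `auth_basic` on the same `.htpasswd`, so it should not open up when the file is absent (nginx, as far as I recall, returns an error rather than passing the request when the user file cannot be read), but the new `error_page 401 /login;` internally redirects auth failures into `location /`, where `auth_basic` fires again; verify /login is reachable unauthenticated. The enclosing `http {` and `server {` blocks start outside the hunk.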
...@@ -5,4 +5,5 @@ ...@@ -5,4 +5,5 @@
cd {{ workdir }} cd {{ workdir }}
export PATH={{- path }} export PATH={{- path }}
export PS1="\w $ " export PS1="\w $ "
export LANG="en_GB.UTF-8" export LANG="en_GB.UTF-8" # XXX jerome - is it good idea ?