Skip to content

slapos
slapos
Commit d21df0ee authored by Jérome Perrin's avatar Jérome Perrin
Browse files
Options

Update Shellinabox in testnode 

/reviewed-on nexedi/slapos!408
parents 71d01aa6 5d4852c3
Hide whitespace changes
Inline Side-by-side
Showing with 86 additions and 404 deletions
component/shellinabox/0001-Switch-to-IPv6.patch deleted 100644 → 0
View file @ 71d01aa6
From 50ec7439e80bd6a77346dc6482895e481d8cd43a Mon Sep 17 00:00:00 2001
From: Antoine Catton <acatton@tiolive.com>
Date: Tue, 10 Jan 2012 18:30:20 +0100
Subject: [PATCH] Switch to IPv6
---
libhttp/http.h | 4 ++--
libhttp/httpconnection.c | 11 ++++++++++-
libhttp/server.c | 33 +++++++++++++++++++--------------
libhttp/server.h | 6 +++---
shellinabox/shellinaboxd.c | 14 +++++++-------
5 files changed, 41 insertions(+), 27 deletions(-)
diff --git a/libhttp/http.h b/libhttp/http.h
index e7840fa..5cd61e3 100644
--- a/libhttp/http.h
+++ b/libhttp/http.h
@@ -66,8 +66,8 @@ typedef struct ServerConnection ServerConnection;
typedef struct Server Server;
typedef struct URL URL;
-Server *newCGIServer(int localhostOnly, int portMin, int portMax, int timeout);
-Server *newServer(int localhostOnly, int port);
+Server *newCGIServer(char *ipv6, int portMin, int portMax, int timeout);
+Server *newServer(char *ipv6, int port);
void deleteServer(Server *server);
int serverGetListeningPort(Server *server);
int serverGetFd(Server *server);
diff --git a/libhttp/httpconnection.c b/libhttp/httpconnection.c
index c8e69f6..cae467f 100644
--- a/libhttp/httpconnection.c
+++ b/libhttp/httpconnection.c
@@ -823,8 +823,17 @@ static int httpHandleCommand(struct HttpConnection *http,
const char *host = getFromHashMap(&http->header,
"host");
if (host) {
+ int brackets = 0; // For IPv6 hosts
for (char ch; (ch = *host) != '\000'; host++) {
- if (ch == ':') {
+ if (ch == '[') {
+ brackets = 1;
+ break;
+ }
+ if (ch == ']') {
+ brackets = 0;
+ break;
+ }
+ if (!brackets && ch == ':') {
*(char *)host = '\000';
break;
}
diff --git a/libhttp/server.c b/libhttp/server.c
index f52a269..2c30bd8 100644
--- a/libhttp/server.c
+++ b/libhttp/server.c
@@ -170,19 +170,19 @@ static int serverQuitHandler(struct HttpConnection *http, void *arg) {
return HTTP_DONE;
}
-struct Server *newCGIServer(int localhostOnly, int portMin, int portMax,
+struct Server *newCGIServer(char *ipv6, int portMin, int portMax,
int timeout) {
struct Server *server;
check(server = malloc(sizeof(struct Server)));
- initServer(server, localhostOnly, portMin, portMax, timeout);
+ initServer(server, ipv6, portMin, portMax, timeout);
return server;
}
-struct Server *newServer(int localhostOnly, int port) {
- return newCGIServer(localhostOnly, port, port, -1);
+struct Server *newServer(char *ipv6, int port) {
+ return newCGIServer(ipv6, port, port, -1);
}
-void initServer(struct Server *server, int localhostOnly, int portMin,
+void initServer(struct Server *server, char *ipv6, int portMin,
int portMax, int timeout) {
server->looping = 0;
server->exitAll = 0;
@@ -192,14 +192,19 @@ void initServer(struct Server *server, int localhostOnly, int portMin,
server->numConnections = 0;
int true = 1;
- server->serverFd = socket(PF_INET, SOCK_STREAM, 0);
+ server->serverFd = socket(PF_INET6, SOCK_STREAM, 0);
check(server->serverFd >= 0);
check(!setsockopt(server->serverFd, SOL_SOCKET, SO_REUSEADDR,
&true, sizeof(true)));
- struct sockaddr_in serverAddr = { 0 };
- serverAddr.sin_family = AF_INET;
- serverAddr.sin_addr.s_addr = htonl(localhostOnly
- ? INADDR_LOOPBACK : INADDR_ANY);
+ struct sockaddr_in6 serverAddr = { 0 };
+ serverAddr.sin6_family = AF_INET6;
+ if (ipv6 != NULL) {
+ if (!inet_pton(AF_INET6, ipv6, serverAddr.sin6_addr.s6_addr)) {
+ fatal("Bad ipv6 address");
+ }
+ } else {
+ serverAddr.sin6_addr = in6addr_any;
+ }
// Linux unlike BSD does not have support for picking a local port range.
// So, we have to randomly pick a port from our allowed port range, and then
@@ -214,14 +219,14 @@ void initServer(struct Server *server, int localhostOnly, int portMin,
int portStart = rand() % (portMax - portMin + 1) + portMin;
for (int p = 0; p <= portMax-portMin; p++) {
int port = (p+portStart)%(portMax-portMin+1)+ portMin;
- serverAddr.sin_port = htons(port);
+ serverAddr.sin6_port = htons(port);
if (!bind(server->serverFd, (struct sockaddr *)&serverAddr,
sizeof(serverAddr))) {
break;
}
- serverAddr.sin_port = 0;
+ serverAddr.sin6_port = 0;
}
- if (!serverAddr.sin_port) {
+ if (!serverAddr.sin6_port) {
fatal("Failed to find any available port");
}
}
@@ -231,7 +236,7 @@ void initServer(struct Server *server, int localhostOnly, int portMin,
check(!getsockname(server->serverFd, (struct sockaddr *)&serverAddr,
&socklen));
check(socklen == sizeof(serverAddr));
- server->port = ntohs(serverAddr.sin_port);
+ server->port = ntohs(serverAddr.sin6_port);
info("Listening on port %d", server->port);
check(server->pollFds = malloc(sizeof(struct pollfd)));
diff --git a/libhttp/server.h b/libhttp/server.h
index bb879fb..5ffb698 100644
--- a/libhttp/server.h
+++ b/libhttp/server.h
@@ -78,10 +78,10 @@ struct Server {
struct SSLSupport ssl;
};
-struct Server *newCGIServer(int localhostOnly, int portMin, int portMax,
+struct Server *newCGIServer(char *ipv6, int portMin, int portMax,
int timeout);
-struct Server *newServer(int localhostOnly, int port);
-void initServer(struct Server *server, int localhostOnly, int portMin,
+struct Server *newServer(char *ipv6, int port);
+void initServer(struct Server *server, char *ipv6, int portMin,
int portMax, int timeout);
void destroyServer(struct Server *server);
void deleteServer(struct Server *server);
diff --git a/shellinabox/shellinaboxd.c b/shellinabox/shellinaboxd.c
index dcf05ff..2d1d758 100644
--- a/shellinabox/shellinaboxd.c
+++ b/shellinabox/shellinaboxd.c
@@ -80,7 +80,7 @@
static int port;
static int portMin;
static int portMax;
-static int localhostOnly = 0;
+static char *ipv6 = NULL;
static int noBeep = 0;
static int numericHosts = 0;
static int enableSSL = 1;
@@ -747,7 +747,7 @@ static void usage(void) {
" -g, --group=GID switch to this group (default: %s)\n"
" -h, --help print this message\n"
" --linkify=[none|normal|agressive] default is \"normal\"\n"
- " --localhost-only only listen on 127.0.0.1\n"
+ " --ipv6 listen on a specific ipv6\n"
" --no-beep suppress all audio output\n"
" -n, --numeric do not resolve hostnames\n"
" -p, --port=PORT select a port (default: %d)\n"
@@ -839,7 +839,7 @@ static void parseArgs(int argc, char * const argv[]) {
{ "static-file", 1, 0, 'f' },
{ "group", 1, 0, 'g' },
{ "linkify", 1, 0, 0 },
- { "localhost-only", 0, 0, 0 },
+ { "ipv6", 1, 0, 0 },
{ "no-beep", 0, 0, 0 },
{ "numeric", 0, 0, 'n' },
{ "port", 1, 0, 'p' },
@@ -1001,8 +1001,8 @@ static void parseArgs(int argc, char * const argv[]) {
"\"none\", \"normal\", or \"aggressive\".");
}
} else if (!idx--) {
- // Localhost Only
- localhostOnly = 1;
+ // IPv6
+ ipv6 = optarg;
} else if (!idx--) {
// No Beep
noBeep = 1;
@@ -1197,7 +1197,7 @@ int main(int argc, char * const argv[]) {
// Create a new web server
Server *server;
if (port) {
- check(server = newServer(localhostOnly, port));
+ check(server = newServer(ipv6, port));
dropPrivileges();
setUpSSL(server);
} else {
@@ -1217,7 +1217,7 @@ int main(int argc, char * const argv[]) {
_exit(0);
}
check(!NOINTR(close(fds[0])));
- check(server = newCGIServer(localhostOnly, portMin, portMax,
+ check(server = newCGIServer(ipv6, portMin, portMax,
AJAX_TIMEOUT));
cgiServer = server;
setUpSSL(server);
--
1.7.6.5
component/shellinabox/0002-Allow-to-run-entire-command-path.patch deleted 100644 → 0
View file @ 71d01aa6
From eee6f7180dc5dd4523264e7ce0721945ab2b78a1 Mon Sep 17 00:00:00 2001
From: Antoine Catton <acatton@tiolive.com>
Date: Wed, 11 Jan 2012 17:32:15 +0100
Subject: [PATCH 2/2] Allow to run entire command path.
---
shellinabox/launcher.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/shellinabox/launcher.c b/shellinabox/launcher.c
index fb8a133..e116a75 100644
--- a/shellinabox/launcher.c
+++ b/shellinabox/launcher.c
@@ -1226,8 +1226,7 @@ static void execService(int width, int height, struct Service *service,
extern char **environ;
environ = environment;
- char *cmd = strrchr(argv[0], '/');
- execvp(cmd ? cmd + 1: argv[0], argv);
+ execvp(argv[0], argv);
}
void setWindowSize(int pty, int width, int height) {
--
1.7.6.5
component/shellinabox/buildout.cfg
View file @ d21df0ee
......@@ -11,24 +11,6 @@ extends =
parts = shellinabox
[shellinabox]
<= shellinabox-2.10
[shellinabox-2.10]
; This version is old, but we patch it for IPv6 support
recipe = slapos.recipe.cmmi
url = http://shellinabox.googlecode.com/files/shellinabox-2.10.tar.gz
md5sum = 0e144910d85d92edc54702ab9c46f032
patch-binary = ${patch:location}/bin/patch
patch-options = -p1
patches =
${:_profile_base_location_}/0001-Switch-to-IPv6.patch#b61cb099c00e15a5fcaf6c98134fff45
${:_profile_base_location_}/0002-Allow-to-run-entire-command-path.patch#a506b4d83021e24c830f767501c1d3fc
environment =
CFLAGS = -I${zlib:location}/include -I${openssl:location}/include
LDFLAGS = -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib -L${openssl:location}/lib -Wl,-rpath=${openssl:location}/lib
PKG_CONFIG_PATH = ${openssl:location}/lib/pkgconfig/
[shellinabox-git-repository]
; This version has much more features, but does not support IPv6 (support unix domain though)
recipe = slapos.recipe.build:gitclone
......@@ -36,7 +18,7 @@ repository = https://github.com/shellinabox/shellinabox
revision = b8285748993c4c99e80793775f3d2a0a4e962d5a
git-executable = ${git:location}/bin/git
[shellinabox-github]
[shellinabox]
recipe = slapos.recipe.cmmi
path = ${shellinabox-git-repository:location}
configure-command =
......
setup.py
View file @ d21df0ee
......@@ -168,7 +168,6 @@ setup(name=name,
'reverseproxy.nginx = slapos.recipe.reverse_proxy_nginx:Recipe',
'sheepdogtestbed = slapos.recipe.sheepdogtestbed:SheepDogTestBed',
'shell = slapos.recipe.shell:Recipe',
'shellinabox = slapos.recipe.shellinabox:Recipe',
'signalwrapper= slapos.recipe.signal_wrapper:Recipe',
'simplelogger = slapos.recipe.simplelogger:Recipe',
'simplehttpserver = slapos.recipe.simplehttpserver:Recipe',
......
slapos/recipe/shellinabox.py deleted 100644 → 0
View file @ 71d01aa6
##############################################################################
#
# Copyright (c) 2010 Vifib SARL and Contributors. All Rights Reserved.
#
# WARNING: This program as such is intended to be used by professional
# programmers who take the whole responsibility of assessing all potential
# consequences resulting from its eventual inadequacies and bugs
# End users who are looking for a ready-to-use solution with commercial
# guarantees and support are strongly adviced to contract a Free Software
# Service Company
#
# This program is Free Software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 3
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
##############################################################################
from getpass import getpass
import hmac
import pwd
import grp
import os
import shlex
from slapos.recipe.librecipe import GenericBaseRecipe
def login_shell(password_file, shell):
if password_file:
with open(password_file, 'r') as password_file:
password = password_file.read()
if not password or hmac.compare_digest(getpass(), password):
commandline = shlex.split(shell)
os.execv(commandline[0], commandline)
return 1
def shellinabox(args):
certificate_dir = args['certificate_dir']
certificate_path = os.path.join(certificate_dir, 'certificate.pem')
with open(certificate_path, 'w') as certificate_file:
with open(args['ssl_key'], 'r') as key_file:
# XXX: Dirty hack in order to make shellinabox work
print >> certificate_file, key_file.read().replace(' PRIVATE ',
' RSA PRIVATE ')
with open(args['ssl_certificate']) as public_key_file:
print >> certificate_file, public_key_file.read()
user = pwd.getpwuid(os.getuid()).pw_uid
group = grp.getgrgid(os.getgid()).gr_gid
service = '/:%(user)s:%(group)s:%(directory)s:%(command)s' % {
'user': user,
'group': group,
'directory': args['directory'],
'command': args['login_shell'],
}
command_line = [
args['shellinabox'],
'-c', certificate_dir,
'-s', service,
'--ipv6', args['ipv6'],
'-p', args['port'],
]
# XXX: By default shellinbox drop privileges
# switching to nobody:nogroup user.
# This force root.
if group == 'root':
command_line.extend(['-g', group])
if user == 'root':
command_line.extend(['-u', group])
os.execv(command_line[0], command_line)
class Recipe(GenericBaseRecipe):
def install(self):
login_shell_wrapper = self.createPythonScript(
self.options['login-shell'],
__name__ + '.login_shell',
(self.options['password-file'], self.options['shell'])
)
shellinabox_wrapper = self.createPythonScript(
self.options['wrapper'],
__name__ + '.shellinabox',
(dict(
certificate_dir=self.options['certificate-directory'],
ssl_key=self.options['key-file'],
ssl_certificate=self.options['cert-file'],
shellinabox=self.options['shellinabox-binary'],
directory=self.options['directory'],
ipv6=self.options['ipv6'],
port=self.options['port'],
login_shell=login_shell_wrapper,
),)
)
return login_shell_wrapper, shellinabox_wrapper
software/erp5testnode/buildout.hash.cfg
View file @ d21df0ee
......@@ -18,4 +18,4 @@ md5sum = 307663d73ef3ef94b02567ecd322252e
[template-default]
filename = instance-default.cfg
md5sum = 555700e5d216ff32a981f4066791bdab
md5sum = d5a4270e5e7827db2e6a19d2eedb570b
software/erp5testnode/instance-default.cfg
View file @ d21df0ee
......@@ -9,8 +9,6 @@ extends = ${monitor2-template:rendered}
parts =
testnode
shell
shellinabox
certificate-authority
ca-shellinabox
ca-httpd-testnode
......@@ -18,11 +16,12 @@ parts =
monitor-publish
testnode-frontend
resiliency-exclude-file
shellinabox-frontend-reload
promises
[monitor-publish]
recipe = slapos.cookbook:publish
url = https://[$${shellinabox:ipv6}]:$${shellinabox:port}/
password = $${pwgen:passwd}
url = $${shellinabox-frontend:url}
frontend-url = $${testnode-frontend:connection-secure_access}
[pwgen]
......@@ -73,34 +72,70 @@ apache-modules-dir = ${apache:location}/modules
apache-mime-file = ${apache:location}/conf/mime.types
apache-htpasswd = ${apache:location}/bin/htpasswd
[shell]
recipe = slapos.cookbook:shell
wrapper = $${rootdirectory:bin}/sh
shell = ${busybox:location}/bin/sh
home = $${buildout:directory}
ps1 = "\\w> "
path =
${busybox:location}/bin/
${busybox:location}/usr/bin/
${git:location}/bin/
${python2.7:location}/bin/
${buildout:bin-directory}/
${busybox:location}/sbin/
${busybox:location}/usr/sbin/
[shell-environment]
shell = ${bash:location}/bin/bash
[shellinabox]
recipe = slapos.cookbook:shellinabox
recipe = slapos.recipe.template:jinja2
# We cannot use slapos.cookbook:wrapper here because this recipe escapes too much
socket = $${directory:run}/siab.sock
mode = 0700
rendered = $${basedirectory:services}/shellinaboxd
template = inline:
#!/bin/sh
exec ${shellinabox:location}/bin/shellinaboxd \
--disable-ssl \
--disable-ssl-menu \
--unixdomain-only=$${:socket}:$(id -u):$(id -g):0600 \
--service "/:$(id -u):$(id -g):HOME:$${shell-environment:shell} -l"
[shellinabox-frontend-config]
recipe = slapos.recipe.template:jinja2
rendered = $${directory:etc}/$${:_buildout_section_name_}
template = inline:
https://$${:hostname}:$${:port} {
bind $${:ipv6}
tls $${:cert-file} $${:key-file}
gzip
log stdout
errors stderr
proxy / unix:$${shellinabox:socket}
basicauth $${:username} $${:passwd} {
realm "Test Node $${testnode:test-node-title}"
/
}
}
ipv6 = $${slap-network-information:global-ipv6}
hostname = [$${:ipv6}]
port = 8080
shell = $${shell:wrapper}
wrapper = $${rootdirectory:bin}/shellinaboxd
shellinabox-binary = ${shellinabox:location}/bin/shellinaboxd
password-file = $${pwgen:storage-path}
directory = $${buildout:directory}/
login-shell = $${rootdirectory:bin}/login
certificate-directory = $${directory:shellinabox}
username = testnode
passwd = $${pwgen:passwd}
cert-file = $${directory:shellinabox}/public.crt
key-file = $${directory:shellinabox}/private.key
url = https://$${:username}:$${:passwd}@$${:hostname}:$${:port}
[shellinabox-frontend]
recipe = slapos.cookbook:wrapper
wrapper-path = $${rootdirectory:bin}/$${:_buildout_section_name_}
command-line =
${caddy:output} -conf $${shellinabox-frontend-config:rendered} -pidfile $${:pidfile}
url = $${shellinabox-frontend-config:url}
hostname = $${shellinabox-frontend-config:ipv6}
port = $${shellinabox-frontend-config:port}
pidfile = $${basedirectory:run}/$${:_buildout_section_name_}.pid
[shellinabox-frontend-reload]
recipe = slapos.cookbook:wrapper
wrapper-path = $${basedirectory:services}/$${:_buildout_section_name_}
command-line =
${bash:location}/bin/bash -c
"kill -s USR1 $$(${coreutils:location}/bin/cat $${shellinabox-frontend:pidfile}) \
&& ${coreutils:location}/bin/sleep infinity"
hash-files =
$${shellinabox-frontend-config:rendered}
$${shellinabox-frontend:wrapper-path}
[certificate-authority]
recipe = slapos.cookbook:certificate_authority
......@@ -124,10 +159,10 @@ crl = $${directory:ca-dir}/crl/
[ca-shellinabox]
<= certificate-authority
recipe = slapos.cookbook:certificate_authority.request
executable = $${shellinabox:wrapper}
wrapper = $${basedirectory:services}/shellinaboxd
key-file = $${shellinabox:key-file}
cert-file = $${shellinabox:cert-file}
executable = $${shellinabox-frontend:wrapper-path}
wrapper = $${basedirectory:services}/shellinabox-frontend
key-file = $${shellinabox-frontend-config:key-file}
cert-file = $${shellinabox-frontend-config:cert-file}
[ca-httpd-testnode]
<= certificate-authority
......@@ -181,6 +216,21 @@ config-https-only = true
#software-type = custom-personal
return = domain secure_access
[promises]
recipe =
instance-promises =
$${shellinabox-frontend-listen-promise:path}
[check-port-listening-promise]
recipe = slapos.cookbook:check_port_listening
path = $${directory:promises}/$${:_buildout_section_name_}
[shellinabox-frontend-listen-promise]
<= check-port-listening-promise
hostname= $${shellinabox-frontend:hostname}
port = $${shellinabox-frontend:port}
[slap-parameter]
node-quantity = 1
test-suite-master-url =
......
software/erp5testnode/software.cfg
View file @ d21df0ee
......@@ -5,7 +5,9 @@ extends =
../../component/git/buildout.cfg
../../component/lxml-python/buildout.cfg
../../component/zip/buildout.cfg
../../component/busybox/buildout.cfg
../../component/bash/buildout.cfg
../../component/caddy/buildout.cfg
../../component/coreutils/buildout.cfg
../../component/shellinabox/buildout.cfg
../../component/pwgen/buildout.cfg
../../component/apache/buildout.cfg
......@@ -27,6 +29,7 @@ eggs =
zc.buildout
slapos.libnetworkcache
slapos.core
slapos.recipe.template
supervisor
jsonschema
hexagonit.recipe.download
......
software/slaprunner/software.cfg
View file @ d21df0ee
......@@ -43,10 +43,6 @@ common-parts =
parts =
${:common-parts}
# Use shellinabox from github with AF_UNIX support
[shellinabox]
<= shellinabox-github
[template-base]
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/${:filename}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7