├── .gitignore ├── Dockerfile ├── LICENSE ├── Makefile ├── README.md ├── config.go ├── config_test.go ├── docker.go ├── docker_test.go ├── dockersh.bash ├── dockersh.go ├── dockersh_test.go ├── hooks └── pre-commit ├── installer.sh ├── nsenter_linux_amd64.go ├── proxy.go ├── testutils └── docker ├── user.go └── user_test.go /.gitignore: -------------------------------------------------------------------------------- 1 | dockersh 2 | profile.out 3 | docker.in 4 | 5 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM google/golang 2 | 3 | ENV GOPATH $GOPATH:/gopath/src/github.com/docker/libcontainer/vendor 4 | WORKDIR /gopath/src/github.com/Yelp/dockersh 5 | ADD . /gopath/src/github.com/Yelp/dockersh/ 6 | RUN go get 7 | RUN make dockersh && chmod 755 /gopath/src/github.com/Yelp/dockersh/installer.sh && ln /gopath/src/github.com/Yelp/dockersh/dockersh /dockersh && chown root:root dockersh && chmod u+s dockersh 8 | 9 | CMD ["/gopath/src/github.com/Yelp/dockersh/installer.sh"] 10 | 11 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | dockersh: test 2 | go fmt && go build -ldflags "-linkmode external -extldflags -static" 3 | strip dockersh 4 | 5 | test: 6 | PATH=testutils/:$(PATH) go test -coverprofile=profile.out 7 | 8 | clean: 9 | rm -f dockersh 10 | go fmt 11 | 12 | localinstall: dockersh 13 | sudo cp dockersh /usr/local/bin/dockersh 14 | sudo chown root:root /usr/local/bin/dockersh 15 | sudo chmod u+s /usr/local/bin/dockersh 16 | 17 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ARCHIVAL NOTICE 2 | =============== 3 | 4 | This project is no longer maintained and is left up for historic purposes. 5 | 6 | 7 | dockersh 8 | ======== 9 | 10 | A user shell for isolated, containerized environments. 11 | 12 | What is this? 13 | ============= 14 | 15 | dockersh is designed to be used as a login shell on machines with multiple interactive users. 16 | 17 | When a user invokes dockersh, it will bring up a [Docker](https://docker.com/) container (if not already running), and 18 | then spawn a new interactive shell in the container's namespace. 19 | 20 | dockersh can be used as a shell in ``/etc/passwd`` or as an ssh ``ForceCommand``. 21 | 22 | 23 | This allows you to have a single ssh process on the normal ssh port which places user 24 | sessions into their own individual docker containers in a secure and locked down manner. 25 | 26 | Why do I want this? 27 | =================== 28 | 29 | You want to allow multiple users to ssh onto a single box, but you'd like some isolation 30 | between those users. With dockersh each user enters their 31 | own individual docker container (acting like a lightweight virtual machine), with their home directory mounted from the host 32 | system (so that user data is persistent between container restarts), but with its own kernel namespaces for 33 | processes and networking. 34 | 35 | 36 | This means that the user is isolated from the rest of the system, and they can only see their own processes, 37 | and have their own network stack. This gives better privacy between users, and can also be used for more easily 38 | separating each user's processes from the rest of the system with per user constraints. 39 | 40 | 41 | Normally to give users individual containers you have to run an ssh daemon in each 42 | container, and either have have a different port for each user to ssh to or some nasty 43 | Forcecommand hacks (which only work with agent forwarding from the client). 44 | 45 | 46 | Dockersh eliminates the need for any of these techniques by acting like a regular 47 | shell which can be used in ``/etc/passwd`` or as an ssh 48 | [ForceCommand](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/sshd_config.5?query=sshd_config). 49 | This allows you to have a single ssh process, on the normal ssh port, and gives 50 | a secure way to connect users into their own individual docker 51 | containers. 52 | 53 | SECURITY WARNING 54 | ================ 55 | 56 | dockersh tries hard to drop all privileges as soon as possible, including disabling 57 | the suid, sgid, raw sockets and mknod capabilities of the target process (and all children), 58 | however this doesn't mean that it is safe enough to allow public access to dockersh containers! 59 | 60 | *WARNING:* Whilst this project tries to make users inside containers have lowered privileges 61 | and drops capabilities to limit users ability to escalate their privilege level, it is not certain 62 | to be completely secure. Notably when Docker adds user namespace support, this can be used 63 | to further lock down privileges. 64 | 65 | *SECOND WARNING:* The dockersh binary needs the suid bit set so that it can make the syscalls to adjust 66 | kernel namespaces, so any security issues in this code are likely to be exploitable to root. 67 | 68 | Requirements 69 | ============ 70 | 71 | Linux >= 3.8 72 | 73 | Docker >= 1.2.0 74 | 75 | If you want to build it locally (rather than in a docker container), Go >= 1.2 76 | 77 | Installation 78 | ============ 79 | 80 | With docker 81 | ----------- 82 | 83 | (This is the recommended method). 84 | 85 | Build the Dockerfile in the local directory into an image, and run it like this: 86 | 87 | $ docker build . 88 | # Progress, takes a while the first time.. 89 | .... 90 | Successfully built 3006a08eef2e 91 | $ docker run -v /usr/local/bin:/target 3006a08eef2e 92 | 93 | Without docker 94 | -------------- 95 | 96 | You need to install golang (tested on 1.2 and 1.3), then you should just be able to run: 97 | 98 | go get 99 | make 100 | 101 | and a 'dockersh' binary will be generated in your ``$GOPATH`` (or your current 102 | working directory if ``$GOPATH`` isn't set). N.B. This binary needs to be moved to where 103 | you would like to install it (recommended ``/usr/local/bin``), and owned by root + u+s 104 | (suid). This is done automatically if you use the Docker based installed, but 105 | you need to do it manually if you're compiling the binary yourself. 106 | 107 | Invoking dockersh 108 | ================= 109 | 110 | There are two main methods of invoking dockersh. Either: 111 | 112 | 1. Put the path to dockersh into ``/etc/shells``, and then change the users shell 113 | in /etc/passwd (e.g. ``chsh myuser -s /usr/local/bin/dockersh``) 114 | 1. Set dockersh as the ssh ``ForceCommand`` in the users ``$HOME/.ssh/config``, or 115 | globally in ``/etc/ssh/ssh_config`` 116 | 117 | *Note:* The dockersh binary needs the suid bit set to operate! 118 | 119 | Configuration 120 | ============= 121 | 122 | We use [gcfg](https://code.google.com/p/gcfg/) to read configs in an ini style format. 123 | 124 | The global config file, ``/etc/dockershrc`` has a ``[dockersh]`` block in it, and zero or more ``[user "foo"]`` blocks. 125 | 126 | This can be used to set settings globally or per user, and also to enable the setting 127 | of settings in the (optional) per user configuration file (``~/.dockersh``), if enabled. 128 | 129 | Config file values 130 | ------------------ 131 | 132 | Setting name | Type | Description | Default value | Example value 133 | ------------- | ---- | ----------- | ------------- | ------------- 134 | imagename | String | The name of the container image to launch for the user. The %u sequence will interpolate the username | busybox | ubuntu, or %u/mydockersh 135 | containername | String | The name of the container (per user) which is launched. | %u_dockersh | %u-dsh 136 | mounthome | Bool | If the users home directory should be mounted in the target container | false | true 137 | mounttmp | Bool | If /tmp should be mounted into the target container (so that ssh agent forwarding works). N.B. Security risk | false | true 138 | mounthometo | String | Where to map the user's home directory inside the container. | %h | /opt/home/myhomedir 139 | mounthomefrom | String | Where to map the user's home directory from on the host. | %h | /opt/home/%u 140 | usercwd | String | Where to chdir into the container when starting a shell. | %h | / 141 | containerusername | String | Username which should be used inside the container. | %u | root 142 | shell | String | The shell that should be started for the user inside the container. | /bin/ash | /bin/bash 143 | mountdockersocket | Bool | If to mount the docker socket from the host. (DANGEROUS) | false | true 144 | dockersocket | String | The location of the docker socket from the host. | /var/run/docker.sock | /opt/docker/var/run/docker.sock 145 | entrypoint | String | The entrypoint for the persistent process to keep the container running | internal | /sbin/yoursupervisor 146 | cmd | Array of Strings | Additional parameters to pass when launching the container as the command line | | -c'/echo foo' 147 | dockeropt | Array of Strings | Additional options to pass to docker when launching the container. Can be used to mount additional volumes or limit memory etc. | | -v /some/place:/foovol 148 | enableuserconfig | Bool | Set to true to enable reading of per user ``~/.dockersh`` files | false | true 149 | enableuserimagename | Bool | Set to true to enable reading of imagename parameter from ``~/.dockersh`` files | false | true 150 | enableusercontainername | Bool | Set to true to enable reading of containername parameter from ``~/.dockersh`` files. (Dangerous!) | false | true 151 | enableusermounthome | Bool | Set to true to enable reading of mounthome parameter from ``~/.dockersh`` files | false | true 152 | enableusermounttmp | Bool | Set to true to enable reading of mounttmp parameter from ``~/.dockersh`` files | false | true 153 | enableusermounthometo | Bool | Set to true to enable reading of mounthometo parameter from ``~/.dockersh`` files | false | true 154 | enableusermounthomefrom | Bool | Set to true to enable reading of mounthomefrom parameter from ``~/.dockersh`` files | false | true 155 | enableuserusercwd | Bool | Set to true to enable reading of usercwd parameter from ``~/.dockersh`` files | false | true 156 | enableusercontainerusername | bool | Set to true to enable reading of containerusername parameter from ``~/.dockersh`` files | false | true 157 | enableusershell | Bool | Set to true to enable reading of shell parameter from ``~/.dockersh`` files | false | true 158 | enableuserentrypoint | Bool | Set to true to enable users to set their own supervisor daemon / entry point to the container for PID 1 | false | true 159 | enableusercmd | Bool | Set to true to enable users to set the additional command parameters to the entry point | false | true 160 | enableuserdockeropt | Bool | Set to true to enable users to set additional options to the docker container that's started. (Dangerous!) | false | true 161 | 162 | Notes: 163 | 164 | * Boolean settings are set by just putting the setting name in the config (see examples below). 165 | * You must set both ``enableuserconfig`` and the specific ``enableuserxxx`` setting that you want in ``/etc/dockersh`` to 166 | get any values parsed from ``~/.dockersh`` 167 | * Array values are represented by having the same config key appear multiple times, once per value. 168 | 169 | Config interpolations 170 | --------------------- 171 | 172 | The following sequences are interpolated if found in configuration variables: 173 | 174 | Sequence | Interpolation 175 | ---------|-------------- 176 | %u | The username of the user running dockersh 177 | %h | The homedirectory (from /etc/passwd) of the user running dockersh 178 | 179 | Example configs 180 | --------------- 181 | 182 | A very restricted environment, with only the busybox container, limited to 32M of memory, ``/etc/dockersh`` looks like this: 183 | 184 | [dockersh] 185 | imagename = busybox 186 | shell = /bin/ash 187 | usercwd = / 188 | 189 | A fairly restricted shell environment, but with homedirectories and one admin user being allowed additional privs, set the following ``/etc/dockersh`` 190 | 191 | [dockersh] 192 | imagename = ubuntu:precise 193 | shell = /bin/bash 194 | mounthome 195 | 196 | [user "someadminguy"] 197 | mounttmp 198 | mountdockersocket 199 | 200 | In a less restrictive environment, you may allow users to choose their own container and shell, from a 'shell' container 201 | they have uploaded to the registry, and have ssh agent forwarding working, with the following ``/etc/dockersh`` 202 | 203 | [dockersh] 204 | imagename = "%u/shell" 205 | mounthome 206 | mounttmp 207 | enableuserconfig 208 | enableusershell 209 | 210 | [user "someadminguy"] 211 | mountdockersocket 212 | 213 | And an example user's ``~/.dockersh`` 214 | 215 | [dockersh] 216 | shell = /bin/zsh 217 | 218 | Or just allowing your users to run whatever container they want: 219 | 220 | [dockersh] 221 | mounthome 222 | mounttmp 223 | enableuserconfig 224 | enableuserimagename 225 | 226 | Caveats 227 | ======= 228 | 229 | * User namespaces are not supported (yet) so if users escalate to root inside the container, they can probably escape 230 | * Tty/Pty handling is not great - whilst things appear to work, they don't go well in unusual circumstances (e.g. your process being killed due to OOM). 231 | * This code *has not* been audited by a 3rd party or a container expert, there are probably issues waiting to be found! 232 | 233 | TODO 234 | ==== 235 | 236 | * How do we deal with changed settings (i.e. when to recycle the container) 237 | * Document just kill 1 inside the container? 238 | * Fix up go panics when exiting the root container. 239 | * getpwnam so that we can interpolate the user's shell from /etc/shells (if used in ForceCommand mode!) 240 | * Decent test cases 241 | * Use libcontainer a lot more, in favour of our code: 242 | * https://github.com/docker/libcontainer/pull/143 - better nsenter with cgroups 243 | * https://github.com/docker/libcontainer/pull/150 - better forkexec 244 | * Find a better way to make ssh agent sockets work than to bind /tmp 245 | 246 | Contributing 247 | ============ 248 | 249 | Patches are very very welcome! 250 | 251 | This is our first real Go project, so we apologise about the shoddy quality of the code. 252 | 253 | Please make a branch and send us a pull request. 254 | 255 | Please ensure that you use the supplied pre-commit hook to correctly format your code 256 | with go fmt: 257 | 258 | ln -s hooks/pre-commit .git/hooks/pre-commit 259 | 260 | Copyright 261 | ========= 262 | 263 | Copyright (c) 2014 Yelp. Some rights are reserved (see the LICENSE file for more details). 264 | 265 | -------------------------------------------------------------------------------- /config.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "io/ioutil" 6 | "os" 7 | 8 | "gopkg.in/gcfg.v1" 9 | ) 10 | 11 | type Configuration struct { 12 | ImageName string 13 | EnableUserImageName bool 14 | ContainerName string 15 | EnableUserContainerName bool 16 | MountHomeFrom string 17 | EnableUserMountHomeFrom bool 18 | MountHomeTo string 19 | EnableUserMountHomeTo bool 20 | UserCwd string 21 | EnableUserUserCwd bool 22 | ContainerUsername string 23 | EnableUserContainerUsername bool 24 | Shell string 25 | EnableUserShell bool 26 | EnableUserConfig bool 27 | MountHome bool 28 | EnableUserMountHome bool 29 | MountTmp bool 30 | EnableUserMountTmp bool 31 | MountDockerSocket bool 32 | EnableUserMountDockerSocket bool 33 | DockerSocket string 34 | EnableUserDockerSocket bool 35 | Entrypoint string 36 | EnableUserEntrypoint bool 37 | Cmd []string 38 | EnableUserCmd bool 39 | DockerOpt []string 40 | EnableUserDockerOpt bool 41 | ReverseForward []string 42 | EnableUserReverseForward bool 43 | } 44 | 45 | func (c Configuration) Dump() string { 46 | return fmt.Sprintf("ImageName %s MountHomeTo %s ContainerUsername %s Shell %s DockerSocket %s", c.ImageName, c.MountHomeTo, c.ContainerUsername, c.Shell, c.DockerSocket) 47 | } 48 | 49 | type configInterpolation struct { 50 | Home string 51 | User string 52 | } 53 | 54 | var defaultConfig = Configuration{ 55 | ImageName: "busybox", 56 | ContainerName: "%u_dockersh", 57 | MountHomeFrom: "%h", 58 | MountHomeTo: "%h", 59 | UserCwd: "%h", 60 | ContainerUsername: "%u", 61 | Shell: "/bin/ash", 62 | DockerSocket: "/var/run/docker.sock", 63 | Entrypoint: "internal", 64 | } 65 | 66 | func loadAllConfig(user string, homedir string) (config Configuration, err error) { 67 | globalconfig, err := loadConfig(loadableFile("/etc/dockersh"), user) 68 | if err != nil { 69 | return config, err 70 | } 71 | if globalconfig.EnableUserConfig == true { 72 | localconfig, err := loadConfig(loadableFile(fmt.Sprintf("%s/.dockersh", homedir)), user) 73 | if err != nil { 74 | return config, err 75 | } 76 | return mergeConfigs(mergeConfigs(defaultConfig, globalconfig, false), localconfig, true), nil 77 | } 78 | return mergeConfigs(defaultConfig, globalconfig, false), nil 79 | } 80 | 81 | type loadableFile string 82 | 83 | func (fn loadableFile) Getcontents() ([]byte, error) { 84 | localConfigFile, err := os.Open(string(fn)) 85 | var b []byte 86 | if err != nil { 87 | return b, fmt.Errorf("Could not open: %s", string(fn)) 88 | } 89 | b, err = ioutil.ReadAll(localConfigFile) 90 | if err != nil { 91 | return b, err 92 | } 93 | localConfigFile.Close() 94 | return b, nil 95 | } 96 | 97 | func loadConfig(filename loadableFile, user string) (config Configuration, err error) { 98 | bytes, err := filename.Getcontents() 99 | if err != nil { 100 | return config, err 101 | } 102 | return loadConfigFromString(bytes, user) 103 | } 104 | 105 | func mergeConfigs(old Configuration, new Configuration, blacklist bool) (ret Configuration) { 106 | if (!blacklist || old.EnableUserShell) && new.Shell != "" { 107 | old.Shell = new.Shell 108 | } 109 | if (!blacklist || old.EnableUserContainerUsername) && new.ContainerUsername != "" { 110 | old.ContainerUsername = new.ContainerUsername 111 | } 112 | if (!blacklist || old.EnableUserImageName) && new.ImageName != "" { 113 | old.ImageName = new.ImageName 114 | } 115 | if (!blacklist || old.EnableUserMountHomeTo) && new.MountHomeTo != "" { 116 | old.MountHomeTo = new.MountHomeTo 117 | } 118 | if (!blacklist || old.EnableUserMountHomeFrom) && new.MountHomeFrom != "" { 119 | old.MountHomeFrom = new.MountHomeFrom 120 | } 121 | if (!blacklist || old.EnableUserDockerSocket) && new.DockerSocket != "" { 122 | old.DockerSocket = new.DockerSocket 123 | } 124 | if (!blacklist || old.EnableUserMountHome) && new.MountHome == true { 125 | old.MountHome = true 126 | } 127 | if (!blacklist || old.EnableUserMountTmp) && new.MountTmp == true { 128 | old.MountTmp = true 129 | } 130 | if (!blacklist || old.EnableUserMountDockerSocket) && new.MountDockerSocket == true { 131 | old.MountDockerSocket = true 132 | } 133 | if (!blacklist || old.EnableUserEntrypoint) && new.Entrypoint != "" { 134 | old.Entrypoint = new.Entrypoint 135 | } 136 | if (!blacklist || old.EnableUserUserCwd) && new.UserCwd != "" { 137 | old.UserCwd = new.UserCwd 138 | } 139 | if (!blacklist || old.EnableUserContainerName) && new.ContainerName != "" { 140 | old.ContainerName = new.ContainerName 141 | } 142 | if (!blacklist || old.EnableUserCmd) && len(new.Cmd) > 0 { 143 | old.Cmd = new.Cmd 144 | } 145 | if (!blacklist || old.EnableUserDockerOpt) && len(new.DockerOpt) > 0 { 146 | old.DockerOpt = new.DockerOpt 147 | } 148 | if (!blacklist || old.EnableUserReverseForward) && len(new.ReverseForward) > 0 { 149 | old.ReverseForward = new.ReverseForward 150 | } 151 | if !blacklist && new.EnableUserConfig == true { 152 | old.EnableUserConfig = true 153 | } 154 | return old 155 | } 156 | 157 | func loadConfigFromString(bytes []byte, user string) (config Configuration, err error) { 158 | inicfg := struct { 159 | Dockersh Configuration 160 | User map[string]*Configuration 161 | }{} 162 | err = gcfg.ReadStringInto(&inicfg, string(bytes)) 163 | if err != nil { 164 | return config, err 165 | } 166 | if inicfg.User[user] == nil { 167 | return inicfg.Dockersh, nil 168 | } 169 | return mergeConfigs(inicfg.Dockersh, *inicfg.User[user], false), nil 170 | } 171 | -------------------------------------------------------------------------------- /config_test.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "os" 5 | "testing" 6 | ) 7 | 8 | func Test_loadAllConfig_1(t *testing.T) { 9 | if _, err := os.Stat("/etc/dockersh"); os.IsNotExist(err) { 10 | t.Log("No /etc/dockersh, skipping test") 11 | return 12 | } 13 | _, err := loadAllConfig("notexist", "/notexist") 14 | if err != nil { 15 | t.Errorf("Got error %v", err) 16 | } 17 | } 18 | 19 | func Test_Dump_1(t *testing.T) { 20 | exp := "ImageName busybox MountHomeTo %h ContainerUsername %u Shell /bin/ash DockerSocket /var/run/docker.sock" 21 | str := defaultConfig.Dump() 22 | if str != exp { 23 | t.Errorf("Got '%s' expected '%s'", str, exp) 24 | } 25 | 26 | } 27 | 28 | func Test_DefaultConfig_1(t *testing.T) { 29 | if defaultConfig.ImageName == "busybox" { 30 | t.Log("default ImageName passed.") 31 | } else { 32 | t.Errorf("default ImageName failed: expected busybox got %s", defaultConfig.ImageName) 33 | } 34 | } 35 | 36 | func Test_SimpleConfig_1(t *testing.T) { 37 | c, err := loadConfigFromString([]byte(``), "fred") 38 | if err != nil { 39 | t.Error(err) 40 | } 41 | c, err = loadConfigFromString([]byte(`[dockersh] 42 | imagename = testimage`), "fred") 43 | if err != nil { 44 | t.Error(err) 45 | } 46 | if c.ImageName == "testimage" { 47 | t.Log("set ImageName passed.") 48 | } else { 49 | t.Errorf("Expected ImageName testimage got %s", c.ImageName) 50 | } 51 | } 52 | 53 | func Test_UserConfig_1(t *testing.T) { 54 | c, err := loadConfigFromString([]byte(`[dockersh] 55 | imagename = testimage 56 | shell = someshell 57 | 58 | [user "fred"] 59 | imagename = fredsimage 60 | containerusername = bill`), "fred") 61 | if err != nil { 62 | t.Error(err) 63 | } 64 | if c.Shell == "someshell" { 65 | t.Log("set Shell in dockersh config passed.") 66 | } else { 67 | t.Errorf("Expected Shell dockersg got %s", c.Shell) 68 | } 69 | if c.ContainerUsername == "bill" { 70 | t.Log("set ContainerUserName in user config passed.") 71 | } else { 72 | t.Errorf("Expected ContainerUserName bill got %s", c.ContainerUsername) 73 | } 74 | if c.ImageName == "fredsimage" { 75 | t.Log("set ImageName in user config passed.") 76 | } else { 77 | t.Errorf("Expected ImageName fredsimage got %s", c.ImageName) 78 | } 79 | } 80 | 81 | func Test_IniConfig_2(t *testing.T) { 82 | c := Configuration{ContainerUsername: "default_contun", ImageName: "default", EnableUserConfig: true, EnableUserImageName: true} 83 | n, err := loadConfigFromString([]byte(`[dockersh] 84 | imagename = testimage 85 | containerusername = shouldbeblacklisted`), "fred") 86 | c = mergeConfigs(c, n, true) 87 | if err != nil { 88 | t.Error(err) 89 | } 90 | if c.ImageName == "testimage" { 91 | t.Log("set ImageName passed.") 92 | } else { 93 | t.Errorf("Expected ImageName testimage got %s", c.ImageName) 94 | } 95 | if c.ContainerUsername == "default_contun" { 96 | t.Log("blacklising worked, value not changed") 97 | } else { 98 | t.Error("blacklisting failed") 99 | } 100 | } 101 | 102 | func Test_Config_3(t *testing.T) { 103 | c := Configuration{ContainerUsername: "default_contun", Shell: "default_shell"} 104 | c, err := loadConfigFromString([]byte(`[dockersh] 105 | shell = global_default 106 | containerusername = global_default 107 | mounthometo = somewhere 108 | enableusershell 109 | `), "fred") 110 | if err != nil { 111 | t.Error(err) 112 | } 113 | if c.Shell != "global_default" { 114 | t.Error("Set shell to global_default failed") 115 | } 116 | if c.ContainerUsername != "global_default" { 117 | t.Error("Set un to global default failed") 118 | } 119 | if c.MountHomeTo != "somewhere" { 120 | t.Error("Set mounthome to global default failed") 121 | } 122 | newc, err := loadConfigFromString([]byte(`[dockersh] 123 | shell = user_value 124 | containerusername = user_value 125 | mounthometo = somewhere_else`), "fred") 126 | if err != nil { 127 | t.Error(err) 128 | } 129 | c = mergeConfigs(c, newc, true) 130 | if c.Shell != "user_value" { 131 | t.Error("Local defaults not applying over global defaults") 132 | } else { 133 | t.Log("c.shell not overridden") 134 | } 135 | if c.ContainerUsername != "global_default" { 136 | t.Error("Blacklist of container_username in global config failed") 137 | } 138 | if c.MountHomeTo != "somewhere" { 139 | t.Error("Blacklist mounthome in global config failed") 140 | } 141 | } 142 | 143 | func Test_IniConfig_4(t *testing.T) { 144 | c, err := loadConfigFromString([]byte(`[dockersh] 145 | containerusername = default_contun 146 | imagename = default 147 | enableuserconfig 148 | enableuserimagename`), "fred") 149 | newc, err := loadConfigFromString([]byte(`[dockersh] 150 | imagename = testimage 151 | containerusername = shouldbeblacklisted`), "fred") 152 | if err != nil { 153 | t.Error(err) 154 | } 155 | c = mergeConfigs(c, newc, true) 156 | if c.ImageName == "testimage" { 157 | t.Log("set ImageName passed.") 158 | } else { 159 | t.Errorf("Expected ImageName testimage got %s", c.ImageName) 160 | } 161 | if c.ContainerUsername != "default_contun" { 162 | t.Error("blacklising disabled, value changed") 163 | } else { 164 | t.Log("blacklisting enabled, value has not changed") 165 | } 166 | } 167 | 168 | func Test_IniConfig_5(t *testing.T) { 169 | c, err := loadConfigFromString([]byte(`[dockersh] 170 | containerusername = default_contun 171 | imagename = default 172 | enableuserconfig 173 | `), "fred") 174 | newc, err := loadConfigFromString([]byte(`[dockersh] 175 | imagename = testimage 176 | containerusername = shouldbeblacklisted`), "fred") 177 | if err != nil { 178 | t.Error(err) 179 | } 180 | c = mergeConfigs(c, newc, true) 181 | if c.ImageName == "default" { 182 | t.Log("set ImageName passed.") 183 | } else { 184 | t.Errorf("Expected ImageName default got %s", c.ImageName) 185 | } 186 | if c.ContainerUsername != "default_contun" { 187 | t.Error("blacklising disabled, value changed") 188 | } else { 189 | t.Log("blacklisting enabled, value has not changed") 190 | } 191 | } 192 | 193 | func Test_IniConfig_6(t *testing.T) { 194 | c, err := loadConfigFromString([]byte(`[dockersh] 195 | imagename = default 196 | enableuserimagename 197 | 198 | [user "fred"] 199 | imagename = testimage 200 | `), "fred") 201 | if err != nil { 202 | t.Error(err) 203 | } 204 | if c.ImageName == "testimage" { 205 | t.Log("set ImageName in user section when blacklisted in [dockersh] passed.") 206 | } else { 207 | t.Errorf("Expected ImageName testimage got %s", c.ImageName) 208 | } 209 | } 210 | -------------------------------------------------------------------------------- /docker.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | "errors" 6 | "fmt" 7 | "os" 8 | "os/exec" 9 | "path/filepath" 10 | "strconv" 11 | "strings" 12 | ) 13 | 14 | func dockerVersionCheck() (err error) { 15 | versionString, err := getDockerVersionString() 16 | // Docker version 1.1.2, build d84a070 17 | versionStringParts := strings.Split(versionString, " ") 18 | versionParts := strings.Split(versionStringParts[2], ".") 19 | major, _ := strconv.Atoi(versionParts[0]) 20 | minor, _ := strconv.Atoi(versionParts[1]) 21 | if major > 1 { 22 | return nil 23 | } 24 | if minor >= 2 { 25 | return nil 26 | } 27 | return errors.New(fmt.Sprintf("Docker version '%s' lower than desired version '1.2.0'", versionStringParts[2])) 28 | } 29 | 30 | func getDockerVersionString() (string, error) { 31 | cmd := exec.Command("docker", "-v") 32 | o, err := cmd.Output() 33 | return string(o), err 34 | } 35 | 36 | func dockerpid(name string) (pid int, err error) { 37 | cmd := exec.Command("docker", "inspect", "--format", "{{.State.Pid}}", name) 38 | output, err := cmd.Output() 39 | if err != nil { 40 | return -1, errors.New(err.Error() + ":\n" + string(output)) 41 | } 42 | 43 | pid, err = strconv.Atoi(strings.TrimSpace(string(output))) 44 | 45 | if err != nil { 46 | return -1, errors.New(err.Error() + ":\n" + string(output)) 47 | } 48 | if pid == 0 { 49 | return -1, errors.New("Invalid PID") 50 | } 51 | return pid, nil 52 | } 53 | 54 | func dockersha(name string) (sha string, err error) { 55 | cmd := exec.Command("docker", "inspect", "--format", "{{.Id}}", name) 56 | output, err := cmd.Output() 57 | if err != nil { 58 | return sha, errors.New(err.Error() + ":\n" + string(output)) 59 | } 60 | sha = strings.TrimSpace(string(output)) 61 | if sha == "" { 62 | return "", errors.New("Invalid SHA") 63 | } 64 | return sha, nil 65 | } 66 | 67 | func dockerstart(config Configuration) (pid int, err error) { 68 | cmd := exec.Command("docker", "rm", config.ContainerName) 69 | _ = cmd.Run() 70 | cmdtxt, err := dockercmdline(config) 71 | if err != nil { 72 | return -1, err 73 | } 74 | //fmt.Fprintf(os.Stderr, "docker %s\n", strings.Join(cmdtxt, " ")) 75 | cmd = exec.Command("docker", cmdtxt...) 76 | var output bytes.Buffer 77 | cmd.Stdout = &output 78 | cmd.Stderr = &output 79 | err = cmd.Run() 80 | if err != nil { 81 | return -1, errors.New(err.Error() + ":\n" + output.String()) 82 | } 83 | return dockerpid(config.ContainerName) 84 | } 85 | 86 | func dockercmdline(config Configuration) ([]string, error) { 87 | var err error 88 | bindSelfAsInit := false 89 | init := config.Entrypoint 90 | if init == "internal" { 91 | init = "/init" 92 | bindSelfAsInit = true 93 | } 94 | thisBinary := "/usr/local/bin/dockersh" 95 | if os.Getenv("SHELL") != "/usr/local/bin/dockersh" { 96 | thisBinary, _ = filepath.Abs(os.Args[0]) 97 | } 98 | var cmdtxt = []string{"run", "-d", "-u", config.ContainerUsername, 99 | "-v", "/etc/passwd:/etc/passwd:ro", "-v", "/etc/group:/etc/group:ro", 100 | "--cap-drop", "SETUID", "--cap-drop", "SETGID", "--cap-drop", "NET_RAW", 101 | "--cap-drop", "MKNOD"} 102 | if len(config.DockerOpt) > 0 { 103 | for _, element := range config.DockerOpt { 104 | cmdtxt = append(cmdtxt, element) 105 | } 106 | } 107 | if config.MountTmp { 108 | cmdtxt = append(cmdtxt, "-v", "/tmp:/tmp") 109 | } 110 | if config.MountHome { 111 | cmdtxt = append(cmdtxt, "-v", fmt.Sprintf("%s:%s:rw", config.MountHomeFrom, config.MountHomeTo)) 112 | } 113 | if bindSelfAsInit { 114 | cmdtxt = append(cmdtxt, "-v", thisBinary+":/init") 115 | } else { 116 | if len(config.ReverseForward) > 0 { 117 | return []string{}, errors.New("Cannot configure ReverseForward with a custom init process") 118 | } 119 | } 120 | if config.MountDockerSocket { 121 | cmdtxt = append(cmdtxt, "-v", config.DockerSocket+":/var/run/docker.sock") 122 | } 123 | if len(config.ReverseForward) > 0 { 124 | cmdtxt, err = setupReverseForward(cmdtxt, config.ReverseForward) 125 | if err != nil { 126 | return []string{}, err 127 | } 128 | } 129 | cmdtxt = append(cmdtxt, "--name", config.ContainerName, "--entrypoint", init, config.ImageName) 130 | if len(config.Cmd) > 0 { 131 | for _, element := range config.Cmd { 132 | cmdtxt = append(cmdtxt, element) 133 | } 134 | } else { 135 | cmdtxt = append(cmdtxt, "") 136 | } 137 | 138 | return cmdtxt, nil 139 | } 140 | 141 | func validatePortforwardString(element string) error { 142 | parts := strings.Split(element, ":") 143 | if len(parts) != 2 { 144 | return errors.New("Number of parts must be 2") 145 | } 146 | if _, err := strconv.Atoi(parts[0]); err != nil { 147 | return (err) 148 | } 149 | if _, err := strconv.Atoi(parts[1]); err != nil { 150 | return (err) 151 | } 152 | return nil 153 | } 154 | 155 | func setupReverseForward(cmdtxt []string, reverseForward []string) ([]string, error) { 156 | for _, element := range reverseForward { 157 | err := validatePortforwardString(element) 158 | if err != nil { 159 | return cmdtxt, err 160 | } 161 | } 162 | cmdtxt = append(cmdtxt, "--env=DOCKERSH_PORTFORWARD="+strings.Join(reverseForward, ",")) 163 | return cmdtxt, nil 164 | } 165 | -------------------------------------------------------------------------------- /docker_test.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "testing" 5 | ) 6 | 7 | func Test_dockerPid_1(t *testing.T) { 8 | pid, err := dockerpid("testcontainer") 9 | if err != nil { 10 | t.Errorf("Error from dockerpid: %v", err) 11 | } 12 | if pid != 666 { 13 | t.Errorf("PID was %i expected 666", pid) 14 | } 15 | } 16 | 17 | func Test_dockerSha_1(t *testing.T) { 18 | sha, err := dockersha("testcontainer") 19 | if err != nil { 20 | t.Errorf("Error from dockersha: %v", err) 21 | } 22 | if sha != "666" { 23 | t.Errorf("SHA was %s expected 666", sha) 24 | } 25 | } 26 | 27 | func Test_dockerStart(t *testing.T) { 28 | c := Configuration{ContainerName: "somecontainer", ImageName: "busybox", MountHome: true, MountHomeFrom: "/home/fred", MountHomeTo: "/home/fred", Entrypoint: "internal", DockerSocket: "dockersock", Cmd: []string{"foo"}, DockerOpt: []string{"bar"}} 29 | pid, err := dockerstart(c) 30 | if err != nil { 31 | t.Errorf("Error from dockerstart: %v", err) 32 | } 33 | if pid != 666 { 34 | t.Errorf("PID was %i expected 666", pid) 35 | } 36 | } 37 | 38 | func Test_validatePortforwardString_1(t *testing.T) { 39 | err := validatePortforwardString("1:2") 40 | if err != nil { 41 | t.Errorf("Error on 1:2") 42 | } 43 | } 44 | 45 | func Test_validatePortforwardString_2(t *testing.T) { 46 | err := validatePortforwardString("foobar") 47 | if err == nil { 48 | t.Errorf("No error on foobar") 49 | } 50 | } 51 | 52 | func Test_validatePortforwardString_3(t *testing.T) { 53 | err := validatePortforwardString("foo:bar") 54 | if err == nil { 55 | t.Errorf("No error on foo:bar") 56 | } 57 | } 58 | 59 | func Test_validatePortforwardString_4(t *testing.T) { 60 | err := validatePortforwardString("1:bar") 61 | if err == nil { 62 | t.Errorf("No error on 1:bar") 63 | } 64 | } 65 | 66 | func Test_validatePortforwardString_5(t *testing.T) { 67 | err := validatePortforwardString("foo:2") 68 | if err == nil { 69 | t.Errorf("No error on foo:2") 70 | } 71 | } 72 | -------------------------------------------------------------------------------- /dockersh.bash: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # This is the initial prototype version of dockersh, just to prove that it could be done. 4 | 5 | # WARNING: This code is _entirely unsupported_ and a barely functional 6 | # prototype, please use the .go version if you'd actually like 7 | # to experiment with this project! 8 | 9 | # TODO: Figure out they want for a real shell 10 | REAL_SHELL=/bin/ash 11 | 12 | DESIRED_USER="nobody" 13 | # Must use a conistent naming scheme, docker will only let one of these run 14 | # at a time. 15 | DOCKER_NAME="${DESIRED_USER}_shell" 16 | 17 | # TODO: Figure out what they want from config 18 | DOCKER_CONTAINER=busybox 19 | 20 | DESIRED_USER="vagrant" 21 | 22 | # FIXME - We should instead work out the target UID inside the destination container? 23 | DESIRED_UID=$(id -u $DESIRED_USER) 24 | DESIRED_GID=$(id -g $DESIRED_USER) 25 | HOMEDIR=$(eval echo ~$DESIRED_USER) 26 | MYHOSTNAME="$(hostname --fqdn)-${DESIRED_USER}-docker" 27 | 28 | PID=$(docker inspect --format {{.State.Pid}} "$DOCKER_NAME" 2>/dev/null) 29 | # If we got here, then the docker is not running. 30 | if [ -z "$PID" ] || [ "$PID" == 0 ]; then 31 | # If the docker is stopped, we must remove it and start a new one 32 | docker rm --name="$DOCKER_NAME" >/dev/null 2>&1 # May not be running, just throw away the output 33 | # TODO: Configur the bind mounts 34 | # FIXME - If you docker attach to this container, then Ctrl-D, it dies. (This is expected?) 35 | docker run -t -i -u $DESIRED_USER --hostname="$MYHOSTNAME" --name="$DOCKER_NAME" -v $HOMEDIR:$HOMEDIR:rw -v /etc/passwd:/etc/passwd:ro -v /etc/group:/etc/group:ro -d "$DOCKER_CONTAINER" 36 | PID=$(docker inspect --format {{.State.Pid}} "$DOCKER_NAME") 37 | fi 38 | 39 | # N.B. You need to bobtfish/nsenter version of nsenter for suid/sgid to do the right thing. 40 | sudo nsenter --target "$PID" --mount --uts --ipc --net --pid --setuid $DESIRED_UID --setgid $DESIRED_GID --wd=$HOMEDIR -- "$REAL_SHELL" 41 | 42 | -------------------------------------------------------------------------------- /dockersh.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bufio" 5 | "encoding/hex" 6 | "errors" 7 | "fmt" 8 | "github.com/docker/libcontainer/user" 9 | "os" 10 | "os/signal" 11 | "strings" 12 | "syscall" 13 | ) 14 | 15 | func main() { 16 | if os.Args[0] == "/init" { 17 | os.Exit(initMain()) 18 | } else { 19 | os.Exit(realMain()) 20 | } 21 | } 22 | 23 | func tmplConfigVar(template string, v *configInterpolation) string { 24 | shell := "/bin/bash" 25 | r := strings.NewReplacer("%h", v.Home, "%u", v.User, "%s", shell) // Arguments are old, new ... 26 | return r.Replace(template) 27 | } 28 | 29 | func getInterpolatedConfig(config *Configuration, configInterpolations configInterpolation) error { 30 | config.ContainerUsername = tmplConfigVar(config.ContainerUsername, &configInterpolations) 31 | config.MountHomeTo = tmplConfigVar(config.MountHomeTo, &configInterpolations) 32 | config.MountHomeFrom = tmplConfigVar(config.MountHomeFrom, &configInterpolations) 33 | config.ImageName = tmplConfigVar(config.ImageName, &configInterpolations) 34 | config.Shell = tmplConfigVar(config.Shell, &configInterpolations) 35 | config.UserCwd = tmplConfigVar(config.UserCwd, &configInterpolations) 36 | config.ContainerName = tmplConfigVar(config.ContainerName, &configInterpolations) 37 | return nil 38 | } 39 | 40 | func Readln(r *bufio.Reader) (string, error) { 41 | var ( 42 | isPrefix bool = true 43 | err error = nil 44 | line, ln []byte 45 | ) 46 | for isPrefix && err == nil { 47 | line, isPrefix, err = r.ReadLine() 48 | ln = append(ln, line...) 49 | } 50 | return string(ln), err 51 | } 52 | 53 | func gatewayIP() (string, error) { 54 | file, err := os.Open("/proc/net/route") 55 | if err != nil { 56 | return "", errors.New("Could not open /proc/net/route") 57 | } 58 | defer file.Close() 59 | r := bufio.NewReader(file) 60 | s, err := Readln(r) 61 | ip := "" 62 | for err == nil { 63 | f := strings.Fields(s) 64 | if f[1] == "00000000" { 65 | a, _ := hex.DecodeString(f[2]) 66 | ip = fmt.Sprintf("%v.%v.%v.%v", a[3], a[2], a[1], a[0]) 67 | err = nil 68 | break 69 | } 70 | s, err = Readln(r) 71 | } 72 | return ip, err 73 | } 74 | 75 | func initMain() int { 76 | fmt.Fprintf(os.Stdout, "started dockersh persistent container\n") 77 | pfString := os.Getenv("DOCKERSH_PORTFORWARD") 78 | if pfString != "" { 79 | fmt.Printf("DOCKERSH_PORTFORWARD file exists; processing...") 80 | pfs := strings.Split(pfString, ",") 81 | gw, err := gatewayIP() 82 | if err != nil { 83 | panic(err) 84 | } 85 | for _, element := range pfs { 86 | err := validatePortforwardString(element) 87 | if err != nil { 88 | panic(err) 89 | } 90 | fmt.Println(element) 91 | parts := strings.Split(element, ":") // Parts is hostport:containerport 92 | localAddr := "127.0.0.1:" + parts[1] 93 | remoteAddr := gw + ":" + parts[0] 94 | go proxyMain(localAddr, remoteAddr) 95 | } 96 | } 97 | // Wait for terminating signal 98 | sc := make(chan os.Signal, 2) 99 | signal.Notify(sc, syscall.SIGTERM, syscall.SIGINT) 100 | <-sc 101 | return 0 102 | } 103 | 104 | func realMain() int { 105 | err := dockerVersionCheck() 106 | if err != nil { 107 | fmt.Fprintf(os.Stderr, "Docker version error: %v", err) 108 | return 1 109 | } 110 | username, homedir, uid, gid, err := getCurrentUser() 111 | if err != nil { 112 | fmt.Fprintf(os.Stderr, "could not get current user: %v", err) 113 | return 1 114 | } 115 | config, err := loadAllConfig(username, homedir) 116 | if err != nil { 117 | fmt.Fprintf(os.Stderr, "Could not load config: %v\n", err) 118 | return 1 119 | } 120 | configInterpolations := configInterpolation{homedir, username} 121 | err = getInterpolatedConfig(&config, configInterpolations) 122 | if err != nil { 123 | panic(fmt.Sprintf("Cannot interpolate config: %v", err)) 124 | } 125 | 126 | _, err = dockerpid(config.ContainerName) 127 | if err != nil { 128 | _, err = dockerstart(config) 129 | if err != nil { 130 | fmt.Fprintf(os.Stderr, "could not start container: %s\n", err) 131 | return 1 132 | } 133 | } 134 | _, _, groups, _, err := user.GetUserGroupSupplementaryHome(username, 65536, 65536, "/") 135 | err = nsenterexec(config.ContainerName, uid, gid, groups, config.UserCwd, config.Shell) 136 | if err != nil { 137 | fmt.Fprintf(os.Stderr, "Error starting shell in new container: %v\n", err) 138 | return 1 139 | } 140 | return 0 141 | } 142 | -------------------------------------------------------------------------------- /dockersh_test.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "testing" 5 | ) 6 | 7 | func Test_templConfigVar_1(t *testing.T) { 8 | i := configInterpolation{"foo", "bar"} 9 | out := tmplConfigVar("%s", &i) 10 | if out == "/bin/bash" { 11 | t.Log("OK") 12 | } else { 13 | t.Error("Expected /bin/bash, got %s", out) 14 | } 15 | } 16 | 17 | func Test_getInterpolatedConfig_1(t *testing.T) { 18 | i := configInterpolation{"foo", "bar"} 19 | c := defaultConfig 20 | e := getInterpolatedConfig(&c, i) 21 | if e != nil { 22 | t.Error("Error") 23 | } 24 | if c.MountHomeFrom != "foo" { 25 | t.Errorf("MountHomeFrom is %s not foo", c.MountHomeFrom) 26 | } 27 | } 28 | 29 | func Test_gatewayIP_1(t *testing.T) { 30 | ip, err := gatewayIP() 31 | if err != nil { 32 | t.Error("Error") 33 | } 34 | t.Log(ip) 35 | } 36 | -------------------------------------------------------------------------------- /hooks/pre-commit: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | go fmt 3 | 4 | -------------------------------------------------------------------------------- /installer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "dockersh installer - installs prebuilt dockersh binary" 4 | echo "" 5 | echo "To install dockersh" 6 | echo " docker run -v /usr/local/bin:/target thiscontainer" 7 | echo "If you're using the publicly available (built from source) container, this is:" 8 | echo " docker run -v /usr/local/bin:/target yelp/dockersh" 9 | echo "" 10 | 11 | if [ -d "/target" ];then 12 | echo "GOING TO DO INSTALL IN 5 SECONDS, Ctrl-C to abort" 13 | sleep 5 14 | rm -f /target/dockersh 15 | cp -a /dockersh /target/dockersh 16 | else 17 | echo "No /target directory found, not installing" 18 | fi 19 | 20 | -------------------------------------------------------------------------------- /nsenter_linux_amd64.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "encoding/json" 5 | "fmt" 6 | "os" 7 | "path" 8 | "strconv" 9 | "strings" 10 | . "syscall" 11 | 12 | "github.com/coreos/go-namespaces/namespace" 13 | "github.com/docker/libcontainer" 14 | "github.com/docker/libcontainer/namespaces" 15 | ) 16 | 17 | func loadContainer(path string) (*libcontainer.Config, error) { 18 | f, err := os.Open(path) 19 | if err != nil { 20 | return nil, err 21 | } 22 | 23 | var container *libcontainer.Config 24 | if err := json.NewDecoder(f).Decode(&container); err != nil { 25 | f.Close() 26 | return nil, err 27 | } 28 | f.Close() 29 | return container, nil 30 | } 31 | 32 | func openNamespaceFd(pid int, path string) (*os.File, error) { 33 | return os.Open(fmt.Sprintf("/proc/%s/root%s", strconv.Itoa(pid), path)) 34 | } 35 | 36 | func nsenterexec(containerName string, uid int, gid int, groups []int, wd string, shell string) (err error) { 37 | containerpid, err := dockerpid(containerName) 38 | if err != nil { 39 | panic(fmt.Sprintf("Could not get PID for container: %s", containerName)) 40 | } 41 | containerSha, err := dockersha(containerName) 42 | if err != nil { 43 | panic(fmt.Sprintf("Could not get SHA for container: %s %s", err.Error(), containerName)) 44 | } 45 | containerConfigLocation := fmt.Sprintf("/var/lib/docker/execdriver/native/%s/container.json", containerSha) 46 | container, err := loadContainer(containerConfigLocation) 47 | if err != nil { 48 | panic(fmt.Sprintf("Could not load container configuration: %v", err)) 49 | } 50 | 51 | rootfd, err := openNamespaceFd(containerpid, "") 52 | if err != nil { 53 | panic(fmt.Sprintf("Could not open fd to root: %s", err)) 54 | } 55 | rootfd.Close() 56 | 57 | cwdfd, err := openNamespaceFd(containerpid, wd) 58 | if err != nil { 59 | panic(fmt.Sprintf("Could not open fs to working directory (%s): %s", wd, err)) 60 | } 61 | cwdfd.Close() 62 | 63 | if strings.HasPrefix(shell, "/") != true { 64 | return fmt.Errorf("Shell '%s' does not start with /, need an absolute path", shell) 65 | } 66 | shell = path.Clean(shell) 67 | shellfd, err := openNamespaceFd(containerpid, shell) 68 | shellfd.Close() 69 | if err != nil { 70 | return fmt.Errorf("Cannot find your shell %s inside your container", shell) 71 | } 72 | 73 | var nslist = []uintptr{namespace.CLONE_NEWIPC, namespace.CLONE_NEWUTS, namespace.CLONE_NEWNET, namespace.CLONE_NEWPID, namespace.CLONE_NEWNS} // namespace.CLONE_NEWUSER 74 | for _, ns := range nslist { 75 | nsfd, err := namespace.OpenProcess(containerpid, ns) 76 | if nsfd == 0 || err != nil { 77 | panic("namespace.OpenProcess(containerpid, xxx)") 78 | } 79 | namespace.Setns(nsfd, ns) 80 | namespace.Close(nsfd) 81 | } 82 | 83 | pid, err := ForkExec(shell, []string{"sh"}, &ProcAttr{ 84 | //Env: 85 | Dir: wd, 86 | //sys.Setsid 87 | //sys.Setpgid 88 | //sys.Setctty && sys.Ctty 89 | Files: []uintptr{os.Stdin.Fd(), os.Stdout.Fd(), os.Stderr.Fd()}, 90 | Sys: &SysProcAttr{ 91 | Chroot: fmt.Sprintf("/proc/%s/root", strconv.Itoa(containerpid)), 92 | Credential: &Credential{Uid: uint32(uid), Gid: uint32(gid)}, //, Groups: []uint32(groups)}, 93 | }, 94 | }) 95 | if err != nil { 96 | panic(err) 97 | } 98 | proc, err := os.FindProcess(pid) 99 | if err != nil { 100 | panic(fmt.Sprintf("Could not get proc for pid %s", strconv.Itoa(pid))) 101 | } 102 | // FIXME Race condition 103 | cleaner, err := namespaces.SetupCgroups(container, pid) 104 | if err != nil { 105 | proc.Kill() 106 | proc.Wait() 107 | panic(fmt.Sprintf("SetupCgroups failed: %s", err.Error())) 108 | } 109 | if cleaner != nil { 110 | defer cleaner.Cleanup() 111 | } 112 | 113 | var wstatus WaitStatus 114 | _, err1 := Wait4(pid, &wstatus, 0, nil) 115 | if err != nil { 116 | panic(err1) 117 | } 118 | 119 | return nil 120 | } 121 | -------------------------------------------------------------------------------- /proxy.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "io" 6 | "net" 7 | ) 8 | 9 | func proxyConn(remoteAddr string, conn *net.TCPConn) { 10 | rAddr, err := net.ResolveTCPAddr("tcp", remoteAddr) 11 | if err != nil { 12 | fmt.Printf("%v", err) 13 | return 14 | } 15 | 16 | rConn, err := net.DialTCP("tcp", nil, rAddr) 17 | if err != nil { 18 | fmt.Printf("%v", err) 19 | return 20 | } 21 | defer rConn.Close() 22 | 23 | go io.Copy(conn, rConn) 24 | io.Copy(rConn, conn) 25 | } 26 | 27 | func handleConn(remoteAddr string, in <-chan *net.TCPConn, out chan<- *net.TCPConn) { 28 | for conn := range in { 29 | proxyConn(remoteAddr, conn) 30 | out <- conn 31 | } 32 | } 33 | 34 | func closeConn(in <-chan *net.TCPConn) { 35 | for conn := range in { 36 | conn.Close() 37 | } 38 | } 39 | 40 | func proxyMain(localAddr string, remoteAddr string) { 41 | fmt.Printf("Listening: %v\nProxying: %v\n\n", localAddr, remoteAddr) 42 | 43 | addr, err := net.ResolveTCPAddr("tcp", localAddr) 44 | if err != nil { 45 | fmt.Printf("%v", err) 46 | return 47 | } 48 | 49 | listener, err := net.ListenTCP("tcp", addr) 50 | if err != nil { 51 | fmt.Printf("%v", err) 52 | return 53 | } 54 | 55 | pending, complete := make(chan *net.TCPConn), make(chan *net.TCPConn) 56 | 57 | for i := 0; i < 5; i++ { 58 | go handleConn(remoteAddr, pending, complete) 59 | } 60 | go closeConn(complete) 61 | 62 | for { 63 | conn, err := listener.AcceptTCP() 64 | if err != nil { 65 | fmt.Printf("%v", err) 66 | return 67 | } 68 | pending <- conn 69 | } 70 | } 71 | -------------------------------------------------------------------------------- /testutils/docker: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "$*" > docker.in 4 | 5 | ARG1=$1 6 | if [ "$ARG1" == "inspect" ];then 7 | echo 666 8 | fi 9 | 10 | exit 0 11 | 12 | -------------------------------------------------------------------------------- /user.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "errors" 5 | "fmt" 6 | "os/user" 7 | "strconv" 8 | ) 9 | 10 | func getCurrentUser() (username string, homedir string, uid int, gid int, err error) { 11 | user, err := user.Current() 12 | if err != nil { 13 | return "", "", 0, 0, errors.New(fmt.Sprintf("could not get current user: %v", err)) 14 | } 15 | return getUser(user) 16 | } 17 | 18 | func getUser(user *user.User) (username string, homedir string, uid int, gid int, err error) { 19 | if user.HomeDir == "" { 20 | return "", "", 0, 0, errors.New("didn't get a home directory") 21 | } 22 | if user.Username == "" { 23 | return "", "", 0, 0, errors.New("didn't get a username") 24 | } 25 | uid, err = strconv.Atoi(user.Uid) 26 | gid, err = strconv.Atoi(user.Gid) 27 | return user.Username, user.HomeDir, uid, gid, nil 28 | } 29 | -------------------------------------------------------------------------------- /user_test.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import "testing" 4 | import "os/user" 5 | 6 | func Test_getCurrentUser_1(t *testing.T) { 7 | _, _, _, _, err := getCurrentUser() 8 | if err != nil { 9 | t.Error("Error from getCurrentUser") 10 | } 11 | } 12 | 13 | func Test_getUser_1(t *testing.T) { 14 | mockuser := &user.User{Username: "vagrant", HomeDir: "/home/vagrant", Uid: "1000", Gid: "1000"} 15 | username, homedir, uid, gid, err := getUser(mockuser) 16 | if err != nil { 17 | t.Error("Got error from getUser " + err.Error()) 18 | } 19 | if username == "vagrant" { 20 | t.Log("username passed.") 21 | } else { 22 | t.Errorf("Username failed: %s", username) 23 | } 24 | if homedir == "/home/vagrant" { 25 | t.Log("homedir passed.") 26 | } else { 27 | t.Errorf("homedir failed: %s", homedir) 28 | } 29 | if uid == 1000 { 30 | t.Log("uid passed.") 31 | } else { 32 | t.Errorf("uid failed: %i", uid) 33 | } 34 | if gid == 1000 { 35 | t.Log("git passed.") 36 | } else { 37 | t.Errorf("gid failed: %i", gid) 38 | } 39 | } 40 | 41 | func Test_getUser_2(t *testing.T) { 42 | mockuser := &user.User{Username: "", HomeDir: "/home/vagrant", Uid: "1000", Gid: "1000"} 43 | _, _, _, _, err := getUser(mockuser) 44 | if err == nil { 45 | t.Error("No error from getUser") 46 | } 47 | } 48 | 49 | func Test_getUser_3(t *testing.T) { 50 | mockuser := &user.User{Username: "Foo", HomeDir: "", Uid: "1000", Gid: "1000"} 51 | _, _, _, _, err := getUser(mockuser) 52 | if err == nil { 53 | t.Error("No error from getUser") 54 | } 55 | } 56 | --------------------------------------------------------------------------------