slaprunner: WIP for passwordless shellinabox

* use more recent shellinabox with copy & paste support * URL is now /shellinabox/ for some reason. Runner template has to be updated * PATH now contains /bin/ & /usr/bin/ is it good ? * Fixes for account creation when no .htpassword * Fixes for incorrect $HOME on shellinabox

slaprunner: WIP for passwordless shellinabox
* use more recent shellinabox with copy & paste support * URL is now /shellinabox/ for some reason. Runner template has to be updated * PATH now contains /bin/ & /usr/bin/ is it good ? * Fixes for account creation when no .htpassword * Fixes for incorrect $HOME on shellinabox
8f302f71 · Jérome Perrin · e09d3774 · 8f302f71 · 8f302f71 · 8f302f71
Commit 8f302f71 authored May 01, 2015 by Jérome Perrin
4 changed files
--- a/software/slaprunner/common.cfg
+++ b/software/slaprunner/common.cfg
@@ -46,7 +46,7 @@ mode = 0644
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/instance-runner.cfg
 output = ${buildout:directory}/template-runner.cfg.in
-md5sum = 7cfa24cdad2822396659d8d68fb02b36
+md5sum = 7e26c2f332dfca5446a6cb1d74e3d467
 mode = 0644

 [template-runner-import-script]
@@ -98,7 +98,7 @@ mode = 0644
 recipe = hexagonit.recipe.download
 url = ${:_profile_base_location_}/nginx_conf.in
 download-only = true
-md5sum = 7c0608eafb5c6998846851744a70b3de
+md5sum = d339a25e68b996c458f29b619de4ce77
 filename = nginx_conf.in
 mode = 0644


--- a/software/slaprunner/instance-runner.cfg
+++ b/software/slaprunner/instance-runner.cfg
@@ -4,7 +4,6 @@ parts =
  nginx-launcher
  certificate-authority
  ca-nginx
-  ca-shellinabox
  gunicorn-launcher
  gunicorn-graceful
  sshkeys-dropbear-runner
@@ -16,7 +15,6 @@ parts =
  slaprunner-supervisord-wrapper
  dropbear-promise
  runtestsuite
-  shellinabox-promise
  symlinks
  shellinabox
  slapos-cfg
@@ -269,7 +267,7 @@ scgi_temp_path = $${directory:tmp}/scgi_temp_path

 [nginx-frontend]
 # Options
-nb_workers = 2
+nb_workers = 5
 # Network
 local-ip = $${slap-network-information:local-ipv4}
 global-ip = $${slap-network-information:global-ipv6}
@@ -303,7 +301,7 @@ recipe = slapos.recipe.template:jinja2
 template = ${template_nginx_conf:location}/${template_nginx_conf:filename}
 rendered = $${nginx-frontend:path_nginx_conf}
 context =
-    key shellinabox_port shellinabox:port
+    key shellinabox_socket shellinabox:socket
    key socket gunicorn:socket
    section param_nginx_frontend nginx-frontend
    section param_tempdir tempdirectory
@@ -409,13 +407,6 @@ wrapper = $${directory:services}/nginx-frontend
 # Put domain name
 name = example.com

-[ca-shellinabox]
-<= certificate-authority
-recipe = slapos.cookbook:certificate_authority.request
-executable = $${shellinabox:wrapper}
-wrapper = $${directory:services}/shellinaboxd
-key-file = $${cadirectory:certs}/shellinabox.key
-cert-file = $${cadirectory:certs}/shellinabox.crt
 #--------------------
 #--
 #-- Request frontend
@@ -485,12 +476,6 @@ path = $${directory:promises}/dropbear
 hostname = $${dropbear-runner-server:host}
 port = $${dropbear-runner-server:port}

-[shellinabox-promise]
-recipe = slapos.cookbook:check_port_listening
-path = $${directory:promises}/shellinabox
-hostname = $${shellinabox:ipv6}
-port = $${shellinabox:port}
-
 [symlinks]
 recipe = cns.recipe.symlink
 symlink_target = $${directory:bin}
@@ -532,30 +517,26 @@ context =
  section slaprunner test-runner

 [shellinabox]
-recipe = slapos.cookbook:shellinabox
-ipv6 = $${slap-network-information:global-ipv6}
-port = 8949
-shell = $${shell:wrapper}
-wrapper = $${directory:bin}/shellinaboxd
-shellinabox-binary = ${shellinabox:location}/bin/shellinaboxd
-password = $${zero-parameters:shell-password}
-directory = $${runnerdirectory:home}
-login-shell = $${directory:bin}/login
-certificate-directory = $${cadirectory:certs}
-cert-file = $${ca-shellinabox:cert-file}
-key-file = $${ca-shellinabox:key-file}
-
-[shellinabox-code]
-recipe = slapos.cookbook:generate.password
-storage-path = $${directory:etc}/.scode
-bytes = 8
+recipe = slapos.recipe.template:jinja2
+# We cannot use slapos.cookbook:wrapper here because this recipe escapes too much
+socket = $${directory:run}/siab.sock
+mode = 0700
+rendered = $${directory:services}/shellinaboxd
+template = inline:
+  #!/bin/sh
+  exec ${shellinabox:location}/bin/shellinaboxd \
+    --disable-ssl \
+    --disable-ssl-menu \
+    --socket=$${:socket} \
+    --service "/:$(id -u):$(id -g):HOME:$${shell:wrapper}" \
+    --user-css "Black on White":+${shellinabox:location}/share/doc/shellinabox/black-on-white.css,"White on Black":-${shellinabox:location}/share/doc/shellinabox/white-on-black.css

 [shell]
 recipe = slapos.cookbook:shell
 wrapper = $${directory:bin}/sh
 shell = ${bash:location}/bin/bash
-home = $${runnerdirectory:home}
-path = $${environ:PATH}:${nano:location}/bin:${vim:location}/bin:${screen:location}/bin:${git:location}/bin:${tig:location}/bin
+home = $${buildout:directory}
+path = $${environ:PATH}:/usr/bin:/bin/:${nano:location}/bin:${vim:location}/bin:${screen:location}/bin:${git:location}/bin:${tig:location}/bin
 ps1 = "\\w> "

 [environ]
@@ -617,7 +598,6 @@ key = $${slap-connection:key-file}
 cert = $${slap-connection:cert-file}

 [public]
-shell-password = $${shellinabox-code:passwd}
 recovery-code = $${recovery-code:passwd}

 [zero-parameters]

--- a/software/slaprunner/nginx_conf.in
+++ b/software/slaprunner/nginx_conf.in
@@ -6,8 +6,8 @@ error_log {{ param_nginx_frontend['path_error_log'] }};
 daemon off;

 events {
-	worker_connections 1024;
-	accept_mutex off;
+  worker_connections 1024;
+  accept_mutex off;
 }

 http {
@@ -18,6 +18,7 @@ http {
        default upgrade;
        ''      close;
     }
+
     server {
        listen [{{ param_nginx_frontend['global-ip'] }}]:{{ param_nginx_frontend['global-port'] }} ssl;
        server_name _;
@@ -31,8 +32,12 @@ http {
        fastcgi_temp_path {{ param_tempdir['fastcgi_temp_path'] }};
        uwsgi_temp_path {{ param_tempdir['uwsgi_temp_path'] }};
        scgi_temp_path {{ param_tempdir['scgi_temp_path'] }};
-	error_page 401 /login;
+        
        location / {
+            # When no .htpasswd exist, redirect the user to account creation page
+            if ( !-f {{ param_nginx_frontend['etc_dir'] }}/.htpasswd ) {
+                return 301 /setAccount ;
+            }
            auth_basic "Restricted";
            auth_basic_user_file {{ param_nginx_frontend['etc_dir'] }}/.htpasswd;
            proxy_redirect off;
@@ -52,8 +57,9 @@ http {

            proxy_pass http://unix:{{ socket }};
        }
-	location /shellinabox {
-            proxy_pass  http://[{{ param_nginx_frontend['global-ip'] }}]:{{ shellinabox_port }}/;
+
+        location /shellinabox {
+            proxy_pass http://unix:{{ shellinabox_socket }}:/;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            auth_basic "Restricted";
            auth_basic_user_file {{ param_nginx_frontend['etc_dir'] }}/.htpasswd;
@@ -61,9 +67,9 @@ http {
            proxy_buffering off;
            proxy_set_header        Host              $host;
            proxy_set_header        X-Real-IP         $remote_addr;
-	    proxy_set_header        X-Forwarded-Proto $scheme;
+            proxy_set_header        X-Forwarded-Proto $scheme;
            proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
-	    proxy_set_header        X-Forwarded-Host  $http_host;
-	}
+            proxy_set_header        X-Forwarded-Host  $http_host;
+      }
    }
 }
--- a/software/slaprunner/template/bash_profile.in
+++ b/software/slaprunner/template/bash_profile.in
@@ -5,4 +5,5 @@
 cd {{ workdir }}
 export PATH={{- path }}
 export PS1="\w $ "
-export LANG="en_GB.UTF-8"
+export LANG="en_GB.UTF-8" # XXX jerome - is it good idea ?
+