Commit 8f302f71 authored by Jérome Perrin's avatar Jérome Perrin

slaprunner: WIP for passwordless shellinabox

* use more recent shellinabox with copy & paste support
* URL is now /shellinabox/ for some reason. Runner template has to be updated
* PATH now contains /bin/ & /usr/bin/ is it good ?
* Fixes for account creation when no .htpassword
* Fixes for incorrect $HOME on shellinabox
parent e09d3774
......@@ -46,7 +46,7 @@ mode = 0644
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/instance-runner.cfg
output = ${buildout:directory}/template-runner.cfg.in
md5sum = 7cfa24cdad2822396659d8d68fb02b36
md5sum = 7e26c2f332dfca5446a6cb1d74e3d467
mode = 0644
[template-runner-import-script]
......@@ -98,7 +98,7 @@ mode = 0644
recipe = hexagonit.recipe.download
url = ${:_profile_base_location_}/nginx_conf.in
download-only = true
md5sum = 7c0608eafb5c6998846851744a70b3de
md5sum = d339a25e68b996c458f29b619de4ce77
filename = nginx_conf.in
mode = 0644
......
......@@ -4,7 +4,6 @@ parts =
nginx-launcher
certificate-authority
ca-nginx
ca-shellinabox
gunicorn-launcher
gunicorn-graceful
sshkeys-dropbear-runner
......@@ -16,7 +15,6 @@ parts =
slaprunner-supervisord-wrapper
dropbear-promise
runtestsuite
shellinabox-promise
symlinks
shellinabox
slapos-cfg
......@@ -269,7 +267,7 @@ scgi_temp_path = $${directory:tmp}/scgi_temp_path
[nginx-frontend]
# Options
nb_workers = 2
nb_workers = 5
# Network
local-ip = $${slap-network-information:local-ipv4}
global-ip = $${slap-network-information:global-ipv6}
......@@ -303,7 +301,7 @@ recipe = slapos.recipe.template:jinja2
template = ${template_nginx_conf:location}/${template_nginx_conf:filename}
rendered = $${nginx-frontend:path_nginx_conf}
context =
key shellinabox_port shellinabox:port
key shellinabox_socket shellinabox:socket
key socket gunicorn:socket
section param_nginx_frontend nginx-frontend
section param_tempdir tempdirectory
......@@ -409,13 +407,6 @@ wrapper = $${directory:services}/nginx-frontend
# Put domain name
name = example.com
[ca-shellinabox]
<= certificate-authority
recipe = slapos.cookbook:certificate_authority.request
executable = $${shellinabox:wrapper}
wrapper = $${directory:services}/shellinaboxd
key-file = $${cadirectory:certs}/shellinabox.key
cert-file = $${cadirectory:certs}/shellinabox.crt
#--------------------
#--
#-- Request frontend
......@@ -485,12 +476,6 @@ path = $${directory:promises}/dropbear
hostname = $${dropbear-runner-server:host}
port = $${dropbear-runner-server:port}
[shellinabox-promise]
recipe = slapos.cookbook:check_port_listening
path = $${directory:promises}/shellinabox
hostname = $${shellinabox:ipv6}
port = $${shellinabox:port}
[symlinks]
recipe = cns.recipe.symlink
symlink_target = $${directory:bin}
......@@ -532,30 +517,26 @@ context =
section slaprunner test-runner
[shellinabox]
recipe = slapos.cookbook:shellinabox
ipv6 = $${slap-network-information:global-ipv6}
port = 8949
shell = $${shell:wrapper}
wrapper = $${directory:bin}/shellinaboxd
shellinabox-binary = ${shellinabox:location}/bin/shellinaboxd
password = $${zero-parameters:shell-password}
directory = $${runnerdirectory:home}
login-shell = $${directory:bin}/login
certificate-directory = $${cadirectory:certs}
cert-file = $${ca-shellinabox:cert-file}
key-file = $${ca-shellinabox:key-file}
[shellinabox-code]
recipe = slapos.cookbook:generate.password
storage-path = $${directory:etc}/.scode
bytes = 8
recipe = slapos.recipe.template:jinja2
# We cannot use slapos.cookbook:wrapper here because this recipe escapes too much
socket = $${directory:run}/siab.sock
mode = 0700
rendered = $${directory:services}/shellinaboxd
template = inline:
#!/bin/sh
exec ${shellinabox:location}/bin/shellinaboxd \
--disable-ssl \
--disable-ssl-menu \
--socket=$${:socket} \
--service "/:$(id -u):$(id -g):HOME:$${shell:wrapper}" \
--user-css "Black on White":+${shellinabox:location}/share/doc/shellinabox/black-on-white.css,"White on Black":-${shellinabox:location}/share/doc/shellinabox/white-on-black.css
[shell]
recipe = slapos.cookbook:shell
wrapper = $${directory:bin}/sh
shell = ${bash:location}/bin/bash
home = $${runnerdirectory:home}
path = $${environ:PATH}:${nano:location}/bin:${vim:location}/bin:${screen:location}/bin:${git:location}/bin:${tig:location}/bin
home = $${buildout:directory}
path = $${environ:PATH}:/usr/bin:/bin/:${nano:location}/bin:${vim:location}/bin:${screen:location}/bin:${git:location}/bin:${tig:location}/bin
ps1 = "\\w> "
[environ]
......@@ -617,7 +598,6 @@ key = $${slap-connection:key-file}
cert = $${slap-connection:cert-file}
[public]
shell-password = $${shellinabox-code:passwd}
recovery-code = $${recovery-code:passwd}
[zero-parameters]
......
......@@ -18,6 +18,7 @@ http {
default upgrade;
'' close;
}
server {
listen [{{ param_nginx_frontend['global-ip'] }}]:{{ param_nginx_frontend['global-port'] }} ssl;
server_name _;
......@@ -31,8 +32,12 @@ http {
fastcgi_temp_path {{ param_tempdir['fastcgi_temp_path'] }};
uwsgi_temp_path {{ param_tempdir['uwsgi_temp_path'] }};
scgi_temp_path {{ param_tempdir['scgi_temp_path'] }};
error_page 401 /login;
location / {
# When no .htpasswd exist, redirect the user to account creation page
if ( !-f {{ param_nginx_frontend['etc_dir'] }}/.htpasswd ) {
return 301 /setAccount ;
}
auth_basic "Restricted";
auth_basic_user_file {{ param_nginx_frontend['etc_dir'] }}/.htpasswd;
proxy_redirect off;
......@@ -52,8 +57,9 @@ http {
proxy_pass http://unix:{{ socket }};
}
location /shellinabox {
proxy_pass http://[{{ param_nginx_frontend['global-ip'] }}]:{{ shellinabox_port }}/;
proxy_pass http://unix:{{ shellinabox_socket }}:/;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
auth_basic "Restricted";
auth_basic_user_file {{ param_nginx_frontend['etc_dir'] }}/.htpasswd;
......
......@@ -5,4 +5,5 @@
cd {{ workdir }}
export PATH={{- path }}
export PS1="\w $ "
export LANG="en_GB.UTF-8"
export LANG="en_GB.UTF-8" # XXX jerome - is it good idea ?
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment