From 610f0865593fb5044781879d9d10460215428fcb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9rome=20Perrin?= <jerome@nexedi.com>
Date: Fri, 1 May 2015 07:31:24 +0000
Subject: [PATCH] slaprunner: use shellinabox from github

Since shellinabox listens on AF_UNIX, we don't need another password for
shellinabox
---
 software/slaprunner/README.txt          |  3 +-
 software/slaprunner/TODO.txt            |  1 -
 software/slaprunner/common.cfg          |  8 +++-
 software/slaprunner/instance-runner.cfg | 49 +++++++------------------
 software/slaprunner/nginx_conf.in       | 12 +++---
 5 files changed, 27 insertions(+), 46 deletions(-)

diff --git a/software/slaprunner/README.txt b/software/slaprunner/README.txt
index b25afb94b..8f615f791 100644
--- a/software/slaprunner/README.txt
+++ b/software/slaprunner/README.txt
@@ -147,7 +147,6 @@ As you can see in instance-runner-*.cfg, the buildout section extends a hard-cod
 List of ports used by the webrunner:
 ------------------------------------
 8602 : slapproxy, while running tests
-8949 : shellinabox
 9684 : apache (monitoring of slaprunner, git access)
 22222 : dropbear
 39986 : supervisord
@@ -156,4 +155,4 @@ List of ports used by the webrunner:
 
 Tips:
 -----
-You can use shellinabox in fullscreen, by accessing : https://[IPV6]:8949
+You can use shellinabox in fullscreen, by accessing : https://[IPV6]:50005/shellinabox/
diff --git a/software/slaprunner/TODO.txt b/software/slaprunner/TODO.txt
index 613819fda..3d6646101 100644
--- a/software/slaprunner/TODO.txt
+++ b/software/slaprunner/TODO.txt
@@ -1,4 +1,3 @@
 - resilient sr: Cloned instances should not launch slapgrid-sr if it was not launched on export instance
-- shellinabox password should be the same in all the resilient instances
 - add test for parameter auto-deploy-instance
 - Add download facility in file browser
diff --git a/software/slaprunner/common.cfg b/software/slaprunner/common.cfg
index b4b8a5ea6..8b229b54e 100644
--- a/software/slaprunner/common.cfg
+++ b/software/slaprunner/common.cfg
@@ -34,6 +34,10 @@ parts =
   rdiff-backup
   collective.recipe.template-egg
 
+# Use shellinabox from github with AF_UNIX support
+[shellinabox]
+<= shellinabox-github
+
 [template]
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/instance.cfg
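Review bot: `<= shellinabox-github` switches the terminal binary to a build from a GitHub checkout, but the part that defines that source is outside this patch, so it is not visible here whether it pins a fixed revision or follows a branch. If it follows a branch, the binary that hands out shells can change between builds without any change in this repository. Pinning a commit in `shellinabox-github` and saying so in the comment, for example `# Use shellinabox from github (pinned revision) for AF_UNIX support`, would keep the build reproducible and reviewable. The `[template]` section below the addition continues outside the hunk.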
@@ -45,7 +49,7 @@ mode = 0644
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/instance-runner.cfg
 output = ${buildout:directory}/template-runner.cfg.in
-md5sum = 41c0f9e23f7ea085faa59a2f7bfb0bab
+md5sum = d67efe18c8d2295a9cc1274151bd63ce
 mode = 0644
 
 [template-runner-import-script]
@@ -97,7 +101,7 @@ mode = 0644
 recipe = hexagonit.recipe.download
 url = ${:_profile_base_location_}/nginx_conf.in
 download-only = true
-md5sum = 7c0608eafb5c6998846851744a70b3de
+md5sum = 00b902364c32ef21a28461716700fb2b
 filename = nginx_conf.in
 mode = 0644
 
diff --git a/software/slaprunner/instance-runner.cfg b/software/slaprunner/instance-runner.cfg
index bceaf4f91..d971dd8a2 100644
--- a/software/slaprunner/instance-runner.cfg
+++ b/software/slaprunner/instance-runner.cfg
@@ -4,7 +4,6 @@ parts =
   nginx-launcher
   certificate-authority
   ca-nginx
-  ca-shellinabox
   gunicorn-launcher
   gunicorn-graceful
   sshkeys-dropbear-runner
@@ -16,7 +15,6 @@ parts =
   slaprunner-supervisord-wrapper
   dropbear-promise
   runtestsuite
-  shellinabox-promise
   symlinks
   shellinabox
   slapos-cfg
@@ -269,7 +267,7 @@ scgi_temp_path = $${directory:tmp}/scgi_temp_path
 
 [nginx-frontend]
 # Options
-nb_workers = 2
+nb_workers = 5
 # Network
 local-ip = $${slap-network-information:local-ipv4}
 global-ip = $${slap-network-information:global-ipv6}
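Review bot: The `nb_workers` change from 2 to 5 is not mentioned in the commit message and has no comment in `[nginx-frontend]`, so a later reader cannot tell whether it is needed for proxying shellinabox or is unrelated tuning. A one-line comment above it, such as `# 5 workers: <reason for the increase>`, or moving the change to its own commit would make the intent clear. The section continues outside the hunk.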
@@ -303,7 +301,7 @@ recipe = slapos.recipe.template:jinja2
 template = ${template_nginx_conf:location}/${template_nginx_conf:filename}
 rendered = $${nginx-frontend:path_nginx_conf}
 context =
-    key shellinabox_port shellinabox:port
+    key shellinabox_socket shellinabox:socket
     key socket gunicorn:socket
     section param_nginx_frontend nginx-frontend
     section param_tempdir tempdirectory
@@ -409,13 +407,6 @@ wrapper = $${directory:services}/nginx-frontend
 # Put domain name
 name = example.com
 
-[ca-shellinabox]
-<= certificate-authority
-recipe = slapos.cookbook:certificate_authority.request
-executable = $${shellinabox:wrapper}
-wrapper = $${directory:services}/shellinaboxd
-key-file = $${cadirectory:certs}/shellinabox.key
-cert-file = $${cadirectory:certs}/shellinabox.crt
 #--------------------
 #--
 #-- Request frontend
@@ -485,12 +476,6 @@ path = $${directory:promises}/dropbear
 hostname = $${dropbear-runner-server:host}
 port = $${dropbear-runner-server:port}
 
-[shellinabox-promise]
-recipe = slapos.cookbook:check_port_listening
-path = $${directory:promises}/shellinabox
-hostname = $${shellinabox:ipv6}
-port = $${shellinabox:port}
-
 [symlinks]
 recipe = cns.recipe.symlink
 symlink_target = $${directory:bin}
@@ -532,23 +517,18 @@ context =
   section slaprunner test-runner
 
 [shellinabox]
-recipe = slapos.cookbook:shellinabox
-ipv6 = $${slap-network-information:global-ipv6}
-port = 8949
-shell = $${shell:wrapper}
-wrapper = $${directory:bin}/shellinaboxd
-shellinabox-binary = ${shellinabox:location}/bin/shellinaboxd
-password = $${zero-parameters:shell-password}
-directory = $${runnerdirectory:home}
-login-shell = $${directory:bin}/login
-certificate-directory = $${cadirectory:certs}
-cert-file = $${ca-shellinabox:cert-file}
-key-file = $${ca-shellinabox:key-file}
-
-[shellinabox-code]
-recipe = slapos.cookbook:generate.password
-storage-path = $${directory:etc}/.scode
-bytes = 8
+recipe = slapos.recipe.template:jinja2
+# We cannot use slapos.cookbook:wrapper here because this recipe escapes too much
+socket = $${directory:run}/siab.sock
+mode = 0700
+rendered = $${directory:services}/shellinaboxd
+template = inline:
+  #!/bin/sh
+  exec ${shellinabox:location}/bin/shellinaboxd \
+    --disable-ssl \
+    --disable-ssl-menu \
+    --unixdomain-only=$${:socket}:$(id -u):$(id -g):0600 \
+    --service "/:$(id -u):$(id -g):HOME:$${shell:wrapper}"
 
 [shell]
 recipe = slapos.cookbook:shell
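Review bot: The new `--service "/:$(id -u):$(id -g):HOME:$${shell:wrapper}"` line appears to start the shell wrapper with no login step, and the commit drops `shell-password`, so the `auth_basic` on `location /shellinabox` in nginx_conf.in and the `0600` mode on the socket are now the only controls in front of a shell. That dependency is not written down in `[shellinabox]`; a comment above `socket =` such as `# No authentication here: access relies on the 0600 socket and on auth_basic in nginx_conf.in` would keep a later edit of the nginx location from silently exposing the terminal. The commit also removes `shellinabox-promise` without a replacement, so a promise that checks the socket would restore monitoring of the service. `$${:socket}` is unquoted in the generated script, so a path containing whitespace would split the `--unixdomain-only` argument; wrapping that argument in double quotes avoids it.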
@@ -617,7 +597,6 @@ key = $${slap-connection:key-file}
 cert = $${slap-connection:cert-file}
 
 [public]
-shell-password = $${shellinabox-code:passwd}
 recovery-code = $${recovery-code:passwd}
 
 [zero-parameters]
diff --git a/software/slaprunner/nginx_conf.in b/software/slaprunner/nginx_conf.in
index e863c6c40..b2a078d37 100644
--- a/software/slaprunner/nginx_conf.in
+++ b/software/slaprunner/nginx_conf.in
@@ -52,18 +52,18 @@ http {
 
             proxy_pass http://unix:{{ socket }};
         }
-	location /shellinabox {
-            proxy_pass  http://[{{ param_nginx_frontend['global-ip'] }}]:{{ shellinabox_port }}/;
+
+        location /shellinabox {
+            proxy_pass http://unix:{{ shellinabox_socket }}:/;
             proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
             auth_basic "Restricted";
             auth_basic_user_file {{ param_nginx_frontend['etc_dir'] }}/.htpasswd;
             proxy_redirect off;
             proxy_buffering off;
-            proxy_set_header        Host              $host;
             proxy_set_header        X-Real-IP         $remote_addr;
-	    proxy_set_header        X-Forwarded-Proto $scheme;
+            proxy_set_header        X-Forwarded-Proto $scheme;
             proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
-	    proxy_set_header        X-Forwarded-Host  $http_host;
-	}
+            proxy_set_header        X-Forwarded-Host  $http_host;
+      }
     }
 }
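Review bot: The closing brace of `location /shellinabox` is indented six spaces while the block opens at eight, unlike the `}` that closes the preceding location; `        }` would match. Dropping `proxy_set_header Host $host;` means the upstream now receives nginx's default Host value for the proxied request, with the client's host carried only in `X-Forwarded-Host`; that looks intended for a unix-socket upstream, but a one-line comment such as `# Host is left at nginx's default for the unix-socket upstream` would record it. The enclosing `http` block starts outside the hunk.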
-- 
2.30.9