282 lines
12 KiB
Bash
282 lines
12 KiB
Bash
#!/bin/sh
|
|
set -eu
|
|
|
|
echo "=========================================="
|
|
echo " docker-bastion starting"
|
|
echo "=========================================="
|
|
|
|
# Trust every git repo regardless of UID — the bastion is a single-tenant
|
|
# isolated container, and ownership-mismatch on a bind-mounted repo
|
|
# (host uid != bastion uid) is the normal case here, not an attack vector.
|
|
# Without this, git refuses with "fatal: detected dubious ownership".
|
|
git config --system --add safe.directory '*' 2>/dev/null || true
|
|
echo "Date: $(date)"
|
|
echo "Hostname: $(hostname)"
|
|
echo "OpenSSH: $(/usr/sbin/sshd -V 2>&1 | head -1 || echo n/a)"
|
|
echo "Docker CLI: $(docker --version 2>/dev/null || echo n/a)"
|
|
echo "=========================================="
|
|
|
|
SSH_USER="agent"
|
|
SSH_PORT="${SSH_PORT:-22}"
|
|
HTTP_PORT="${HTTP_PORT:-8080}"
|
|
FORCE_COMMAND_VALUE="${FORCE_COMMAND:-}"
|
|
AUTHORIZED_KEYS_HOST="${AUTHORIZED_KEYS_HOST:-/etc/bastion/authorized_keys.host}"
|
|
AUTHORIZED_KEYS_REPO="${AUTHORIZED_KEYS_REPO:-/etc/bastion/authorized_keys.repo}"
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# 1) Validate config
|
|
# ---------------------------------------------------------------------------
|
|
if [ -z "$FORCE_COMMAND_VALUE" ]; then
|
|
echo "FATAL: FORCE_COMMAND must be set."
|
|
echo " e.g. FORCE_COMMAND='docker exec -it app bash'"
|
|
echo " or FORCE_COMMAND='cd /workspace && ./deploy.sh'"
|
|
exit 1
|
|
fi
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# 2) Host keys — generate on first boot, persist via /etc/ssh/keys volume
|
|
# ---------------------------------------------------------------------------
|
|
echo "[1/5] Host keys..."
|
|
mkdir -p /etc/ssh/keys
|
|
chmod 700 /etc/ssh/keys
|
|
for keytype in ed25519 rsa; do
|
|
keyfile="/etc/ssh/keys/ssh_host_${keytype}_key"
|
|
if [ ! -f "$keyfile" ]; then
|
|
echo " Generating new $keytype host key"
|
|
ssh-keygen -t "$keytype" -f "$keyfile" -N "" -q
|
|
else
|
|
echo " Reusing existing $keytype host key"
|
|
fi
|
|
chmod 600 "$keyfile"
|
|
[ -f "${keyfile}.pub" ] && chmod 644 "${keyfile}.pub"
|
|
done
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# 3) Merge authorized_keys sources
|
|
# ---------------------------------------------------------------------------
|
|
echo "[2/5] Authorized keys..."
|
|
AUTH_FILE="/home/${SSH_USER}/.ssh/authorized_keys"
|
|
mkdir -p "$(dirname "$AUTH_FILE")"
|
|
: > "$AUTH_FILE"
|
|
|
|
added=0
|
|
for src in "$AUTHORIZED_KEYS_HOST" "$AUTHORIZED_KEYS_REPO"; do
|
|
if [ -f "$src" ]; then
|
|
echo " + Merging $src"
|
|
cat "$src" >> "$AUTH_FILE"
|
|
# Force newline between sources (final file may not end with one).
|
|
printf '\n' >> "$AUTH_FILE"
|
|
added=$((added + 1))
|
|
fi
|
|
done
|
|
|
|
# awk emits matching lines (non-blank, non-comment), wc -l counts them.
|
|
# Both exit 0 even on empty input — important under `set -e`, which
|
|
# `grep -c` would have triggered (exits 1 when nothing matches).
|
|
file_keys=$(awk 'NF && $0 !~ /^[[:space:]]*#/' "$AUTH_FILE" 2>/dev/null | wc -l)
|
|
file_keys=$(echo "$file_keys" | tr -d ' ') # wc on busybox pads with spaces
|
|
echo " Boot-merged: $file_keys key(s) from $added file source(s)"
|
|
|
|
# Live-read directory — sshd reads this via AuthorizedKeysCommand on every
|
|
# auth attempt. We just report the current count for visibility; new files
|
|
# dropped in later take effect immediately, no restart needed.
|
|
dir_keys=0
|
|
if [ -d "${AUTHORIZED_KEYS_DIR:-/etc/bastion/users.d}" ]; then
|
|
dir_keys=$(find "${AUTHORIZED_KEYS_DIR}" -maxdepth 1 -name '*.pub' -type f 2>/dev/null | wc -l)
|
|
fi
|
|
echo " Live drop-in: $dir_keys key file(s) in $AUTHORIZED_KEYS_DIR"
|
|
|
|
if [ "$file_keys" -eq 0 ] && [ "$dir_keys" -eq 0 ]; then
|
|
echo " WARN: zero authorized keys configured."
|
|
echo " Drop *.pub files into $AUTHORIZED_KEYS_DIR on the host"
|
|
echo " (or mount AUTHORIZED_KEYS_HOST / AUTHORIZED_KEYS_REPO);"
|
|
echo " until then every SSH attempt will fail with 'publickey denied'."
|
|
fi
|
|
|
|
# chown -R is best-effort: if the caller bind-mounts read-only files into
|
|
# /home/agent/.ssh/ (e.g. an id_rsa for git push from FORCE_COMMAND), chown
|
|
# on those will fail with "Read-only file system" — which under `set -e`
|
|
# previously killed the boot script. The dir itself + the file we just
|
|
# wrote are what matter; everything else is the caller's business.
|
|
chown -R "${SSH_USER}:${SSH_USER}" "$(dirname "$AUTH_FILE")" 2>/dev/null || true
|
|
chmod 700 "$(dirname "$AUTH_FILE")"
|
|
chmod 600 "$AUTH_FILE"
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# 4) ForceCommand wrapper
|
|
#
|
|
# Write the configured command to a plain file, then a small wrapper that
|
|
# exec's `sh -c "$(cat ...)"`. This way:
|
|
# - Shell metacharacters in $FORCE_COMMAND work (&&, |, redirects, cd).
|
|
# - The wrapper itself stays static (no escaping of user input into a
|
|
# heredoc), and the command file is read at session start so changes
|
|
# to $FORCE_COMMAND only need a container restart, not a rebuild.
|
|
# ---------------------------------------------------------------------------
|
|
echo "[3/5] ForceCommand..."
|
|
mkdir -p /etc/bastion
|
|
printf '%s\n' "$FORCE_COMMAND_VALUE" > /etc/bastion/force-command.cmd
|
|
chmod 0644 /etc/bastion/force-command.cmd
|
|
|
|
cat > /etc/bastion/force-command <<'WRAPPER'
|
|
#!/bin/sh
|
|
# Auto-generated by docker-bastion start-container.
|
|
# sshd invokes this script for every authenticated session; the HTTP CGI
|
|
# exec's it after auth.
|
|
# SSH_ORIGINAL_COMMAND is intentionally ignored — clients cannot override.
|
|
#
|
|
# Force HOME for the agent user so git / ssh / xdg lookups land in the
|
|
# right place. sshd sets this already; busybox httpd's CGI doesn't, so
|
|
# without this fix `git push` complains about /root/.config/git/* perms.
|
|
export HOME=/home/agent
|
|
|
|
# If a deploy SSH key is mounted at the conventional location, point git
|
|
# at it explicitly. Setting HOME alone isn't enough when the CGI runs as
|
|
# root (HTTP_AS_ROOT=1) — ssh ignores HOME-based ~/.ssh/ lookup in that
|
|
# path and silently uses /root/.ssh/, which is empty.
|
|
if [ -f /home/agent/.ssh/id_rsa ]; then
|
|
export GIT_SSH_COMMAND="ssh -o IdentityFile=/home/agent/.ssh/id_rsa -o UserKnownHostsFile=/home/agent/.ssh/known_hosts -o StrictHostKeyChecking=accept-new"
|
|
fi
|
|
|
|
exec sh -c "$(cat /etc/bastion/force-command.cmd)"
|
|
WRAPPER
|
|
chmod 0755 /etc/bastion/force-command
|
|
echo " $FORCE_COMMAND_VALUE"
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# 5) Docker socket — if mounted, align group membership so the agent user
|
|
# can talk to dockerd without --privileged.
|
|
# ---------------------------------------------------------------------------
|
|
echo "[4/5] Docker socket..."
|
|
if [ -S /var/run/docker.sock ]; then
|
|
sock_gid=$(stat -c '%g' /var/run/docker.sock)
|
|
echo " Socket present, host gid=$sock_gid"
|
|
|
|
grp_name=$(getent group "$sock_gid" | cut -d: -f1 || true)
|
|
if [ -z "$grp_name" ]; then
|
|
grp_name="dockerhost"
|
|
addgroup -g "$sock_gid" "$grp_name" 2>/dev/null || true
|
|
echo " Created group $grp_name (gid=$sock_gid)"
|
|
else
|
|
echo " Reusing existing group $grp_name (gid=$sock_gid)"
|
|
fi
|
|
addgroup "$SSH_USER" "$grp_name" 2>/dev/null || true
|
|
echo " Added $SSH_USER to $grp_name"
|
|
else
|
|
echo " WARN: /var/run/docker.sock not mounted — docker-based FORCE_COMMAND will fail."
|
|
fi
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# 6) Adjust sshd_config port if non-default
|
|
# ---------------------------------------------------------------------------
|
|
if [ "$SSH_PORT" != "22" ]; then
|
|
sed -i "s/^Port 22\$/Port ${SSH_PORT}/" /etc/ssh/sshd_config
|
|
fi
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# 7) Optional HTTP listener (opt-in via $HTTP_BASIC_AUTH or $HTTP_TOKEN)
|
|
#
|
|
# Two mutually-exclusive auth modes. Pick one and set the matching env var:
|
|
#
|
|
# HTTP_BASIC_AUTH=user:pass → Basic auth. Works with browser URL bars,
|
|
# `curl -u user:pass`, and the URL syntax
|
|
# `https://user:pass@host/cgi-bin/run`.
|
|
# Handled by busybox's built-in -c auth.
|
|
# HTTP_TOKEN=secret → Bearer auth via Authorization header.
|
|
# `curl -H 'Authorization: Bearer secret'`.
|
|
# Handled by the CGI script.
|
|
#
|
|
# Why mutually exclusive: busybox httpd *strips* `Authorization: Basic` from
|
|
# the CGI env (it expects to handle basic auth itself), so a CGI-side check
|
|
# for Basic doesn't work. Conversely, when busybox is enforcing Basic via
|
|
# its conf file, Bearer requests get rejected by busybox before the CGI runs.
|
|
#
|
|
# Both modes exec the same /etc/bastion/force-command wrapper SSH uses;
|
|
# output streams back as the command produces it.
|
|
# ---------------------------------------------------------------------------
|
|
echo "[5/6] HTTP listener..."
|
|
if [ -n "${HTTP_BASIC_AUTH:-}" ]; then
|
|
echo " Auth: Basic — enabling httpd on port ${HTTP_PORT}"
|
|
mkdir -p /var/www/cgi-bin
|
|
# httpd.conf format for basic auth: `/path:user:password` per line.
|
|
# Plaintext is supported; for crypt hashes use $1$/$5$/$6$ prefixes.
|
|
printf '/cgi-bin/:%s\n' "$HTTP_BASIC_AUTH" > /etc/bastion/httpd.conf
|
|
# httpd drops to $SSH_USER before reading -c CONFFILE, so the file
|
|
# must be readable by that user. chown rather than world-read because
|
|
# the conf holds the plaintext password.
|
|
chown "${SSH_USER}:${SSH_USER}" /etc/bastion/httpd.conf
|
|
chmod 0600 /etc/bastion/httpd.conf
|
|
# CGI: auth already done by httpd before we got here.
|
|
cat > /var/www/cgi-bin/run <<'CGI'
|
|
#!/bin/sh
|
|
# Auto-generated. Auth was validated by busybox httpd via httpd.conf
|
|
# before this script ran — REMOTE_USER holds the authenticated username.
|
|
printf 'Content-Type: text/plain\r\nCache-Control: no-cache\r\nX-Accel-Buffering: no\r\n\r\n'
|
|
exec /etc/bastion/force-command 2>&1
|
|
CGI
|
|
chmod 0755 /var/www/cgi-bin/run
|
|
# -c CONFFILE = auth + content-type rules; httpd reads it as root before
|
|
# dropping to -u USER. CGI scripts then run as USER.
|
|
#
|
|
# Set HTTP_AS_ROOT=1 to skip the -u drop, so httpd (and the CGI it
|
|
# spawns) run as root. Use this when FORCE_COMMAND is a deploy-style
|
|
# script that needs full filesystem write + docker-socket access +
|
|
# arbitrary chown — busybox httpd's `-u USER` drop does setuid/setgid
|
|
# but not setgroups, so supplementary groups (e.g. dockerhost for the
|
|
# mounted /var/run/docker.sock) don't reach the CGI even when the user
|
|
# is a member on paper. Bastion already has socket = host root, so
|
|
# this doesn't enlarge the trust envelope.
|
|
if [ "${HTTP_AS_ROOT:-0}" = "1" ]; then
|
|
echo " HTTP_AS_ROOT=1 — httpd + CGI run as root"
|
|
httpd -f -p "${HTTP_PORT}" -h /var/www -c /etc/bastion/httpd.conf &
|
|
else
|
|
httpd -f -p "${HTTP_PORT}" -h /var/www -u "${SSH_USER}" -c /etc/bastion/httpd.conf &
|
|
fi
|
|
HTTP_PID=$!
|
|
echo " httpd PID ${HTTP_PID}, endpoint: /cgi-bin/run (basic auth)"
|
|
|
|
elif [ -n "${HTTP_TOKEN:-}" ]; then
|
|
echo " Auth: Bearer — enabling httpd on port ${HTTP_PORT}"
|
|
mkdir -p /var/www/cgi-bin
|
|
cat > /var/www/cgi-bin/run <<'CGI'
|
|
#!/bin/sh
|
|
# Auto-generated. Bearer auth handled here in the CGI.
|
|
case "${HTTP_AUTHORIZATION:-}" in
|
|
"Bearer ${HTTP_TOKEN}") ;;
|
|
*)
|
|
printf 'Status: 401 Unauthorized\r\nContent-Type: text/plain\r\nWWW-Authenticate: Bearer\r\n\r\nUnauthorized\n'
|
|
exit 0
|
|
;;
|
|
esac
|
|
printf 'Content-Type: text/plain\r\nCache-Control: no-cache\r\nX-Accel-Buffering: no\r\n\r\n'
|
|
exec /etc/bastion/force-command 2>&1
|
|
CGI
|
|
chmod 0755 /var/www/cgi-bin/run
|
|
if [ "${HTTP_AS_ROOT:-0}" = "1" ]; then
|
|
echo " HTTP_AS_ROOT=1 — httpd + CGI run as root"
|
|
httpd -f -p "${HTTP_PORT}" -h /var/www &
|
|
else
|
|
httpd -f -p "${HTTP_PORT}" -h /var/www -u "${SSH_USER}" &
|
|
fi
|
|
HTTP_PID=$!
|
|
echo " httpd PID ${HTTP_PID}, endpoint: /cgi-bin/run (bearer token)"
|
|
|
|
else
|
|
echo " HTTP disabled (set HTTP_BASIC_AUTH or HTTP_TOKEN to enable)"
|
|
fi
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# 8) sshd config sanity check + launch
|
|
# ---------------------------------------------------------------------------
|
|
echo "[6/6] sshd config check..."
|
|
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
|
|
|
|
echo "=========================================="
|
|
echo " SSH: port ${SSH_PORT}"
|
|
[ -n "${HTTP_TOKEN:-}" ] && echo " HTTP: port ${HTTP_PORT} (token-protected)"
|
|
echo " User: ${SSH_USER}"
|
|
echo " ForceCommand: ${FORCE_COMMAND_VALUE}"
|
|
echo "=========================================="
|
|
|
|
# -D = foreground, -e = log to stderr (so docker logs picks it up).
|
|
exec /usr/sbin/sshd -D -e
|