c-bastion
allows you to create users in a docker container via a CLI tool and then log in with these formerly created users. The CLI tool is called cbas
and can be found at:
https://github.com/immobilienscout24/cbas
The purpose of this project is to provide an EC2 instance with a Docker container that can be used as a jump-host with dynamically created users. After creation, the user is able to log in into the Docker container by using his/her given SSH key.
The basic flow is as follows:
+-----------------+ +-----------------+ +-----------------+
| | | | | |
| developer | | jump host | | auth server |
| | | | | |
+--------+--------+ +--------+--------+ +--------+--------+
| | |
+----------------------------------------->
| request token | |
<-----------------------------------------+
| receive token | |
| | |
+--------------------> |
| upload key +-------------------->
| | validate token |
| <--------------------+
<--------------------+ |
| upload OK | |
| | |
+--------------------> |
| ssh log in | |
| | |
| | |
| | |
+ + +
Where developer
is your local machine (desktop, laptop, etc..) auth server
is the auth-server and jump host
is the jump host. cbas
takes care of obtaining the token and uploading the ssh-key.
The bastion host is a slim Ubuntu and contains the following extra features:
- vim-nox
- screen and tmux
- zsh
- python with pip and virtualenv
- Import your Personal Environment via SSH
The main server-code is written Python and everything is packaged as a Docker container. Inside the Docker container we use Supervisor to run multiple processes. You may inspect the file supervisord.conf
to see the how it has been configured (and where the log files are).
To run the jump-host you will need a so called auth-server that can provide OpenID Connect Json Web Tokens. To configure this server, please supply the URL via an environment variable called AUTH_URL
. Note that is configured as a full url including the protocol and without a trailing slash, e.g. http://auth-server.example
.
The project is built with continuous integration on Travis CI. This tests the server code, builds the Docker image and uploads it to Docker Hub via Travis. Hence you may obtain the Docker image from our organization on Docker Hub:
https://hub.docker.com/r/immobilienscout24/c-bastion/
Personally, we use AWS CloudFormation in conjunction with (our own custom version of ) Stups Taupage to deploy. Your milage may vary. Unfortuntaley the templates we use contain private configuartion so we are unable to make those available to the public.
There are a total of three endpoints:
status
Check if the server is up and running.
create
Upload ssh-key-file and create user.
delete
Delete the user again.
version
Report the version as JSON.
Note however, that the preferred way to interact with the server is cbas
.
Pull the image from Docker Hub:
$ docker pull immobilienscout24/c-bastion
You can then launch the Docker image using, note how the AUTH_URL
is supplied:
$ docker run -p 127.0.0.1:8080:8080 -e AUTH_URL=http://auth-server.example immobilienscout24/c-bastion:latest
And finally, check that the container has started and that the jump-host server has come up:
$ curl http://127.0.0.1:8080/status
OK
You could also check the current version:
$ curl http://127.0.0.1:8080/version
{'version': '53'}
The project is written in Python 2.7 and uses PyBuilder build and test tool.
You should always build and test within a virtual-environment, that contains an up-to-date pip and `pybuilder`:
$ virtualenv venv $ source venv/bin/activate (venv) $ pip install -U pip (venv) $ pip install pybuilder (venv) $ pyb install_dependencies
To run just the unit-tests, static code analysis and coverage reporting:
(venv) $ pyb ...
To build the Docker image:
(venv) $ pyb docker_build
To system-test the Docker image:
(venv) $ pyb system_test
To build and run all available tests, simply type:
(venv) $ pyb all
Copyright 2016 Immobilien Scout GmbH
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.