This repository has been archived by the owner on Jan 6, 2022. It is now read-only.

Scout24/c-bastion

c-bastion -- Cloud Bastion Host (a.k.a. jump-host)

This project is DEPRECATED and no longer supported.

About

c-bastion allows you to create users in a Docker container via a CLI tool and then log in as these previously created users. The CLI tool is called cbas and can be found at:

https://github.com/immobilienscout24/cbas

The purpose of this project is to provide an EC2 instance running a Docker container that can be used as a jump-host with dynamically created users. After creation, the user is able to log in to the Docker container using the SSH key they supplied.

The basic flow is as follows:

+-----------------+  +-----------------+  +-----------------+
|                 |  |                 |  |                 |
|    developer    |  |    jump host    |  |   auth server   |
|                 |  |                 |  |                 |
+--------+--------+  +--------+--------+  +--------+--------+
         |                    |                    |
         +----------------------------------------->
         | request token      |                    |
         <-----------------------------------------+
         | receive token      |                    |
         |                    |                    |
         +-------------------->                    |
         | upload key         +-------------------->
         |                    | validate token     |
         |                    <--------------------+
         <--------------------+                    |
         | upload OK          |                    |
         |                    |                    |
         +-------------------->                    |
         | ssh log in         |                    |
         |                    |                    |
         |                    |                    |
         |                    |                    |
         +                    +                    +

Here, developer is your local machine (desktop, laptop, etc.), auth server is the auth-server, and jump host is the jump host. cbas takes care of obtaining the token and uploading the SSH key.
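The flow above, played out in code as an added example (this is not code from the c-bastion or cbas projects). The real jump host validates an OpenID Connect JWT against the auth server at AUTH_URL; here both sides are in-process functions and the token is an HS256 JWT signed with a shared secret, which is an assumption made so the example runs offline. The security-relevant point it shows is the jump host failing closed: no user is created and no key is installed unless the token's algorithm, signature, audience, expiry and subject all check out, and the key line itself is well-formed.

```python
"""Simulated c-bastion token/key-upload flow (added example, not project code).

Assumptions: HS256 with a shared secret stands in for OIDC verification;
the audience value, secret and sample key below are all constructed.
"""
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Optional

AUDIENCE = "jump-host"                  # constructed: audience the jump host expects in 'aud'
SECRET = b"constructed-shared-secret"   # constructed: stands in for the auth server's key material
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")          # safe unix username shape
ALLOWED_KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256")

# Constructed sample key line: a structurally valid ed25519 blob with dummy key bytes.
_BLOB = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()
SAMPLE_KEY_LINE = "ssh-ed25519 " + _BLOB + " alice@laptop"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, ttl: int = 300, now: Optional[float] = None) -> str:
    """Auth server: mint a short-lived JWT naming the developer and this jump host."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"sub": username, "aud": AUDIENCE,
                                 "iat": int(now), "exp": int(now) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"


def validate_token(token: str, now: Optional[float] = None) -> dict:
    """Jump host: fail closed unless alg, signature, audience, expiry and subject all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":   # pin the algorithm; never accept 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token not issued for this jump host")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not USERNAME_RE.fullmatch(str(claims.get("sub", ""))):
        raise ValueError("subject is not a safe unix username")
    return claims


def parse_public_key(line: str) -> str:
    """Accept exactly one OpenSSH public-key line whose blob matches its declared type."""
    fields = line.strip().split()
    if len(fields) not in (2, 3) or fields[0] not in ALLOWED_KEY_TYPES:
        raise ValueError("unsupported key line")
    blob = base64.b64decode(fields[1], validate=True)   # raises on non-base64 input
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type does not match blob")
    return f"{fields[0]} {fields[1]}"                    # comment field dropped


class JumpHost:
    """Authorized keys per user; the username always comes from the token, never from the client."""

    def __init__(self) -> None:
        self.authorized_keys: dict = {}

    def create(self, token: str, key_line: str, now: Optional[float] = None) -> str:
        claims = validate_token(token, now)     # validate before touching any state
        key = parse_public_key(key_line)
        self.authorized_keys.setdefault(claims["sub"], []).append(key)
        return claims["sub"]

    def delete(self, token: str, now: Optional[float] = None) -> bool:
        claims = validate_token(token, now)
        return self.authorized_keys.pop(claims["sub"], None) is not None


def _rejected(fn) -> bool:
    try:
        fn()
    except ValueError:      # binascii.Error from base64 is a ValueError subclass
        return True
    return False


def demo_flow(now: float = 1_700_000_000.0) -> dict:
    """Happy path plus the failures a jump host must refuse: expiry, forged claims, bad key."""
    host = JumpHost()
    token = issue_token("alice", now=now)
    user = host.create(token, SAMPLE_KEY_LINE, now=now)
    h64, _, s64 = token.split(".")
    other = _b64url(json.dumps({"sub": "bob", "aud": AUDIENCE, "exp": int(now) + 300}).encode())
    forged = f"{h64}.{other}.{s64}"          # claims swapped, original signature reused
    return {
        "user": user,
        "keys": len(host.authorized_keys[user]),
        "expired_rejected": _rejected(lambda: host.create(token, SAMPLE_KEY_LINE, now=now + 301)),
        "forged_rejected": _rejected(lambda: host.create(forged, SAMPLE_KEY_LINE, now=now)),
        "bad_key_rejected": _rejected(lambda: host.create(token, "ssh-rsa not-base64!", now=now)),
        "deleted": host.delete(token, now=now),
    }


if __name__ == "__main__":
    print(demo_flow())
```

Two design choices worth noting: the unix username is taken from the token's `sub` claim and checked against a strict pattern rather than accepted from the upload request, and the key blob is decoded and its embedded type compared with the declared type, so a line that is not really a public key never reaches authorized_keys.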

Features

The bastion host is a slim Ubuntu and contains the following extra features:

Architecture

The main server code is written in Python and everything is packaged as a Docker container. Inside the Docker container we use Supervisor to run multiple processes. You may inspect the file supervisord.conf to see how it has been configured (and where the log files are).

Configuration

To run the jump-host you will need a so-called auth-server that can provide OpenID Connect JSON Web Tokens. To configure this server, please supply the URL via an environment variable called AUTH_URL. Note that it is configured as a full URL including the protocol and without a trailing slash, e.g. http://auth-server.example.
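A startup check for the AUTH_URL rules just stated, as an added example (not code from c-bastion): it refuses a value without a protocol, with a trailing slash, or with a query string, and flags plain http so the operator knows tokens would travel unencrypted to the auth server.

```python
"""Validate AUTH_URL before the jump host starts (added example, not project code)."""
import os
from urllib.parse import urlsplit


def check_auth_url(value):
    """Return the URL unchanged if it follows the README's rules, else raise ValueError
    naming the rule that failed, so a misconfiguration is caught at startup."""
    if not value:
        raise ValueError("AUTH_URL is not set")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        raise ValueError("AUTH_URL must be a full URL including the protocol (http:// or https://)")
    if not parts.netloc:
        raise ValueError("AUTH_URL must contain a host")
    if parts.query or parts.fragment:
        raise ValueError("AUTH_URL must not carry a query string or fragment")
    if value.endswith("/"):
        raise ValueError("AUTH_URL must not end with a trailing slash")
    return value


def insecure_transport(value):
    """True when the token would be sent to the auth server over plain HTTP."""
    return urlsplit(value).scheme == "http"


def auth_url_from_env(environ=None):
    """Read and validate AUTH_URL from the process environment (or a supplied mapping)."""
    environ = os.environ if environ is None else environ
    return check_auth_url(environ.get("AUTH_URL"))


def rejects(value):
    """Helper: does check_auth_url refuse this value?"""
    try:
        check_auth_url(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    url = auth_url_from_env({"AUTH_URL": "http://auth-server.example"})   # constructed value
    if insecure_transport(url):
        print("warning: AUTH_URL uses plain http; tokens are sent unencrypted")
    print("AUTH_URL ok:", url)
```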

Docker Image Availability

The project is built with continuous integration on Travis CI. This tests the server code, builds the Docker image and uploads it to Docker Hub via Travis. Hence you may obtain the Docker image from our organization on Docker Hub:

https://hub.docker.com/r/immobilienscout24/c-bastion/

Deployment

Personally, we use AWS CloudFormation in conjunction with (our own custom version of) Stups Taupage to deploy. Your mileage may vary. Unfortunately the templates we use contain private configuration so we are unable to make those available to the public.

API

There are a total of three endpoints:

status

Check if the server is up and running.

create

Upload ssh-key-file and create user.

delete

Delete the user again.

version

Report the version as JSON.

Note, however, that the preferred way to interact with the server is cbas.

Local Testing

Pull the image from Docker Hub:

$ docker pull immobilienscout24/c-bastion

You can then launch the Docker image as follows; note how AUTH_URL is supplied:

$ docker run -p 127.0.0.1:8080:8080 -e AUTH_URL=http://auth-server.example immobilienscout24/c-bastion:latest

And finally, check that the container has started and that the jump-host server has come up:

$ curl http://127.0.0.1:8080/status
OK

You could also check the current version:

$ curl http://127.0.0.1:8080/version
{'version': '53'}

Development

The project is written in Python 2.7 and uses the PyBuilder build and test tool.

  1. You should always build and test within a virtual environment that contains an up-to-date pip and `pybuilder`:

    $ virtualenv venv
    $ source venv/bin/activate
    (venv) $ pip install -U pip
    (venv) $ pip install pybuilder
    (venv) $ pyb install_dependencies
  2. To run just the unit-tests, static code analysis and coverage reporting:

    (venv) $ pyb
    ...
  3. To build the Docker image:

    (venv) $ pyb docker_build
  4. To system-test the Docker image:

    (venv) $ pyb system_test
  5. To build and run all available tests, simply type:

    (venv) $ pyb all

License

Copyright 2016 Immobilien Scout GmbH

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.