From 0966c4aa7ee047d6ce9191eb83461c792807d563 Mon Sep 17 00:00:00 2001
From: Chris Kretler
Date: Tue, 21 Jul 2020 17:43:57 -0400
Subject: [PATCH 1/6] Change based to debian:buster-slim. Use /etc/passwd method for use modifications.
---
 Dockerfile | 26 ++++++++++++++++++
 openshift-artifacts/bc-umich-sftp.json | 12 +++------
 openshift-artifacts/dc-umich-sftp.json | 4 +--
 README.md => readme.md | 37 +++++++------------------
 ubuntu-ssh/sshd_config => sshd_config | 1 +
 ubuntu-ssh/startup.sh => startup.sh | 12 ++++++--
 ubuntu-ssh/Dockerfile | 19 -------------
 umich-sftp/Dockerfile | 16 ----------
 utility-scripts/update-umich-sftp.sh | 20 --------------
 9 files changed, 51 insertions(+), 96 deletions(-)
 create mode 100644 Dockerfile
 rename README.md => readme.md (66%)
 rename ubuntu-ssh/sshd_config => sshd_config (93%)
 rename ubuntu-ssh/startup.sh => startup.sh (63%)
 delete mode 100644 ubuntu-ssh/Dockerfile
 delete mode 100644 umich-sftp/Dockerfile
 delete mode 100755 utility-scripts/update-umich-sftp.sh
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..7984b71
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,26 @@
+FROM debian:buster-slim
+
+# https://manpages.debian.org/stretch/openssh-server/sshd.8.en.html
+RUN apt-get -y update \
+&& apt-get -y install openssh-server
+
+RUN mkdir /var/run/sshd
+
+COPY sshd_config /etc/ssh/sshd_config
+RUN chmod g+r /etc/ssh/sshd_config
+
+# OpenShift pod will run as non-root user, who can't create pid file.
+RUN touch /run/sshd.pid \
+&& chmod g+w /run/sshd.pid
+
+# Create sftpuser. Password authentication is disabled in sshd.
+RUN useradd -g root -m sftpuser -p '*'
+
+# Make /etc/passwd writable by root group. So sftpuser can take UID of running pod.
+RUN chmod g+w /etc/passwd
+
+EXPOSE 2022
+
+COPY startup.sh /usr/local/bin
+RUN chmod +x /usr/local/bin/startup.sh
+CMD ["startup.sh"]
diff --git a/openshift-artifacts/bc-umich-sftp.json b/openshift-artifacts/bc-umich-sftp.json
index fb4fd06..f844d83 100644
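Review bot: `RUN apt-get -y update \ && apt-get -y install openssh-server` installs recommended packages and leaves /var/lib/apt/lists in the layer; `RUN apt-get -y update && apt-get -y install --no-install-recommends openssh-server && rm -rf /var/lib/apt/lists/*` yields the same server with less in the image. A second point is `RUN chmod g+w /etc/passwd`: combined with `useradd -g root`, every process that runs as sftpuser can rewrite /etc/passwd, and that includes the sftp session itself, since sshd runs unprivileged here and the sshd_config in this commit forces internal-sftp without a chroot. If that exposure is accepted for this deployment, the comment on that line should say so explicitly; otherwise the nss_wrapper pattern (libnss-wrapper with NSS_WRAPPER_PASSWD pointing at a per-container copy) gives the pod's UID a passwd entry while /etc/passwd stays read-only.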
--- a/openshift-artifacts/bc-umich-sftp.json +++ b/openshift-artifacts/bc-umich-sftp.json @@ -29,16 +29,10 @@ }, "strategy": { "dockerStrategy": { - "buildArgs": [ - { - "name": "SFTP_UID", - "value": "REPLACE_ME" - } - ], "from": { "kind": "ImageStreamTag", - "name": "ubuntu-ssh:latest", - "namespace": "openshift" + "name": "debian:buster-slim", + "namespace": "its-curation" } }, "type": "Docker" @@ -47,7 +41,7 @@ "triggers": [ { "imageChange": { - "lastTriggeredImageID": "docker-registry.default.svc:5000/openshift/ubuntu-ssh:latest" + "lastTriggeredImageID": "docker-registry.default.svc:5000/its-curation/umich-sftp:latest" }, "type": "ImageChange" }, diff --git a/openshift-artifacts/dc-umich-sftp.json b/openshift-artifacts/dc-umich-sftp.json index 2f6e049..a3b4978 100644 --- a/openshift-artifacts/dc-umich-sftp.json +++ b/openshift-artifacts/dc-umich-sftp.json @@ -39,7 +39,7 @@ "spec": { "containers": [ { - "image": "docker-registry.default.svc:5000/NAMESPACE/umich-sftp:latest", + "image": "docker-registry.default.svc:5000/openshift/umich-sftp:latest", "imagePullPolicy": "Always", "name": "umich-sftp", "ports": [ @@ -87,7 +87,7 @@ "from": { "kind": "ImageStreamTag", "name": "umich-sftp:latest", - "namespace": "NAMESPACE" + "namespace": "openshift" } }, "type": "ImageChange" diff --git a/README.md b/readme.md similarity index 66% rename from README.md rename to readme.md index 4d3adbc..38bc29e 100644 --- a/README.md +++ b/readme.md 
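Review bot: The build now resolves its base from ImageStreamTag `debian:buster-slim` in namespace `its-curation`, but nothing in this commit creates or imports that image stream, and the readme steps in the same commit only run `oc new-build` and `oc tag` for umich-sftp; unless the stream already exists, the build will fail at base-image resolution. If it is expected to exist, a line in the readme's its-curation section naming the `oc import-image` step that created it would make the dependency visible. The `lastTriggeredImageID` pointing at the build's own output (`its-curation/umich-sftp:latest`) also looks like a leftover from the copied template rather than a trigger on the new base; worth confirming.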
@@ -1,5 +1,5 @@ ## umich-sftp -This runs an sftp/ssh server that runs as a non-root user required for multi-tenanted container hosting systems like OpenShift. The build process creates a user: `sftpuser` that is associated with the uid used by an OpenShift project to run all pods. The range for the uid is declared in a project's annotations. Essentially, the pod runs as the sftpuser. +This runs an sftp/ssh server that runs as a non-root user required for multi-tenanted container hosting systems like OpenShift. The build process makes the /etc/passwd file writable by the root group. And the startup script modifies the UID for the `sftpuser` user, who runs the sshd server, to use that provided to the OpenShift pod. Essentially, the pod runs as the sftpuser. ### Setup Directions 
@@ -11,52 +11,33 @@ This runs an sftp/ssh server that runs as a non-root user required for multi-ten #### Instructions for use as a local docker container clone repo - `git clone git@gitlab.umich.edu:its-web-platforms/umich-sftp.git` -- `cd umich-sftp` - -There are 2 docker images to build, the first has ubuntu and ssh config: -- `docker build -t ubuntu-ssh ./ubuntu-ssh/` The second image contains user-specific instructions. -- `docker build -t umich-sftp ./umich-sftp/` +- `docker build -t umich-sftp .` Pass in the public keys and startup the container -- `docker run -it -p 2022:2022 -u 1000000000 -v /path/to/keys/:/tmp/keys umich-sftp` +- `docker run -it -p 2022:2022 -v /path/to/keys/:/tmp/keys umich-sftp` And now sftp to the container. - `sftp -oIdentityFile=./ssh_user_ed25519_key -P 2022 sftpuser@localhost` #### Instructions for use in Openshift -The first build is made in the its-curation namespace. This will be updated whenever ubuntu or the code is updated. +The build is made in the its-curation namespace. This will be updated whenever debian:buster-slim or the code is updated. ##### NOTE: this only needs to be done once. Please check if the image already exists in its-curation and don't run these next two steps if it already exists. ``` oc project its-curation -oc new-build https://gitlab.umich.edu/its-web-platforms/umich-sftp.git --context-dir=ubuntu-ssh --name=ubuntu-ssh -oc tag its-curation/ubuntu-ssh:latest openshift/ubuntu-ssh:latest -``` - -The next build leverages the tag in the openshift namespace and is made in a user's project. 
Determine the UID in use by your project, and create the umich-sftp image with this: -``` -uid=$(oc get project $(oc project -q) -o custom-columns="uid:.metadata.annotations.openshift\.io\/sa\.scc\.uid-range" | tail -n +2) -uid=$(echo $uid | sed -e "s|/10000||g") -sed -i s/REPLACE_ME/$uid/g openshift-artifacts/bc-umich-sftp.json -oc create -f openshift-artifacts/bc-umich-sftp.json -``` - -Alternative build process: -``` -uid=$(oc get project $(oc project -q) -o custom-columns="uid:.metadata.annotations.openshift\.io\/sa\.scc\.uid-range" | tail -n +2) -uid=$(echo $uid | sed -e "s|/10000||g") -oc new-build openshift/ubuntu-ssh~https://gitlab.umich.edu/its-web-platforms/umich-sftp.git --context-dir=umich-sftp --build-arg SFTP_UID=$uid --strategy=docker +oc new-build https://gitlab.umich.edu/its-web-platforms/umich-sftp.git +oc tag its-curation/umich-sftp:latest openshift/umich-sftp:latest ``` Create a secret with the public key you previously generated: - The makerator will create a blank secret of the same name. You will have to delete the existing secret first in a project generated by the makerator. -- `oc create secret generic public-ssh-keys --from-file=/path/to/keys/ssh_user_ed25519_key.pub` +- `oc create secret generic public-ssh-keys --from-file=/path/to/keys/ssh_user_ed25519_key.pub`, or for multiple keys: +- `oc create secret generic public-ssh-keys --from-file=/path/to/keys/*.pub` Create the dc and svc. The first command updates the dc to retrieve the image from the current project: ``` -sed -i s/NAMESPACE/$(oc project -q)/g openshift-artifacts/dc-umich-sftp.json oc create -f openshift-artifacts/dc-umich-sftp.json oc create -f openshift-artifacts/svc-umich-sftp.json ``` 
@@ -71,12 +52,14 @@ Connect using to that instance on containersnp (need to be on VPN): - `sftp -oIdentityFile=/path/to/keys/ssh_user_ed25519_key -P 30000 sftpuser@tcp.aws-np.web.umich.edu` - NOTE: you will need to subsitute 30000 with the port from the previous command. And `tcp.aws-np.web.umich.edu` will need to be substituted with `tcp.aws.web.umich.edu` if working in the production environment. + #### Persistent Volumes The default deployment does not mount a persistent volume. The makerator or kiri will generally create persistent volume claims and modify the deployment configuration for umich-sftp to leverage them. If you wish to test writing to persistent volumes with using makerator or kiri, perform the following operations: ``` oc set volume dc/umich-sftp --add --name=wps-cms-pvc -t pvc --claim-size=1G --mount-path=/home/sftpuser/wps --overwrite ``` + #### Troubleshooting 1. You are asked for a password when accessing via sftp. This is because your ssh key is not being recognized. - Have you added your key to the secret and restarted the pod? diff --git a/ubuntu-ssh/sshd_config b/sshd_config similarity index 93% rename from ubuntu-ssh/sshd_config rename to sshd_config index 2858b47..68e6829 100644 --- a/ubuntu-ssh/sshd_config +++ b/sshd_config @@ -3,6 +3,7 @@ Port 2022 # Key for running sshd HostKey /etc/ssh/ssh_host_ed25519_key +PasswordAuthentication no # Limited access PermitRootLogin no diff --git a/ubuntu-ssh/startup.sh b/startup.sh similarity index 63% rename from ubuntu-ssh/startup.sh rename to startup.sh index d30e705..0fd6813 100644 --- a/ubuntu-ssh/startup.sh +++ b/startup.sh 
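Review bot: `PasswordAuthentication no` disables the password method, but keyboard-interactive (which PAM also uses to prompt for passwords) is controlled separately by `ChallengeResponseAuthentication`, whose built-in default is yes; since this file replaces the distribution's sshd_config, add `ChallengeResponseAuthentication no` next to it so the `-p '*'`-locked account is never prompted at all (the `UsePAM` setting is outside this hunk, so whether PAM is active is not visible here). An explicit `AuthenticationMethods publickey` would state the intent directly. The readme's troubleshooting entry about being asked for a password may be explained by keyboard-interactive still being offered.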
@@ -1,17 +1,23 @@
 #!/bin/bash
 # The following commands belong in this script, rather than in
 # the dockerfile, in order to run as the sftpuser.
+if [ "$(id -u)" -ge 1000 ] ; then
+ sed -e "sftpuser:x:$(id -u):$(id -g)::/home/sftpuser:/usr/sbin/nologin" /etc/passwd > /tmp/passwd
+ cat /tmp/passwd > /etc/passwd
+ rm /tmp/passwd
+fi
+
+mkdir -p /home/sftpuser/.ssh
 # If the user has specified keys either from a docker volume or openshift secret,
 # place those in the authorized_keys file at container start-up.
 if [ -f /tmp/keys/*.pub ];
 then
 cat /tmp/keys/*.pub > /home/sftpuser/.ssh/authorized_keys
+ chown sftpuser /home/sftpuser/.ssh/authorized_keys
+ chmod 400 /home/sftpuser/.ssh/authorized_keys
 fi
-# Ensure public keys have correct permissions.
-chmod 400 /home/sftpuser/.ssh/authorized_keys
-
 # https://www.ssh.com/ssh/sshd#command-line-options
 # -e option is useful for logging to stderr.
 # -D don't run as daemon, -d debugging mode
diff --git a/ubuntu-ssh/Dockerfile b/ubuntu-ssh/Dockerfile
deleted file mode 100644
index 5000c0c..0000000
--- a/ubuntu-ssh/Dockerfile
+++ /dev/null
@@ -1,19 +0,0 @@
-FROM ubuntu:18.04
-
-RUN apt-get -y update \
-&& apt-get -y install openssh-server
-# https://help.ubuntu.com/lts/serverguide/openssh-server.html
-
-RUN mkdir /var/run/sshd
-
-COPY sshd_config /etc/ssh/sshd_config
-RUN chmod g+r /etc/ssh/sshd_config
-
-# Allow access to server keys for sftpuser
-RUN chmod g+r /etc/ssh/ssh_host_ed25519_key
-
-EXPOSE 2022
-
-ADD startup.sh /usr/local/bin
-RUN chmod +x /usr/local/bin/startup.sh
-CMD ["startup.sh"]
diff --git a/umich-sftp/Dockerfile b/umich-sftp/Dockerfile
deleted file mode 100644
index 949cb0c..0000000
--- a/umich-sftp/Dockerfile
+++ /dev/null
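Review bot: `if [ -f /tmp/keys/*.pub ]` only works for exactly one key file: with several `.pub` files the glob expands to multiple words, `[ -f a b ]` fails with "too many arguments", and no authorized_keys is written, while the readme in this same commit tells users to build the secret from `/path/to/keys/*.pub`. The same test survives unchanged into patch 6 as `/mnt/keys/*.pub`. Expanding the glob into an array under nullglob and testing its length handles zero, one or many keys; the rest of the hunk is unchanged.

```bash
# … unchanged: /etc/passwd rewrite and mkdir …
# If the user has specified keys either from a docker volume or openshift secret,
# place those in the authorized_keys file at container start-up.
shopt -s nullglob
keys=(/tmp/keys/*.pub)
if [ "${#keys[@]}" -gt 0 ]; then
    cat "${keys[@]}" > /home/sftpuser/.ssh/authorized_keys
    chown sftpuser /home/sftpuser/.ssh/authorized_keys
    chmod 400 /home/sftpuser/.ssh/authorized_keys
fi
# … unchanged: sshd invocation comments …
```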
@@ -1,16 +0,0 @@
-FROM ubuntu-ssh:latest
-
-# This default is overwritten a variable passed into build process
-# $ docker build --build-arg SFTP_UID=1000110000 -t umich-sftp .
-ARG SFTP_UID=1000000000
-
-# http://manpages.ubuntu.com/manpages/bionic/man8/useradd.8.html
-# d: which home dir, g: group, l: don't add to lastlog and faillog, m: create home
-# s: which shell, o: non-unique, u: uid,
-RUN useradd -g root -m -d /home/sftpuser -s /bin/bash -l -o -u $SFTP_UID sftpuser
-
-RUN su - sftpuser -c "mkdir -p /home/sftpuser/.ssh"
-
-# Workaround issue where non-root user can't create pid file.
-RUN touch /run/sshd.pid
-RUN chown sftpuser:root /run/sshd.pid
diff --git a/utility-scripts/update-umich-sftp.sh b/utility-scripts/update-umich-sftp.sh
deleted file mode 100755
index 8e9c9a1..0000000
--- a/utility-scripts/update-umich-sftp.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-for project in wps000009 wps000010 wps000012 wps000016 wps000021 wps000023 wps000025 wps000026 wps000027 wps000029 wps000031 wps000032 wps000033 wps000034
-do
- echo "project is $project"
- oc delete bc,dc,is -l app=umich-sftp -n ${project}
- oc delete bc,dc,is -l build=umich-sftp -n ${project}
- uid=$(oc get project $project -o custom-columns="uid:.metadata.annotations.openshift\.io/sa\.scc\.uid-range" | tail -n +2)
- #echo "uid is $uid"
- uid=$(echo $uid | sed -e "s|/10000||g")
- echo "uid is $uid"
- #oc policy add-role-to-user system:image-puller system-serviceaccount:${project}:builder -n its-curation
- #oc policy add-role-to-user system:image-puller system-serviceaccount:${project}:default -n its-curation
- oc new-build openshift/ubuntu-ssh~https://gitlab.umich.edu/its-web-platforms/umich-sftp.git --context-dir=umich-sftp --build-arg SFTP_UID=${uid} --strategy=docker -n ${project}
- oc create secret generic public-ssh-keys -n ${project}
- oc create -f pvc.yaml -n ${project}
- cp dc-umich-sftp.yaml dc.yaml
- sed -i s/NAMESPACE/${project}/g dc.yaml
- oc create -f dc.yaml -n ${project}
- rm dc.yaml
-done
-- GitLab
From 1e10448352bd913ebecaf89bb579a071f2111fa9 Mon Sep 17 00:00:00 2001
From: Chris Kretler
Date: Wed, 22 Jul 2020 15:44:24 -0400
Subject: [PATCH 2/6] modified to support openshift UID.
---
 Dockerfile | 9 ++++++---
 sshd_config | 5 ++---
 startup.sh | 4 +++-
 3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 7984b71..ce9ca41 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,21 +6,24 @@ RUN apt-get -y update \
 RUN mkdir /var/run/sshd
-COPY sshd_config /etc/ssh/sshd_config
-RUN chmod g+r /etc/ssh/sshd_config
+RUN chmod g+r /etc/ssh/ssh_host_ed25519_key
 # OpenShift pod will run as non-root user, who can't create pid file.
 RUN touch /run/sshd.pid \
 && chmod g+w /run/sshd.pid
 # Create sftpuser. Password authentication is disabled in sshd.
-RUN useradd -g root -m sftpuser -p '*'
+RUN useradd -g root sftpuser -p '*' \
+&& chmod g+w /home
 # Make /etc/passwd writable by root group. So sftpuser can take UID of running pod.
 RUN chmod g+w /etc/passwd
 EXPOSE 2022
+COPY sshd_config /etc/ssh/sshd_config
+RUN chmod g+r /etc/ssh/sshd_config
+
 COPY startup.sh /usr/local/bin
 RUN chmod +x /usr/local/bin/startup.sh
 CMD ["startup.sh"]
diff --git a/sshd_config b/sshd_config
index 68e6829..92cab58 100644
--- a/sshd_config
+++ b/sshd_config
@@ -3,8 +3,10 @@ Port 2022
 # Key for running sshd
 HostKey /etc/ssh/ssh_host_ed25519_key
+#PidFile /home/sftpuser/sshd.pid
 PasswordAuthentication no
+
 # Limited access
 PermitRootLogin no
 X11Forwarding no
@@ -14,8 +16,5 @@ AllowTcpForwarding no
 Subsystem sftp internal-sftp
 ForceCommand internal-sftp
-# Regardless of explicit dir or var, os pod cannot chroot to chroot dir
-#ChrootDirectory /home/sftpuser
-
 # Logging
 LogLevel VERBOSE
diff --git a/startup.sh b/startup.sh
index 0fd6813..cbadccc 100644
--- a/startup.sh
+++ b/startup.sh
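Review bot: `RUN chmod g+r /etc/ssh/ssh_host_ed25519_key` widens the host private key, generated once at image build by the openssh-server package, to the whole root group, and because sshd runs as sftpuser the sftp session itself can read it. More significant is that the key lives in an image layer, so every container built from this image shares one host key and anyone able to pull the image holds it. Generating the key at container start into the user's own directory and pointing `HostKey` at that path (for example `[ -f /home/sftpuser/ssh_host_ed25519_key ] || ssh-keygen -t ed25519 -N '' -f /home/sftpuser/ssh_host_ed25519_key` in startup.sh) keeps it per-instance, or mount it from a per-deployment secret if clients pin host keys; either way a comment on this line should record the choice. The apt RUN named in this hunk's header starts above the hunk.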
@@ -2,12 +2,14 @@
 # The following commands belong in this script, rather than in
 # the dockerfile, in order to run as the sftpuser.
 if [ "$(id -u)" -ge 1000 ] ; then
- sed -e "sftpuser:x:$(id -u):$(id -g)::/home/sftpuser:/usr/sbin/nologin" /etc/passwd > /tmp/passwd
+ sed -e "/^sftpuser:/c sftpuser:x:$(id -u):$(id -g)::/home/sftpuser:/usr/sbin/nologin" /etc/passwd > /tmp/passwd
 cat /tmp/passwd > /etc/passwd
 rm /tmp/passwd
 fi
 mkdir -p /home/sftpuser/.ssh
+chown -R sftpuser:root /home/sftpuser
+#touch /home/sftpuser/sshd.pid
 # If the user has specified keys either from a docker volume or openshift secret,
 # place those in the authorized_keys file at container start-up.
-- GitLab
From d5af4e917c989fa72d7238983206bbbf56ac619a Mon Sep 17 00:00:00 2001
From: Chris Kretler
Date: Wed, 22 Jul 2020 17:52:54 -0400
Subject: [PATCH 3/6] remove unnecessary chown cmds in startup script.
---
 startup.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/startup.sh b/startup.sh
index cbadccc..531110d 100644
--- a/startup.sh
+++ b/startup.sh
@@ -8,8 +8,7 @@ if [ "$(id -u)" -ge 1000 ] ; then
 fi
 mkdir -p /home/sftpuser/.ssh
-chown -R sftpuser:root /home/sftpuser
-#touch /home/sftpuser/sshd.pid
+#chown sftpuser:root /home/sftpuser /home/sftpuser/.ssh
 # If the user has specified keys either from a docker volume or openshift secret,
 # place those in the authorized_keys file at container start-up.
-- GitLab
From a38a440bd8055347de65fc200e49360d5f28cc38 Mon Sep 17 00:00:00 2001
From: Chris Kretler
Date: Wed, 22 Jul 2020 19:43:30 -0400
Subject: [PATCH 4/6] check for pvc at startup and symlink it.
---
 startup.sh | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/startup.sh b/startup.sh
index 531110d..46413aa 100644
--- a/startup.sh
+++ b/startup.sh
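Review bot: The corrected `sed -e "/^sftpuser:/c …"` is still followed unconditionally by `cat /tmp/passwd > /etc/passwd`; the script has no `set -e` and no `&&`, so if sed ever fails (or `id` prints nothing) /tmp/passwd is empty and /etc/passwd is truncated, after which the running UID likely has no passwd entry for sshd to resolve. Chain the two steps, `sed -e "/^sftpuser:/c sftpuser:x:$(id -u):$(id -g)::/home/sftpuser:/usr/sbin/nologin" /etc/passwd > /tmp/passwd && cat /tmp/passwd > /etc/passwd`, or add `set -eu` at the top of the script, which is above this hunk. The `-ge 1000` guard also deserves a one-line comment explaining that it distinguishes an arbitrary runtime UID from the image's own sftpuser.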
@@ -10,6 +10,12 @@ fi
 mkdir -p /home/sftpuser/.ssh
 #chown sftpuser:root /home/sftpuser /home/sftpuser/.ssh
+# If there is a mounted pvc, symlink to it within the user's home dir.
+if [ -d /tmp/pvc ];
+then
+ ln -s /tmp/pvc /home/sftpuser/mwps
+fi
+
 # If the user has specified keys either from a docker volume or openshift secret,
 # place those in the authorized_keys file at container start-up.
 if [ -f /tmp/keys/*.pub ];
-- GitLab
From 41d8208932aab584a175f60dded0988a84918c75 Mon Sep 17 00:00:00 2001
From: Chris Kretler
Date: Wed, 22 Jul 2020 19:58:05 -0400
Subject: [PATCH 5/6] modify readme to reflect recent changes.
---
 readme.md | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/readme.md b/readme.md
index 38bc29e..0d3f636 100644
--- a/readme.md
+++ b/readme.md
@@ -1,5 +1,5 @@
 ## umich-sftp
-This runs an sftp/ssh server that runs as a non-root user required for multi-tenanted container hosting systems like OpenShift. The build process makes the /etc/passwd file writable by the root group. And the startup script modifies the UID for the `sftpuser` user, who runs the sshd server, to use that provided to the OpenShift pod. Essentially, the pod runs as the sftpuser.
+This runs an sftp/ssh server that runs as a non-root user required for multi-tenanted container hosting systems like OpenShift. The build process makes the /etc/passwd file writable by the root group. And the startup script modifies the UID for the `sftpuser` user, who runs the sshd server, to use that provided to the OpenShift pod. Essentially, the pod runs as the sftpuser. The startup script looks for a mounted volume at /tmp/pvc and symlinks this into the sftpuser's home directory.
 ### Setup Directions
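Review bot: `ln -s /tmp/pvc /home/sftpuser/mwps` is not idempotent: if `/home/sftpuser/mwps` already exists as a directory or link (for instance when the home directory itself is persisted across restarts, which is not visible here), `ln -s` either fails or creates `/home/sftpuser/mwps/pvc` inside it. `ln -sfn /tmp/pvc /home/sftpuser/mwps` replaces an existing link in place. The hard-coded link name `mwps` would also read better as a named variable with a comment saying what it stands for.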
@@ -12,10 +12,13 @@ This runs an sftp/ssh server that runs as a non-root user required for multi-ten clone repo - `git clone git@gitlab.umich.edu:its-web-platforms/umich-sftp.git` -The second image contains user-specific instructions. +Build the image: - `docker build -t umich-sftp .` -Pass in the public keys and startup the container +Pass in the public keys and startup the container: +- `docker run -it -p 2022:2022 -v /path/to/keys/:/tmp/keys umich-sftp` + +Alternatively, pass in public keys and test for mounting volumes: - `docker run -it -p 2022:2022 -v /path/to/keys/:/tmp/keys umich-sftp` And now sftp to the container. @@ -54,9 +57,11 @@ Connect using to that instance on containersnp (need to be on VPN): #### Persistent Volumes -The default deployment does not mount a persistent volume. The makerator or kiri will generally create persistent volume claims and modify the deployment configuration for umich-sftp to leverage them. If you wish to test writing to persistent volumes with using makerator or kiri, perform the following operations: +The default deployment does not mount a persistent volume. The makerator or kiri will generally create persistent volume claims and modify the deployment configuration for umich-sftp to leverage them. + +If you wish to test writing to persistent volumes with using makerator or kiri, perform the following operations: ``` -oc set volume dc/umich-sftp --add --name=wps-cms-pvc -t pvc --claim-size=1G --mount-path=/home/sftpuser/wps --overwrite +oc set volume dc/umich-sftp --add --name=mwps-volume -t pvc --claim-size=1G --mount-path=/tmp/pvc --overwrite ``` -- GitLab From f20c26213e637735397bad7a517ce1d4fdcdbffd Mon Sep 17 00:00:00 2001 
From: Chris Kretler Date: Thu, 23 Jul 2020 15:46:08 -0400 Subject: [PATCH 6/6] modify mount point for keys and volume. rename repo and artifacts. --- ...{bc-umich-sftp.json => bc-umich-sshd.json} | 12 +++---- ...{dc-umich-sftp.json => dc-umich-sshd.json} | 22 ++++++------ ...vc-umich-sftp.json => svc-umich-sshd.json} | 8 ++--- readme.md | 34 +++++++++---------- startup.sh | 8 ++--- 5 files changed, 42 insertions(+), 42 deletions(-) rename openshift-artifacts/{bc-umich-sftp.json => bc-umich-sshd.json} (85%) rename openshift-artifacts/{dc-umich-sftp.json => dc-umich-sshd.json} (86%) rename openshift-artifacts/{svc-umich-sftp.json => svc-umich-sshd.json} (78%) diff --git a/openshift-artifacts/bc-umich-sftp.json b/openshift-artifacts/bc-umich-sshd.json similarity index 85% rename from openshift-artifacts/bc-umich-sftp.json rename to openshift-artifacts/bc-umich-sshd.json index f844d83..806909c 100644 --- a/openshift-artifacts/bc-umich-sftp.json +++ b/openshift-artifacts/bc-umich-sshd.json @@ -4,9 +4,9 @@ "metadata": { "creationTimestamp": null, "labels": { - "app": "umich-sftp" + "app": "umich-sshd" }, - "name": "umich-sftp" + "name": "umich-sshd" }, "spec": { "failedBuildsHistoryLimit": 5, @@ -14,16 +14,16 @@ "output": { "to": { "kind": "ImageStreamTag", - "name": "umich-sftp:latest" + "name": "umich-sshd:latest" } }, "postCommit": {}, "resources": {}, "runPolicy": "Serial", "source": { - "contextDir": "umich-sftp", + "contextDir": "umich-sshd", "git": { - "uri": "https://gitlab.umich.edu/its-web-platforms/umich-sftp.git" + "uri": "https://gitlab.umich.edu/its-web-platforms/umich-sshd.git" }, "type": "Git" }, @@ -41,7 +41,7 @@ "triggers": [ { "imageChange": { - "lastTriggeredImageID": "docker-registry.default.svc:5000/its-curation/umich-sftp:latest" + "lastTriggeredImageID": "docker-registry.default.svc:5000/its-curation/umich-sshd:latest" }, "type": "ImageChange" }, 
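Review bot: `"contextDir": "umich-sshd"` keeps the build context in a subdirectory, but patch 1 moved the Dockerfile to the repository root (`create mode 100644 Dockerfile`, `delete mode 100644 umich-sftp/Dockerfile`) and the readme's `oc new-build` call passes no `--context-dir`; a Docker-strategy build from this BuildConfig would look for a Dockerfile under `umich-sshd/` and fail unless that directory exists. Dropping the `contextDir` entry, or setting it to `"."`, matches the layout the rest of the series assumes.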
diff --git a/openshift-artifacts/dc-umich-sftp.json b/openshift-artifacts/dc-umich-sshd.json similarity index 86% rename from openshift-artifacts/dc-umich-sftp.json rename to openshift-artifacts/dc-umich-sshd.json index a3b4978..751b36d 100644 --- a/openshift-artifacts/dc-umich-sftp.json +++ b/openshift-artifacts/dc-umich-sshd.json @@ -5,16 +5,16 @@ "creationTimestamp": null, "generation": 1, "labels": { - "app": "umich-sftp" + "app": "umich-sshd" }, - "name": "umich-sftp" + "name": "umich-sshd" }, "spec": { "replicas": 1, "revisionHistoryLimit": 10, "selector": { - "app": "umich-sftp", - "deploymentconfig": "umich-sftp" + "app": "umich-sshd", + "deploymentconfig": "umich-sshd" }, "strategy": { "activeDeadlineSeconds": 21600, @@ -32,16 +32,16 @@ "metadata": { "creationTimestamp": null, "labels": { - "app": "umich-sftp", - "deploymentconfig": "umich-sftp" + "app": "umich-sshd", + "deploymentconfig": "umich-sshd" } }, "spec": { "containers": [ { - "image": "docker-registry.default.svc:5000/openshift/umich-sftp:latest", + "image": "docker-registry.default.svc:5000/openshift/umich-sshd:latest", "imagePullPolicy": "Always", - "name": "umich-sftp", + "name": "umich-sshd", "ports": [ { "containerPort": 2022, @@ -53,7 +53,7 @@ "terminationMessagePolicy": "File", "volumeMounts": [ { - "mountPath": "/tmp/keys", + "mountPath": "/mnt/keys", "name": "ssh-key-secret", "readOnly": true } @@ -82,11 +82,11 @@ "imageChangeParams": { "automatic": true, "containerNames": [ - "umich-sftp" + "umich-sshd" ], "from": { "kind": "ImageStreamTag", - "name": "umich-sftp:latest", + "name": "umich-sshd:latest", "namespace": "openshift" } }, diff --git a/openshift-artifacts/svc-umich-sftp.json b/openshift-artifacts/svc-umich-sshd.json similarity index 78% rename from openshift-artifacts/svc-umich-sftp.json rename to openshift-artifacts/svc-umich-sshd.json index 48e7cf1..61b5f63 100644 --- a/openshift-artifacts/svc-umich-sftp.json +++ b/openshift-artifacts/svc-umich-sshd.json 
@@ -4,9 +4,9 @@ "metadata": { "creationTimestamp": null, "labels": { - "app": "umich-sftp" + "app": "umich-sshd" }, - "name": "umich-sftp" + "name": "umich-sshd" }, "spec": { "ports": [ @@ -18,8 +18,8 @@ } ], "selector": { - "app": "umich-sftp", - "deploymentconfig": "umich-sftp" + "app": "umich-sshd", + "deploymentconfig": "umich-sshd" }, "sessionAffinity": "None", "type": "ClusterIP" diff --git a/readme.md b/readme.md index 0d3f636..e4ec966 100644 --- a/readme.md +++ b/readme.md @@ -1,5 +1,5 @@ -## umich-sftp -This runs an sftp/ssh server that runs as a non-root user required for multi-tenanted container hosting systems like OpenShift. The build process makes the /etc/passwd file writable by the root group. And the startup script modifies the UID for the `sftpuser` user, who runs the sshd server, to use that provided to the OpenShift pod. Essentially, the pod runs as the sftpuser. The startup script looks for a mounted volume at /tmp/pvc and symlinks this into the sftpuser's home directory. +## umich-sshd +This runs a containerized sshd server that runs as a non-root user required by multi-tenanted container hosting systems like OpenShift. The pod runs as the user: `sftpuser`. The startup script looks for a mounted volume at /mnt/pvc and symlinks this into the sftpuser's home directory. ### Setup Directions 
@@ -10,28 +10,28 @@ This runs an sftp/ssh server that runs as a non-root user required for multi-ten #### Instructions for use as a local docker container clone repo -- `git clone git@gitlab.umich.edu:its-web-platforms/umich-sftp.git` +- `git clone git@gitlab.umich.edu:its-web-platforms/umich-sshd.git` Build the image: -- `docker build -t umich-sftp .` +- `docker build -t umich-sshd .` Pass in the public keys and startup the container: -- `docker run -it -p 2022:2022 -v /path/to/keys/:/tmp/keys umich-sftp` +- `docker run -it -p 2022:2022 -v /path/to/keys/:/mnt/keys -u 100000 umich-sshd` -Alternatively, pass in public keys and test for mounting volumes: -- `docker run -it -p 2022:2022 -v /path/to/keys/:/tmp/keys umich-sftp` +Alternatively, pass in public keys and test for mounting host volumes: +- `docker run -it -p 2022:2022 -v /path/to/keys:/mnt/keys -v /path/to/volume:/mnt/pvc -u 100000 umich-sshd` And now sftp to the container. - `sftp -oIdentityFile=./ssh_user_ed25519_key -P 2022 sftpuser@localhost` #### Instructions for use in Openshift -The build is made in the its-curation namespace. This will be updated whenever debian:buster-slim or the code is updated. +The build is made in the its-curation namespace. This will be updated whenever debian:buster-slim or the code is updated. The build process makes the /etc/passwd file writable by the root group. The startup script modifies the UID for the `sftpuser` user, who runs the sshd server, to use that provided to the OpenShift project. ##### NOTE: this only needs to be done once. Please check if the image already exists in its-curation and don't run these next two steps if it already exists. 
``` oc project its-curation -oc new-build https://gitlab.umich.edu/its-web-platforms/umich-sftp.git -oc tag its-curation/umich-sftp:latest openshift/umich-sftp:latest +oc new-build https://gitlab.umich.edu/its-web-platforms/umich-sshd.git +oc tag its-curation/umich-sshd:latest openshift/umich-sshd:latest ``` Create a secret with the public key you previously generated: @@ -41,15 +41,15 @@ Create a secret with the public key you previously generated: Create the dc and svc. The first command updates the dc to retrieve the image from the current project: ``` -oc create -f openshift-artifacts/dc-umich-sftp.json -oc create -f openshift-artifacts/svc-umich-sftp.json +oc create -f openshift-artifacts/dc-umich-sshd.json +oc create -f openshift-artifacts/svc-umich-sshd.json ``` Create a route on the tcp-router: -- `oc expose svc umich-sftp -l router=tcp-router` +- `oc expose svc umich-sshd -l router=tcp-router` Find out the port assigned to your pod: -- `oc get route umich-sftp -o custom-columns=port:.metadata.labels.exposed-port` +- `oc get route umich-sshd -o custom-columns=port:.metadata.labels.exposed-port` Connect using to that instance on containersnp (need to be on VPN): - `sftp -oIdentityFile=/path/to/keys/ssh_user_ed25519_key -P 30000 sftpuser@tcp.aws-np.web.umich.edu` 
@@ -57,11 +57,11 @@ Connect using to that instance on containersnp (need to be on VPN): #### Persistent Volumes -The default deployment does not mount a persistent volume. The makerator or kiri will generally create persistent volume claims and modify the deployment configuration for umich-sftp to leverage them. +The default deployment does not mount a persistent volume. The makerator or kiri will generally create persistent volume claims and modify the deployment configuration for umich-sshd to leverage them. If you wish to test writing to persistent volumes with using makerator or kiri, perform the following operations: ``` -oc set volume dc/umich-sftp --add --name=mwps-volume -t pvc --claim-size=1G --mount-path=/tmp/pvc --overwrite +oc set volume dc/umich-sshd --add --name=mwps-volume -t pvc --claim-size=1G --mount-path=/mnt/pvc --overwrite ``` @@ -70,7 +70,7 @@ oc set volume dc/umich-sftp --add --name=mwps-volume -t pvc --claim-size=1G --mo - Have you added your key to the secret and restarted the pod? - Are you passing your key with the sftp/ssh command? -2. The umich-sftp pod assumes it is running as a non-root user. +2. The umich-sshd pod assumes it is running as a non-root user. #### Minishift diff --git a/startup.sh b/startup.sh index 46413aa..087f3f8 100644 --- a/startup.sh +++ b/startup.sh 
@@ -11,16 +11,16 @@ mkdir -p /home/sftpuser/.ssh
 #chown sftpuser:root /home/sftpuser /home/sftpuser/.ssh
 # If there is a mounted pvc, symlink to it within the user's home dir.
-if [ -d /tmp/pvc ];
+if [ -d /mnt/pvc ];
 then
- ln -s /tmp/pvc /home/sftpuser/mwps
+ ln -s /mnt/pvc /home/sftpuser/mwps
 fi
 # If the user has specified keys either from a docker volume or openshift secret,
 # place those in the authorized_keys file at container start-up.
-if [ -f /tmp/keys/*.pub ];
+if [ -f /mnt/keys/*.pub ];
 then
- cat /tmp/keys/*.pub > /home/sftpuser/.ssh/authorized_keys
+ cat /mnt/keys/*.pub > /home/sftpuser/.ssh/authorized_keys
 chown sftpuser /home/sftpuser/.ssh/authorized_keys
 chmod 400 /home/sftpuser/.ssh/authorized_keys
 fi
-- GitLab