From 33a76f9c0ee61e2792d270de1a5c03c456eb6e72 Mon Sep 17 00:00:00 2001
From: Dustin Jenkins
Date: Wed, 24 Jul 2024 12:50:27 -0700
Subject: [PATCH] SSHD Docker update.

---
 cavern-sshd/Dockerfile | 13 ++++---
 cavern-sshd/README.md | 4 +-+-
 cavern-sshd/VERSION | 6 ++++
 cavern-sshd/src/cadc-sssd-start | 32 +++++++++++++++++
 cavern-sshd/src/entrypoint | 7 ++++
 cavern-sshd/src/nsswitch.conf | 63 +++++++++++++++++++++++++++++++++
 6 files changed, 119 insertions(+), 6 deletions(-)
 create mode 100644 cavern-sshd/VERSION
 create mode 100755 cavern-sshd/src/cadc-sssd-start
 create mode 100755 cavern-sshd/src/entrypoint
 create mode 100644 cavern-sshd/src/nsswitch.conf

diff --git a/cavern-sshd/Dockerfile b/cavern-sshd/Dockerfile
index 1de91ac6..200e1156 100644
--- a/cavern-sshd/Dockerfile
+++ b/cavern-sshd/Dockerfile
@@ -1,15 +1,20 @@
-FROM centos:7
+FROM almalinux:8
 RUN \
- yum -y install openssh-clients openssh-server sssd-client authconfig && \
- yum -y clean all && \
+ dnf install -y authconfig authselect openldap-clients openssh-clients openssh-server procps-ng sssd-client sssd-ldap sssd-tools && \
 touch /run/utmp
-RUN mkdir -p /var/log/sshd
+RUN mkdir -p /var/log/sssd
 # enable sssd-based authentication
 RUN authconfig --update --enablesssd --enablesssdauth
+ADD src/nsswitch.conf /etc/
+
+COPY src/entrypoint /entrypoint
+COPY src/cadc-sssd-start /usr/bin/cadc-sssd-start
+
 EXPOSE 22
+ENTRYPOINT [ "/entrypoint" ]
 CMD ["/usr/sbin/sshd", "-D", "-e"]
diff --git a/cavern-sshd/README.md b/cavern-sshd/README.md
index 68a9d7c2..014b6789 100644
--- a/cavern-sshd/README.md
+++ b/cavern-sshd/README.md
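Review bot: The rewritten `RUN` drops the `yum -y clean all` step the old layer had, so dnf's downloaded packages and repo metadata now stay in the install layer; put it back in the same layer, `dnf install -y … && \`, `dnf clean all && \`, `touch /run/utmp`. `FROM almalinux:8` is a floating major tag and the package list is unpinned, so two builds of the same commit can produce different images — pin a minor tag or digest (`FROM almalinux:8.10@sha256:…`) if reproducibility matters here. `ADD src/nsswitch.conf /etc/` gains nothing over `COPY src/nsswitch.conf /etc/nsswitch.conf`, and a comment on why it has to follow the `authconfig` step (presumably because that step rewrites nsswitch.conf — worth confirming on AlmaLinux 8, where authconfig is an authselect shim) would help the next reader. The new `ENTRYPOINT` starts sssd in the background and then exec's sshd, so two daemons share the container with no init; if sssd's orphaned children end up unreaped, `docker run --init` or `tini` is the usual answer.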
@@ -8,9 +8,9 @@ docker build -t cavern-sshd:latest -f Dockerfile .
 ## configuration
-/etc/sshd/sshd_conf controls the configuration and should be overwritten with the desired version with a file system mount. The field ChrootDirectory should specify the root of the file system which to expose. (eg /cavern). This must match the value of VOS_FILESYSTEM_ROOT in Cavern.properties.
+/etc/sshd/sshd_conf controls the configuration and should be overwritten with the desired version with a file system mount. The field ChrootDirectory should specify the root of the file system which to expose. (eg /cavern). This must match the value of `org.opencadc.cavern.filesystem.baseDir` in the `cavern.properties`.
-The public and private keys for the supported cypher algorithms must also exist in directory /etc/ssd/:
+The public and private keys for the supported cypher algorithms must also exist in directory /etc/sshd/:
 ```
 ssh_host_ecdsa_key
diff --git a/cavern-sshd/VERSION b/cavern-sshd/VERSION
new file mode 100644
index 00000000..9a3fcaec
--- /dev/null
+++ b/cavern-sshd/VERSION
@@ -0,0 +1,6 @@
+## deployable containers have a semantic and build tag
+# semantic version tag: major.minor
+# build version tag: timestamp
+VER=0.2.0
+TAGS="${VER} ${VER}-$(date -u +"%Y%m%dT%H%M%S")"
+unset VER
diff --git a/cavern-sshd/src/cadc-sssd-start b/cavern-sshd/src/cadc-sssd-start
new file mode 100755
index 00000000..d41738a3
--- /dev/null
+++ b/cavern-sshd/src/cadc-sssd-start
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+SELF=cadc-sssd-start
+CONFIG=/etc/sssd/sssd.conf
+
+TS=$(date)
+echo "$TS $SELF START"
+echo "user: $USER"
+echo "home: $HOME"
+CONFIG=/etc/sssd/sssd.conf
+
+if [ -f $CONFIG ]; then
+ echo "finding sssd domain"
+ DOMAIN=$(sed -n "/domains = /s/domains = //p" $CONFIG)
+ echo "domain=$DOMAIN"
+else
+ echo "missing sssd config: $CONFIG"
+ exit -1
+fi
+
+if [ -z ${DOMAIN+x} ]; then
+ echo "could not find domain in sssd config: $CONFIG"
+ exit -1
+fi
+
+TS=$(date)
+echo "$TS $SELF DONE"
+
+/usr/sbin/sssd -D --logger=files
+
+PID=$(pgrep -x 'sssd')
+echo "SSSD PID: $PID"
diff --git a/cavern-sshd/src/entrypoint b/cavern-sshd/src/entrypoint
new file mode 100755
index 00000000..7e00daf8
--- /dev/null
+++ b/cavern-sshd/src/entrypoint
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Start the SSSD daemon here to have it running behind SSHD.
+
+/usr/bin/cadc-sssd-start
+
+exec ${@}
\ No newline at end of file
diff --git a/cavern-sshd/src/nsswitch.conf b/cavern-sshd/src/nsswitch.conf
new file mode 100644
index 00000000..595090d6
--- /dev/null
+++ b/cavern-sshd/src/nsswitch.conf
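Review bot: The guard `if [ -z ${DOMAIN+x} ]` can never trigger: `${DOMAIN+x}` tests whether the variable is set, and the `DOMAIN=$(sed …)` assignment a few lines up always sets it, so an sssd.conf without a `domains =` line logs `domain=` and sssd is started regardless — test the value instead, `if [ -z "$DOMAIN" ]; then`. The return code of `/usr/sbin/sssd -D --logger=files` is also discarded, and `DONE` is logged before the daemon is even launched, so a refused start (a config whose owner or mode sssd rejects, for instance) never reaches the caller; `/usr/sbin/sssd -D --logger=files || { echo "sssd failed to start"; exit 1; }` makes it explicit. `exit -1` is really `exit 255` in bash — plain `exit 1` is clearer — `CONFIG` is assigned twice, and `$CONFIG` is unquoted in the `-f` test; `set -euo pipefail` at the top would catch most of this class of slip.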
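Review bot: `exec ${@}` is unquoted, so the CMD arguments are word-split and glob-expanded before sshd sees them; the default `/usr/sbin/sshd -D -e` survives that, but an override containing spaces or `*` will not — use `exec "$@"`. The exit status of `/usr/bin/cadc-sssd-start` is ignored, so sshd comes up even when sssd did not and logins then fail for want of an identity backend instead of the container failing fast; `/usr/bin/cadc-sssd-start || exit 1` (or `set -e` at the top) keeps that visible. The file also lacks a trailing newline.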
@@ -0,0 +1,63 @@
+#
+# /etc/nsswitch.conf
+#
+# An example Name Service Switch config file. This file should be
+# sorted with the most-used services at the beginning.
+#
+# The entry '[NOTFOUND=return]' means that the search for an
+# entry should stop if the search in the previous entry turned
+# up nothing. Note that if the search failed due to some other reason
+# (like no NIS server responding) then the search continues with the
+# next entry.
+#
+# Valid entries include:
+#
+# nisplus Use NIS+ (NIS version 3)
+# nis Use NIS (NIS version 2), also called YP
+# dns Use DNS (Domain Name Service)
+# files Use the local files
+# db Use the local database (.db) files
+# compat Use NIS on compat mode
+# hesiod Use Hesiod for user lookups
+# [NOTFOUND=return] Stop searching if not found so far
+#
+
+# To use db, put the "db" in front of "files" for entries you want to be
+# looked up first in the databases
+#
+# Example:
+#passwd: db files nisplus nis
+#shadow: db files nisplus nis
+#group: db files nisplus nis
+
+passwd: sss files
+shadow: files sss
+group: sss files
+#initgroups: files sss
+
+#hosts: db files nisplus nis dns
+hosts: files dns myhostname
+
+# Example - obey only what nisplus tells us...
+#services: nisplus [NOTFOUND=return] files
+#networks: nisplus [NOTFOUND=return] files
+#protocols: nisplus [NOTFOUND=return] files
+#rpc: nisplus [NOTFOUND=return] files
+#ethers: nisplus [NOTFOUND=return] files
+#netmasks: nisplus [NOTFOUND=return] files
+
+bootparams: nisplus [NOTFOUND=return] files
+
+ethers: files
+netmasks: files
+networks: files
+protocols: files
+rpc: files
+services: files sss
+
+netgroup: nisplus sss
+
+publickey: nisplus
+
+automount: files nisplus sss
+aliases: files nisplus
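Review bot: The `nisplus` sources in `bootparams`, `netgroup`, `publickey`, `automount` and `aliases` look inherited from a CentOS 7 template; as far as I know AlmaLinux 8 ships no NIS+ NSS module, so those tokens resolve nothing and `publickey: nisplus` has no usable backend at all — `netgroup: sss files` and `automount: sss files` (the authselect sssd profile's values), with the `nisplus` tokens dropped elsewhere, reflects what this image actually uses. A header comment is also needed, because this file overwrites whatever the preceding `authconfig --enablesssd` step generated (on AlmaLinux 8 that is authselect, which will afterwards report the profile as modified): `# Hand-maintained; overrides the authselect-generated file. Keep passwd/group/shadow in step with the sssd profile.` The surviving "An example Name Service Switch config file" header is misleading for a file that is installed verbatim.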