[ARVADOS] created: 1.3.0-3053-g8a17791b5
Git user
git at public.arvados.org
Wed Sep 2 02:29:36 UTC 2020
at 8a17791b5f16b785eeaff86051dbcce84699ceac (commit)
commit 8a17791b5f16b785eeaff86051dbcce84699ceac
Author: Peter Amstutz <peter.amstutz at curii.com>
Date: Tue Sep 1 22:07:04 2020 -0400
16796: Add webshell to arvbox
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>
diff --git a/tools/arvbox/lib/arvbox/docker/Dockerfile.base b/tools/arvbox/lib/arvbox/docker/Dockerfile.base
index c5c3774a9..bde5ffe89 100644
--- a/tools/arvbox/lib/arvbox/docker/Dockerfile.base
+++ b/tools/arvbox/lib/arvbox/docker/Dockerfile.base
@@ -21,7 +21,7 @@ RUN apt-get update && \
libgnutls28-dev python3-dev vim cadaver cython gnupg dirmngr \
libsecret-1-dev r-base r-cran-testthat libxml2-dev pandoc \
python3-setuptools python3-pip openjdk-8-jdk bsdmainutils net-tools \
- ruby2.3 ruby-dev bundler && \
+ ruby2.3 ruby-dev bundler shellinabox && \
apt-get clean
ENV RUBYVERSION_MINOR 2.3
diff --git a/tools/arvbox/lib/arvbox/docker/cluster-config.sh b/tools/arvbox/lib/arvbox/docker/cluster-config.sh
index db1778092..bebf983b6 100755
--- a/tools/arvbox/lib/arvbox/docker/cluster-config.sh
+++ b/tools/arvbox/lib/arvbox/docker/cluster-config.sh
@@ -110,6 +110,9 @@ Clusters:
ExternalURL: "https://$localip:${services[controller-ssl]}"
InternalURLs:
"http://localhost:${services[controller]}": {}
+ WebShell:
+ InternalURLs: {}
+ ExternalURL: "https://$localip:${services[webshell-ssl]}"
PostgreSQL:
ConnectionPool: 32 # max concurrent connections per arvados server daemon
Connection:
diff --git a/tools/arvbox/lib/arvbox/docker/common.sh b/tools/arvbox/lib/arvbox/docker/common.sh
index 05491c536..e81e8108e 100644
--- a/tools/arvbox/lib/arvbox/docker/common.sh
+++ b/tools/arvbox/lib/arvbox/docker/common.sh
@@ -46,6 +46,8 @@ services=(
[doc]=8001
[websockets]=8005
[websockets-ssl]=8002
+ [webshell]=4201
+ [webshell-ssl]=4202
)
if test "$(id arvbox -u 2>/dev/null)" = 0 ; then
diff --git a/tools/arvbox/lib/arvbox/docker/service/nginx/run b/tools/arvbox/lib/arvbox/docker/service/nginx/run
index d6fecb443..cfb7788de 100755
--- a/tools/arvbox/lib/arvbox/docker/service/nginx/run
+++ b/tools/arvbox/lib/arvbox/docker/service/nginx/run
@@ -186,6 +186,51 @@ http {
}
}
+
+upstream arvados-webshell {
+ server localhost:${services[webshell]};
+}
+server {
+ listen ${services[webshell-ssl]} ssl;
+ server_name arvados-webshell;
+
+ proxy_connect_timeout 90s;
+ proxy_read_timeout 300s;
+
+ ssl on;
+ ssl_certificate "${server_cert}";
+ ssl_certificate_key "${server_cert_key}";
+
+ location / {
+ if (\$request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ if (\$request_method = 'POST') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ }
+ if (\$request_method = 'GET') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ }
+
+ proxy_ssl_session_reuse off;
+ proxy_read_timeout 90;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host \$http_host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_pass http://arvados-webshell;
+ }
+}
}
EOF
diff --git a/tools/arvbox/lib/arvbox/docker/service/webshell/log/main/.gitstub b/tools/arvbox/lib/arvbox/docker/service/webshell/log/main/.gitstub
new file mode 100644
index 000000000..e69de29bb
diff --git a/tools/arvbox/lib/arvbox/docker/service/webshell/log/run b/tools/arvbox/lib/arvbox/docker/service/webshell/log/run
new file mode 120000
index 000000000..d6aef4a77
--- /dev/null
+++ b/tools/arvbox/lib/arvbox/docker/service/webshell/log/run
@@ -0,0 +1 @@
+/usr/local/lib/arvbox/logger
\ No newline at end of file
diff --git a/tools/arvbox/lib/arvbox/docker/service/webshell/run b/tools/arvbox/lib/arvbox/docker/service/webshell/run
new file mode 100755
index 000000000..c6e3fe5f3
--- /dev/null
+++ b/tools/arvbox/lib/arvbox/docker/service/webshell/run
@@ -0,0 +1,42 @@
+#!/bin/bash
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+set -ex
+
+. /usr/local/lib/arvbox/common.sh
+
+/usr/local/lib/arvbox/runsu.sh $0-service
+
+cat > /etc/pam.d/shellinabox <<EOF
+# This example is a stock debian "login" file with pam_arvados
+# replacing pam_unix. It can be installed as /etc/pam.d/shellinabox .
+
+auth optional pam_faildelay.so delay=3000000
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+auth requisite pam_nologin.so
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_env.so readenv=1
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+
+auth [success=1 default=ignore] /usr/local/lib/pam_arvados.so $localip:${services[controller-ssl]} $localip
+auth requisite pam_deny.so
+auth required pam_permit.so
+
+auth optional pam_group.so
+session required pam_limits.so
+session optional pam_lastlog.so
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so
+session optional pam_mail.so standard
+
+ at include common-account
+ at include common-session
+ at include common-password
+
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+EOF
+
+exec shellinaboxd --verbose --port ${services[webshell]} --user arvbox --group arvbox \
+ --disable-ssl --no-beep --service=/:AUTH:HOME:SHELL
\ No newline at end of file
diff --git a/tools/arvbox/lib/arvbox/docker/service/webshell/run-service b/tools/arvbox/lib/arvbox/docker/service/webshell/run-service
new file mode 100755
index 000000000..92b0c3de2
--- /dev/null
+++ b/tools/arvbox/lib/arvbox/docker/service/webshell/run-service
@@ -0,0 +1,13 @@
+#!/bin/bash
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+exec 2>&1
+set -ex -o pipefail
+
+. /usr/local/lib/arvbox/common.sh
+. /usr/local/lib/arvbox/go-setup.sh
+
+flock /var/lib/gopath/gopath.lock go build -buildmode=c-shared -o ${GOPATH}/bin/pam_arvados.so git.arvados.org/arvados.git/lib/pam
+install $GOPATH/bin/pam_arvados.so /usr/local/lib
\ No newline at end of file
-----------------------------------------------------------------------
hooks/post-receive
--
More information about the arvados-commits
mailing list