101 lines
3.8 KiB
Docker
101 lines
3.8 KiB
Docker
#
|
|
# Licensed to the Apache Software Foundation (ASF) under one or more
|
|
# contributor license agreements. See the NOTICE file distributed with
|
|
# this work for additional information regarding copyright ownership.
|
|
# The ASF licenses this file to You under the Apache License, Version 2.0
|
|
# (the "License"); you may not use this file except in compliance with
|
|
# the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
|
|
# Image for use on Mac boxes to get a gpg agent socket available
|
|
# within transient release building ocntainers.
|
|
#
|
|
# build like:
|
|
#
|
|
# docker build --build-arg "UID=$UID" --build-arg "RM_USER=$USER" \
|
|
# --tag org.apache.hbase/gpg-agent-proxy mac-sshd-gpg-agent
|
|
#
|
|
# run like:
|
|
#
|
|
# docker run --rm -p 62222:22 \
|
|
# --mount "type=bind,src=${HOME}/.ssh/id_rsa.pub,dst=/home/${USER}/.ssh/authorized_keys,readonly" \
|
|
# --mount "type=volume,src=gpgagent,dst=/home/${USER}/.gnupg/" \
|
|
# org.apache.hbase/gpg-agent-proxy:latest
|
|
#
|
|
# test like:
|
|
#
|
|
# ssh -p 62222 -R "/home/${USER}/.gnupg/S.gpg-agent:$(gpgconf --list-dir agent-extra-socket)" \
|
|
# -i "${HOME}/.ssh/id_rsa" -N -n localhost
|
|
#
|
|
# launch a docker container to do work that shares the mount for the gpg agent
|
|
# expressly does not need to be this same image, but needs to have defined the same user
|
|
#
|
|
# docker run --rm -it \
|
|
# --mount "type=volume,src=gpgagent,dst=/home/${USER}/.gnupg/" \
|
|
# --mount "type=bind,src=${HOME}/projects/hbase-releases/KEYS,dst=/home/${USER}/KEYS,readonly" \
|
|
# --entrypoint /bin/bash --user "${USER}" --workdir "/home/${USER}/" \
|
|
# org.apache.hbase/gpg-agent-proxy:latest
|
|
#
|
|
#
|
|
# Make sure to import the public keys
|
|
#
|
|
# gpg --no-autostart --import < ${HOME}/KEYS
|
|
# Optional?
|
|
# gpg --no-autostart --edit-key ${YOUR_KEY}
|
|
# trust
|
|
# 5
|
|
# y
|
|
# quit
|
|
#
|
|
# echo "foo" > foo
|
|
# gpg --no-autostart --armor --detach --sign foo
|
|
# gpg --no-autostart --verify foo.asc
|
|
#
|
|
# For more info see
|
|
# * gpg forwarding over ssh: https://wiki.gnupg.org/AgentForwarding
|
|
# * example docker for sshd: https://github.com/hotblac/nginx-ssh
|
|
# * why we have to bother with this: https://github.com/docker/for-mac/issues/483
|
|
#
|
|
# If the docker image changes then the host key used by sshd will change and you will get a
|
|
# nastygram when launching ssh about host identification changing. This is expected. you should
|
|
# remove the previous host key.
|
|
#
|
|
# Tested with
|
|
# * Docker Desktop 2.2.0.5
|
|
# * gpg 2.2.20
|
|
# * pinentry-mac 0.9.4
|
|
# * yubikey 5
|
|
#
|
|
FROM ubuntu:18.04
|
|
|
|
# This is all in a single "RUN" command so that if anything changes, "apt update" is run to fetch
|
|
# the most current package versions (instead of potentially using old versions cached by docker).
|
|
#
|
|
# We only need gnupg2 here if we want the ability to test out the gpg-agent forwarding by sshing
|
|
# into the container rather than launching a new docker container.
|
|
RUN DEBIAN_FRONTEND=noninteractive apt-get -qq -y update \
|
|
&& DEBIAN_FRONTEND=noninteractive apt-get -qq -y install --no-install-recommends \
|
|
openssh-server=1:7.6p1-4ubuntu0.3 gnupg2=2.2.4-1ubuntu1.2 && mkdir /run/sshd \
|
|
&& echo "StreamLocalBindUnlink yes" >> /etc/ssh/sshd_config \
|
|
&& apt-get clean \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
EXPOSE 22
|
|
# Set up our ssh user
|
|
ARG UID
|
|
ARG RM_USER
|
|
RUN groupadd sshgroup && \
|
|
useradd --create-home --shell /bin/bash --groups sshgroup --uid $UID $RM_USER && \
|
|
mkdir /home/$RM_USER/.ssh /home/$RM_USER/.gnupg && \
|
|
chown -R $RM_USER:sshgroup /home/$RM_USER/ && \
|
|
chmod -R 700 /home/$RM_USER/
|
|
# When we run we run sshd
|
|
ENTRYPOINT ["/usr/sbin/sshd", "-D"]
|