From c44f0289ce1b70080b277b6a850bb6e1fdb24122 Mon Sep 17 00:00:00 2001
From: Tom Kirchner
Date: Fri, 11 Oct 2019 15:57:40 -0700
Subject: [PATCH] Add enable-admin-container helper to control container with instructions

---
 extras/control-container/Dockerfile | 16 +++++++++
 extras/control-container/bashrc | 6 ++++
 .../control-container/enable-admin-container | 36 +++++++++++++++++++
 extras/control-container/motd | 19 ++++++++++
 4 files changed, 77 insertions(+)
 create mode 100644 extras/control-container/bashrc
 create mode 100644 extras/control-container/enable-admin-container
 create mode 100644 extras/control-container/motd

diff --git a/extras/control-container/Dockerfile b/extras/control-container/Dockerfile
index 9f387bdf8c2..880ace5c3fb 100644
--- a/extras/control-container/Dockerfile
+++ b/extras/control-container/Dockerfile
@@ -2,6 +2,22 @@ FROM amazonlinux:2
 
 RUN yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm shadow-utils
 
+# Add motd explaining the control container.
+RUN rm -f /etc/motd /etc/issue
+ADD --chown=root:root motd /etc/
+# Add bashrc that shows the motd.
+ADD ./bashrc /etc/skel/.bashrc
+# SSM starts sessions with 'sh', not 'bash', which for us is a link to bash.
+# Furthermore, it starts sh as an interactive shell, but not a login shell.
+# In this mode, the only startup file respected is the one pointed to by the
+# ENV environment variable. Point it to our bashrc, which just prints motd.
+ENV ENV /etc/skel/.bashrc
+
+# Add our helper to quickly enable the admin container.
+ADD ./enable-admin-container /usr/bin/
+RUN chmod +x /usr/bin/enable-admin-container
+
+# Create our user in the group that allows API access.
 RUN groupadd -g 274 api
 RUN useradd -m -G users,api ssm-user
 
diff --git a/extras/control-container/bashrc b/extras/control-container/bashrc
new file mode 100644
index 00000000000..481b030212d
--- /dev/null
+++ b/extras/control-container/bashrc
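Review bot: `ADD --chown=root:root motd /etc/`, `ADD ./bashrc /etc/skel/.bashrc` and `ADD ./enable-admin-container /usr/bin/` copy plain local files, where `COPY` is the conventional instruction (hadolint DL3020): `ADD` additionally auto-extracts archives and fetches URLs, which is more behaviour than these lines want. `ENV ENV /etc/skel/.bashrc` uses the legacy space-separated form; `ENV ENV=/etc/skel/.bashrc` is the supported key=value syntax. The follow-up `RUN chmod +x /usr/bin/enable-admin-container` duplicates the file in a second layer; `COPY --chmod=0755 ./enable-admin-container /usr/bin/` does it in one step where the builder supports BuildKit, or the execute bit can be set on the file in the repository so it survives the copy. The rest of the Dockerfile, including whether it ends with a `USER` switch away from root, is outside the hunk.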
@@ -0,0 +1,6 @@
+if [ -f /etc/bashrc ]; then
+ . /etc/bashrc
+fi
+
+cat /etc/motd
+echo
diff --git a/extras/control-container/enable-admin-container b/extras/control-container/enable-admin-container
new file mode 100644
index 00000000000..b1f0fbbad0b
--- /dev/null
+++ b/extras/control-container/enable-admin-container
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+error() {
+ echo -e "Error: ${*}\n" >&2
+ cat >&2 <<-EOF
+ You can manually enable the admin container like this:
+ apiclient -u /settings -m PATCH -d '{"host-containers": {"admin": {"enabled": true}}}'
+ apiclient -u /settings/commit_and_apply -m POST
+ EOF
+ exit 1
+}
+
+if ! command -v apiclient >/dev/null 2>&1; then
+ error "can't find 'apiclient'"
+fi
+
+echo "Checking whether there are pending settings; we don't want to silently commit other changes"
+PENDING="$(apiclient -u /settings/pending)"
+rc="${?}"
+if [ "${rc}" -ne 0 ]; then
+ error "apiclient returned ${rc} - couldn't check pending settings, so we don't know if it's safe to commit changes for enabling admin container.\nTry to check what's pending with \`apiclient -u /settings/pending\`"
+elif [ "${PENDING}" != "{}" ]; then
+ error "found pending settings in API, cowardly refusing to commit them.\nYou can commit them yourself with \`apiclient -u /settings/commit_and_apply -m POST\` and try again.\nPending settings: ${PENDING}"
+fi
+
+echo "Setting admin container to enabled"
+if ! apiclient -v -u /settings -m PATCH -d '{"host-containers": {"admin": {"enabled": true}}}'; then
+ error "failed to change enabled setting of admin container"
+fi
+
+echo "Committing and applying changes"
+if ! apiclient -v -u /settings/commit_and_apply -m POST; then
+ error "failed to commit and apply settings"
+fi
+
+echo "The admin container is now enabled - it should pull and start soon, and then you can SSH in"
diff --git a/extras/control-container/motd b/extras/control-container/motd
new file mode 100644
index 00000000000..a26af4c9f2e
--- /dev/null
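Review bot: The `cat >&2 <<-EOF` heredoc in `error()` depends on `<<-`, which strips only leading tabs; if the body and the closing `EOF` are indented with spaces (the collapsed page does not show which), the terminator is never matched and bash reads to end of file, so the fallback instructions and the `exit 1` after them misbehave — worth confirming the file uses tabs, or dropping the indentation together with the `-`. The PATCH payload `'{"host-containers": {"admin": {"enabled": true}}}'` is spelled twice, once in the fallback text and once in the live call; a single `PATCH_BODY='{"host-containers": {"admin": {"enabled": true}}}'` used in both places keeps them from drifting. The pending-settings check and the later `commit_and_apply` are separate requests, so anything another client stages in between is still committed; a one-line comment above the `PENDING=` check saying the guard is best-effort, not atomic, would set expectations for operators.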
+++ b/extras/control-container/motd
@@ -0,0 +1,19 @@
+Welcome to Thar's control container!
+
+This container gives you access to the Thar API, which in turn lets you inspect
+and configure the system. You'll probably want to use the `apiclient` tool for
+that; for example, to inspect the system:
+
+ apiclient -u /settings
+
+You can run `apiclient --help` for usage details, and check the main Thar
+documentation for descriptions of all settings and examples of changing them.
+
+If you need to debug the system further, you can enable the admin container.
+This enables SSH access to the system using the key you specified when you
+launched the instance. This environment has more debugging tools installed,
+and allows you to get root access to the host.
+
+To enable the admin container, run:
+
+ enable-admin-container