From e45e7cf9b2d2906604a005165bbc3496f6152ec5 Mon Sep 17 00:00:00 2001
From: Kostas Lekkas
Date: Sun, 8 May 2016 18:59:19 +0300
Subject: [PATCH] dind: add dropbear and prevent passwordless login by default
---
 Makefile | 3 +++
 README.md | 8 ++++++++
 tools/dind/Dockerfile | 9 +++++++++
 tools/dind/config/dropbear/config | 2 ++
 4 files changed, 22 insertions(+)
 create mode 100644 tools/dind/config/dropbear/config
diff --git a/Makefile b/Makefile
index baa771e4..94623be9 100644
--- a/Makefile
+++ b/Makefile
@@ -14,6 +14,8 @@ PUBNUB_SUBSCRIBE_KEY = sub-c-bananas PUBNUB_PUBLISH_KEY = pub-c-bananas MIXPANEL_TOKEN = bananasbananas +PASSWORDLESS_DROPBEAR = false + ifdef BASE_DISTRO $(info BASE_DISTRO SPECIFIED. START BUILDING ALPINE SUPERVISOR) IMAGE = "resin/$(ARCH)-supervisor:$(SUPERVISOR_VERSION)-alpine"
@@ -55,6 +57,7 @@ clean: -rm Dockerfile supervisor-dind: + sed -i 's/\(ENV PASSWORDLESS_DROPBEAR\).*/\1 ${PASSWORDLESS_DROPBEAR}/' tools/dind/Dockerfile cd tools/dind && docker build --no-cache=$(DISABLE_CACHE) -t resin/resin-supervisor-dind:$(SUPERVISOR_VERSION) . run-supervisor: supervisor-dind stop-supervisor
diff --git a/README.md b/README.md
index c94ac5df..fc1c8d89 100644
--- a/README.md
+++ b/README.md
@@ -95,6 +95,14 @@ make ARCH=amd64 PRELOADED_IMAGE=true \ ``` This will make the docker-in-docker instance pull the image specified in apps.json before running the supervisor. +### Enabling passwordless dropbear access + +If you want to enable passwordless dropbear login (e.g. while testing `resin sync`) you can set the `PASSWORDLESS_DROPBEAR` option to `true`, like: + +```bash +make PASSWORDLESS_DROPBEAR=true ARCH=amd64 SUPERVISOR_IMAGE=username/resin-supervisor:master run-supervisor +``` + ### View the containers logs ```bash docker exec -it resin_supervisor_1 journalctl -f
diff --git a/tools/dind/Dockerfile b/tools/dind/Dockerfile
index 5953360d..7a88326f 100644
--- a/tools/dind/Dockerfile
+++ b/tools/dind/Dockerfile
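Review bot: The `sed -i` line added to `supervisor-dind` in the second Makefile hunk rewrites the tracked file `tools/dind/Dockerfile` on every build, so a security-relevant setting lives in the working tree: after a `PASSWORDLESS_DROPBEAR=true` build the file keeps `ENV PASSWORDLESS_DROPBEAR true` until the next make run and can be committed, or picked up by a direct `docker build`, in that state. The value is also pasted unchecked into the sed expression, so a value containing `/` or `'` breaks the substitution or the shell quoting. Declaring `ARG PASSWORDLESS_DROPBEAR=false` in the Dockerfile and adding `--build-arg PASSWORDLESS_DROPBEAR=$(PASSWORDLESS_DROPBEAR)` to the existing `docker build` line would leave the source file untouched (this needs Docker 1.9 or later on the build host). Next to the default added in the first hunk, a guard such as `ifeq ($(filter true false,$(PASSWORDLESS_DROPBEAR)),)` followed by `$(error PASSWORDLESS_DROPBEAR must be true or false)` would reject anything else.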
@@ -7,22 +7,31 @@ RUN apt-get update \ && apt-get install -y \ ifupdown \ rsync \ + dropbear \ && rm -rf /var/lib/apt/lists/* ENV DOCKER_VERSION 1.10.3 ENV RELEASE_NAME jessie +# Change to 'true' to allow blank password dropbear logins on dind HostOS +ENV PASSWORDLESS_DROPBEAR false + RUN apt-key adv --keyserver hkp://pgp.mit.edu:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D \ && echo deb https://apt.dockerproject.org/repo debian-${RELEASE_NAME} main > /etc/apt/sources.list.d/docker.list \ && apt-get update || true \ && apt-get --force-yes install docker-engine=${DOCKER_VERSION}-0~${RELEASE_NAME} \ && rm -rf /var/lib/apt/lists/* +RUN passwd -d root + # Change os release to a resin-sync compatible one RUN sed -i 's/\(PRETTY_NAME=\).*/\1"ResinOS 1.2.1+dind"/' /etc/os-release COPY config/openvpn/ /etc/openvpn/ +COPY config/dropbear/config /etc/default/dropbear COPY config/services/ /etc/systemd/system/ COPY resin-vars vpn-init /usr/src/app/ +RUN if [ "$PASSWORDLESS_DROPBEAR" = "true" ]; then sed -i 's/\(DROPBEAR_EXTRA_ARGS=\).*/\1"-B"/' /etc/default/dropbear; fi + RUN systemctl enable resin-supervisor-dind
diff --git a/tools/dind/config/dropbear/config b/tools/dind/config/dropbear/config
new file mode 100644
index 00000000..f4d98c50
--- /dev/null
+++ b/tools/dind/config/dropbear/config
@@ -0,0 +1,2 @@
+DROPBEAR_EXTRA_ARGS="-s -w -g"
+DROPBEAR_PORT="22222"
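Review bot: `RUN passwd -d root` runs unconditionally, so root has an empty password in every image, including the default build where `PASSWORDLESS_DROPBEAR` is `false`; in that build only the dropbear flags protect the account over SSH, and they do not cover any other login path inside the container. Moving it into the existing conditional would tie the blank password to the opt-in: `RUN if [ "$PASSWORDLESS_DROPBEAR" = "true" ]; then passwd -d root && sed -i 's/\(DROPBEAR_EXTRA_ARGS=\).*/\1"-B"/' /etc/default/dropbear; fi`. In the opt-in case the sed replaces the whole `-s -w -g` value with `-B`, which permits blank-password root logins on port 22222. The comment above the `ENV` line should therefore also say that such an image is for local testing and that the port must not be reachable from other hosts.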
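Review bot: The flags in `DROPBEAR_EXTRA_ARGS` are the whole SSH access policy for this image and carry no explanation, while the Dockerfile's sed overwrites the entire value when the opt-in is set. A comment above the line would make that visible to the next editor, for example `# -s: no password logins, -w: no root logins, -g: no password logins for root; replaced by "-B" when PASSWORDLESS_DROPBEAR=true`. With these defaults and no authorized key installed by the visible Dockerfile lines, it looks as if nobody can log in over dropbear in the default build; if that is intended, the same comment is a good place to say so.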