Merge pull request #133 from jdeathe/master

Release changes ready for centos-6-1.5.0

Dockerfile

@@ -1,7 +1,7 @@
 # =============================================================================
 # jdeathe/centos-ssh
 #
-# CentOS-6 6.7 x86_64 / EPEL/IUS Repos. / OpenSSH / Supervisor.
+# CentOS-6 6.7 x86_64 / SCL/EPEL/IUS Repos. / Supervisor / OpenSSH.
 # 
 # =============================================================================
 FROM centos:centos6.7
@@ -20,6 +20,9 @@ RUN rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6 \
 # -----------------------------------------------------------------------------
 RUN rpm --rebuilddb \
 	&& yum -y install \
+	centos-release-scl \
+	centos-release-scl-rh \
+	epel-release \
 	https://centos6.iuscommunity.org/ius-release.rpm \
 	vim-minimal-7.4.629-5.el6 \
 	sudo-1.8.6p3-20.el6_7 \
@@ -48,7 +51,6 @@ RUN rpm --rebuilddb \
 RUN easy_install 'supervisor == 3.2.0' 'supervisor-stdout == 0.1.1' \
 	&& mkdir -p /var/log/supervisor/
 
-
 # -----------------------------------------------------------------------------
 # UTC Timezone & Networking
 # -----------------------------------------------------------------------------
@@ -59,11 +61,10 @@ RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \
 # Configure SSH for non-root public key authentication
 # -----------------------------------------------------------------------------
 RUN sed -i \
-	-e 's~^UsePAM yes~#UsePAM yes~g' \
-	-e 's~^#UsePAM no~UsePAM no~g' \
 	-e 's~^PasswordAuthentication yes~PasswordAuthentication no~g' \
 	-e 's~^#PermitRootLogin yes~PermitRootLogin no~g' \
 	-e 's~^#UseDNS yes~UseDNS no~g' \
+	-e 's~^\(.*\)/usr/libexec/openssh/sftp-server$~\1internal-sftp~g' \
 	/etc/ssh/sshd_config
 
 # -----------------------------------------------------------------------------
@@ -74,18 +75,25 @@ RUN sed -i 's~^# %wheel\tALL=(ALL)\tALL~%wheel\tALL=(ALL) ALL~g' /etc/sudoers
 # -----------------------------------------------------------------------------
 # Copy files into place
 # -----------------------------------------------------------------------------
-ADD etc/ssh-bootstrap /etc/
+ADD usr/sbin/sshd-bootstrap /usr/sbin/sshd-bootstrap
 ADD etc/services-config/ssh/authorized_keys \
-	etc/services-config/ssh/sshd_config \
-	etc/services-config/ssh/ssh-bootstrap.conf \
+	etc/services-config/ssh/sshd-bootstrap.conf \
+	etc/services-config/ssh/sshd-bootstrap.env \
 	/etc/services-config/ssh/
 ADD etc/services-config/supervisor/supervisord.conf /etc/services-config/supervisor/
+ADD etc/services-config/supervisor/supervisord.d/sshd.conf \
+	etc/services-config/supervisor/supervisord.d/sshd-bootstrap.conf \
+	/etc/services-config/supervisor/supervisord.d/
 
-RUN chmod 600 /etc/services-config/ssh/sshd_config \
-	&& chmod +x /etc/ssh-bootstrap \
-	&& ln -sf /etc/services-config/supervisor/supervisord.conf /etc/supervisord.conf \
+RUN mkdir -p /etc/supervisord.d/ \
+	&& cp -pf /etc/ssh/sshd_config /etc/services-config/ssh/ \
 	&& ln -sf /etc/services-config/ssh/sshd_config /etc/ssh/sshd_config \
-	&& ln -sf /etc/services-config/ssh/ssh-bootstrap.conf /etc/ssh-bootstrap.conf
+	&& ln -sf /etc/services-config/ssh/sshd-bootstrap.conf /etc/sshd-bootstrap.conf \
+	&& ln -sf /etc/services-config/ssh/sshd-bootstrap.env /etc/sshd-bootstrap.env \
+	&& ln -sf /etc/services-config/supervisor/supervisord.conf /etc/supervisord.conf \
+	&& ln -sf /etc/services-config/supervisor/supervisord.d/sshd.conf /etc/supervisord.d/sshd.conf \
+	&& ln -sf /etc/services-config/supervisor/supervisord.d/sshd-bootstrap.conf /etc/supervisord.d/sshd-bootstrap.conf \
+	&& chmod +x /usr/sbin/sshd-bootstrap
 
 # -----------------------------------------------------------------------------
 # Purge
@@ -102,10 +110,15 @@ EXPOSE 22
 # Set default environment variables
 # -----------------------------------------------------------------------------
 ENV SSH_AUTHORIZED_KEYS ""
+ENV SSH_CHROOT_DIRECTORY "%h"
+ENV SSH_INHERIT_ENVIRONMENT false
 ENV SSH_SUDO "ALL=(ALL) ALL"
-ENV SSH_USER_PASSWORD ""
 ENV SSH_USER "app-admin"
-ENV SSH_USER_HOME_DIR "/home/app-admin"
+ENV SSH_USER_FORCE_SFTP = false
+ENV SSH_USER_HOME "/home/%u"
+ENV SSH_USER_PASSWORD ""
+ENV SSH_USER_PASSWORD_HASHED false
 ENV SSH_USER_SHELL "/bin/bash"
+ENV SSH_USER_ID "500:500"
 
 CMD ["/usr/bin/supervisord", "--configuration=/etc/supervisord.conf"]

README-short.txt

@@ -1 +1 @@
-CentOS-6 6.7 x86_64 / EPEL/IUS Repos / OpenSSH / Supervisor.
+CentOS-6 6.7 x86_64 / SCL/EPEL/IUS Repos / Supervisor / OpenSSH.

build.conf

@@ -1,3 +1,7 @@
+COLOUR_NEGATIVE=$(tput setaf 1)
+COLOUR_POSITIVE=$(tput setaf 2)
+COLOUR_RESET=$(tput sgr0)
+
 DOCKER_USER=jdeathe
 DOCKER_IMAGE_NAME=centos-ssh
 DOCKER_IMAGE_TAG=latest

build.sh

@@ -6,8 +6,6 @@ if [[ ${DIR_PATH} == */* ]] && [[ ${DIR_PATH} != $( pwd ) ]]; then
 	cd ${DIR_PATH}
 fi
 
-NO_CACHE=$1
-
 source build.conf
 
 show_docker_image ()
@@ -20,23 +18,31 @@ show_docker_image ()
 		NAME_PARTS[1]='latest'
 	fi
 
-	docker images | grep -e "^${NAME_PARTS[0]}[ ]\{1,\}${NAME_PARTS[1]}"
+	docker images | \
+		awk \
+			-v FS='[ ]+' \
+			-v pattern="^${NAME_PARTS[0]}[ ]+${NAME_PARTS[1]} " \
+			'$0 ~ pattern { print $0; }'
 }
 
+NO_CACHE=$1
+
 echo "Building ${DOCKER_IMAGE_REPOSITORY_NAME}"
 
 # Allow cache to be bypassed
-if [[ ${NO_CACHE} == "true" ]]; then
+if [[ ${NO_CACHE} == true ]]; then
 	echo " ---> Skipping cache"
 else
-	NO_CACHE="false"
+	NO_CACHE=false
 fi
 
 # Build from working directory
 docker build --no-cache=${NO_CACHE} -t ${DOCKER_IMAGE_REPOSITORY_NAME} .
 
-# Display the last docker image
-echo "Docker image:"
-show_docker_image ${DOCKER_IMAGE_REPOSITORY_NAME}
-
-echo " ---> Build complete"
+if [[ ${?} -eq 0 ]]; then
+	printf -- "\n%s:\n" 'Docker image'
+	show_docker_image ${DOCKER_IMAGE_REPOSITORY_NAME}
+	printf -- " ${COLOUR_POSITIVE}--->${COLOUR_RESET} %s\n" 'Build complete'
+else
+	printf -- " ${COLOUR_NEGATIVE}--->${COLOUR_RESET} %s\n" 'ERROR'
+fi

etc/services-config/ssh/sshd-bootstrap.conf

@@ -0,0 +1,12 @@
+SSH_AUTHORIZED_KEYS="${SSH_AUTHORIZED_KEYS:-}"
+SSH_CHROOT_DIRECTORY="${SSH_CHROOT_DIRECTORY:-%h}"
+SSH_INHERIT_ENVIRONMENT="${SSH_INHERIT_ENVIRONMENT:-false}"
+SSH_ROOT_PASSWORD=
+SSH_SUDO="${SSH_SUDO:-ALL=(ALL) ALL}"
+SSH_USER="${SSH_USER:-app-admin}"
+SSH_USER_FORCE_SFTP="${SSH_USER_FORCE_SFTP:-false}"
+SSH_USER_HOME="${SSH_USER_HOME:-/home/%u}"
+SSH_USER_PASSWORD="${SSH_USER_PASSWORD:-}"
+SSH_USER_PASSWORD_HASHED="${SSH_USER_PASSWORD_HASHED:-false}"
+SSH_USER_SHELL="${SSH_USER_SHELL:-/bin/bash}"
+SSH_USER_ID="${SSH_USER_ID:-500:500}"

etc/services-config/ssh/sshd_config

@@ -84,17 +84,17 @@ GSSAPICleanupCredentials yes
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange no
 
-# Set this to 'yes' to enable PAM authentication, account processing, 
-# and session processing. If this is enabled, PAM authentication will 
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-UsePAM no
-#UsePAM yes
+#UsePAM no
+UsePAM yes
 
 # Accept locale-related environment variables
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
@@ -129,7 +129,7 @@ UseDNS no
 #Banner none
 
 # override default of no subsystems
-Subsystem	sftp	/usr/libexec/openssh/sftp-server
+Subsystem	sftp	internal-sftp
 
 # Example of overriding settings on a per-user basis
 #Match User anoncvs

etc/services-config/supervisor/supervisord.conf

@@ -8,24 +8,11 @@ minfds = 1024
 minprocs = 200
 nodaemon = true
 
-[program:sshd_bootstrap]
-priority = 5
-command = /etc/ssh-bootstrap
-startsecs = 0
-startretries = 0
-autorestart = false
-stdout_logfile = /var/log/secure
-stdout_events_enabled = true
-
-[program:sshd]
-priority = 10
-command = /usr/sbin/sshd -D -e
-redirect_stderr = true
-stdout_logfile = /var/log/secure
-stdout_events_enabled = true
-
 [eventlistener:supervisor_stdout]
 command = /usr/bin/supervisor_stdout
 buffer_size = 100
 events = PROCESS_LOG
-result_handler = supervisor_stdout:event_handler
+result_handler = supervisor_stdout:event_handler
+
+[include]
+files = supervisord.d/*.conf supervisord.d/*.ini

etc/services-config/supervisor/supervisord.d/sshd-bootstrap.conf

@@ -0,0 +1,9 @@
+[program:sshd-bootstrap]
+priority = 5
+command = bash -c 'env >> /etc/sshd-bootstrap.env; /usr/sbin/sshd-bootstrap'
+startsecs = 0
+startretries = 0
+autorestart = false
+redirect_stderr = true
+stdout_logfile = /var/log/secure
+stdout_events_enabled = true

etc/services-config/supervisor/supervisord.d/sshd.conf

@@ -0,0 +1,6 @@
+[program:sshd]
+priority = 10
+command = bash -c 'sleep 2 && /usr/sbin/sshd -D -e'
+redirect_stderr = true
+stdout_logfile = /var/log/secure
+stdout_events_enabled = true