From f4d92b109bd781dc22ce6ffd905422d799836319 Mon Sep 17 00:00:00 2001 
From: mcbattirola Date: Thu, 9 May 2024 12:31:31 -0300 Subject: [PATCH] Remove `docker` dir --- docker/.dockerignore | 1 - docker/.env | 3 - docker/.gitignore | 1 - docker/Dockerfile | 24 ---- docker/Makefile | 92 -------------- docker/README.md | 172 -------------------------- docker/ansible/playbook.yaml | 26 ---- docker/ansible/rdir/rdir/rdir | 1 - docker/ansible/simple.txt | 1 - docker/ansible/template.j2 | 2 - docker/docker-compose.yml | 143 --------------------- docker/env.file | 2 - docker/one-node.yaml | 28 ----- docker/one-proxy.yaml | 23 ---- docker/one.yaml | 39 ------ docker/sshd/.bashrc | 62 ---------- docker/sshd/.screenrc | 2 - docker/sshd/Dockerfile | 17 --- docker/sshd/ansible/ansible.cfg | 8 -- docker/sshd/ansible/hosts | 3 - docker/sshd/ansible/playbook.yaml | 4 - docker/sshd/etc/ssh/sshd_config | 95 -------------- docker/sshd/etc/teleport.yaml | 23 ---- docker/sshd/pam.d/ssh | 55 -------- docker/sshd/scripts/export.sh | 7 -- docker/sshd/scripts/generate-certs.sh | 23 ---- docker/sshd/scripts/resources.yaml | 31 ----- docker/sshd/scripts/ssh.cfg | 7 -- docker/sshd/scripts/start-sshd.sh | 4 - docker/sshd/scripts/tctl.alias | 3 - docker/sshd/scripts/tsh.alias | 4 - docker/teleport/config/teleport.yaml | 32 ----- docker/two-auth.yaml | 37 ------ docker/two-node.yaml | 26 ---- docker/two-proxy.yaml | 31 ----- docker/two-role-admin.yaml | 14 --- docker/two-tc.yaml | 9 -- 37 files changed, 1055 deletions(-) delete mode 100644 docker/.dockerignore delete mode 100644 docker/.env delete mode 100644 docker/.gitignore delete mode 100644 docker/Dockerfile delete mode 100644 docker/Makefile delete mode 100644 docker/README.md delete mode 100644 docker/ansible/playbook.yaml delete mode 100644 docker/ansible/rdir/rdir/rdir delete mode 100644 docker/ansible/simple.txt delete mode 100644 docker/ansible/template.j2 delete mode 100644 docker/docker-compose.yml delete mode 100644 docker/env.file delete mode 100644 docker/one-node.yaml delete mode 100644 
docker/one-proxy.yaml
delete mode 100644 docker/one.yaml
delete mode 100644 docker/sshd/.bashrc
delete mode 100644 docker/sshd/.screenrc
delete mode 100644 docker/sshd/Dockerfile
delete mode 100644 docker/sshd/ansible/ansible.cfg
delete mode 100644 docker/sshd/ansible/hosts
delete mode 100644 docker/sshd/ansible/playbook.yaml
delete mode 100644 docker/sshd/etc/ssh/sshd_config
delete mode 100644 docker/sshd/etc/teleport.yaml
delete mode 100644 docker/sshd/pam.d/ssh
delete mode 100644 docker/sshd/scripts/export.sh
delete mode 100755 docker/sshd/scripts/generate-certs.sh
delete mode 100644 docker/sshd/scripts/resources.yaml
delete mode 100644 docker/sshd/scripts/ssh.cfg
delete mode 100755 docker/sshd/scripts/start-sshd.sh
delete mode 100755 docker/sshd/scripts/tctl.alias
delete mode 100755 docker/sshd/scripts/tsh.alias
delete mode 100644 docker/teleport/config/teleport.yaml
delete mode 100644 docker/two-auth.yaml
delete mode 100644 docker/two-node.yaml
delete mode 100644 docker/two-proxy.yaml
delete mode 100644 docker/two-role-admin.yaml
delete mode 100644 docker/two-tc.yaml
diff --git a/docker/.dockerignore b/docker/.dockerignore
deleted file mode 100644
index 1269488f7fb1f..0000000000000
--- a/docker/.dockerignore
+++ /dev/null
@@ -1 +0,0 @@
-data
diff --git a/docker/.env b/docker/.env
deleted file mode 100644
index 9e2aadd1a2150..0000000000000
--- a/docker/.env
+++ /dev/null
@@ -1,3 +0,0 @@
-# file used by docker-compose itself (variables in yaml)
-DEBUG=1
-CONTAINERHOME=/root/go/src/github.com/gravitational/teleport
diff --git a/docker/.gitignore b/docker/.gitignore
deleted file mode 100644
index 1269488f7fb1f..0000000000000
--- a/docker/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-data
diff --git a/docker/Dockerfile b/docker/Dockerfile
deleted file mode 100644
index b6524587f1b27..0000000000000
--- a/docker/Dockerfile
+++ /dev/null
@@ -1,24 +0,0 @@ -ARG BUILDBOX -FROM $BUILDBOX - -# DEBUG=1 is needed for the Web UI to be loaded from static assets instead -# of the binary -ENV DEBUG=1 GOPATH=/root/go PATH=$PATH:/root/go/src/github.com/gravitational/teleport/build:/root/go/bin - -# htop is useful for testing terminal resizing -RUN apt-get update && \ - apt-get install -y htop vim screen && \ - mkdir -p /root/go/src/github.com/gravitational/teleport - -# allows ansible and ssh testing -RUN apt-get install -y ansible ssh inetutils-syslogd - -RUN mkdir /run/sshd - -VOLUME ["/teleport", "/var/lib/teleport"] -COPY ./sshd/.bashrc /root/.bashrc -COPY ./sshd/.screenrc /root/.screenrc -COPY ./sshd/scripts/start-sshd.sh /usr/bin/start-sshd.sh - -# expose only proxy ports (SSH and HTTPS) -EXPOSE 3023 3080 diff --git a/docker/Makefile b/docker/Makefile deleted file mode 100644 index 90d17575765fc..0000000000000 --- a/docker/Makefile +++ /dev/null 
@@ -1,92 +0,0 @@ -# location of the test enterprise license file -ENTERPRISE_LICENSE ?= ../e/fixtures/license-enterprise.pem -# location of the test pro license file -PRO_LICENSE ?= ../e/fixtures/license-pro.pem -# whether to look for enterprise or pro license -MODE ?= enterprise - -# include BUILDBOX_VERSION, BUILDBOX and BUILDBOX_variant variables -include ../build.assets/images.mk - -# -# Default target starts two Teleport clusters -# -.PHONY: up -up: check-license - docker-compose up - -.PHONY: reup -reup: check-license - cd .. && make - docker-compose up - -# 'make down' stops all Teleport containers, deletes them -# and their network -# -.PHONY:down -down: - docker-compose down - -# `make enter-one` gives you shell inside auth server -# of cluster "one" -# -.PHONY:enter-one -enter-one: - docker exec -ti one /bin/bash - -# `make enter-two` gives you shell inside auth server -# of cluster "two" -# -.PHONY:enter-two -enter-two: - docker exec -ti two-auth /bin/bash - -# `make enter-sshd` gives you shell inside sshd container -.PHONY:enter-sshd -enter-sshd: - docker exec -ti one-sshd /bin/bash - -# `make enter-two-proxy` gives you shell inside proxy server -# of cluster "two" -# -.PHONY:enter-two-proxy -enter-two-proxy: - docker exec -ti two-proxy /bin/bash - -# `make enter-two-node` gives you shell inside a node -# of cluster "two" -# -.PHONY:enter-two-node -enter-two-node: - docker exec -ti two-node /bin/bash - -.PHONY: export-certs -export-certs: - docker exec -i one /bin/bash -c "tctl auth export --type=user | sed s/cert-authority\ // > /mnt/shared/certs/teleport.pub" - -.PHONY: setup-tc -setup-tc: - docker exec -i two-auth /bin/bash -c "tctl -c /root/go/src/github.com/gravitational/teleport/docker/two-auth.yaml create -f /root/go/src/github.com/gravitational/teleport/docker/two-tc.yaml" - -.PHONY: delete-tc -delete-tc: - docker exec -i two-auth /bin/bash -c "tctl -c /root/go/src/github.com/gravitational/teleport/docker/two-auth.yaml rm tc/one" - -.PHONY: 
check-license -check-license: - @if [ $(MODE) = "enterprise" ] && [ -f $(ENTERPRISE_LICENSE) ]; then \ - mkdir -p ./data/one && cp $(ENTERPRISE_LICENSE) ./data/one/license.pem; \ - mkdir -p ./data/two/auth && cp $(ENTERPRISE_LICENSE) ./data/two/auth/license.pem; \ - fi - @if [ $(MODE) = "pro" ] && [ -f $(PRO_LICENSE) ]; then \ - mkdir -p ./data/one && cp $(PRO_LICENSE) ./data/one/license.pem; \ - mkdir -p ./data/two/auth && cp $(PRO_LICENSE) ./data/two/auth/license.pem; \ - fi - -.PHONY: build -build: - docker build --build-arg BUILDBOX=$(BUILDBOX) -t teleport:latest . - -.PHONY: clean -clean: - rm -rf data diff --git a/docker/README.md b/docker/README.md deleted file mode 100644 index 4f376d7c88463..0000000000000 --- a/docker/README.md +++ /dev/null 
@@ -1,172 +0,0 @@ -## Docker - -This directory contains Docker-based flow to run Teleport clusters locally -for testing & development purposes. - -### Building - -First, you need to build `teleport:latest` Docker image. - -Run the following commands from `$GOPATH/github.com/gravitational/teleport` (repository base dir): - -```bash -$ make docker -$ cd docker -$ make build -``` - -### Starting - -```bash -$ make up -``` - -This will start two Teleport clusters: - -* Single-node cluster `one`, accessible now on https://localhost:3080 -* Three-node cluster `two`, accessible now on https://localhost:5080 - -### Stopping - -```bash -$ make down -``` - -### SSH - -SSH container needs User CA authorities exported: - -```bash -$ make export-certs -``` - -### Configuration - -Look at the [Makefile](Makefile): the containers are started with their -`/var/lib/teleport` mounted to `data/one` or `data/two` on a host. - -The configuration is passed via YAML files located in `/teleport/docker/xxx.yaml` -inside each container. - -Since the cluster data is preserved between restarts, so you can edit the configuration -and restart if you want to change configuration changes. - -### Using TCTL - -To add users to any of the clusters, you have to "enter" into the running -containers of their auth servers and use `tctl` there. - -For cluster "one": - -```bash -$ make enter-one -``` - -and then you'll find yourself inside a container where `teleport` auth daemon -is running, try `ps -ef` for example and you'll get something like this: - -```bash -container(one) /teleport: ps -ef -UID PID PPID C STIME TTY TIME CMD -root 1 0 40 06:04 ? 00:00:06 build/teleport start -c /teleport/docker/one.yaml -root 13 0 0 06:04 ? 00:00:00 /bin/bash -root 19 13 0 06:04 ? 00:00:00 ps -ef -``` - -For cluster "two": - -```bash -$ make enter-two -``` - -... and then you can use stuff like `tctl users add`, etc. Make sure to pass -the YAML file to `tctl` via `-c` flag. 
- -### Trusted Clusters with Resources - -1. Update `two-role.yaml` and replace `username_goes_here` with your username. -1. Create a `Role` and `TrustedCluster` resource on Cluster Two. - - ```bash - make enter-two - tctl -c /root/go/src/github.com/gravitational/teleport/docker/two-auth.yaml create -f docker/two-role-admin.yaml - tctl -c /root/go/src/github.com/gravitational/teleport/docker/two-auth.yaml create -f docker/two-tc.yaml - ``` - -### Ansible - -To setup Ansible: - -1. Follow steps in Trusted Cluster section to setup Trusted Clusters. -1. Use `tctl` to issue create user command and follow link on screen to create user. - - ```bash - tctl users add {username} root - ``` -1. Configure Ansible. - - ```bash - # add two-node to ansible hosts file - echo "172.10.1.2:3022" >> /etc/ansible/hosts - - # setup ssh_args that ansible will use to access trusted cluster nodes - sed -i '/ssh_args = -o ControlMaster=auto -o ControlPersist=60s/assh_args = -o "ProxyCommand ssh -p 3023 one -s proxy:%h:%p@two"' /etc/ansible/ansible.cfg - - # use scp over sftp - sed -i '/scp_if_ssh/s/^#//g' /etc/ansible/ansible.cfg - ``` - -1. Start and load OpenSSH agent with keys. - - ```bash - # create directory for ssh config - mkdir ~/.ssh && chmod 700 ~/.ssh - - # start ssh-agent - eval `ssh-agent` - - # log in with the user created before - tsh --proxy=localhost --user=rjones login - - # load keys into ssh-agent - tsh --proxy=localhost --user=rjones agent --load - ``` - -1. Verify Ansible works: - - ```bash - $ ansible all -m ping - 172.10.1.2 | success >> { - "changed": false, - "ping": "pong" - } - ``` - -1. Run an simple playbook: - - ```bash - # cd to directory that contains playbook - cd /root/go/src/github.com/gravitational/teleport/docker/ansible - - # run playbook - ansible-playbook playbook.yaml - ``` - -### Interactive Usage - -Also you can start an empty container from which you can manually invoke `teleport start`. 
-This is similar to launching an empty Linux VM with a Teleport binary. - -To get shell inside the same "one" (single-node cluster) container without -Teleport running: - -```bash -$ make shell -``` - -NOTE: If you get "network already exists" error, do `make stop` first. - -Once inside, you'll get the same `/var/lib/teleport` as "one", so you -can start (and even build) `teleport` daemon manually. This container also -comes with a fully configured `screen` so you can treat it as a real VM. - diff --git a/docker/ansible/playbook.yaml b/docker/ansible/playbook.yaml deleted file mode 100644 index 6cdf2efa91003..0000000000000 --- a/docker/ansible/playbook.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -- hosts: all - tasks: - - name: "simple copy" - copy: - src: /root/go/src/github.com/gravitational/teleport/docker/ansible/simple.txt - dest: /tmp/simple.txt.out - owner: root - group: root - mode: 0644 - - - name: recursive copy - copy: - src: /root/go/src/github.com/gravitational/teleport/docker/ansible/rdir - dest: /tmp - owner: root - group: root - mode: 0644 - - - name: simple template - template: - src: /root/go/src/github.com/gravitational/teleport/docker/ansible/template.j2 - dest: /tmp/template.out - owner: root - group: root - mode: 0644 diff --git a/docker/ansible/rdir/rdir/rdir b/docker/ansible/rdir/rdir/rdir deleted file mode 100644 index 6c89a1a91f484..0000000000000 --- a/docker/ansible/rdir/rdir/rdir +++ /dev/null @@ -1 +0,0 @@ -rdir diff --git a/docker/ansible/simple.txt b/docker/ansible/simple.txt deleted file mode 100644 index 4b5fa63702dd9..0000000000000 --- a/docker/ansible/simple.txt +++ /dev/null @@ -1 +0,0 @@ -hello, world diff --git a/docker/ansible/template.j2 b/docker/ansible/template.j2 deleted file mode 100644 index c9b06fed8ce3d..0000000000000 --- a/docker/ansible/template.j2 +++ /dev/null @@ -1,2 +0,0 @@ -template_host: {{ template_host }} -template_uid: {{ template_uid }} 
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
deleted file mode 100644
index 14a2334bd1175..0000000000000
--- a/docker/docker-compose.yml
+++ /dev/null
@@ -1,143 +0,0 @@ -version: '2' -services: - # - # one is a single-node Teleport cluster called "one" (runs all 3 roles: proxy, auth and node) - # - one: - image: teleport:latest - container_name: one - command: ${CONTAINERHOME}/build/teleport start -d -c ${CONTAINERHOME}/docker/one.yaml - mem_limit: 300m - memswap_limit: 0 - ports: - - "3080:3080" - - "3023:3023" - - "3025:3025" - env_file: env.file - volumes: - - ./data/one:/var/lib/teleport - - ../:/root/go/src/github.com/gravitational/teleport - - certs:/mnt/shared/certs - networks: - teleport: - ipv4_address: 172.10.1.1 - aliases: - - one-lb - - # - # one-node is a single-node Teleport cluster called "one" (runs all 3 roles: proxy, auth and node) - # - one-node: - image: teleport:latest - container_name: one-node - command: ${CONTAINERHOME}/build/teleport start -d -c ${CONTAINERHOME}/docker/one-node.yaml - env_file: env.file - mem_limit: 300m - volumes: - - ./data/one-node:/var/lib/teleport - - ../:/root/go/src/github.com/gravitational/teleport - networks: - teleport: - ipv4_address: 172.10.1.20 - - # - # one-sshd is a single-node Teleport cluster called "one" (runs all 3 roles: proxy, auth and node) - # - one-sshd: - image: teleport:latest - container_name: one-sshd - command: /usr/bin/start-sshd.sh - env_file: env.file - mem_limit: 300m - volumes: - - ./sshd/pam.d/ssh:/etc/pam.d/ssh - - ./sshd/etc/ssh/sshd_config:/etc/ssh/sshd_config - - certs:/mnt/shared/certs - networks: - teleport: - ipv4_address: 172.10.1.21 - - # - # one-proxy is a second xproxy of the first cluster - # - one-proxy: - image: teleport:latest - container_name: one-proxy - command: ${CONTAINERHOME}/build/teleport start -d -c ${CONTAINERHOME}/docker/one-proxy.yaml - mem_limit: 300m - ports: - - "4080:3080" - - "4023:3023" - env_file: env.file - volumes: - - ./data/one-proxy:/var/lib/teleport - - ../:/root/go/src/github.com/gravitational/teleport - networks: - teleport: - ipv4_address: 172.10.1.10 - aliases: - - one-lb - - # - # two-auth is 
a auth server of the second cluster - # - two-auth: - mem_limit: 300m - image: teleport:latest - container_name: two-auth - command: ${CONTAINERHOME}/build/teleport start -d -c ${CONTAINERHOME}/docker/two-auth.yaml --insecure - env_file: env.file - volumes: - - ./data/two/auth:/var/lib/teleport - - ../:/root/go/src/github.com/gravitational/teleport - networks: - teleport: - ipv4_address: 172.10.1.2 - - # - # two-proxy is a proxy service for the second cluster - # - two-proxy: - mem_limit: 300m - image: teleport:latest - container_name: two-proxy - command: ${CONTAINERHOME}/build/teleport start -d -c ${CONTAINERHOME}/docker/two-proxy.yaml - env_file: env.file - ports: - - "5080:5080" - - "5023:5023" - volumes: - - ./data/two/proxy:/var/lib/teleport - - ../:/root/go/src/github.com/gravitational/teleport - networks: - teleport: - ipv4_address: 172.10.1.3 - - # - # two-node is a node service for the second cluster - # - two-node: - mem_limit: 300m - image: teleport:latest - container_name: two-node - command: ${CONTAINERHOME}/build/teleport start -d -c ${CONTAINERHOME}/docker/two-node.yaml - env_file: env.file - volumes: - - ./data/two/node:/var/lib/teleport - - ../:/root/go/src/github.com/gravitational/teleport - networks: - teleport: - ipv4_address: 172.10.1.4 - -networks: - teleport: - driver: bridge - ipam: - driver: default - config: - - subnet: 172.10.1.0/16 - ip_range: 172.10.1.0/24 - gateway: 172.10.1.254 - -volumes: - certs: diff --git a/docker/env.file b/docker/env.file deleted file mode 100644 index b3587613c73b6..0000000000000 --- a/docker/env.file +++ /dev/null @@ -1,2 +0,0 @@ -DEBUG=1 -CONTAINERHOME=/root/go/src/github.com/gravitational/teleport \ No newline at end of file diff --git a/docker/one-node.yaml b/docker/one-node.yaml deleted file mode 100644 index c2e314af77c32..0000000000000 --- a/docker/one-node.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -version: v3 -teleport: - auth_server: one - auth_token: foo - log: - output: /var/lib/teleport/teleport.log - severity: INFO - - data_dir: /var/lib/teleport - storage: - path: /var/lib/teleport/backend - type: dir - -auth_service: - enabled: no - -ssh_service: - enabled: yes - labels: - cluster: one - commands: - - name: kernel - command: [ /bin/uname, -r ] - period: 5m - -proxy_service: - enabled: no - diff --git a/docker/one-proxy.yaml b/docker/one-proxy.yaml deleted file mode 100644 index 2e98f9cefb66a..0000000000000 --- a/docker/one-proxy.yaml +++ /dev/null @@ -1,23 +0,0 @@ -# standalone proxy connected to -version: v3 -teleport: - auth_token: foo - nodename: one-proxy - advertise_ip: 172.10.1.10 - log: - output: stdout - severity: DEBUG - auth_server: one:3025 - data_dir: /var/lib/teleport - storage: - path: /var/lib/teleport/backend - type: dir - -auth_service: - enabled: no - -ssh_service: - enabled: no - -proxy_service: - enabled: yes diff --git a/docker/one.yaml b/docker/one.yaml deleted file mode 100644 index a3742456dd1ff..0000000000000 --- a/docker/one.yaml +++ /dev/null @@ -1,39 +0,0 @@ -# Single-node Teleport cluster called "one" (runs all 3 roles: proxy, auth and node) -teleport: - nodename: one - advertise_ip: 172.10.1.1 - log: - output: stdout - severity: DEBUG - - data_dir: /var/lib/teleport - storage: - path: /var/lib/teleport/backend - type: dir - -auth_service: - enabled: yes - - authentication: - type: oidc - - cluster_name: one - tokens: - - "node,auth,proxy:foo" - - "trustedcluster:bar" - -ssh_service: - enabled: yes - labels: - cluster: one - commands: - - name: kernel - command: [/bin/uname, -r] - period: 5m - public_addr: ['localhost'] - -proxy_service: - enabled: yes - public_addr: ['localhost:3080'] - - diff --git a/docker/sshd/.bashrc b/docker/sshd/.bashrc deleted file mode 100644 index 4c3cb09f178eb..0000000000000 --- a/docker/sshd/.bashrc +++ /dev/null 
@@ -1,62 +0,0 @@ -export PS1='\[\033[33;1m\]container(\h)\[\033[0;33m\] \w\[\033[00m\]: ' -export PATH=$PATH:/teleport/build -export LS_COLORS="rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:" - -alias ls="ls --color=auto" -alias ll="ls -alF" - -# quick way to get into teleport repo dir -alias t="cd $HOME/go/src/github.com/gravitational/teleport" - -# start SSH agent on demo terminal -SSH_ENV="$HOME/.ssh/agent-environment" - -function start_agent { - echo "Initializing new SSH agent..." 
- mkdir -p $HOME/.ssh - cp -f /mnt/shared/certs/teleport-known_hosts.pub /root/.ssh/known_hosts - cp -f /etc/teleport.d/scripts/ssh.cfg /root/.ssh/config - /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}" - echo succeeded - chmod 600 "${SSH_ENV}" - . "${SSH_ENV}" > /dev/null - cd /mnt/shared/certs && /usr/bin/ssh-add bot; -} - - -if [ "${HOSTNAME}" == "term" ]; then - if [ -f "${SSH_ENV}" ]; then - . "${SSH_ENV}" > /dev/null - ps ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || { - start_agent; - } - else - start_agent; - fi - - # These aliases use identity file behind the scene - alias tsh="/etc/teleport.d/scripts/tsh.alias" - alias tctl="/etc/teleport.d/scripts/tctl.alias" - - echo "Welcome to Teleport Lab." - echo "" - echo "Access servers, databases and web apps in your cluster securely with Teleport." - echo "Try a couple of commands to get started." - echo "" - echo "Teleport speaks SSH. You can SSH into it using OpenSSH:" - echo "" - echo "ssh root@luna.teleport" - echo "" - echo "Teleport is a bastion server for your OpenSSH hosts. SSH into OpenSSH server and record all commands:" - echo "" - echo "ssh root@mars.openssh.teleport" - echo "" - echo "Run ansible on Teleport nodes and OpenSSH servers:" - echo "" - echo "cd /etc/teleport.d/ansible && ansible all -m ping" - echo "" - echo "Try Teleport's client command: tsh. It's like SSH, but with superpowers." - echo "Find all hosts matching label env=example and run hostname command:" - echo "" - echo "tsh ssh root@env=example hostname" -fi diff --git a/docker/sshd/.screenrc b/docker/sshd/.screenrc deleted file mode 100644 index 8d1c73e95fd17..0000000000000 --- a/docker/sshd/.screenrc +++ /dev/null @@ -1,2 +0,0 @@ -# forcefully make bash the default shell -defshell -bash diff --git a/docker/sshd/Dockerfile b/docker/sshd/Dockerfile deleted file mode 100644 index 9be4c53ad22ba..0000000000000 --- a/docker/sshd/Dockerfile +++ /dev/null 
@@ -1,17 +0,0 @@ -ARG TELEPORT_TAG -FROM public.ecr.aws/gravitational/teleport:${TELEPORT_TAG} - -# Demo ansible, ssh, htop -RUN apt-get update && apt-get install -y ansible ssh inetutils-syslogd htop - -RUN mkdir /run/sshd - -VOLUME ["/teleport", "/var/lib/teleport"] - -COPY ./etc/teleport.yaml /etc/teleport.d/teleport.yaml -COPY ./.bashrc /root/.bashrc -COPY ./.screenrc /root/.screenrc -COPY ./scripts /etc/teleport.d/scripts -COPY ./ansible /etc/teleport.d/ansible -COPY ./pam.d/ssh /etc/pam.d/ssh -COPY ./etc/ssh/sshd_config /etc/ssh/sshd_config diff --git a/docker/sshd/ansible/ansible.cfg b/docker/sshd/ansible/ansible.cfg deleted file mode 100644 index 47ab0d5c095ea..0000000000000 --- a/docker/sshd/ansible/ansible.cfg +++ /dev/null @@ -1,8 +0,0 @@ -[defaults] -host_key_checking = True -inventory=/etc/teleport.d/ansible/hosts -remote_tmp=/tmp - -[ssh_connection] -scp_if_ssh = True -ssh_args = -F /root/.ssh/config diff --git a/docker/sshd/ansible/hosts b/docker/sshd/ansible/hosts deleted file mode 100644 index 8ca9fb6be0f54..0000000000000 --- a/docker/sshd/ansible/hosts +++ /dev/null @@ -1,3 +0,0 @@ -luna.teleport -mars.openssh.teleport - diff --git a/docker/sshd/ansible/playbook.yaml b/docker/sshd/ansible/playbook.yaml deleted file mode 100644 index 8c97fb938afdc..0000000000000 --- a/docker/sshd/ansible/playbook.yaml +++ /dev/null @@ -1,4 +0,0 @@ -- hosts: all - tasks: - - name: "hostname" - command: "hostname" diff --git a/docker/sshd/etc/ssh/sshd_config b/docker/sshd/etc/ssh/sshd_config deleted file mode 100644 index e75156fb7c4a9..0000000000000 --- a/docker/sshd/etc/ssh/sshd_config +++ /dev/null 
@@ -1,95 +0,0 @@ -# Package generated configuration file -# See the sshd_config(5) manpage for details - -# What ports, IPs and protocols we listen for -Port 22 -# Use these options to restrict which interfaces/protocols sshd will bind to -#ListenAddress :: -#ListenAddress 0.0.0.0 -Protocol 2 -# HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -HostKey /etc/ssh/ssh_host_ecdsa_key -HostKey /etc/ssh/ssh_host_ed25519_key -#Privilege Separation is turned on for security -UsePrivilegeSeparation yes - -# Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 1024 - -# Logging -SyslogFacility AUTH -LogLevel DEBUG3 - -# Authentication: -LoginGraceTime 120 -PermitRootLogin without-password -StrictModes yes - -RSAAuthentication yes -PubkeyAuthentication yes -#AuthorizedKeysFile %h/.ssh/authorized_keys - -# Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts yes -# For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication no -# similar for protocol version 2 -HostbasedAuthentication no -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords no - -# allowe users to login -PermitRootLogin yes - -# Change to yes to enable challenge-response passwords (beware issues with -# some PAM modules and threads) -ChallengeResponseAuthentication no - -# Change to no to disable tunnelled clear text passwords -#PasswordAuthentication yes - -# Kerberos options -#KerberosAuthentication no -#KerberosGetAFSToken no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -X11Forwarding yes -X11DisplayOffset 10 -PrintMotd no -PrintLastLog yes -TCPKeepAlive yes -#UseLogin no - -#MaxStartups 10:30:60 -#Banner /etc/issue.net - -# Allow client to 
pass locale environment variables -AcceptEnv LANG LC_* - -Subsystem sftp /usr/lib/openssh/sftp-server - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -UsePAM yes - -TrustedUserCAKeys /mnt/shared/certs/teleport.pub -HostKey /mnt/shared/certs/mars.openssh.teleport -HostCertificate /mnt/shared/certs/mars.openssh.teleport-cert.pub diff --git a/docker/sshd/etc/teleport.yaml b/docker/sshd/etc/teleport.yaml deleted file mode 100644 index c273237a3249c..0000000000000 --- a/docker/sshd/etc/teleport.yaml +++ /dev/null @@ -1,23 +0,0 @@ -teleport: - nodename: luna.teleport - data_dir: /var/lib/teleport - log: - output: stderr - severity: INFO -auth_service: - cluster_name: teleport - enabled: "yes" -ssh_service: - enabled: "yes" - labels: - env: example - commands: - - name: hostname - command: [hostname] - period: 1m0s -proxy_service: - enabled: "yes" - # The DNS name of the proxy - public_addr: ["proxy.luna.teleport:443"] - # Web listen host:port - web_listen_addr: "0.0.0.0:443" diff --git a/docker/sshd/pam.d/ssh b/docker/sshd/pam.d/ssh deleted file mode 100644 index 955b02143d98b..0000000000000 --- a/docker/sshd/pam.d/ssh +++ /dev/null 
@@ -1,55 +0,0 @@ -# PAM configuration for the Secure Shell service - -# Standard Un*x authentication. -@include common-auth - -# Disallow non-root logins when /etc/nologin exists. -account required pam_nologin.so - -# Uncomment and edit /etc/security/access.conf if you need to set complex -# access limits that are hard to express in sshd_config. -# account required pam_access.so - -# Standard Un*x authorization. -@include common-account - -# SELinux needs to be the first session rule. This ensures that any -# lingering context has been cleared. Without this it is possible that a -# module could execute code in the wrong domain. -session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close - -# Set the loginuid process attribute. -session optional pam_loginuid.so - -# Create a new session keyring. -session optional pam_keyinit.so force revoke - -# Standard Un*x session setup and teardown. -@include common-session - -# Print the message of the day upon successful login. -# This includes a dynamically generated part from /run/motd.dynamic -# and a static (admin-editable) part from /etc/motd. -session optional pam_motd.so motd=/run/motd.dynamic -session optional pam_motd.so noupdate - -# Print the status of the user's mailbox upon successful login. -session optional pam_mail.so standard noenv # [1] - -# Set up user limits from /etc/security/limits.conf. -session required pam_limits.so - -# Read environment variables from /etc/environment and -# /etc/security/pam_env.conf. -session required pam_env.so # [1] -# In Debian 4.0 (etch), locale-related environment variables were moved to -# /etc/default/locale, so read that as well. -session required pam_env.so user_readenv=1 envfile=/etc/default/locale - -# SELinux needs to intervene at login time to ensure that the process starts -# in the proper default security context. Only sessions which are intended -# to run in the user's context should be run after this. 
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open - -# Standard Un*x password updating. -@include common-password diff --git a/docker/sshd/scripts/export.sh b/docker/sshd/scripts/export.sh deleted file mode 100644 index abd91a1210f63..0000000000000 --- a/docker/sshd/scripts/export.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -while true -do - tctl auth export --type=user | sed s/cert-authority\ // > /mnt/shared/certs/teleport.pub - sleep 10 -done diff --git a/docker/sshd/scripts/generate-certs.sh b/docker/sshd/scripts/generate-certs.sh deleted file mode 100755 index c36be5dae7a59..0000000000000 --- a/docker/sshd/scripts/generate-certs.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/bash -set -x -set -o pipefail - -TCTL="/usr/local/bin/tctl --auth-server=proxy.luna.teleport:3025" -cd /mnt/shared/certs || exit 1 - -generate_certs() { - $TCTL auth export --type=user | sed s/cert-authority\ // > ./teleport.pub || return - $TCTL auth export --type=host | sed s/*.teleport/luna.teleport,*.luna.teleport,*.openssh.teleport/ > ./teleport-known_hosts.pub || return - $TCTL create -f /etc/teleport.d/scripts/resources.yaml || return - $TCTL auth sign --user=bot --format=openssh --out=bot --overwrite --ttl=10h || return - $TCTL auth sign --user=bot --format=file --out=bot.pem --overwrite --ttl=10h || return - $TCTL auth sign --user=editor --format=file --out=editor.pem --overwrite --ttl=10h || return - $TCTL auth sign --host=mars.openssh.teleport --format=openssh --overwrite --out=mars.openssh.teleport || return -} - -while true -do - if generate_certs; then echo "Generated certs, exiting"; exit 0; fi; - echo "Failed to generate certs, retry in a second"; - sleep 1; -done diff --git a/docker/sshd/scripts/resources.yaml b/docker/sshd/scripts/resources.yaml deleted file mode 100644 index ce6b550f4f1a2..0000000000000 --- a/docker/sshd/scripts/resources.yaml +++ /dev/null 
@@ -1,31 +0,0 @@
-kind: role
-version: v3
-metadata:
- name: bot
-spec:
- # SSH options used for user sessions
- options:
- # max_session_ttl defines the TTL (time to live) of SSH certificates
- # issued to the users with this role.
- max_session_ttl: 10h
-
- # allow section declares a list of resource/verb combinations that are
- # allowed for the users of this role. by default nothing is allowed.
- allow:
- logins: ['root']
- node_labels:
- '*': '*'
----
-kind: user
-version: v2
-metadata:
- name: bot
-spec:
- roles: ['bot']
----
-kind: user
-version: v2
-metadata:
- name: editor
-spec:
- roles: ['editor', 'access']
diff --git a/docker/sshd/scripts/ssh.cfg b/docker/sshd/scripts/ssh.cfg
deleted file mode 100644
index 26fc0fbc74fa8..0000000000000
--- a/docker/sshd/scripts/ssh.cfg
+++ /dev/null
@@ -1,7 +0,0 @@
-## Hosts with openssh suffix are OpenSSH nodes listening on port 22 as usual
-Host *.openssh.teleport
- ProxyCommand ssh -o "ForwardAgent yes" -p 3023 proxy.luna.teleport -s proxy:%h:22
-
-# Hosts without openssh suffix are Teleport nodes listening on port 3022
-Host *.teleport !proxy.luna.teleport
- ProxyCommand ssh -o "ForwardAgent yes" -p 3023 proxy.luna.teleport -s proxy:%h:3022
diff --git a/docker/sshd/scripts/start-sshd.sh b/docker/sshd/scripts/start-sshd.sh
deleted file mode 100755
index 02c5c36dc8cc7..0000000000000
--- a/docker/sshd/scripts/start-sshd.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-
-syslogd&
-/usr/sbin/sshd -D
diff --git a/docker/sshd/scripts/tctl.alias b/docker/sshd/scripts/tctl.alias
deleted file mode 100755
index 1315c5f511de4..0000000000000
--- a/docker/sshd/scripts/tctl.alias
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-/usr/local/bin/tctl --auth-server=proxy.luna.teleport:3025 -i /mnt/shared/certs/editor.pem "$@"
diff --git a/docker/sshd/scripts/tsh.alias b/docker/sshd/scripts/tsh.alias
deleted file mode 100755
index b28ac9705de39..0000000000000
--- a/docker/sshd/scripts/tsh.alias
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-
-/usr/local/bin/tsh --insecure --proxy=proxy.luna.teleport -i /mnt/shared/certs/bot.pem "$@"
-
diff --git a/docker/teleport/config/teleport.yaml b/docker/teleport/config/teleport.yaml
deleted file mode 100644
index c421d7d42a9ba..0000000000000
--- a/docker/teleport/config/teleport.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-#
-# A Sample Teleport configuration file.
-# Creates a single proxy, auth and node server.
-#
-# Things to update:
-# 1. license.pem: You only need a license from https://dashboard.goteleport.com
-# if you are an Enterprise customer.
-#
-teleport:
- nodename: localhost
- data_dir: /var/lib/teleport
- log:
- output: stderr
- severity: INFO
- ca_pin: ""
-auth_service:
- enabled: "yes"
- listen_addr: 0.0.0.0:3025
-ssh_service:
- enabled: "yes"
- labels:
- env: example
- commands:
- - name: hostname
- command: [hostname]
- period: 1m0s
-proxy_service:
- enabled: "yes"
- listen_addr: 0.0.0.0:3023
- https_keypairs: []
- acme: {}
-
diff --git a/docker/two-auth.yaml b/docker/two-auth.yaml
deleted file mode 100644
index 9cdf7292e3c45..0000000000000
--- a/docker/two-auth.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-# Auth server for cluster "two". Also runs "node" role
-teleport:
- nodename: two-auth
- log:
- output: stdout
- severity: DEBUG
-
- data_dir: /var/lib/teleport
- storage:
- path: /var/lib/teleport/backend
- type: dir
-
-auth_service:
- enabled: yes
-
- authentication:
- type: local
- second_factor: off
-
- cluster_name: two
- tokens:
- - "node,auth,proxy:foo"
-
- listen_addr: 172.10.1.2:3025
-
-ssh_service:
- enabled: yes
- labels:
- cluster: two
- role: auth+node
- commands:
- - name: kernel
- command: [/bin/uname, -r]
- period: 5m
-
-proxy_service:
- enabled: no
diff --git a/docker/two-node.yaml b/docker/two-node.yaml
deleted file mode 100644
index f35c489c18962..0000000000000
--- a/docker/two-node.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# Dumb SSH node for cluster "two"
-version: v3
-teleport:
- nodename: node-on-second-cluster
- auth_server: two-auth
- auth_token: foo
- advertise_ip: 172.10.1.4
- log:
- output: stdout
- severity: DEBUG
- data_dir: /var/lib/teleport
- storage:
- path: /var/lib/teleport/backend
- type: dir
-
-ssh_service:
- enabled: yes
- labels:
- cluster: two
- role: dumb_node
-
-proxy_service:
- enabled: no
-
-auth_service:
- enabled: no
diff --git a/docker/two-proxy.yaml b/docker/two-proxy.yaml
deleted file mode 100644
index 5154626d59959..0000000000000
--- a/docker/two-proxy.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Proxy server for cluster "two". Also runs "node" role
-version: v3
-teleport:
- nodename: two-proxy
- auth_server: two-auth
- auth_token: foo
- log:
- output: stdout
- severity: DEBUG
- data_dir: /var/lib/teleport
- storage:
- path: /var/lib/teleport/backend
- type: dir
-
-auth_service:
- enabled: no
-
-ssh_service:
- enabled: yes
- labels:
- cluster: two
- role: proxy+node
- commands:
- - name: kernel
- command: [ /bin/uname, -r ]
- period: 5m
-
-proxy_service:
- enabled: yes
- listen_addr: 0.0.0.0:5023
- web_listen_addr: 0.0.0.0:5080
diff --git a/docker/two-role-admin.yaml b/docker/two-role-admin.yaml
deleted file mode 100644
index 95d0ca170ab0c..0000000000000
--- a/docker/two-role-admin.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-kind: role
-version: v1
-metadata:
- description: ""
- name: "admin"
- namespace: "default"
-spec:
- logins: [ "root" ]
- max_session_ttl: 90h0m0s
- namespaces: ["*"]
- node_labels:
- "*": "*"
- resources:
- "*": ["read", "write"]
diff --git a/docker/two-tc.yaml b/docker/two-tc.yaml
deleted file mode 100644
index e41b993d5d962..0000000000000
--- a/docker/two-tc.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-kind: trusted_cluster
-version: v2
-metadata:
- name: "one"
-spec:
- enabled: true
- token: "bar"
- tunnel_addr: one-lb:3024
- web_proxy_addr: one-lb:3080