containerssh / containerssh.github.io

The ContainerSSH website

Home Page: https://containerssh.io/

License: Creative Commons Attribution 4.0 International

HTML 17.97% Python 80.53% Dockerfile 1.09% Shell 0.41%
containerssh infrastructure mkdocs

containerssh.github.io's Introduction

ContainerSSH - Launch Containers on Demand

An SSH Server that Launches Containers in Kubernetes and Docker

ContainerSSH in One Minute

In a hurry? This one-minute video explains everything you need to know about ContainerSSH.

Need help?

Join the #containerssh Slack channel on the CNCF Slack »

Use cases

Build a lab

Building a lab environment can be time-consuming. ContainerSSH solves this by providing dynamic SSH access with APIs, automatic cleanup on logout using ephemeral containers, and persistent volumes for storing data. Perfect for vendor and student labs.

Debug a production system

Provide production access to your developers, give them their usual tools while logging all changes. Authorize their access and create short-lived credentials for the database using simple webhooks. Clean up the environment on disconnect.

Run a honeypot

Study SSH attack patterns up close. Drop attackers safely into network-isolated containers or even virtual machines, and capture their every move using the audit logging ContainerSSH provides. The built-in S3 upload ensures you don't lose your data.

How does it work?

  1. The user opens an SSH connection to ContainerSSH.
  2. ContainerSSH calls the authentication server with the user's username and password/pubkey to check if they are valid.
  3. ContainerSSH calls the config server to obtain backend location and configuration (if configured).
  4. ContainerSSH calls the container backend to launch the container with the specified configuration. All input from the user is sent directly to the backend, output from the container is sent to the user.

Verify provenance

Each release comes with a SLSA provenance data file, multiple.intoto.jsonl. This file can be used to verify the source and provenance of the produced artifacts with slsa-verifier.

This aims to assure users that the artifacts come from containerssh.

An example of verification:

slsa-verifier verify-artifact <artifact-to-verify> \
--provenance-path <path-to-your-provenance> \
--source-uri github.com/containerssh/containerssh

If the verification is successful, the process should produce the following output:

Verifying artifact <artifact-to-verify>: PASSED
PASSED: Verified SLSA provenance
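
When verification fails, a useful first check is whether the artifact's SHA-256 digest appears among the provenance subjects at all. The following is an added example, not ContainerSSH or slsa-verifier code. It assumes each line of the .intoto.jsonl file is a DSSE envelope whose base64 payload is an in-toto statement, and it does not check the signature, which remains slsa-verifier's job. The sample artifact and provenance line are constructed.

```python
import base64
import hashlib
import json


def provenance_subjects(jsonl_text):
    """Return {sha256_hex: artifact_name} for every subject in the file."""
    subjects = {}
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        # Assumed layout: DSSE envelope with a base64-encoded in-toto statement.
        statement = json.loads(base64.b64decode(envelope["payload"]))
        for subject in statement.get("subject", []):
            digest = subject.get("digest", {}).get("sha256")
            if digest:
                subjects[digest.lower()] = subject.get("name", "")
    return subjects


def artifact_in_provenance(artifact_bytes, jsonl_text):
    """Return the subject name matching the artifact's SHA-256, or None."""
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    return provenance_subjects(jsonl_text).get(digest)


# Constructed sample: a fake artifact and an unsigned provenance line naming it.
SAMPLE_ARTIFACT = b"constructed artifact bytes\n"
_statement = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "example-artifact.tar.gz",
                 "digest": {"sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}}],
}
SAMPLE_PROVENANCE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_statement).encode()).decode(),
    "signatures": [],
}) + "\n"

if __name__ == "__main__":
    print(artifact_in_provenance(SAMPLE_ARTIFACT, SAMPLE_PROVENANCE))
    print(artifact_in_provenance(b"tampered", SAMPLE_PROVENANCE))
```

A missing digest means the file on disk is not one of the artifacts the provenance describes, for example a re-compressed or partially downloaded copy.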

Contributing

If you would like to contribute, please check out our Code of Conduct as well as our contribution documentation.

containerssh.github.io's People

Contributors

bencurio, ductnn, gaocegege, hezhizhen, janosdebugs, jjournet, kemingy, mhmxs, paseaf, tioan, tsipinakis, x448

containerssh.github.io's Issues

Website does not have the correct trademark disclaimer

As part of our ongoing effort to cncf/techdocs#198, we noticed that the website does not pass the trademark criteria on CLOMonitor.

To fix this:
Head to the source code of the website. In the <footer> section, add a disclaimer or link to the Linux Foundation trademark disclaimer page:

Disclaimer

<footer>
   <p>The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, 
         please see our <a href="https://www.linuxfoundation.org/legal/trademark-usage">Trademark Usage page</a>.
   </p>
</footer>

Link

 <footer>
      <ul>
          <li><a href="https://www.linuxfoundation.org/legal/trademark-usage">Trademarks</a></li>
      </ul>
 </footer>

Kubernetes installation: readOnlyRootFilesystem not working at pod level, only at container level

What would you like to add/change in the documentation?

While going through the installation for Kubernetes in docs/reference/installation.md, I got an error when trying to deploy the deployment as described in the page.

I got the following error:

error: error validating "containerssh.yaml": error validating data: ValidationError(Deployment.spec.template.spec.securityContext): unknown field "readOnlyRootFilesystem" in io.k8s.api.core.v1.PodSecurityContext; if you choose to ignore these errors, turn validation off with --validate=false

I tried to move the readOnlyRootFilesystem attribute at pod level:

---
# Deploy ContainerSSH with the service account and configmap applied.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: containerssh
  name: containerssh
  namespace: containerssh
spec:
  replicas: 1
  selector:
    matchLabels:
      app: containerssh
  template:
    metadata:
      labels:
        app: containerssh
    spec:
      automountServiceAccountToken: true
      securityContext:
        runAsNonRoot: true
      containers:
      - image: containerssh/containerssh:0.4.1
        imagePullPolicy: IfNotPresent
        name: containerssh
        ports:
        - containerPort: 2222
          protocol: TCP
        volumeMounts:
        - mountPath: /etc/containerssh/host.key
          name: hostkey
          readOnly: true
          subPath: host.key
        - mountPath: /etc/containerssh/config.yaml
          name: config
          readOnly: true
          subPath: config.yaml
        resources:
          limits:
            cpu: 500m
            memory: 1Gi
        securityContext:
          readOnlyRootFilesystem: true
      restartPolicy: Always
      serviceAccount: containerssh
      serviceAccountName: containerssh
      volumes:
      - name: hostkey
        secret:
          secretName: containerssh-hostkey
      - configMap:
          name: containerssh-config
        name: config

and it works.

So, I don't know if it's an API change or something. I checked the doc about pod security context and it wasn't clear if readOnlyRootFilesystem was limited to container.

I'm running Kubernetes 1.24.3, both clients and cluster.

I will deploy (at least for my dev phase) with that, until I come up with my own pods definition.
Could be worth investigating. But as is, the doc doesn't work on 1.24.3.
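
The validation error quoted in this issue can be caught before deployment by checking where each securityContext field sits. The following is an added example, not part of the issue or the ContainerSSH documentation. It assumes the manifest has already been parsed into a dict (for instance by a YAML loader), and both sample manifests are constructed, reduced versions of the Deployment above.

```python
# Fields that exist only in the container-level SecurityContext (core/v1),
# not in PodSecurityContext.
CONTAINER_ONLY = {"readOnlyRootFilesystem", "allowPrivilegeEscalation",
                  "privileged", "capabilities", "procMount"}


def check_security_context(deployment):
    """Return a list of findings for a parsed Deployment manifest (a dict)."""
    findings = []
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_ctx = pod_spec.get("securityContext") or {}
    # Container-only fields at pod level fail validation as unknown fields.
    for field in sorted(CONTAINER_ONLY.intersection(pod_ctx)):
        findings.append(f"pod securityContext: '{field}' is container-only "
                        "and fails validation as an unknown field")
    # Every container needs its own readOnlyRootFilesystem setting.
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for container in containers:
        ctx = container.get("securityContext") or {}
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(f"container '{container['name']}': "
                            "readOnlyRootFilesystem is not true")
    return findings


# Constructed sample: the field placed at pod level, as in the reported error.
BROKEN = {"spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True},
    "containers": [{"name": "containerssh"}],
}}}}

# Constructed sample: the placement used in the working manifest above.
FIXED = {"spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "containerssh",
                    "securityContext": {"readOnlyRootFilesystem": True}}],
}}}}

if __name__ == "__main__":
    for finding in check_security_context(BROKEN):
        print(finding)
    print(check_security_context(FIXED))
```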

TypeError: unsupported operand type(s) for +: 'int' and 'str'

Is this an mkdocs bug?

Environment: Python 3.8.10

Error message:
TypeError: unsupported operand type(s) for +: 'int' and 'str'

modify page: nav-item.html (line 10)

level == 1 => level == "1"

{% if nav_item.children %}
    {% if "navigation.sections" in features and level == "1" + (
      "navigation.tabs" in features
    ) %}

[website] The about us page doesn't work

Describe the bug

The about us page on the website doesn't work:

https://containerssh.io/about/

It gives an error:

Macro Rendering Error
Exception: One or more errors during query: {"data": {"user": null}, "errors": [{"type": "NOT_FOUND", "path": ["user"], "locations": [{"line": 3, "column": 19}], "message": "Could not resolve to a User with the login of 'sanjacodes'."}]}
