From 5d6942dc5785256198b2767e827381ad21d8ae74 Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Mon, 15 Jul 2024 22:08:57 -0700 Subject: [PATCH 01/24] add basic bastion container --- docker-compose.yml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 401156f..ae75c85 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -85,6 +85,23 @@ services: - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/id_rsa.pub:ro - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro + bastion-dev: + container_name: bastion-dev + image: binlab/bastion + networks: + - dev-backend + - dev-frontend + expose: + - 22/tcp + ports: + - 22222:22/tcp + environment: + PUBKEY_AUTHENTICATION: "true" + volumes: + - ./sysadmin-ssh-keys/rsa_sysadmin:/var/lib/bastion/id_rsa:ro + - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/var/lib/bastion/id_rsa.pub:ro + - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/var/lib/bastion/authorized_keys:ro + volumes: db-data: name: db-data @@ -94,4 +111,5 @@ volumes: networks: dev-backend: name: dev-backend - + dev-frontend: + name: dev-frontend From 7386b3e572fce8de61f5c46ca51858983c50251e Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Thu, 18 Jul 2024 22:47:38 -0700 Subject: [PATCH 02/24] Remove the prebuilt bastion image and add a custom Dockerfile --- bastion/Dockerfile | 32 ++++++++++++++++++++++++++++++++ docker-compose.yml | 12 ++++++------ 2 files changed, 38 insertions(+), 6 deletions(-) create mode 100644 bastion/Dockerfile diff --git a/bastion/Dockerfile b/bastion/Dockerfile new file mode 100644 index 0000000..6876b91 --- /dev/null +++ b/bastion/Dockerfile 
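Review bot: The `volumes:` block of the new `bastion-dev` service mounts the private key `./sysadmin-ssh-keys/rsa_sysadmin` into the bastion, while the matching `rsa_sysadmin.pub` is the `authorized_keys` of the sysadmin account on the other services in this file, so whoever obtains a shell on the bastion — the one container published to the host via `22222:22/tcp` — holds a key that logs into every backend as sysadmin. A jump host does not need the hop key: keep the private key on the operator's machine and reach backends with `ssh -J sysadmin@localhost:22222 sysadmin@<host>`, which only relays the TCP connection through the bastion. If the bastion must hold a key for automation, give it its own pair so that a bastion compromise does not hand out operator credentials. At minimum drop the line `- ./sysadmin-ssh-keys/rsa_sysadmin:/var/lib/bastion/id_rsa:ro`.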
@@ -0,0 +1,32 @@ +# https://docs.docker.com/engine/reference/builder/ +# https://hub.docker.com/_/debian +FROM debian:bookworm-slim + +# Configure apt not to prompt during docker build +ARG DEBIAN_FRONTEND=noninteractive + +# Configure apt to avoid installing recommended and suggested packages +RUN apt-config dump \ + | grep -E '^APT::Install-(Recommends|Suggests)' \ + | sed -e 's/1/0/' \ + | tee /etc/apt/apt.conf.d/99no-recommends-no-suggests + +# Resynchronize the package index files from their sources +RUN apt-get update + +# Install git +RUN apt-get install -y \ + git \ + ca-certificates \ + && update-ca-certificates + +# Follows the instructions here: +# https://ovh.github.io/the-bastion/installation/basic.html +RUN git clone https://github.com/ovh/the-bastion /opt/bastion +RUN git -C /opt/bastion checkout $(git -C /opt/bastion tag | tail -1) + +RUN /opt/bastion/bin/admin/packages-check.sh -i + +RUN /opt/bastion/bin/admin/install --new-install + +RUN /opt/bastion/bin/admin/setup-first-admin-account.sh sysadmin auto \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index ae75c85..16b5525 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -87,7 +87,9 @@ services: bastion-dev: container_name: bastion-dev - image: binlab/bastion + build: + context: . + dockerfile: bastion/Dockerfile networks: - dev-backend - dev-frontend @@ -95,12 +97,10 @@ services: - 22/tcp ports: - 22222:22/tcp - environment: - PUBKEY_AUTHENTICATION: "true" volumes: - - ./sysadmin-ssh-keys/rsa_sysadmin:/var/lib/bastion/id_rsa:ro - - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/var/lib/bastion/id_rsa.pub:ro - - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/var/lib/bastion/authorized_keys:ro + - ./sysadmin-ssh-keys/rsa_sysadmin:/home/sysadmin/.ssh/id_rsa:ro + - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/id_rsa.pub:ro + - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro volumes: db-data: 
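Review bot: `RUN git -C /opt/bastion checkout $(git -C /opt/bastion tag | tail -1)` does not pin a release: `git tag` sorts refnames lexicographically by default, so `tail -1` returns whatever name sorts last (a `v3.9.x` tag sorts after `v3.10.x`), and the result changes with every upstream tag push, so the image is unreproducible and trusts the GitHub repository at build time with no integrity check. Pin the release in a build argument and clone only that ref, `ARG BASTION_REF` followed by `RUN git clone --depth 1 --branch "$BASTION_REF" https://github.com/ovh/the-bastion /opt/bastion`, and if upstream signs its tags run `git -C /opt/bastion verify-tag "$BASTION_REF"` before `install --new-install`. The `RUN apt-get update` earlier in this file is also a separate layer from `RUN apt-get install`, so a cached index can be paired with a newer package list on rebuild; merging them into one `RUN` is the usual fix.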
From 47380dd03a0b0d92c37c1c1ac986f0ea81b65bb0 Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Thu, 18 Jul 2024 23:11:33 -0700 Subject: [PATCH 03/24] add create sysadmin user and add to sudoers --- bastion/Dockerfile | 30 +++++++++++++++++++++++++++--- docker-compose.yml | 2 +- 2 files changed, 28 insertions(+), 4 deletions(-) diff --git a/bastion/Dockerfile b/bastion/Dockerfile index 6876b91..2949c78 100644 --- a/bastion/Dockerfile +++ b/bastion/Dockerfile @@ -17,16 +17,40 @@ RUN apt-get update # Install git RUN apt-get install -y \ git \ + sed \ ca-certificates \ + openssh-client \ + openssh-server \ && update-ca-certificates +# Clean up packages: Saves space by removing unnecessary package files and lists +RUN apt-get clean +RUN rm -rf /var/lib/apt/lists/* + +# Create sysadmin user and add to sudoers +RUN useradd -m -s /bin/bash sysadmin && echo "sysadmin:sysadmin" | chpasswd && \ + usermod -aG sudo sysadmin + +# Ensure SSH directory exists with correct permissions +RUN mkdir -p /home/sysadmin/.ssh && \ + chown sysadmin:sysadmin /home/sysadmin/.ssh && \ + chmod 700 /home/sysadmin/.ssh + +# Create privilege separation directory for SSH +RUN mkdir -p /run/sshd + # Follows the instructions here: # https://ovh.github.io/the-bastion/installation/basic.html RUN git clone https://github.com/ovh/the-bastion /opt/bastion RUN git -C /opt/bastion checkout $(git -C /opt/bastion tag | tail -1) - RUN /opt/bastion/bin/admin/packages-check.sh -i - RUN /opt/bastion/bin/admin/install --new-install -RUN /opt/bastion/bin/admin/setup-first-admin-account.sh sysadmin auto \ No newline at end of file +# Allow SSH jumping +RUN sed -i 's/AllowTcpForwarding no/AllowTcpForwarding yes/' /etc/ssh/sshd_config + +# Expose SSH port +EXPOSE 22 + +# Start SSH service +ENTRYPOINT ["/opt/bastion/docker/entrypoint.sh"] \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 16b5525..4a62215 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
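Review bot: `echo "sysadmin:sysadmin" | chpasswd` gives the only login account a well-known password and `usermod -aG sudo` puts it in the sudo group, yet nothing in this hunk sets `PasswordAuthentication no`, so with Debian's stock `sshd_config` (password authentication enabled by default) the bastion published on host port 22222 accepts `sysadmin`/`sysadmin`. The password string is also recorded in `docker history` of every image built from this file. The account is meant to be key-only (the compose file mounts its `authorized_keys`), so leave the password locked as `useradd` creates it: `RUN useradd -m -s /bin/bash sysadmin && usermod -aG sudo sysadmin`, or add `passwd -l sysadmin` if a password entry is required. `ENTRYPOINT ["/opt/bastion/docker/entrypoint.sh"]` refers to a script nothing in this Dockerfile creates; presumably it comes from the cloned checkout — worth verifying it exists at the tag actually checked out.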
@@ -101,7 +101,7 @@ services: - ./sysadmin-ssh-keys/rsa_sysadmin:/home/sysadmin/.ssh/id_rsa:ro - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/id_rsa.pub:ro - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro - + volumes: db-data: name: db-data From ff0272f898c0babb717a4d5e1096d3c080be5ef9 Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Tue, 23 Jul 2024 22:52:57 -0700 Subject: [PATCH 04/24] add bastion hosts config --- bastion/etc-bastion-config/config | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 bastion/etc-bastion-config/config diff --git a/bastion/etc-bastion-config/config b/bastion/etc-bastion-config/config new file mode 100644 index 0000000..5d01ab7 --- /dev/null +++ b/bastion/etc-bastion-config/config @@ -0,0 +1,14 @@ +Host ansible-dev + HostName ansible-dev + User sysadmin + IdentityFile ~/.ssh/id_rsa + +Host web-dev + HostName web-dev + User sysadmin + IdentityFile ~/.ssh/id_rsa + +Host db-dev + HostName db-dev + User sysadmin + IdentityFile ~/.ssh/id_rsa \ No newline at end of file From bfd9310579d0204901901965cdeda80d3b2a5b05 Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Tue, 23 Jul 2024 22:53:51 -0700 Subject: [PATCH 05/24] add sysadmin no password config for bastion server --- bastion/etc-sudoers.d/sysadmin_all_nopass | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 bastion/etc-sudoers.d/sysadmin_all_nopass diff --git a/bastion/etc-sudoers.d/sysadmin_all_nopass b/bastion/etc-sudoers.d/sysadmin_all_nopass new file mode 100644 index 0000000..090dd70 --- /dev/null +++ b/bastion/etc-sudoers.d/sysadmin_all_nopass @@ -0,0 +1,5 @@ +# vim: ft=sudoers +# +# This file MUST be edited with `/usr/sbin/visudo -sf FILENAME`. + +%sudo ALL =(ALL) NOPASSWD:ALL From 15dd011f4447fad30307cdea8739856d8a838062 Mon Sep 17 00:00:00 2001 
From: Yi Chien Lee Date: Tue, 23 Jul 2024 22:55:10 -0700 Subject: [PATCH 06/24] revise docker compose for no password config --- bastion/Dockerfile | 3 +++ docker-compose.yml | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/bastion/Dockerfile b/bastion/Dockerfile index 2949c78..5f935cf 100644 --- a/bastion/Dockerfile +++ b/bastion/Dockerfile @@ -31,6 +31,9 @@ RUN rm -rf /var/lib/apt/lists/* RUN useradd -m -s /bin/bash sysadmin && echo "sysadmin:sysadmin" | chpasswd && \ usermod -aG sudo sysadmin +# Copy the sudoers file for sysadmin user to the appropriate directory +COPY ./bastion/etc-sudoers.d/sysadmin_all_nopass /etc/sudoers.d/sysadmin_all_nopass + # Ensure SSH directory exists with correct permissions RUN mkdir -p /home/sysadmin/.ssh && \ chown sysadmin:sysadmin /home/sysadmin/.ssh && \ diff --git a/docker-compose.yml b/docker-compose.yml index 4a62215..401c27f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -101,7 +101,7 @@ services: - ./sysadmin-ssh-keys/rsa_sysadmin:/home/sysadmin/.ssh/id_rsa:ro - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/id_rsa.pub:ro - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro - + - ./bastion/etc-bastion-config/config:/home/sysadmin/.ssh/config:ro volumes: db-data: name: db-data From e731e75b4cb4099396ef0bfdae5173daeb6e2008 Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Tue, 23 Jul 2024 22:55:44 -0700 Subject: [PATCH 07/24] change the order of commands to get ssh start --- db/startupservice.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/db/startupservice.sh b/db/startupservice.sh index d21d0ca..b4ae4ef 100644 --- a/db/startupservice.sh +++ b/db/startupservice.sh 
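Review bot: `COPY ./bastion/etc-sudoers.d/sysadmin_all_nopass /etc/sudoers.d/sysadmin_all_nopass` installs a `%sudo ALL=(ALL) NOPASSWD:ALL` rule with whatever mode the file carries in the build context and without the `visudo` check the file's own header demands, so a syntax slip breaks sudo for everyone and an over-permissive mode makes sudo complain about or skip the file (0440 is what it expects). Note also that `sudo` does not appear in any `apt-get install` list in this Dockerfile, so the rule is inert until someone adds the package, at which point passwordless root on the jump host goes live unnoticed. If sudo is genuinely needed on the bastion, install it explicitly, pin the mode and validate in the same step: `COPY --chmod=0440 ./bastion/etc-sudoers.d/sysadmin_all_nopass /etc/sudoers.d/sysadmin_all_nopass` then `RUN visudo -cf /etc/sudoers.d/sysadmin_all_nopass`. Otherwise drop both the group membership and this file — a jump-host account should relay connections, not become root.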
@@ -6,10 +6,10 @@ set -o nounset E0="$(printf "\e[0m")" # reset E1="$(printf "\e[1m")" # bold +# Start SSH service +/usr/sbin/sshd -D + echo "${E1}Starting mariadb: http://127.0.0.1:3306${E0}" # Start mariadb in the background -docker-entrypoint.sh "$@" - -# Start SSH service -/usr/sbin/sshd -D \ No newline at end of file +docker-entrypoint.sh "$@" \ No newline at end of file From 2ec280dd3cb0c750c7c3379af3bdd71d3e595106 Mon Sep 17 00:00:00 2001 From: Shafiya Heena Date: Thu, 25 Jul 2024 10:42:14 -0400 Subject: [PATCH 08/24] update bastion/dockerfile and dockercomose --- bastion/Dockerfile | 21 ++++++++------------- docker-compose.yml | 4 ++++ 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/bastion/Dockerfile b/bastion/Dockerfile index 5f935cf..303fe87 100644 --- a/bastion/Dockerfile +++ b/bastion/Dockerfile @@ -16,12 +16,10 @@ RUN apt-get update # Install git RUN apt-get install -y \ - git \ sed \ - ca-certificates \ openssh-client \ openssh-server \ - && update-ca-certificates + vim # Clean up packages: Saves space by removing unnecessary package files and lists RUN apt-get clean 
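Review bot: Adding `vim` to the install list leaves an interactive editor in the image that is the host-exposed entry point for the whole environment; a jump host should carry as little as possible, and an editor is not needed to run `sshd`. Drop it, or gate it behind a build argument used only for debugging builds. The `RUN apt-get update` just above this hunk is still its own layer, separate from this `apt-get install`, so a stale package index can be reused across rebuilds; the standard form is one `RUN apt-get update && apt-get install -y ... && rm -rf /var/lib/apt/lists/*`.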
@@ -42,18 +40,15 @@ RUN mkdir -p /home/sysadmin/.ssh && \ # Create privilege separation directory for SSH RUN mkdir -p /run/sshd -# Follows the instructions here: -# https://ovh.github.io/the-bastion/installation/basic.html -RUN git clone https://github.com/ovh/the-bastion /opt/bastion -RUN git -C /opt/bastion checkout $(git -C /opt/bastion tag | tail -1) -RUN /opt/bastion/bin/admin/packages-check.sh -i -RUN /opt/bastion/bin/admin/install --new-install +# Update SSH configuration to disable password authentication +RUN sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config && \ + sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config && \ + echo "AllowTcpForwarding yes" >> /etc/ssh/sshd_config && \ + echo "GatewayPorts yes" >> /etc/ssh/sshd_config -# Allow SSH jumping -RUN sed -i 's/AllowTcpForwarding no/AllowTcpForwarding yes/' /etc/ssh/sshd_config # Expose SSH port EXPOSE 22 -# Start SSH service -ENTRYPOINT ["/opt/bastion/docker/entrypoint.sh"] \ No newline at end of file +# Start the SSH daemon +CMD ["/usr/sbin/sshd", "-D"] diff --git a/docker-compose.yml b/docker-compose.yml index 401c27f..fa3c5c8 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -102,6 +102,8 @@ services: - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/id_rsa.pub:ro - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro - ./bastion/etc-bastion-config/config:/home/sysadmin/.ssh/config:ro + + volumes: db-data: name: db-data @@ -111,5 +113,7 @@ volumes: networks: dev-backend: name: dev-backend + driver: bridge + dev-frontend: name: dev-frontend From 22a8e1d0c966621f2a6654680b013186c1abfe4c Mon Sep 17 00:00:00 2001 
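Review bot: `echo "GatewayPorts yes" >> /etc/ssh/sshd_config` lets any authenticated user bind remote-forwarded ports (`ssh -R`) on all of the bastion's interfaces instead of loopback, so a session on the bastion can publish an arbitrary listener on the dev-backend network; ProxyJump / `ssh -J` needs `AllowTcpForwarding yes` but not this, so leave `GatewayPorts` at its default `no`. Separately, `CMD ["/usr/sbin/sshd", "-D"]` logs authentication to syslog, and nothing in this image runs a syslog daemon, so logins through the bastion leave no trace in `docker logs`; use `CMD ["/usr/sbin/sshd", "-D", "-e"]` so sshd writes to stderr. The `sed` patterns only match if the stock config contains exactly those commented lines, so the effective settings should be checked with `sshd -T` during the build rather than assumed.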
From: Shafiya Heena Date: Thu, 25 Jul 2024 12:35:10 -0400 Subject: [PATCH 09/24] update bastion config file and location --- bastion/etc-bastion-config/config | 14 -------------- bastion/sysadmin-.ssh-config/config | 18 ++++++++++++++++++ 2 files changed, 18 insertions(+), 14 deletions(-) delete mode 100644 bastion/etc-bastion-config/config create mode 100644 bastion/sysadmin-.ssh-config/config diff --git a/bastion/etc-bastion-config/config b/bastion/etc-bastion-config/config deleted file mode 100644 index 5d01ab7..0000000 --- a/bastion/etc-bastion-config/config +++ /dev/null @@ -1,14 +0,0 @@ -Host ansible-dev - HostName ansible-dev - User sysadmin - IdentityFile ~/.ssh/id_rsa - -Host web-dev - HostName web-dev - User sysadmin - IdentityFile ~/.ssh/id_rsa - -Host db-dev - HostName db-dev - User sysadmin - IdentityFile ~/.ssh/id_rsa \ No newline at end of file diff --git a/bastion/sysadmin-.ssh-config/config b/bastion/sysadmin-.ssh-config/config new file mode 100644 index 0000000..50478a0 --- /dev/null +++ b/bastion/sysadmin-.ssh-config/config @@ -0,0 +1,18 @@ +Host ansible-dev + HostName ansible-dev + User sysadmin + IdentityFile /home/sysadmin/.ssh/id_rsa + ForwardAgent yes + +Host web-dev + HostName web-dev + User sysadmin + IdentityFile /home/sysadmin/.ssh/id_rsa + ForwardAgent yes + +Host db-dev + HostName db-dev + User sysadmin + IdentityFile /home/sysadmin/.ssh/id_rsa + ForwardAgent yes + From 6b11dc1d9e9675bb8b24c43cb0ec2717da77d114 Mon Sep 17 00:00:00 2001 From: Shafiya Heena Date: Thu, 25 Jul 2024 13:36:54 -0400 Subject: [PATCH 10/24] update db files to start the ssh service --- db/Dockerfile | 8 +++++++- db/startupservice.sh | 8 ++++---- docker-compose.yml | 3 --- 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/db/Dockerfile b/db/Dockerfile index d367b98..6f864b8 100644 --- a/db/Dockerfile +++ b/db/Dockerfile 
@@ -28,6 +28,12 @@ RUN mkdir -p /home/sysadmin/.ssh && \ # Create privilege separation directory for SSH RUN mkdir -p /run/sshd +# Configure SSH for agent forwarding and secure settings +RUN echo "AllowAgentForwarding yes" >> /etc/ssh/sshd_config && \ + echo "PermitRootLogin prohibit-password" >> /etc/ssh/sshd_config && \ + echo "PasswordAuthentication no" >> /etc/ssh/sshd_config && \ + echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config + # Expose SSH port EXPOSE 22 EXPOSE 3306 @@ -37,4 +43,4 @@ COPY ./db/startupservice.sh /startupservice.sh RUN chmod +x /startupservice.sh ENTRYPOINT ["/startupservice.sh"] -CMD ["mariadbd"] \ No newline at end of file +CMD ["mariadbd"] diff --git a/db/startupservice.sh b/db/startupservice.sh index b4ae4ef..6997b30 100644 --- a/db/startupservice.sh +++ b/db/startupservice.sh @@ -6,10 +6,10 @@ set -o nounset E0="$(printf "\e[0m")" # reset E1="$(printf "\e[1m")" # bold -# Start SSH service -/usr/sbin/sshd -D - echo "${E1}Starting mariadb: http://127.0.0.1:3306${E0}" # Start mariadb in the background -docker-entrypoint.sh "$@" \ No newline at end of file +docker-entrypoint.sh "$@" + +# Start SSH service +/usr/sbin/sshd -D diff --git a/docker-compose.yml b/docker-compose.yml index fa3c5c8..6068830 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -92,7 +92,6 @@ services: dockerfile: bastion/Dockerfile networks: - dev-backend - - dev-frontend expose: - 22/tcp ports: @@ -115,5 +114,3 @@ networks: name: dev-backend driver: bridge - dev-frontend: - name: dev-frontend From 0d48777e34e18058493f1a205cdb8601a4a76d2d Mon Sep 17 00:00:00 2001 From: Shafiya Heena Date: Thu, 25 Jul 2024 15:32:26 -0400 Subject: [PATCH 11/24] adjust spacing --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 6068830..c45b403 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -99,7 +99,7 @@ services: volumes: - ./sysadmin-ssh-keys/rsa_sysadmin:/home/sysadmin/.ssh/id_rsa:ro - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/id_rsa.pub:ro - - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro +······-·./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro - ./bastion/etc-bastion-config/config:/home/sysadmin/.ssh/config:ro From a79082286e722d11c09ca169b625e11ddd39e010 Mon Sep 17 00:00:00 2001 From: Shafiya Heena Date: Thu, 25 Jul 2024 15:33:55 -0400 Subject: [PATCH 12/24] correcting the space --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index c45b403..a3651f3 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -99,7 +99,7 @@ services: volumes: - ./sysadmin-ssh-keys/rsa_sysadmin:/home/sysadmin/.ssh/id_rsa:ro - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/id_rsa.pub:ro -······-·./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro + -·./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro - ./bastion/etc-bastion-config/config:/home/sysadmin/.ssh/config:ro From bf9bdcdfd1f98340e07480962a9e69d1d10f1a17 Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Mon, 29 Jul 2024 22:24:39 -0700 Subject: [PATCH 13/24] remove db folder and update docker compose as SSH is no longer needed for db --- db/Dockerfile | 40 ---------------------------------------- db/startupservice.sh | 15 --------------- docker-compose.yml | 11 +---------- 3 files changed, 1 insertion(+), 65 deletions(-) delete mode 100644 db/Dockerfile delete mode 100644 db/startupservice.sh diff --git a/db/Dockerfile b/db/Dockerfile deleted file mode 100644 index d367b98..0000000 --- a/db/Dockerfile +++ /dev/null 
@@ -1,40 +0,0 @@ -# https://docs.docker.com/engine/reference/builder/ - -# https://hub.docker.com/_/mariadb -FROM mariadb - -# Resynchronize the package index files from their sources -RUN apt-get update - -# Install packages for ssh -RUN apt-get install -y \ - openssh-client \ - openssh-server - -# Clean up packages: Saves space by removing unnecessary package files and lists -RUN apt-get clean -RUN rm -rf /var/lib/apt/lists/* - -# Create sysadmin user and add to sudoers -RUN useradd -m -s /bin/bash sysadmin && \ - echo "sysadmin:sysadmin" | chpasswd && \ - usermod -aG sudo sysadmin - -# Ensure SSH directory exists with correct permissions -RUN mkdir -p /home/sysadmin/.ssh && \ - chown sysadmin:sysadmin /home/sysadmin/.ssh && \ - chmod 700 /home/sysadmin/.ssh - -# Create privilege separation directory for SSH -RUN mkdir -p /run/sshd - -# Expose SSH port -EXPOSE 22 -EXPOSE 3306 - -# Add mariadb service startup script -COPY ./db/startupservice.sh /startupservice.sh -RUN chmod +x /startupservice.sh - -ENTRYPOINT ["/startupservice.sh"] -CMD ["mariadbd"] \ No newline at end of file diff --git a/db/startupservice.sh b/db/startupservice.sh deleted file mode 100644 index b4ae4ef..0000000 --- a/db/startupservice.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash -set -o errexit -set -o nounset - -# https://en.wikipedia.org/wiki/ANSI_escape_code -E0="$(printf "\e[0m")" # reset -E1="$(printf "\e[1m")" # bold - -# Start SSH service -/usr/sbin/sshd -D - -echo "${E1}Starting mariadb: http://127.0.0.1:3306${E0}" - -# Start mariadb in the background -docker-entrypoint.sh "$@" \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 401c27f..21abeed 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -65,25 +65,16 @@ services: db-dev: container_name: db-dev - build: - context: . - dockerfile: db/Dockerfile environment: - USER: sysadmin MYSQL_DATABASE: wordpress MYSQL_ROOT_PASSWORD: root MYSQL_USER: root + image: mariadb networks: - dev-backend restart: on-failure - ports: - - "3306:3306" - - "22003:22" volumes: - db-data:/var/lib/mysql - - ./sysadmin-ssh-keys/rsa_sysadmin:/home/sysadmin/.ssh/id_rsa:ro - - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/id_rsa.pub:ro - - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro bastion-dev: container_name: bastion-dev From 7a45bbf1f6dfe3476375271eafa8b88b1b91c579 Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Tue, 30 Jul 2024 22:24:21 -0700 Subject: [PATCH 14/24] fix typo in docker compose file --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 331455f..6140235 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -90,7 +90,7 @@ services: volumes: - ./sysadmin-ssh-keys/rsa_sysadmin:/home/sysadmin/.ssh/id_rsa:ro - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/id_rsa.pub:ro - -·./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro + - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro - ./bastion/etc-bastion-config/config:/home/sysadmin/.ssh/config:ro From a2de11aaf868bd9da8af07c25f23f2b0de09caae Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Tue, 30 Jul 2024 22:48:09 -0700 Subject: [PATCH 15/24] remove duplicate command for ansible-dev --- docker-compose.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 6140235..515db5c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -17,10 +17,6 @@ services: - "22001:22" environment: - USER=sysadmin - entrypoint: | - sh -c " - exec /usr/sbin/sshd -D - " web-dev: container_name: web-dev 
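Review bot: `image: mariadb` pins neither a tag nor a digest, so any `docker compose pull` can silently move db-dev to a new major release with different defaults or an incompatible on-disk format under the `db-data` volume; pin at least a major.minor tag (`image: mariadb:<major.minor>`) or a digest. Removing the host-side `3306` and `22003` mappings is a good reduction of exposure, but the surrounding `MYSQL_ROOT_PASSWORD: root` / `MYSQL_USER: root` lines remain committed in plain text; sourcing the value from an uncommitted `.env` file (`MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}`) keeps the credential out of the repository.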
From ce8eeec292258ae3fd22094a2b5f9fa65050bb27 Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Tue, 30 Jul 2024 22:48:43 -0700 Subject: [PATCH 16/24] run ansible playbook command in dockerfile --- ansible/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/Dockerfile b/ansible/Dockerfile index e26e748..5193b27 100644 --- a/ansible/Dockerfile +++ b/ansible/Dockerfile @@ -56,5 +56,5 @@ ENV ANSIBLE_CONFIG=/etc/ansible/ansible.cfg EXPOSE 22 # Start SSH service -CMD ["/usr/sbin/sshd", "-D"] +ENTRYPOINT ["/bin/sh", "-c", "ansible-playbook site.yml && /usr/sbin/sshd -D"] From 30662495bcd17711dc42712151356d5cd5aecb83 Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Thu, 8 Aug 2024 09:52:57 -0700 Subject: [PATCH 17/24] add ProxyJump config and remove db-dev in sysadmin ssh config for bastion --- bastion/sysadmin-.ssh-config/config | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/bastion/sysadmin-.ssh-config/config b/bastion/sysadmin-.ssh-config/config index 50478a0..e5e4f9d 100644 --- a/bastion/sysadmin-.ssh-config/config +++ b/bastion/sysadmin-.ssh-config/config @@ -2,17 +2,15 @@ Host ansible-dev HostName ansible-dev User sysadmin IdentityFile /home/sysadmin/.ssh/id_rsa - ForwardAgent yes + ProxyJump bastion Host web-dev HostName web-dev User sysadmin IdentityFile /home/sysadmin/.ssh/id_rsa - ForwardAgent yes - -Host db-dev - HostName db-dev - User sysadmin - IdentityFile /home/sysadmin/.ssh/id_rsa - ForwardAgent yes + ProxyJump bastion +Host bastion + HostName bastion-dev + User sysadmin + IdentityFile /home/sysadmin/.ssh/id_rsa \ No newline at end of file From 3fd6a8d750fb5d854c2543586df0ed648f5b24ad Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Thu, 8 Aug 2024 10:16:17 -0700 Subject: [PATCH 18/24] revert the ENTRYPOINT change in ansible Dockerfile --- ansible/Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/ansible/Dockerfile b/ansible/Dockerfile index 5193b27..8dcad5f 100644 --- a/ansible/Dockerfile +++ b/ansible/Dockerfile @@ -56,5 +56,4 @@ ENV ANSIBLE_CONFIG=/etc/ansible/ansible.cfg EXPOSE 22 # Start SSH service -ENTRYPOINT ["/bin/sh", "-c", "ansible-playbook site.yml && /usr/sbin/sshd -D"] - +CMD ["/usr/sbin/sshd", "-D"] \ No newline at end of file From 436b70dcd15505566a0d411ba556d1301f77727f Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Sun, 11 Aug 2024 17:53:07 -0700 Subject: [PATCH 19/24] update README.MD for bastion and ssh config --- README.md | 28 +++++++++++++++++++++++++++- bastion/sysadmin-.ssh-config/config | 15 +++++++++------ docker-compose.yml | 2 -- 3 files changed, 36 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index b721c43..aa7f22c 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ The aim of the project is to establish a robust and localized development enviro The [`docker-compose.yml`](docker-compose.yml) file defines the following containers: -- WIP: Bastion (SSH jump server) +- **bastion-dev** - Bastion (SSH jump server) - **ansible-dev** - Ansible - **web-dev** - Web server (Apache2/WordPress) - **db-dev** - Database server (MariaDB) 
@@ -89,6 +89,32 @@ The SSH setup has been established and is currently in use for the Ansible conta ssh -i ./sysadmin-ssh-keys/rsa_sysadmin -p 22001 sysadmin@localhost ``` +**SSH connection information**: example local/laptop `~/.ssh/config` configugration +``` +Host ansible-dev + HostName localhost + User sysadmin + Port 22222 + IdentityFile /home/sysadmin/.ssh/id_rsa + ProxyJump bastion + +Host web-dev + HostName localhost + User sysadmin + Port 22001 + IdentityFile /home/sysadmin/.ssh/id_rsa + ProxyJump bastion + +Host bastion-dev + HostName localhost + Port 22002 + User sysadmin + IdentityFile /home/sysadmin/.ssh/id_rsa +``` +- Assume remote username `sysadmin`. Replace these values in your own local/laptop configuration. +- ProxyJump allow you to use `ssh bastion` to connect to the bastion-dev host, and `ssh ansible-dev` or `ssh web-dev`, and SSH will automatically connect through the bastion jump host. + + ## Related Links - [Ansible Documentation](https://docs.ansible.com/) - [FrontPage - Debian Wiki](https://wiki.debian.org/FrontPage) diff --git a/bastion/sysadmin-.ssh-config/config b/bastion/sysadmin-.ssh-config/config index e5e4f9d..2cb1dba 100644 --- a/bastion/sysadmin-.ssh-config/config +++ b/bastion/sysadmin-.ssh-config/config @@ -1,16 +1,19 @@ Host ansible-dev - HostName ansible-dev + HostName localhost User sysadmin + Port 22222 IdentityFile /home/sysadmin/.ssh/id_rsa ProxyJump bastion Host web-dev - HostName web-dev + HostName localhost User sysadmin + Port 22001 IdentityFile /home/sysadmin/.ssh/id_rsa ProxyJump bastion -Host bastion - HostName bastion-dev - User sysadmin - IdentityFile /home/sysadmin/.ssh/id_rsa \ No newline at end of file +Host bastion-dev + HostName localhost + Port 22002 + User sysadmin + IdentityFile /home/sysadmin/.ssh/id_rsa \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 515db5c..d05f5a3 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -87,8 +87,6 @@ services: - ./sysadmin-ssh-keys/rsa_sysadmin:/home/sysadmin/.ssh/id_rsa:ro - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/id_rsa.pub:ro - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro - - ./bastion/etc-bastion-config/config:/home/sysadmin/.ssh/config:ro - volumes: db-data: From a60359298d0c634a5a539bbae5caa8716732b6f7 Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Sun, 11 Aug 2024 19:12:20 -0700 Subject: [PATCH 20/24] correct ProxyJump in ssh config --- README.md | 4 ++-- bastion/sysadmin-.ssh-config/config | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index aa7f22c..bd6863b 100644 --- a/README.md +++ b/README.md @@ -96,14 +96,14 @@ Host ansible-dev User sysadmin Port 22222 IdentityFile /home/sysadmin/.ssh/id_rsa - ProxyJump bastion + ProxyJump bastion-dev Host web-dev HostName localhost User sysadmin Port 22001 IdentityFile /home/sysadmin/.ssh/id_rsa - ProxyJump bastion + ProxyJump bastion-dev Host bastion-dev HostName localhost diff --git a/bastion/sysadmin-.ssh-config/config b/bastion/sysadmin-.ssh-config/config index 2cb1dba..6899c14 100644 --- a/bastion/sysadmin-.ssh-config/config +++ b/bastion/sysadmin-.ssh-config/config @@ -3,14 +3,14 @@ Host ansible-dev User sysadmin Port 22222 IdentityFile /home/sysadmin/.ssh/id_rsa - ProxyJump bastion + ProxyJump bastion-dev Host web-dev HostName localhost User sysadmin Port 22001 IdentityFile /home/sysadmin/.ssh/id_rsa - ProxyJump bastion + ProxyJump bastion-dev Host bastion-dev HostName localhost From 8b7a3884d34b6a297eca22a1f9c1a7e63298c97e Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Sun, 11 Aug 2024 22:24:30 -0700 Subject: [PATCH 21/24] correct contaniner port in ssh config --- README.md | 16 +++++++--------- bastion/Dockerfile | 7 +++---- bastion/sysadmin-.ssh-config/config | 16 +++++++--------- 3 files changed, 17 insertions(+), 22 deletions(-) 
diff --git a/README.md b/README.md index bd6863b..b9548c5 100644 --- a/README.md +++ b/README.md @@ -91,24 +91,22 @@ The SSH setup has been established and is currently in use for the Ansible conta **SSH connection information**: example local/laptop `~/.ssh/config` configugration ``` -Host ansible-dev +Host bastion-dev HostName localhost User sysadmin Port 22222 IdentityFile /home/sysadmin/.ssh/id_rsa - ProxyJump bastion-dev -Host web-dev - HostName localhost +Host ansible-dev + HostName ansible-dev User sysadmin - Port 22001 + Port 22 IdentityFile /home/sysadmin/.ssh/id_rsa - ProxyJump bastion-dev -Host bastion-dev - HostName localhost - Port 22002 +Host web-dev + HostName web-dev User sysadmin + Port 22 IdentityFile /home/sysadmin/.ssh/id_rsa ``` - Assume remote username `sysadmin`. Replace these values in your own local/laptop configuration. diff --git a/bastion/Dockerfile b/bastion/Dockerfile index 303fe87..4abf634 100644 --- a/bastion/Dockerfile +++ b/bastion/Dockerfile @@ -42,10 +42,9 @@ RUN mkdir -p /run/sshd # Update SSH configuration to disable password authentication RUN sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config && \ - sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config && \ - echo "AllowTcpForwarding yes" >> /etc/ssh/sshd_config && \ - echo "GatewayPorts yes" >> /etc/ssh/sshd_config - + sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config && \ + sed -i 's/#AllowTcpForwarding yes/AllowTcpForwarding yes/' /etc/ssh/sshd_config && \ + sed -i 's/#GatewayPorts no/GatewayPorts yes/' /etc/ssh/sshd_config # Expose SSH port EXPOSE 22 diff --git a/bastion/sysadmin-.ssh-config/config b/bastion/sysadmin-.ssh-config/config index 6899c14..6e9357c 100644 --- a/bastion/sysadmin-.ssh-config/config +++ b/bastion/sysadmin-.ssh-config/config 
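Review bot: The four `sed -i 's/#Directive default/Directive value/'` substitutions only take effect if the stock `sshd_config` contains exactly those commented lines; when a base-image update changes the text, `sed` matches nothing, exits 0, and the bastion silently keeps the defaults — this hunk is itself a fix for exactly such a miss on `PermitRootLogin`, and the build still does not verify the outcome. `GatewayPorts yes` also survives, letting any user bind `ssh -R` listeners on all bastion interfaces, which ProxyJump does not need. Bookworm's stock `sshd_config` includes `/etc/ssh/sshd_config.d/*.conf` before its own directives (first value wins), so write the policy as an explicit drop-in and assert it with `sshd -t` and `sshd -T`, failing the build instead of shipping a permissive config (the `RUN mkdir -p /run/sshd` earlier in the file is what lets `sshd -t` run here).

```dockerfile
# Bastion sshd policy as a drop-in: bookworm's sshd_config includes
# sshd_config.d/*.conf ahead of its own directives, so these win regardless
# of the stock file's wording. sshd -T asserts the effective values.
RUN printf '%s\n' \
      'PasswordAuthentication no' \
      'PermitRootLogin no' \
      'AllowTcpForwarding yes' \
      'GatewayPorts no' \
      > /etc/ssh/sshd_config.d/10-bastion.conf \
 && sshd -t \
 && sshd -T | grep -qix 'passwordauthentication no' \
 && sshd -T | grep -qix 'gatewayports no'
# … unchanged: EXPOSE 22 …
```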
@@ -1,19 +1,17 @@ -Host ansible-dev +Host bastion-dev HostName localhost User sysadmin Port 22222 IdentityFile /home/sysadmin/.ssh/id_rsa - ProxyJump bastion-dev -Host web-dev - HostName localhost +Host ansible-dev + HostName ansible-dev User sysadmin - Port 22001 + Port 22 IdentityFile /home/sysadmin/.ssh/id_rsa - ProxyJump bastion-dev -Host bastion-dev - HostName localhost - Port 22002 +Host web-dev + HostName web-dev User sysadmin + Port 22 IdentityFile /home/sysadmin/.ssh/id_rsa \ No newline at end of file From fcbdf6124ca09f0ec085f0193c0cb7d6c9e7caad Mon Sep 17 00:00:00 2001 From: Shafiya Heena Date: Thu, 15 Aug 2024 11:51:08 -0400 Subject: [PATCH 22/24] update README.md --- README.md | 31 +++++++++---------------------- 1 file changed, 9 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index b9548c5..de6d322 100644 --- a/README.md +++ b/README.md 
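Review bot: The `ansible-dev` and `web-dev` entries now use `HostName ansible-dev` / `HostName web-dev` with `Port 22`; those names only resolve on the compose `dev-backend` network, so from a laptop they are unreachable without the `ProxyJump bastion-dev` this hunk removes, while from inside the bastion the `bastion-dev` entry pointing at `localhost:22222` makes no sense — the file needs to say which side it is for. As far as the series shows, nothing mounts or copies `bastion/sysadmin-.ssh-config/config` into any container (the compose mount referenced the older `etc-bastion-config` path and was dropped in patch 19), so this may be dead configuration. If it is the operator-side example, use `IdentityFile ~/.ssh/rsa_sysadmin` rather than the container-internal `/home/sysadmin/.ssh/id_rsa`, restore `ProxyJump bastion-dev` on the two backend hosts, and add `IdentitiesOnly yes` so only the intended key is offered to the bastion.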
@@ -89,29 +89,16 @@ The SSH setup has been established and is currently in use for the Ansible conta ssh -i ./sysadmin-ssh-keys/rsa_sysadmin -p 22001 sysadmin@localhost ``` -**SSH connection information**: example local/laptop `~/.ssh/config` configugration -``` -Host bastion-dev - HostName localhost - User sysadmin - Port 22222 - IdentityFile /home/sysadmin/.ssh/id_rsa - -Host ansible-dev - HostName ansible-dev - User sysadmin - Port 22 - IdentityFile /home/sysadmin/.ssh/id_rsa - -Host web-dev - HostName web-dev - User sysadmin - Port 22 - IdentityFile /home/sysadmin/.ssh/id_rsa -``` -- Assume remote username `sysadmin`. Replace these values in your own local/laptop configuration. +**SSH connection from bastion**: - ProxyJump allow you to use `ssh bastion` to connect to the bastion-dev host, and `ssh ansible-dev` or `ssh web-dev`, and SSH will automatically connect through the bastion jump host. - +Execute.the.following.command.to.confirm.the.bastion connection: +....```shell + ssh -J sysadmin@localhost:22222 sysadmin@web-dev +....``` + +....```shell +....ssh.-J.sysadmin@localhost:22222.sysadmin@ansible-dev +....` ## Related Links - [Ansible Documentation](https://docs.ansible.com/) From afc20790e8ac4dbe7869269b637d2ffbc2947a19 Mon Sep 17 00:00:00 2001 From: Shafiya Heena Date: Thu, 15 Aug 2024 11:57:47 -0400 Subject: [PATCH 23/24] update README.md --- README.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index de6d322..b5e89a4 100644 --- a/README.md +++ b/README.md 
@@ -91,14 +91,16 @@ The SSH setup has been established and is currently in use for the Ansible conta **SSH connection from bastion**: - ProxyJump allow you to use `ssh bastion` to connect to the bastion-dev host, and `ssh ansible-dev` or `ssh web-dev`, and SSH will automatically connect through the bastion jump host. -Execute.the.following.command.to.confirm.the.bastion connection: -....```shell +- currently, db-dev is not handled through bastion +- Execute the following command to confirm the bastion connection: + + ```shell ssh -J sysadmin@localhost:22222 sysadmin@web-dev -....``` + ``` -....```shell -....ssh.-J.sysadmin@localhost:22222.sysadmin@ansible-dev -....` + ```shell + ssh.-J.sysadmin@localhost:22222.sysadmin@ansible-dev + ``` ## Related Links - [Ansible Documentation](https://docs.ansible.com/) From f4eb225ee8247a30d829c7cf9f8cf73c10b05561 Mon Sep 17 00:00:00 2001 From: Shafiya Heena Date: Thu, 15 Aug 2024 11:59:00 -0400 Subject: [PATCH 24/24] update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b5e89a4..f881310 100644 --- a/README.md +++ b/README.md @@ -99,7 +99,7 @@ The SSH setup has been established and is currently in use for the Ansible conta ``` ```shell - ssh.-J.sysadmin@localhost:22222.sysadmin@ansible-dev + ssh -J sysadmin@localhost:22222 sysadmin@ansible-dev ``` ## Related Links