
I'm attempting to set up a system that automatically creates a new sandbox on SSH login to use as a temporary jump box into my server. To do this I was wondering how to set up LXC to spin up a new shell in the container once there is an SSH connection, then destroy that container after the session is closed.

What would be the best way to go about this?

EDIT:

Thanks to everyone who has given their input. I have been able to devise a method to do this setup as follows:

/etc/ssh/sshd_config:

Match Group ssh
    ForceCommand sudo docker run --rm -t -i busybox /bin/sh

What this does is force the user session to go straight into a busybox container and then delete the changes on exit. One could change or create their own image and specify it in place of busybox. busybox is used here since the only things the default busybox container offers are wget and telnet, which is good enough for most OOB testing/jump boxes, and this was the use-case goal of this design.

Dwight Spencer
  • ssh user@host lxc-create -f $CONTAINER_CONFIGPATH -n $CONTAINER_NAME – mikeserv Mar 23 '14 at 06:23
  • That's probably not the best way. You should be able to insert commands in your ssh key, though. Probably that's the best way. – mikeserv Mar 23 '14 at 06:27
  • OK, so adding `ForceCommand lxc-create -f $container_configpath -n jailshel` to the /etc/ssh/sshd_config is a given, but how does this destroy the container when the ssh session is closed? – Dwight Spencer Mar 23 '14 at 07:15
  • you just `shutdown` instead of `exit` – mikeserv Mar 23 '14 at 07:28
  • 2
    Ok. I get it. You're not who you're trying to jail. Sorry. `ForceCommand sh -i ( readonly con='-n jailshel'; trap 'lxc-destroy $con' EXIT $andtherest ; lxc-create -f $container_configpath $con )` or something. Run it as a child of some process that will exit when a connection quits and execute lxc-destroy in a trap. – mikeserv Mar 23 '14 at 07:41
  • not a lot of developers or general users are going to remember "shutdown" not exit or the more common: click the '[x]' button to close putty. – Dwight Spencer Mar 23 '14 at 07:49
  • Anywho, could you put that script part as an answer? – Dwight Spencer Mar 23 '14 at 07:50
  • Yeah. Had to think twice about that myself. "But wait... ***I*** don't even *`exit`...*" – mikeserv Mar 23 '14 at 07:52
  • Does it work? Don't have any containers configured and didn't test... Don't like to put untested stuff into answers... – mikeserv Mar 23 '14 at 07:54
  • Not quite, I'll have to make up a wrapper script for it to work, since more than half the commands require sudo access, and ForceCommand in my experience works better with one command and not a full shell script as the exec param. I'll post my findings on my blog then link back here so you and all the other readers can follow along. – Dwight Spencer Mar 23 '14 at 08:20
  • Excellent idea. I'll upvote your answer when you post it here. – mikeserv Mar 23 '14 at 08:21

1 Answer


Okay, your main problem doesn't appear to be the way you execute this. That's relatively easy with ForceCommand inside a Match block of sshd_config.

In order to do what you want to achieve, i.e. a throw-away container that "self-destructs" after use, you can use lxc-start-ephemeral. That's to say your use-case has already been considered in the set of LXC userspace tools. Only catch: your LXC version needs to be recent enough.

There's one more thing. You need a container which lxc-start-ephemeral uses as the basis for the ephemeral clone to start. More details can be found on the man page for lxc-start-ephemeral.

0xC0000022L
  • That would work, but you still need to issue an lxc connect right afterwards, therefore leaving a race condition. Though I have read up a bit more and think a better solution is to use Docker. – Dwight Spencer May 05 '14 at 05:22
  • For throwaway containers, I'd argue `docker` is better indeed. Why would you need a "connect" though? Wouldn't it be sufficient to give access to the "console" of the container, which the start command should automagically do?! – 0xC0000022L May 05 '14 at 09:22
  • Thanks, sorry about that, I did mean console. Guess I was thinking about qemu for a moment there. – Dwight Spencer May 05 '14 at 22:09
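As an added example that is not part of the original question or answer, here is a ForceCommand wrapper that does the job of the question's final sshd_config one-liner, with the cleanup the comment thread worried about (the user who closes PuTTY with [x] instead of typing exit) and with ForceCommand placed inside a Match block as the answer describes. It uses docker as in the question's final config rather than lxc-start-ephemeral; the clone-and-destroy job is the same. The image name, the `ssh` group, the sudoers rule, the resource limits and the install path are assumptions of the example, not taken from the page.

```shell
#!/bin/sh
# ssh-sandbox: ForceCommand wrapper that drops an SSH login into a throw-away
# docker container and makes sure the container is removed when the session
# ends, however it ends. Added example, not code from the original post.
#
# Install as /usr/local/bin/ssh-sandbox and point sshd at it (ForceCommand is
# its own line inside the Match block):
#
#   Match Group ssh
#       ForceCommand /usr/local/bin/ssh-sandbox
#
# Assumptions not taken from the page: the image, the "ssh" group, a sudoers
# rule that lets that group run the docker invocations below and nothing
# else, and the resource limits.
set -eu

IMAGE="${SANDBOX_IMAGE:-busybox}"         # image as in the post; assumption
DOCKER="${SANDBOX_DOCKER:-sudo docker}"   # how the wrapper reaches dockerd; assumption

# Per-session container name: user, client address and port, wrapper PID.
# Everything outside [A-Za-z0-9_.-] becomes "_", so nothing taken from the
# environment can inject extra words or options into the docker command line.
# $1 login user  $2 $SSH_CONNECTION ("client-ip client-port server-ip server-port")  $3 PID
session_name() {
    peer=$(printf '%s' "$2" | cut -d' ' -f1,2 | tr ' ' '-')
    printf '%s' "sbx-$1-$peer-$3" | sed 's/[^A-Za-z0-9_.-]/_/g'
}

# Emit the docker run arguments, one per line. SSH_ORIGINAL_COMMAND is never
# consulted: "ssh host somecmd" still lands in the sandbox, never on the host.
# $1 container name  $2 "tty" if the client allocated a pty, else "notty"
# (docker run -t fails with "the input device is not a TTY" under ssh -T)
sandbox_args() {
    tty_flag=
    [ "$2" = tty ] && tty_flag=-t
    # shellcheck disable=SC2086  # $tty_flag is intentionally unquoted
    printf '%s\n' run --rm -i $tty_flag \
        --name "$1" --label ssh-sandbox=1 \
        --cap-drop ALL --security-opt no-new-privileges \
        --pids-limit 64 --memory 128m \
        --read-only --tmpfs /tmp -w /tmp \
        "$IMAGE" /bin/sh
}

# Force-remove the session container; harmless if --rm already did it.
# shellcheck disable=SC2086
cleanup() { $DOCKER rm -f "$name" >/dev/null 2>&1 || true; }

main() {
    name=$(session_name "$(id -un)" "${SSH_CONNECTION:-}" "$$")
    if [ -t 0 ]; then mode=tty; else mode=notty; fi

    # --rm removes the container when its shell exits. A client that simply
    # disappears (PuTTY closed with [x]) does not reliably stop the container,
    # so the traps force-remove it when sshd hangs the wrapper up.
    trap cleanup EXIT
    trap 'cleanup; exit 1' HUP INT TERM

    # Re-read the argument list one line per argument so no word splitting
    # happens on the way to docker. Not exec'd: exec would replace this shell
    # and its EXIT trap with it.
    set --
    while IFS= read -r arg; do set -- "$@" "$arg"; done <<EOF
$(sandbox_args "$name" "$mode")
EOF
    # shellcheck disable=SC2086  # $DOCKER unquoted on purpose: "sudo docker" is two words
    $DOCKER "$@"
}

# Act as the login wrapper only when invoked under the installed name; sourced
# or run under another name it just defines the functions (so it can be tested).
case "${0##*/}" in ssh-sandbox) main ;; esac
```

Two things to keep in mind with this layout. Whoever may run `sudo docker` with arguments of their own choosing is root on the host, so the sudoers entry for the `ssh` group must be limited to exactly the `docker run` and `docker rm -f` invocations this wrapper makes (or name the wrapper itself as the sudo target) rather than granting `docker` wholesale. And `-t` is passed only when the client allocated a pty; a `ssh -T` or scp-style connection would otherwise fail on the docker side instead of landing in the sandbox.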