Saturday, January 23, 2016

Shellinabox working with Docker

About a week ago, I became interested in Docker after spending hours trying to (unsuccessfully) get Guacamole to work on a lab machine. In frustration, I tried the Docker version. Guacamole was up and running about five minutes after that.

This week, I've been working on a web-based front-end to Docker. So far, I'm able to list containers and start/stop/pause/unpause them. Last night, I added ShellInABox to the mix. In short, I can now access the individual containers via a browser-based terminal. Not wanting to have multiple full-time instances of SIAB, I used the CGI option and came up with the following CGI script:

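#!/usr/bin/perl

use strict;
use warnings;
use CGI;
my $query = CGI->new;
# Container to attach to, taken from the GET or POST parameter.
my $container_id = $query->param("container_id") // '';
chomp $container_id;

# This value lands on a root command line below: accept a hex container ID only.
unless ($container_id =~ /\A[0-9a-f]{12,64}\z/) {
    print $query->header(-status => '400 Bad Request', -type => 'text/plain'), "invalid container_id\n";
    exit;
}

# One-shot shellinaboxd in CGI mode; its service runs "docker exec" in the chosen container.
system("sudo shellinaboxd -q -t --cgi --service='/':0:0:'/var/tmp':'/bin/bash -c \"docker exec -it $container_id bash\"'");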

The above is called by a URL (in the web front-end) that looks like: "http://dockerbox.joat/cgi-bin/siab.cgi?container_id=6402f93179a1". It can also be called via the appropriate POST request.
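The container_id parameter is interpolated into a command line that runs under sudo, so it is worth resolving it against the containers that actually exist before using it. The following is an added example, not the author's script: resolve_container is a hypothetical helper, and @running is constructed sample data standing in for the output of `docker ps -q --no-trunc`.

```perl
#!/usr/bin/perl
# Added example: map a user-supplied container_id to exactly one known
# container before it is placed on a command line.
use strict;
use warnings;

# Constructed sample standing in for `docker ps -q --no-trunc` output
# (full 64-character IDs).
my @running = (
    '6402f93179a1' . ('0' x 52),
    '6402aa00beef' . ('1' x 52),
    'c0ffee123456' . ('2' x 52),
);

# Returns the full 64-character ID, or undef when the input is not a
# hex prefix of exactly one running container.
sub resolve_container {
    my ($input, @known) = @_;
    return unless defined $input;
    # Allowlist: 12 to 64 lowercase hex characters and nothing else.
    # \A and \z (not ^ and $) so a trailing newline cannot slip through.
    return unless $input =~ /\A[0-9a-f]{12,64}\z/;
    my @hits = grep { index($_, $input) == 0 } @known;
    return @hits == 1 ? $hits[0] : undef;
}

# Constructed inputs covering the short ID from the URL above and
# several values the CGI should refuse.
my @tests = (
    '6402f93179a1',        # short ID of a running container
    '6402',                # too short to identify a container
    'deadbeef0000',        # well-formed, but no such container
    '6402f93179a1; id',    # shell metacharacters after the ID
    "6402f93179a1\n",      # trailing newline
);

for my $t (@tests) {
    my $id = resolve_container($t, @running);
    (my $shown = $t) =~ s/\n/\\n/g;    # make the newline visible when printing
    printf "%-22s => %s\n", "'$shown'", defined $id ? "exec in $id" : 'rejected';
}
```

In the CGI script, the full ID returned by the helper would be what gets passed to docker exec, never the raw request parameter.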

Noted shortcomings:

  • SIAB appears to not function well with Chrome. In reading various others' comments on the topic, it appears that Google made changes to the CSS handler some time in the past and it appears to be on the SIAB author(s) to make adjustments.

    Update: While the bug is quite annoying (ShellInABox output sometimes is mashed into a single line), it becomes a minor one once you know the work-around: change your zoom level back to 100% and refresh the page.

  • SIAB does not automatically disconnect from the target container when the browser window is closed. I'm experimenting with Bash shell timeouts in an attempt to compensate.

    Update: The browser timeouts appear to work. Add the following to /root/.bashrc in each container:

    TMOUT=300
    readonly TMOUT
    export TMOUT

    The above will automatically log out the user after 5 minutes of inactivity. Doing so also kills the individual instance of ShellInABox (in CGI mode). Of course, this does nothing for the security of the configuration, so absolutely DO NOT USE this in production environments.

    Update: You can also add in a "cleanup" system call to kill existing/unused instances of ShellInABox. "killall shellinaboxd" or some such.

  • There's absolutely no security associated with the above method, so add authentication and security (e.g., encryption) before using the above.