
Re: Remote execution in pods in OpenShift v3



Is there a plan to mark a container that has been accessed via SSH with an attribute in the API server data model to denote that it has been potentially modified?

----- Original Message -----
From: "Clayton Coleman" <ccoleman redhat com>
To: "David Eads" <deads redhat com>
Cc: dev lists openshift redhat com
Sent: Wednesday, March 18, 2015 4:21:38 PM
Subject: Re: Remote execution in pods in OpenShift v3

Right now, and we'll add the bastion (at which point you'll be able to control this fine grained).

----- Original Message -----
> `exec` makes use of the `proxy` verb directly to a node.  By default
> only cluster admins (we make one for you called system:admin) have the
> power to proxy, so only cluster admins can exec into pods.
> 
> 
> 
> On Wed, 2015-03-18 at 20:00 +0100, Akram Ben Aissi wrote:
> > That's greatly powerful!
> > 
> > Can we set a policy yet to allow or disallow it?
> > 
> > Sent from mobile
> > 
> > > On 18 March 2015, at 19:51, Clayton Coleman <ccoleman redhat com> wrote:
> > > 
> > > Remote execution to containers and pods is now part of the 'osc' command
> > > - big thanks to Andy for driving that upstream in Kube and into
> > > OpenShift.  Some examples:
> > > 
> > >    # get a remote shell to a pod called 'test'
> > >    $ osc exec -itp test -- /bin/bash
> > > 
> > >    # list a file
> > >    $ osc exec -p test -- ls /var/log
> > > 
> > >    # rsync using osc as netcat
> > >    $ rsync -av -e 'osc exec -ip test -- /bin/bash' mylocalfolder/ /tmp/remote/folder
> > > 
> > > And even SSH, using the ProxyCommand directive and SSHD's inetd support
> > > to an image with sshd installed and the default root user having no
> > > password.
> > > 
> > >    $ cat ~/.ssh/config
> > >    Host testpod
> > >      User root
> > >      ProxyCommand osc exec -ip test -- /bin/bash -c "sshd-keygen && $(which sshd) -o 'AuthenticationMethods password' -o 'permitemptypasswords yes' -o 'UsePAM no' -o 'UsePrivilegeSeparation no' -ddd -i -u 256 -E /tmp/log"
> > > 
> > >    $ ssh testpod
> > >    root pod's password:
> > >    Last login: Wed Mar 18 18:28:47 2015 from UNKNOWN
> > >    [root test ~]# ps
> > >      PID TTY          TIME CMD
> > >       24 pts/0    00:00:00 bash
> > >       77 pts/0    00:00:00 yum
> > >      541 pts/0    00:00:00 bash
> > >      557 pts/0    00:00:00 ps
> > > 
> > > There are still some edge cases around command execution we are testing
> > > (sometimes CTRL+C can result in the tty not being reset, so you have to
> > > run 'stty sane' or close your shell).  But hopefully you'll start seeing
> > > these patterns crop up so you can integrate existing tools and workflows
> > > into your OpenShift 3 applications.
> > > 
> > > _______________________________________________
> > > dev mailing list
> > > dev lists openshift redhat com
> > > http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
> > 

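
An added illustration, not code from the thread or from OpenShift: a small Python check that pulls the `-o` options out of the ProxyCommand quoted above and reports the ones that leave sshd doing no authentication of its own, so that access rests entirely on who is allowed to run `osc exec`. The finding names and the hardened comparison command are constructed for this example.

```python
import shlex

# ProxyCommand from the thread, joined onto one line.
PAGE_PROXY_COMMAND = (
    'osc exec -ip test -- /bin/bash -c "sshd-keygen && $(which sshd) '
    "-o 'AuthenticationMethods password' -o 'permitemptypasswords yes' "
    "-o 'UsePAM no' -o 'UsePrivilegeSeparation no' -ddd -i -u 256 -E /tmp/log\""
)

# Constructed for comparison (not from the thread): key-based login only.
HARDENED_PROXY_COMMAND = (
    'osc exec -ip test -- /bin/bash -c "sshd-keygen && $(which sshd) '
    "-o 'AuthenticationMethods publickey' -o 'PermitEmptyPasswords no' -i\""
)


def sshd_options(command):
    """Collect every -o 'Keyword value' option in `command`, lower-cased."""
    tokens = shlex.split(command)
    # Descend one level into the script handed to `bash -c` / `sh -c`.
    for i in range(1, len(tokens) - 1):
        if tokens[i] == "-c" and tokens[i - 1].endswith("sh"):
            tokens = shlex.split(tokens[i + 1])
            break
    opts = {}
    for flag, arg in zip(tokens, tokens[1:]):
        parts = arg.replace("=", " ", 1).split(None, 1)
        if flag == "-o" and len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip().lower()
    return opts


def audit(command):
    """Return sorted finding names (hypothetical labels) for `command`."""
    opts = sshd_options(command)
    findings = []
    if opts.get("permitemptypasswords") == "yes":
        findings.append("empty-passwords-permitted")
        # Password-only auth plus empty passwords: sshd authenticates nothing
        # for such accounts, so the only gate left is who may run exec.
        if opts.get("authenticationmethods") == "password":
            findings.append("password-only-with-empty-passwords")
    if opts.get("useprivilegeseparation") == "no":
        findings.append("privilege-separation-disabled")
    return sorted(findings)


if __name__ == "__main__":
    print(audit(PAGE_PROXY_COMMAND))
    print(audit(HARDENED_PROXY_COMMAND))
```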

