From 9a06da88bed5c8c9000bc42f78e779909415446b Mon Sep 17 00:00:00 2001
From: Nikolaus Demmel
Date: Fri, 5 Aug 2016 22:08:54 +0200
Subject: [PATCH 1/5] Never use proxy when communicating with the vault.

Without this, building Dockerfiles with ONVAULT fails in the presence of an http proxy.
---
 ONVAULT | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ONVAULT b/ONVAULT
index 54edcf4..30b8e2a 100755
--- a/ONVAULT
+++ b/ONVAULT
@@ -22,6 +22,10 @@ log () {
 echo -e "${GREEN}[Dockito Vault]${NC} $@"
 }
+# don't go through proxy for accessing vault
+no_proxy_old="$no_proxy"
+export no_proxy="$VAULT_HOST"
+
 if ! curl -s "${VAULT_URI}/_ping"; then
 COUNTER=0
 echo 'Waiting 10s for dockito/vault to be ready...'
@@ -54,6 +58,9 @@ if curl -s "${VAULT_URI}/_ping"; then
 echo -e "\nHost *\nIdentityFile ~/.ssh/$VAULT_SSH_KEY" >> ~/.ssh/config
 fi
+ # restore 'no_proxy' for executing the actual command
+ export no_proxy="$no_proxy_old"
+
 log "Executing command: $@"
 eval $@

From 3cd68ccb17f4d4def2d97f74efff2b2a6c938393 Mon Sep 17 00:00:00 2001
From: Nikolaus Demmel
Date: Fri, 5 Aug 2016 22:09:53 +0200
Subject: [PATCH 2/5] remove temporary tared archive of .ssh folder

---
 index.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/index.js b/index.js
index 6de406a..d28a6c5 100644
--- a/index.js
+++ b/index.js
@@ -33,6 +33,7 @@ app.get('/ssh.tgz', function (req, res) {
 var filestream = fs.createReadStream(file);
 filestream.pipe(res);
+ fs.unlink(file)
 });
 });
 });

From a57692e029485f5f1b2b43c43fb0e37a41f11a25 Mon Sep 17 00:00:00 2001
From: Nikolaus Demmel
Date: Fri, 5 Aug 2016 22:12:00 +0200
Subject: [PATCH 3/5] make sure /vault/.ssh exists (e.g. in case we start the container with an empty volume)

---
 index.js | 4 +++-
 package.json | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/index.js b/index.js
index d28a6c5..af904c0 100644
--- a/index.js
+++ b/index.js
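Review bot: Restoring with `export no_proxy="$no_proxy_old"` in the second ONVAULT hunk turns an originally unset `no_proxy` into an exported empty string in the environment of the command started by `eval $@`, which is not the state the script began in, and the restore only runs on the code path that reaches it inside the `if curl …` block. Scoping the override to the vault requests avoids mutating process-wide state at all, e.g. a wrapper `vault_curl() { no_proxy="$VAULT_HOST" curl "$@"; }` used for the `_ping` and `ssh.tgz` calls, which makes the restore hunk unnecessary. If the save/restore is kept, distinguish unset from empty: `if [ -z "${no_proxy_old+x}" ]; then unset no_proxy; else export no_proxy="$no_proxy_old"; fi`. Both hunks sit inside blocks that start and end outside the hunk, and where `VAULT_HOST` is defined is not visible here.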
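Review bot: `fs.unlink(file)` is issued without a callback right after `filestream.pipe(res)`, so the unlink is queued alongside the read stream's own asynchronous open of the same path; if the unlink completes first the response fails with ENOENT, and the failure is unobservable because there is nowhere for the error to go (Node 10 and later reject the missing callback with ERR_INVALID_CALLBACK before anything runs). The temp file holds the user's private keys, so it should be removed once the stream has finished, with errors reported rather than dropped. The enclosing `app.get('/ssh.tgz', …)` handler begins before the hunk, so whether earlier error paths also leave the file behind is not visible here.

```javascript
var filestream = fs.createReadStream(file);
filestream.pipe(res);
// remove the key bundle once the stream is done (emitted on both end and error)
filestream.on('close', function () {
  fs.unlink(file, function (err) {
    if (err) console.error('Failed to remove ' + file + ': ' + err.message);
  });
});
```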
@@ -2,7 +2,8 @@ var express = require('express'),
 fs = require('fs'),
 exec = require('child_process').exec,
 mime = require('mime'),
- path = require('path');
+ path = require('path'),
+ mkdirp = require('mkdirp');
 var host = process.env.HTTP_HOST || '0.0.0.0';
@@ -21,6 +22,7 @@ app.get('/_ping', function (req, res) {
 Bundle containing all the user's private keys and ssh configuration */
 app.get('/ssh.tgz', function (req, res) {
+ mkdirp("/vault/.ssh");
 exec('mktemp -q /tmp/ssh.XXXXXX', function (err, stdout) {
 var file = stdout.match(/(.+)/)[0];
diff --git a/package.json b/package.json
index c8bfb35..0843fb6 100644
--- a/package.json
+++ b/package.json
@@ -11,6 +11,7 @@
 "license": "ISC",
 "dependencies": {
 "express": "^4.12.3",
- "mime": "^1.3.4"
+ "mime": "^1.3.4",
+ "mkdirp": "^0.5.1"
 }
 }

From b1f14381a3ced41579f239a2cc8e1846953377e7 Mon Sep 17 00:00:00 2001
From: Nikolaus Demmel
Date: Fri, 5 Aug 2016 22:12:36 +0200
Subject: [PATCH 4/5] make sure ONVAULT works with empty .ssh folder

---
 ONVAULT | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ONVAULT b/ONVAULT
index 30b8e2a..6ca92f5 100755
--- a/ONVAULT
+++ b/ONVAULT
@@ -49,8 +49,8 @@ if curl -s "${VAULT_URI}/_ping"; then
 log "Downloading private keys..."
 curl -s "${VAULT_URI}/ssh.tgz" | tar -C ~/.ssh/ -zxf -
- chown `whoami` ~/.ssh/*
- chmod 600 ~/.ssh/*
+ chown -f `whoami` ~/.ssh/* || true
+ chmod -f 600 ~/.ssh/* || true
 log "Using ssh key: $VAULT_SSH_KEY"
 if [[ "$VAULT_SSH_KEY" != "id_rsa" ]]; then

From 743cf018b7a3f926e49e45069776a481f4e5a12e Mon Sep 17 00:00:00 2001
From: Nikolaus Demmel
Date: Fri, 5 Aug 2016 22:13:13 +0200
Subject: [PATCH 5/5] Add .dockerignore for all except the actually needed files.

---
 .dockerignore | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 .dockerignore

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..64b2baf
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,4 @@
+*
+!index.js
+!ONVAULT
+!package.json
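Review bot: `mkdirp("/vault/.ssh")` is called without a callback, so it runs asynchronously and the `exec('mktemp …')` on the next line, and whatever later packs `/vault/.ssh` into the temp file, is not ordered after it; on a fresh empty volume the directory may still be missing when it is used, and any mkdirp error is silently dropped. Either use the synchronous form, `mkdirp.sync("/vault/.ssh");`, which also surfaces a failure as an exception in the handler, or move the `exec` into mkdirp's callback and check its `err`. On Node 10.12 and later the same can be done without the new dependency via `fs.mkdirSync("/vault/.ssh", { recursive: true })`, which would make the `require` and `package.json` hunks unnecessary. The handler body continues past the hunk, so the point at which the directory is actually read is not visible here.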
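Review bot: `chown -f … || true` and `chmod -f 600 … || true` in the ONVAULT hunk hide every failure, not only the no-match case the commit is after, so a key file that could not be restricted to 0600 now passes without a message and ssh refuses it later with a far less obvious error. The script already uses `[[ … ]]` and therefore runs under bash, so the empty directory can be handled with `nullglob` while real chown/chmod errors are still reported. The surrounding `if curl …` block starts and ends outside the hunk.

```shell
# with nullglob an empty ~/.ssh expands to nothing instead of a literal pattern
shopt -s nullglob
for f in ~/.ssh/*; do
  chown "$(whoami)" "$f"
  chmod 600 "$f"
done
shopt -u nullglob
```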