From 63765bf74e82485381cb142774383f3a1b366e77 Mon Sep 17 00:00:00 2001 From: Adrian Amaglio Date: Fri, 5 Feb 2021 17:11:47 +0100 Subject: [PATCH] organisation --- .../tp_decouverte_csv/noms.csv | 4 +- test-python-ssh/Dockerfile | 25 +++- test-python-ssh/Readme.md | 30 +++-- test-python-ssh/{app => }/entrypoint.sh | 7 ++ test-python-ssh/{app => nginx}/favicon.ico | Bin test-python-ssh/nginx/nginx.conf | 47 +++++++ .../{app => python_app}/.gitignore | 0 test-python-ssh/{app => python_app}/main.py | 0 .../{app => python_app}/modules/mod1.py | 0 .../modules/myriem/mod2.py | 0 test-python-ssh/{app => python_app}/users.txt | 0 test-python-ssh/sshd/sshd_config | 116 ++++++++++++++++++ 12 files changed, 215 insertions(+), 14 deletions(-) rename test-python-ssh/{app => }/entrypoint.sh (81%) rename test-python-ssh/{app => nginx}/favicon.ico (100%) create mode 100644 test-python-ssh/nginx/nginx.conf rename test-python-ssh/{app => python_app}/.gitignore (100%) rename test-python-ssh/{app => python_app}/main.py (100%) rename test-python-ssh/{app => python_app}/modules/mod1.py (100%) rename test-python-ssh/{app => python_app}/modules/myriem/mod2.py (100%) rename test-python-ssh/{app => python_app}/users.txt (100%) create mode 100644 test-python-ssh/sshd/sshd_config diff --git a/donnees_structurees/tp_decouverte_csv/noms.csv b/donnees_structurees/tp_decouverte_csv/noms.csv index ac288e5..2fec720 100644 --- a/donnees_structurees/tp_decouverte_csv/noms.csv +++ b/donnees_structurees/tp_decouverte_csv/noms.csv @@ -1,5 +1,5 @@ nom,prenom,date_naissance Danioko,Aya,10/05/1995 Glover,Donald,25/09/1983 -Clifford,Simpson,16/07/1996 -Janelle,Monáe,01/12/1995 +Simpson,Clifford,16/07/1996 +Monáe,Janelle,01/12/1995 diff --git a/test-python-ssh/Dockerfile b/test-python-ssh/Dockerfile index 24631cc..87438ba 100644 --- a/test-python-ssh/Dockerfile +++ b/test-python-ssh/Dockerfile 
@@ -1,7 +1,26 @@
 FROM python:3-alpine
-RUN apk update && apk add gcc linux-headers build-base
+#TODO as an educational env, we sould use debian or centos. more like debian ? A dockerfile each ?
+
+RUN apk update && apk add gcc linux-headers build-base nginx openssh
 RUN pip install uwsgi
+
 WORKDIR /usr/share/app
-COPY app/* ./
-CMD ["uwsgi", "--http", ":80", "--wsgi-file", "main.py"]
+
+
+# Python app
+COPY python_app/* ./
+
+ENV UID=33
+ENV MOUNT=/
+
+RUN MKDIR /tmp/uwsgi
+CMD ["uwsgi", "--chown-socket", "$UID", "-s", "/tmp/uwsgi/uwsgi.sock", "--manage-script-name", "--mount", "$MOUNT=main:prod_app", "--http-timeout", "10", "--master", "--hook-master-start", "unix_signal:15gracefully_kill_them_all", "--need-app", "--die-on-term", "--show-config", "--log-master", "--strict", "--vacuum", "--single-interpreter"]
+
+# SSH server
+
+# Nginx server
+COPY ./nginx.conf /etc/nginx/nginx.conf
+
+# Entrypoint
+COPY ./entrypoint.sh ./entrypoint.sh
 ENTRYPOINT ["./entrypoint.sh"]
diff --git a/test-python-ssh/Readme.md b/test-python-ssh/Readme.md
index c8dab46..396117f 100644
--- a/test-python-ssh/Readme.md
+++ b/test-python-ssh/Readme.md
@@ -1,9 +1,10 @@ # Python, web and SSH sandbox -For educational purpose. +For educational purpose only! None of this software is industry grade quality. + This repo got several parts : ## A python script -It run with wsgi, see the dockerfile CMD line). +It run with uwsgi, see the dockerfile CMD line. You will need to change it to make it listen on a port. Used to execute any python script in the `module` directory given a certain URL : - /m1/f1 -> execute the f1 function from modules/m1.py - /path/to/m2/f2 -> execute the f2 function from modules/path/to/m2.py
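Review bot: `RUN MKDIR /tmp/uwsgi` breaks the build — the shell looks up `MKDIR` literally and only `mkdir` exists; write `RUN mkdir -p /tmp/uwsgi`. The exec-form `CMD` never passes through a shell, so `"$UID"` and `"$MOUNT=main:prod_app"` reach uwsgi as the literal strings rather than the values set by the two `ENV` lines above it; either switch that command to shell form or have entrypoint.sh assemble the uwsgi arguments from the environment. `COPY ./nginx.conf /etc/nginx/nginx.conf` also points at the context root while the diffstat creates the file at `nginx/nginx.conf`, and the new `sshd/sshd_config` is never copied in at all although `openssh` is installed here. Separately, every process still runs as root and `apk add` pins no versions (and skips `--no-cache`), which matters for an image whose purpose is to expose an SSH login.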
@@ -16,32 +17,43 @@ TODO: - configure chroot - create the homes in modules directory - +## A docker image +To bundle everything in one place. +This docker image is not a pretty one, we should split those services into several containers. +But that would be harder to run, so forget that. # Instructions +## Install docker +CF the interweb TODO + ## Build the docker image ``` docker build . -t pythonsandbox ``` +or pull the image +``` +TODO: send image to hub +``` ## Run the docker image ``` -docker run -it --rm -p 8880:80 --name pythonsandbox pythonsandbox +docker run -it --network host --name pythonsandbox pythonsandbox ``` Or if you want to save student work outside of the container: ``` -docker run -it --rm -p 8880:80 --name pythonsandbox -v "$(pwd)"/app/modules:/usr/share/app/modules pythonsandbox +docker run -it --network host --name pythonsandbox -v "$(pwd)"/app/modules:/usr/share/app/modules pythonsandbox ``` And with user list file ``` -docker run -it --rm -p 8880:80 --name pythonsandbox -v "$(pwd)"/app/modules:/usr/share/app/modules -v "$(pwd)"/app/users.txt:/usr/share/app/users.txt pythonsandbox +docker run -it --network host --name pythonsandbox -v "$(pwd)"/app/modules:/usr/share/app/modules -v "$(pwd)"/app/users.txt:/usr/share/app/users.txt pythonsandbox ``` +## Roadmap ## Example With the files under `./app/modules` you can get the following URLs : -- http://localhost:8880/mod1/func1_1 -- http://localhost:8880/mod1/func1_2 -- http://localhost:8880/myriem/mod2/func2_1 +- http://localhost/mod1/func1_1 +- http://localhost/mod1/func1_2 +- http://localhost/myriem/mod2/func2_1 diff --git a/test-python-ssh/app/entrypoint.sh b/test-python-ssh/entrypoint.sh similarity index 81% rename from test-python-ssh/app/entrypoint.sh rename to test-python-ssh/entrypoint.sh index 70599e9..99c7bd8 100755 --- a/test-python-ssh/app/entrypoint.sh +++ b/test-python-ssh/entrypoint.sh 
@@ -18,5 +18,12 @@ if [ ! -f 'passwords.txt' ] ; then done fi +# Nginx +nginx -c '/etc/nginx/nginx.conf' & + +# SSH server +#TODO + # Start watever the container should be doing +# TODO start it as www-data $@
diff --git a/test-python-ssh/app/favicon.ico b/test-python-ssh/nginx/favicon.ico
similarity index 100%
rename from test-python-ssh/app/favicon.ico
rename to test-python-ssh/nginx/favicon.ico
diff --git a/test-python-ssh/nginx/nginx.conf b/test-python-ssh/nginx/nginx.conf
new file mode 100644
index 0000000..e81cdc2
--- /dev/null
+++ b/test-python-ssh/nginx/nginx.conf
@@ -0,0 +1,47 @@
+user www-data;
+worker_processes auto;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ # server_tokens off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ types_hash_max_size 2048;
+ types_hash_bucket_size 128;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ error_log /dev/stderr;
+ access_log /dev/stdout;
+ gzip on;
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ root /usr/share/app/modules/
+ location / {
+ index index.html main.py;
+ try_files $uri $uri/ =404;
+ }
+
+ location ~ \.py {
+ include uwsgi_params;
+ #uwsgi_param PATH_INFO "$1";
+ #uwsgi_param SCRIPT_NAME /;
+ uwsgi_pass unix:/tmp/uwsgi/uwsgi.sock;
+ }
+}
+
+}
diff --git a/test-python-ssh/app/.gitignore b/test-python-ssh/python_app/.gitignore
similarity index 100%
rename from test-python-ssh/app/.gitignore
rename to test-python-ssh/python_app/.gitignore
diff --git a/test-python-ssh/app/main.py b/test-python-ssh/python_app/main.py
similarity index 100%
rename from test-python-ssh/app/main.py
rename to test-python-ssh/python_app/main.py
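Review bot: The final `$@` still runs the container command as a child of the script, so uwsgi is not PID 1 and the SIGTERM from `docker stop` reaches the shell instead of the server that the CMD's `--die-on-term` flag expects to receive it; change that line to `exec "$@"` (the quoting also keeps arguments containing spaces intact). The `nginx -c '/etc/nginx/nginx.conf' &` line backgrounds nginx with nothing supervising it, so a crashed nginx leaves the container running but unreachable on port 80, and the `# TODO start it as www-data` comment is still open, so both services start as root. The `if` and loop closed by `done`/`fi` at the top of this hunk begin before it.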
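Review bot: `root /usr/share/app/modules/` is missing its terminating `;`, so nginx rejects the whole file at startup (`nginx -t` reports the `location` token on the next line as unexpected); write `root /usr/share/app/modules/;`. Beyond that, only URIs matching `location ~ \.py` are forwarded to the uwsgi socket, so the README's example URLs such as `/mod1/func1_1` fall through to `location /` and its `try_files $uri $uri/ =404` instead of reaching the app, while any file under `modules/` whose name lacks `.py` is served verbatim as a static download. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` is dead configuration here (no TLS listener) but should drop the two deprecated versions if kept, and `server_tokens off` is worth uncommenting. `user www-data;` and `include /etc/nginx/modules-enabled/*.conf;` are Debian conventions; on the `python:3-alpine` base used by the Dockerfile the nginx package ships its own user and module directory, so these likely need adjusting — confirm with `nginx -t` inside the image.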
diff --git a/test-python-ssh/app/modules/mod1.py b/test-python-ssh/python_app/modules/mod1.py similarity index 100% rename from test-python-ssh/app/modules/mod1.py rename to test-python-ssh/python_app/modules/mod1.py diff --git a/test-python-ssh/app/modules/myriem/mod2.py b/test-python-ssh/python_app/modules/myriem/mod2.py similarity index 100% rename from test-python-ssh/app/modules/myriem/mod2.py rename to test-python-ssh/python_app/modules/myriem/mod2.py diff --git a/test-python-ssh/app/users.txt b/test-python-ssh/python_app/users.txt similarity index 100% rename from test-python-ssh/app/users.txt rename to test-python-ssh/python_app/users.txt diff --git a/test-python-ssh/sshd/sshd_config b/test-python-ssh/sshd/sshd_config new file mode 100644 index 0000000..50c9fa6 --- /dev/null +++ b/test-python-ssh/sshd/sshd_config 
@@ -0,0 +1,116 @@
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no # pam does that
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
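Review bot: The file is the untouched upstream default, so the settings that matter for student logins are the ones left commented and therefore inherited: `PasswordAuthentication yes`, `PermitRootLogin prohibit-password`, `AllowTcpForwarding yes` and `AllowAgentForwarding yes`. For an image the README calls a sandbox — and suggests running with `--network host` — those should be set explicitly rather than inherited, e.g. `PermitRootLogin no`, `AllowTcpForwarding no`, `AllowAgentForwarding no`, plus the `ChrootDirectory` the README lists as a TODO, so an SSH session cannot be used as a tunnel into the host's network. `UsePAM yes` assumes a PAM-enabled sshd build, which the plain Alpine openssh package may not be (sshd then logs it as an unsupported option), so verify with `sshd -t` inside the image. Note also that the Dockerfile hunk in this commit never copies this file into the image, so none of it takes effect yet.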