# Copyright 2018 Datawire. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Base image: Red Hat UBI 8 with Python 3.6.
# NOTE(review): ":1" looks like a moving tag, so a rebuild may pull a different
# image; pin the image by digest if builds must be reproducible.
FROM registry.access.redhat.com/ubi8/python-36:1
# when there is a proxy, build this file like this:
# V=0.101; docker build -f Dockerfile.ocp -t registry.corp.example.com/telepresence/telepresence-k8s:$V --build-arg http_proxy="http://proxy.corp.example.com:8080" --build-arg https_proxy="http://proxy.corp.example.com:8080" --build-arg no_proxy=".example.com" . ; docker push registry.corp.example.com/telepresence/telepresence-k8s:$V
# APP_ROOT is not set in this file; presumably it is provided by the base image.
WORKDIR ${APP_ROOT}
# Root is needed for the yum and ownership steps below; the image switches to
# an unprivileged UID again before CMD.
USER root
COPY requirements.txt ${APP_ROOT}
# Install required python3 modules, then remove gcc and the yum caches in the
# same RUN step. With gcc removed, no C compiler is available in the running
# container.
# NOTE(review): requirements.txt is not visible here; pinned versions (ideally
# with hashes) keep this step from installing whatever is newest at build time.
RUN pip3 install --no-cache-dir incremental && \
pip3 install --no-cache-dir -r requirements.txt && \
yum -y remove gcc && \
yum clean all && \
rm -rf /var/cache/yum
COPY forwarder.py ${APP_ROOT}
COPY socks.py ${APP_ROOT}
# NOTE(review): this copies the whole build context, which already contains the
# files copied individually above. Use a .dockerignore so local credentials,
# VCS metadata and other unrelated files do not end up in the image.
COPY . ${APP_ROOT}
# Make the OpenShift-specific start script the one that CMD runs.
RUN cp ${APP_ROOT}/run-ocp.sh ${APP_ROOT}/run.sh
# Hand the application directory to UID 1001 / GID 0. fix-permissions and
# rpm-file-permissions are not defined in this file; presumably they are helper
# scripts shipped in the base image.
RUN chown -R 1001:0 ${APP_ROOT} && \
fix-permissions ${APP_ROOT} -P && \
rpm-file-permissions
# Documents the listening port only; EXPOSE does not publish it.
EXPOSE 8022
# Drop root: the container process runs as UID 1001 with group 0.
USER 1001:0
# Shell-form CMD: the script is started through the image's shell, so
# ${APP_ROOT} is expanded when the container starts.
CMD ${APP_ROOT}/run.sh
package main
import (
"context"
"fmt"
"io"
"log"
"os/exec"
"github.com/gliderlabs/ssh"
gossh "golang.org/x/crypto/ssh"
)
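// main starts the SSH server built by CreateServer and blocks until it stops.
func main() {
	srv := CreateServer()
	// ListenAndServe only returns on failure (for example when the port is
	// already in use); report the error instead of exiting silently with
	// status 0.
	if err := srv.ListenAndServe(); err != nil {
		log.Fatal(err)
	}
}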
// CreateServer builds an SSH server configured to listen on ":8022" and
// returns it without starting it.
//
// The server runs the command of an exec request through ExecSession, serves
// "tcpip-forward"/"cancel-tcpip-forward" and "direct-tcpip", and answers
// OpenSSH keepalive requests.
//
// NOTE(review): no password, public-key or keyboard-interactive handler is
// set here. As far as I know gliderlabs/ssh then accepts clients without
// authentication, and both forwarding callbacks below approve every request,
// so anyone who can reach the port can run commands and open tunnels as the
// server's user. Confirm that the listener is only reachable over a trusted
// path, or add an auth handler and restrict the forward targets.
//
// NOTE(review): no host key is configured either; the library presumably
// generates one at start-up, which means clients cannot pin the server
// identity across restarts. Confirm.
func CreateServer() *ssh.Server {
	forwards := &ssh.ForwardedTCPHandler{}

	// Sessions that carry a command are executed. Sessions without one are
	// left open on purpose: calling sess.Exit would kill the whole session
	// and forward requests could no longer be served.
	handleSession := func(sess ssh.Session) {
		if sess.RawCommand() == "" {
			return
		}
		ExecSession(sess)
	}

	// Reply positively to OpenSSH client keepalives.
	keepAlive := func(_ ssh.Context, _ *ssh.Server, _ *gossh.Request) (bool, []byte) {
		return true, []byte("alive!")
	}

	// Both callbacks log the requested endpoint and always allow it.
	allowLocal := func(_ ssh.Context, destinationHost string, destinationPort uint32) bool {
		log.Println("local attempt to bind", destinationHost, destinationPort, "granted")
		return true
	}
	allowReverse := func(_ ssh.Context, bindHost string, bindPort uint32) bool {
		log.Println("reverse attempt to bind", bindHost, bindPort, "granted")
		return true
	}

	return &ssh.Server{
		Addr:    ":8022",
		Handler: handleSession,
		RequestHandlers: map[string]ssh.RequestHandler{
			"tcpip-forward":         forwards.HandleSSHRequest,
			"cancel-tcpip-forward":  forwards.HandleSSHRequest,
			"keepalive@openssh.com": keepAlive,
		},
		ChannelHandlers: map[string]ssh.ChannelHandler{
			"session":      ssh.DefaultSessionHandler,
			"direct-tcpip": ssh.DirectTCPIPHandler,
		},
		LocalPortForwardingCallback:   allowLocal,
		ReversePortForwardingCallback: allowReverse,
	}
}
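// ExecSession runs the session's raw command with "/usr/bin/sh -c", wires the
// session to the command's stdin, stdout and stderr, and reports the command's
// exit code to the client before closing the session.
//
// The command string comes from the SSH client and is handed to the shell
// unmodified, so the caller must already have decided that this client is
// allowed to run arbitrary commands as the server's user.
//
// If the stdin pipe cannot be created or the command cannot be started, the
// error is logged and the session is ended with exit code -1, the same value
// ExitCode reports for a process that never ran.
func ExecSession(sess ssh.Session) {
	// Derive the context from the session so the child process is killed
	// when the client disconnects instead of lingering.
	ctx, cancel := context.WithCancel(sess.Context())
	defer cancel()

	cmd := exec.CommandContext(ctx, "/usr/bin/sh", "-c", sess.RawCommand())
	cmd.Stdout = sess
	cmd.Stderr = sess

	in, err := cmd.StdinPipe()
	if err != nil {
		// in is nil here; continuing would panic on in.Close.
		log.Println(fmt.Errorf("exec session: opening stdin pipe: %w", err))
		sess.Exit(-1)
		sess.Close()
		return
	}

	if err := cmd.Start(); err != nil {
		in.Close()
		log.Println(fmt.Errorf("exec session: starting command: %w", err))
		sess.Exit(-1)
		sess.Close()
		return
	}

	go func() {
		// Best effort: a copy error only means one side went away.
		io.Copy(in, sess)
		// Close stdin once the client is done sending so commands that read
		// until EOF can finish; Wait would otherwise block on them forever.
		in.Close()
	}()

	// A non-zero exit surfaces as an error here; the code itself is
	// forwarded to the client below.
	_ = cmd.Wait()
	sess.Exit(cmd.ProcessState.ExitCode())
	sess.Close()
}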