This post describes how I’ve put together a simple static content server for kubernetes clusters using a Pod with a persistent volume and multiple containers: an sftp server to manage contents, a web server to publish them with optional access control and another one to run scripts which need access to the volume filesystem.
The sftp server runs using
MySecureShell, the web
server is nginx and the script runner uses the
webhook tool to publish endpoints to call
them (the calls will come from other Pods that run backend servers or are
executed from Jobs or CronJobs).
History
The system was developed because we had a NodeJS API with endpoints to upload
files and store them on S3 compatible services that were later accessed via
HTTPS, but the requirements changed and we needed to be able to publish folders
instead of individual files using their original names and apply access
restrictions using our API.
Thinking about our requirements the use of a regular filesystem to keep the files and folders was a good option, as uploading and serving files is simple.
For the upload I decided to use the sftp protocol, mainly because I already had an sftp container image based on mysecureshell prepared; once we settled on that we added sftp support to the API server and configured it to upload the files to our server instead of using S3 buckets.
To publish the files we added a nginx container configured to work as a reverse proxy that uses the ngx_http_auth_request_module to validate access to the files (the sub request is configurable, in our deployment we have configured it to call our API to check if the user can access a given URL).
Finally we added a third container when we needed to execute some tasks
directly on the filesystem (using kubectl exec with the existing containers
did not seem a good idea, as that is not supported by CronJobs objects, for
example).
The solution we found avoiding the NIH Syndrome (i.e. write our own tool) was to use the webhook tool to provide the endpoints to call the scripts; for now we have three:
- one to get the disc usage of a
PATH, - one to
hardlinkall the files that are identical on the filesystem, - one to copy files and folders from S3 buckets to our filesystem.
Container definitions
mysecureshell
The mysecureshell container can be used to provide an sftp service with
multiple users (although the files are owned by the same UID and GID) using
standalone containers (launched with docker or podman) or in an
orchestration system like kubernetes, as we are going to do here.
The image is generated using the following Dockerfile:
ARG ALPINE_VERSION=3.16.2
FROM alpine:$ALPINE_VERSION as builder
LABEL maintainer="Sergio Talens-Oliag <sto@mixinet.net>"
RUN apk update &&\
apk add --no-cache alpine-sdk git musl-dev &&\
git clone https://github.com/sto/mysecureshell.git &&\
cd mysecureshell &&\
./configure --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man\
--localstatedir=/var --with-shutfile=/var/lib/misc/sftp.shut --with-debug=2 &&\
make all && make install &&\
rm -rf /var/cache/apk/*
FROM alpine:$ALPINE_VERSION
LABEL maintainer="Sergio Talens-Oliag <sto@mixinet.net>"
COPY --from=builder /usr/bin/mysecureshell /usr/bin/mysecureshell
COPY --from=builder /usr/bin/sftp-* /usr/bin/
RUN apk update &&\
apk add --no-cache openssh shadow pwgen &&\
sed -i -e "s|^.*\(AuthorizedKeysFile\).*$|\1 /etc/ssh/auth_keys/%u|"\
/etc/ssh/sshd_config &&\
mkdir /etc/ssh/auth_keys &&\
cat /dev/null > /etc/motd &&\
add-shell '/usr/bin/mysecureshell' &&\
rm -rf /var/cache/apk/*
COPY bin/* /usr/local/bin/
COPY etc/sftp_config /etc/ssh/
COPY entrypoint.sh /
EXPOSE 22
VOLUME /sftp
ENTRYPOINT ["/entrypoint.sh"]
CMD ["server"]The /etc/sftp_config file is used to
configure
the mysecureshell server to have all the user homes under /sftp/data, only
allow them to see the files under their home directories as if it were at the
root of the server and close idle connections after 5m of inactivity:
# Default mysecureshell configuration
<Default>
# All users will have access their home directory under /sftp/data
Home /sftp/data/$USER
# Log to a file inside /sftp/logs/ (only works when the directory exists)
LogFile /sftp/logs/mysecureshell.log
# Force users to stay in their home directory
StayAtHome true
# Hide Home PATH, it will be shown as /
VirtualChroot true
# Hide real file/directory owner (just change displayed permissions)
DirFakeUser true
# Hide real file/directory group (just change displayed permissions)
DirFakeGroup true
# We do not want users to keep forever their idle connection
IdleTimeOut 5m
</Default>
# vim: ts=2:sw=2:etThe entrypoint.sh script is the one responsible to prepare the container for
the users included on the /secrets/user_pass.txt file (creates the users with
their HOME directories under /sftp/data and a /bin/false shell and
creates the key files from /secrets/user_keys.txt if available).
The script expects a couple of environment variables:
SFTP_UID:UIDused to run the daemon and for all the files, it has to be different than0(all the files managed by this daemon are going to be owned by the same user and group, even if the remote users are different).SFTP_GID:GIDused to run the daemon and for all the files, it has to be different than0.
And can use the SSH_PORT and SSH_PARAMS values if present.
It also requires the following files (they can be mounted as secrets in kubernetes):
/secrets/host_keys.txt: Text file containing the ssh server keys in mime format; the file is processed using thereformimeutility (the one included on busybox) and can be generated using thegen-host-keysscript included on the container (it usesssh-keygenandmakemime)./secrets/user_pass.txt: Text file containing lines of the formusername:password_in_clear_text(only the users included on this file are available on thesftpserver, in fact in our deployment we use only thescsuser for everything).
And optionally can use another one:
/secrets/user_keys.txt: Text file that contains lines of the formusername:public_ssh_ed25519_or_rsa_key; the public keys are installed on the server and can be used to log into thesftpserver if theusernameexists on theuser_pass.txtfile.
The contents of the entrypoint.sh script are:
#!/bin/sh
set -e
# ---------
# VARIABLES
# ---------
# Expects SSH_UID & SSH_GID on the environment and uses the value of the
# SSH_PORT & SSH_PARAMS variables if present
# SSH_PARAMS
SSH_PARAMS="-D -e -p ${SSH_PORT:=22} ${SSH_PARAMS}"
# Fixed values
# DIRECTORIES
HOME_DIR="/sftp/data"
CONF_FILES_DIR="/secrets"
AUTH_KEYS_PATH="/etc/ssh/auth_keys"
# FILES
HOST_KEYS="$CONF_FILES_DIR/host_keys.txt"
USER_KEYS="$CONF_FILES_DIR/user_keys.txt"
USER_PASS="$CONF_FILES_DIR/user_pass.txt"
USER_SHELL_CMD="/usr/bin/mysecureshell"
# TYPES
HOST_KEY_TYPES="dsa ecdsa ed25519 rsa"
# ---------
# FUNCTIONS
# ---------
# Validate HOST_KEYS, USER_PASS, SFTP_UID and SFTP_GID
_check_environment() {
# Check the ssh server keys ... we don't boot if we don't have them
if [ ! -f "$HOST_KEYS" ]; then
cat <<EOF
We need the host keys on the '$HOST_KEYS' file to proceed.
Call the 'gen-host-keys' script to create and export them on a mime file.
EOF
exit 1
fi
# Check that we have users ... if we don't we can't continue
if [ ! -f "$USER_PASS" ]; then
cat <<EOF
We need at least the '$USER_PASS' file to provision users.
Call the 'gen-users-tar' script to create a tar file to create an archive that
contains public and private keys for users, a 'user_keys.txt' with the public
keys of the users and a 'user_pass.txt' file with random passwords for them
(pass the list of usernames to it).
EOF
exit 1
fi
# Check SFTP_UID
if [ -z "$SFTP_UID" ]; then
echo "The 'SFTP_UID' can't be empty, pass a 'GID'."
exit 1
fi
if [ "$SFTP_UID" -eq "0" ]; then
echo "The 'SFTP_UID' can't be 0, use a different 'UID'"
exit 1
fi
# Check SFTP_GID
if [ -z "$SFTP_GID" ]; then
echo "The 'SFTP_GID' can't be empty, pass a 'GID'."
exit 1
fi
if [ "$SFTP_GID" -eq "0" ]; then
echo "The 'SFTP_GID' can't be 0, use a different 'GID'"
exit 1
fi
}
# Adjust ssh host keys
_setup_host_keys() {
opwd="$(pwd)"
tmpdir="$(mktemp -d)"
cd "$tmpdir"
ret="0"
reformime <"$HOST_KEYS" || ret="1"
for kt in $HOST_KEY_TYPES; do
key="ssh_host_${kt}_key"
pub="ssh_host_${kt}_key.pub"
if [ ! -f "$key" ]; then
echo "Missing '$key' file"
ret="1"
fi
if [ ! -f "$pub" ]; then
echo "Missing '$pub' file"
ret="1"
fi
if [ "$ret" -ne "0" ]; then
continue
fi
cat "$key" >"/etc/ssh/$key"
chmod 0600 "/etc/ssh/$key"
chown root:root "/etc/ssh/$key"
cat "$pub" >"/etc/ssh/$pub"
chmod 0600 "/etc/ssh/$pub"
chown root:root "/etc/ssh/$pub"
done
cd "$opwd"
rm -rf "$tmpdir"
return "$ret"
}
# Create users
_setup_user_pass() {
opwd="$(pwd)"
tmpdir="$(mktemp -d)"
cd "$tmpdir"
ret="0"
[ -d "$HOME_DIR" ] || mkdir "$HOME_DIR"
# Make sure the data dir can be managed by the sftp user
chown "$SFTP_UID:$SFTP_GID" "$HOME_DIR"
# Allow the user (and root) to create directories inside the $HOME_DIR, if
# we don't allow it the directory creation fails on EFS (AWS)
chmod 0755 "$HOME_DIR"
# Create users
echo "sftp:sftp:$SFTP_UID:$SFTP_GID:::/bin/false" >"newusers.txt"
sed -n "/^[^#]/ { s/:/ /p }" "$USER_PASS" | while read -r _u _p; do
echo "$_u:$_p:$SFTP_UID:$SFTP_GID::$HOME_DIR/$_u:$USER_SHELL_CMD"
done >>"newusers.txt"
newusers --badnames newusers.txt
# Disable write permission on the directory to forbid remote sftp users to
# remove their own root dir (they have already done it); we adjust that
# here to avoid issues with EFS (see before)
chmod 0555 "$HOME_DIR"
# Clean up the tmpdir
cd "$opwd"
rm -rf "$tmpdir"
return "$ret"
}
# Adjust user keys
_setup_user_keys() {
if [ -f "$USER_KEYS" ]; then
sed -n "/^[^#]/ { s/:/ /p }" "$USER_KEYS" | while read -r _u _k; do
echo "$_k" >>"$AUTH_KEYS_PATH/$_u"
done
fi
}
# Main function
exec_sshd() {
_check_environment
_setup_host_keys
_setup_user_pass
_setup_user_keys
echo "Running: /usr/sbin/sshd $SSH_PARAMS"
# shellcheck disable=SC2086
exec /usr/sbin/sshd -D $SSH_PARAMS
}
# ----
# MAIN
# ----
case "$1" in
"server") exec_sshd ;;
*) exec "$@" ;;
esac
# vim: ts=2:sw=2:etThe container also includes a couple of auxiliary scripts, the first one can be
used to generate the host_keys.txt file as follows:
$ docker run --rm stodh/mysecureshell gen-host-keys > host_keys.txtWhere the script is as simple as:
#!/bin/sh
set -e
# Generate new host keys
ssh-keygen -A >/dev/null
# Replace hostname
sed -i -e 's/@.*$/@mysecureshell/' /etc/ssh/ssh_host_*_key.pub
# Print in mime format (stdout)
makemime /etc/ssh/ssh_host_*
# vim: ts=2:sw=2:etAnd there is another script to generate a .tar file that contains auth data
for the list of usernames passed to it (the file contains a user_pass.txt
file with random passwords for the users, public and private ssh keys for them
and the user_keys.txt file that matches the generated keys).
To generate a tar file for the user scs we can execute the following:
$ docker run --rm stodh/mysecureshell gen-users-tar scs > /tmp/scs-users.tarTo see the contents and the text inside the user_pass.txt file we can do:
$ tar tvf /tmp/scs-users.tar
-rw-r--r-- root/root 21 2022-09-11 15:55 user_pass.txt
-rw-r--r-- root/root 822 2022-09-11 15:55 user_keys.txt
-rw------- root/root 387 2022-09-11 15:55 id_ed25519-scs
-rw-r--r-- root/root 85 2022-09-11 15:55 id_ed25519-scs.pub
-rw------- root/root 3357 2022-09-11 15:55 id_rsa-scs
-rw------- root/root 3243 2022-09-11 15:55 id_rsa-scs.pem
-rw-r--r-- root/root 729 2022-09-11 15:55 id_rsa-scs.pub
$ tar xfO /tmp/scs-users.tar user_pass.txt
scs:20JertRSX2Eaar4xThe source of the script is:
#!/bin/sh
set -e
# ---------
# VARIABLES
# ---------
USER_KEYS_FILE="user_keys.txt"
USER_PASS_FILE="user_pass.txt"
# ---------
# MAIN CODE
# ---------
# Generate user passwords and keys, return 1 if no username is received
if [ "$#" -eq "0" ]; then
return 1
fi
opwd="$(pwd)"
tmpdir="$(mktemp -d)"
cd "$tmpdir"
for u in "$@"; do
ssh-keygen -q -a 100 -t ed25519 -f "id_ed25519-$u" -C "$u" -N ""
ssh-keygen -q -a 100 -b 4096 -t rsa -f "id_rsa-$u" -C "$u" -N ""
# Legacy RSA private key format
cp -a "id_rsa-$u" "id_rsa-$u.pem"
ssh-keygen -q -p -m pem -f "id_rsa-$u.pem" -N "" -P "" >/dev/null
chmod 0600 "id_rsa-$u.pem"
echo "$u:$(pwgen -s 16 1)" >>"$USER_PASS_FILE"
echo "$u:$(cat "id_ed25519-$u.pub")" >>"$USER_KEYS_FILE"
echo "$u:$(cat "id_rsa-$u.pub")" >>"$USER_KEYS_FILE"
done
tar cf - "$USER_PASS_FILE" "$USER_KEYS_FILE" id_* 2>/dev/null
cd "$opwd"
rm -rf "$tmpdir"
# vim: ts=2:sw=2:etnginx-scs
The nginx-scs container is generated using the following Dockerfile:
ARG NGINX_VERSION=1.23.1
FROM nginx:$NGINX_VERSION
LABEL maintainer="Sergio Talens-Oliag <sto@mixinet.net>"
RUN rm -f /docker-entrypoint.d/*
COPY docker-entrypoint.d/* /docker-entrypoint.d/Basically we are removing the existing docker-entrypoint.d scripts from the
standard image and adding a new one that configures the web server as we want
using a couple of environment variables:
AUTH_REQUEST_URI: URL to use for theauth_request, if the variable is not found on the environmentauth_requestis not used.HTML_ROOT: Base directory of the web server, if not passed the default/usr/share/nginx/htmlis used.
Note that if we don’t pass the variables everything works as if we were using
the original nginx image.
The contents of the configuration script are:
#!/bin/sh
# Replace the default.conf nginx file by our own version.
set -e
if [ -z "$HTML_ROOT" ]; then
HTML_ROOT="/usr/share/nginx/html"
fi
if [ "$AUTH_REQUEST_URI" ]; then
cat >/etc/nginx/conf.d/default.conf <<EOF
server {
listen 80;
server_name localhost;
location / {
auth_request /.auth;
root $HTML_ROOT;
index index.html index.htm;
}
location /.auth {
internal;
proxy_pass $AUTH_REQUEST_URI;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI \$request_uri;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
EOF
else
cat >/etc/nginx/conf.d/default.conf <<EOF
server {
listen 80;
server_name localhost;
location / {
root $HTML_ROOT;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
EOF
fi
# vim: ts=2:sw=2:etAs we will see later the idea is to use the /sftp/data or /sftp/data/scs
folder as the root of the web published by this container and create an
Ingress object to provide access to it outside of our kubernetes cluster.
webhook-scs
The webhook-scs container is generated using the following Dockerfile:
ARG ALPINE_VERSION=3.16.2
ARG GOLANG_VERSION=alpine3.16
FROM golang:$GOLANG_VERSION AS builder
LABEL maintainer="Sergio Talens-Oliag <sto@mixinet.net>"
ENV WEBHOOK_VERSION 2.8.0
ENV WEBHOOK_PR 549
ENV S3FS_VERSION v1.91
WORKDIR /go/src/github.com/adnanh/webhook
RUN apk update &&\
apk add --no-cache -t build-deps curl libc-dev gcc libgcc patch
RUN curl -L --silent -o webhook.tar.gz\
https://github.com/adnanh/webhook/archive/${WEBHOOK_VERSION}.tar.gz &&\
tar xzf webhook.tar.gz --strip 1 &&\
curl -L --silent -o ${WEBHOOK_PR}.patch\
https://patch-diff.githubusercontent.com/raw/adnanh/webhook/pull/${WEBHOOK_PR}.patch &&\
patch -p1 < ${WEBHOOK_PR}.patch &&\
go get -d && \
go build -o /usr/local/bin/webhook
WORKDIR /src/s3fs-fuse
RUN apk update &&\
apk add ca-certificates build-base alpine-sdk libcurl automake autoconf\
libxml2-dev libressl-dev mailcap fuse-dev curl-dev
RUN curl -L --silent -o s3fs.tar.gz\
https://github.com/s3fs-fuse/s3fs-fuse/archive/refs/tags/$S3FS_VERSION.tar.gz &&\
tar xzf s3fs.tar.gz --strip 1 &&\
./autogen.sh &&\
./configure --prefix=/usr/local &&\
make -j && \
make install
FROM alpine:$ALPINE_VERSION
LABEL maintainer="Sergio Talens-Oliag <sto@mixinet.net>"
WORKDIR /webhook
RUN apk update &&\
apk add --no-cache ca-certificates mailcap fuse libxml2 libcurl libgcc\
libstdc++ rsync util-linux-misc &&\
rm -rf /var/cache/apk/*
COPY --from=builder /usr/local/bin/webhook /usr/local/bin/webhook
COPY --from=builder /usr/local/bin/s3fs /usr/local/bin/s3fs
COPY entrypoint.sh /
COPY hooks/* ./hooks/
EXPOSE 9000
ENTRYPOINT ["/entrypoint.sh"]
CMD ["server"]Again, we use a multi-stage build because in production we wanted to support a
functionality that is not already on the official versions (streaming the
command output as a response instead of waiting until the execution ends); this
time we build the image applying the PATCH included on this
pull request against a released
version of the source instead of creating a fork.
The entrypoint.sh script is used to generate the webhook configuration file
for the existing hooks using environment variables (basically the
WEBHOOK_WORKDIR and the *_TOKEN variables) and launch the webhook
service:
#!/bin/sh
set -e
# ---------
# VARIABLES
# ---------
WEBHOOK_BIN="${WEBHOOK_BIN:-/webhook/hooks}"
WEBHOOK_YML="${WEBHOOK_YML:-/webhook/scs.yml}"
WEBHOOK_OPTS="${WEBHOOK_OPTS:--verbose}"
# ---------
# FUNCTIONS
# ---------
print_du_yml() {
cat <<EOF
- id: du
execute-command: '$WEBHOOK_BIN/du.sh'
command-working-directory: '$WORKDIR'
response-headers:
- name: 'Content-Type'
value: 'application/json'
http-methods: ['GET']
include-command-output-in-response: true
include-command-output-in-response-on-error: true
pass-arguments-to-command:
- source: 'url'
name: 'path'
pass-environment-to-command:
- source: 'string'
envname: 'OUTPUT_FORMAT'
name: 'json'
EOF
}
print_hardlink_yml() {
cat <<EOF
- id: hardlink
execute-command: '$WEBHOOK_BIN/hardlink.sh'
command-working-directory: '$WORKDIR'
http-methods: ['GET']
include-command-output-in-response: true
include-command-output-in-response-on-error: true
EOF
}
print_s3sync_yml() {
cat <<EOF
- id: s3sync
execute-command: '$WEBHOOK_BIN/s3sync.sh'
command-working-directory: '$WORKDIR'
http-methods: ['POST']
include-command-output-in-response: true
include-command-output-in-response-on-error: true
pass-environment-to-command:
- source: 'payload'
envname: 'AWS_KEY'
name: 'aws.key'
- source: 'payload'
envname: 'AWS_SECRET_KEY'
name: 'aws.secret_key'
- source: 'payload'
envname: 'S3_BUCKET'
name: 's3.bucket'
- source: 'payload'
envname: 'S3_REGION'
name: 's3.region'
- source: 'payload'
envname: 'S3_PATH'
name: 's3.path'
- source: 'payload'
envname: 'SCS_PATH'
name: 'scs.path'
stream-command-output: true
EOF
}
print_token_yml() {
if [ "$1" ]; then
cat << EOF
trigger-rule:
match:
type: 'value'
value: '$1'
parameter:
source: 'header'
name: 'X-Webhook-Token'
EOF
fi
}
exec_webhook() {
# Validate WORKDIR
if [ -z "$WEBHOOK_WORKDIR" ]; then
echo "Must define the WEBHOOK_WORKDIR variable!" >&2
exit 1
fi
WORKDIR="$(realpath "$WEBHOOK_WORKDIR" 2>/dev/null)" || true
if [ ! -d "$WORKDIR" ]; then
echo "The WEBHOOK_WORKDIR '$WEBHOOK_WORKDIR' is not a directory!" >&2
exit 1
fi
# Get TOKENS, if the DU_TOKEN or HARDLINK_TOKEN is defined that is used, if
# not if the COMMON_TOKEN that is used and in other case no token is checked
# (that is the default)
DU_TOKEN="${DU_TOKEN:-$COMMON_TOKEN}"
HARDLINK_TOKEN="${HARDLINK_TOKEN:-$COMMON_TOKEN}"
S3_TOKEN="${S3_TOKEN:-$COMMON_TOKEN}"
# Create webhook configuration
{
print_du_yml
print_token_yml "$DU_TOKEN"
echo ""
print_hardlink_yml
print_token_yml "$HARDLINK_TOKEN"
echo ""
print_s3sync_yml
print_token_yml "$S3_TOKEN"
}>"$WEBHOOK_YML"
# Run the webhook command
# shellcheck disable=SC2086
exec webhook -hooks "$WEBHOOK_YML" $WEBHOOK_OPTS
}
# ----
# MAIN
# ----
case "$1" in
"server") exec_webhook ;;
*) exec "$@" ;;
esacThe entrypoint.sh script generates the configuration file for the webhook
server calling functions that print a yaml section for each hook and
optionally adds rules to validate access to them comparing the value of a
X-Webhook-Token header against predefined values.
The expected token values are taken from environment variables, we can define
a token variable for each hook (DU_TOKEN, HARDLINK_TOKEN or S3_TOKEN)
and a fallback value (COMMON_TOKEN); if no token variable is defined for a
hook no check is done and everybody can call it.
The Hook
Definition documentation explains the options you can use for each hook, the
ones we have right now do the following:
du: runs on the$WORKDIRdirectory, passes as first argument to the script the value of thepathquery parameter and sets the variableOUTPUT_FORMATto the fixed valuejson(we use that to print the output of the script in JSON format instead of text).hardlink: runs on the$WORKDIRdirectory and takes no parameters.s3sync: runs on the$WORKDIRdirectory and sets a lot of environment variables from values read from the JSON encoded payload sent by the caller (all the values must be sent by the caller even if they are assigned an empty value, if they are missing thehookfails without calling the script); we also set thestream-command-outputvalue totrueto make the script show its output as it is working (we patched thewebhooksource to be able to use this option).
The du hook script
The du hook script code checks if the argument passed is a directory,
computes its size using the du command and prints the results in text format
or as a JSON dictionary:
#!/bin/sh
set -e
# Script to print disk usage for a PATH inside the scs folder
# ---------
# FUNCTIONS
# ---------
print_error() {
if [ "$OUTPUT_FORMAT" = "json" ]; then
echo "{\"error\":\"$*\"}"
else
echo "$*" >&2
fi
exit 1
}
usage() {
if [ "$OUTPUT_FORMAT" = "json" ]; then
echo "{\"error\":\"Pass arguments as '?path=XXX\"}"
else
echo "Usage: $(basename "$0") PATH" >&2
fi
exit 1
}
# ----
# MAIN
# ----
if [ "$#" -eq "0" ] || [ -z "$1" ]; then
usage
fi
if [ "$1" = "." ]; then
DU_PATH="./"
else
DU_PATH="$(find . -name "$1" -mindepth 1 -maxdepth 1)" || true
fi
if [ -z "$DU_PATH" ] || [ ! -d "$DU_PATH/." ]; then
print_error "The provided PATH ('$1') is not a directory"
fi
# Print disk usage in bytes for the given PATH
OUTPUT="$(du -b -s "$DU_PATH")"
if [ "$OUTPUT_FORMAT" = "json" ]; then
# Format output as {"path":"PATH","bytes":"BYTES"}
echo "$OUTPUT" |
sed -e "s%^\(.*\)\t.*/\(.*\)$%{\"path\":\"\2\",\"bytes\":\"\1\"}%" |
tr -d '\n'
else
# Print du output as is
echo "$OUTPUT"
fi
# vim: ts=2:sw=2:et:ai:sts=2The hardlink hook script
The hardlink hook script is really simple, it just runs the
util-linux version of the
hardlink
command on its working directory:
#!/bin/sh
hardlink --ignore-time --maximize .We use that to reduce the size of the stored content; to manage versions of files and folders we keep each version on a separate directory and when one or more files are not changed this script makes them hardlinks to the same file on disc, reducing the space used on disk.
The s3sync hook script
The s3sync hook script uses the s3fs
tool to mount a bucket and synchronise data between a folder inside the bucket
and a directory on the filesystem using rsync; all values needed to execute
the task are taken from environment variables:
#!/bin/ash
set -euo pipefail
set -o errexit
set -o errtrace
# Functions
finish() {
ret="$1"
echo ""
echo "Script exit code: $ret"
exit "$ret"
}
# Check variables
if [ -z "$AWS_KEY" ] || [ -z "$AWS_SECRET_KEY" ] || [ -z "$S3_BUCKET" ] ||
[ -z "$S3_PATH" ] || [ -z "$SCS_PATH" ]; then
[ "$AWS_KEY" ] || echo "Set the AWS_KEY environment variable"
[ "$AWS_SECRET_KEY" ] || echo "Set the AWS_SECRET_KEY environment variable"
[ "$S3_BUCKET" ] || echo "Set the S3_BUCKET environment variable"
[ "$S3_PATH" ] || echo "Set the S3_PATH environment variable"
[ "$SCS_PATH" ] || echo "Set the SCS_PATH environment variable"
finish 1
fi
if [ "$S3_REGION" ] && [ "$S3_REGION" != "us-east-1" ]; then
EP_URL="endpoint=$S3_REGION,url=https://s3.$S3_REGION.amazonaws.com"
else
EP_URL="endpoint=us-east-1"
fi
# Prepare working directory
WORK_DIR="$(mktemp -p "$HOME" -d)"
MNT_POINT="$WORK_DIR/s3data"
PASSWD_S3FS="$WORK_DIR/.passwd-s3fs"
# Check the moutpoint
if [ ! -d "$MNT_POINT" ]; then
mkdir -p "$MNT_POINT"
elif mountpoint "$MNT_POINT"; then
echo "There is already something mounted on '$MNT_POINT', aborting!"
finish 1
fi
# Create password file
touch "$PASSWD_S3FS"
chmod 0400 "$PASSWD_S3FS"
echo "$AWS_KEY:$AWS_SECRET_KEY" >"$PASSWD_S3FS"
# Mount s3 bucket as a filesystem
s3fs -o dbglevel=info,retries=5 -o "$EP_URL" -o "passwd_file=$PASSWD_S3FS" \
"$S3_BUCKET" "$MNT_POINT"
echo "Mounted bucket '$S3_BUCKET' on '$MNT_POINT'"
# Remove the password file, just in case
rm -f "$PASSWD_S3FS"
# Check source PATH
ret="0"
SRC_PATH="$MNT_POINT/$S3_PATH"
if [ ! -d "$SRC_PATH" ]; then
echo "The S3_PATH '$S3_PATH' can't be found!"
ret=1
fi
# Compute SCS_UID & SCS_GID (by default based on the working directory owner)
SCS_UID="${SCS_UID:=$(stat -c "%u" "." 2>/dev/null)}" || true
SCS_GID="${SCS_GID:=$(stat -c "%g" "." 2>/dev/null)}" || true
# Check destination PATH
DST_PATH="./$SCS_PATH"
if [ "$ret" -eq "0" ] && [ -d "$DST_PATH" ]; then
mkdir -p "$DST_PATH" || ret="$?"
fi
# Copy using rsync
if [ "$ret" -eq "0" ]; then
rsync -rlptv --chown="$SCS_UID:$SCS_GID" --delete --stats \
"$SRC_PATH/" "$DST_PATH/" || ret="$?"
fi
# Unmount the S3 bucket
umount -f "$MNT_POINT"
echo "Called umount for '$MNT_POINT'"
# Remove mount point dir
rmdir "$MNT_POINT"
# Remove WORK_DIR
rmdir "$WORK_DIR"
# We are done
finish "$ret"
# vim: ts=2:sw=2:et:ai:sts=2Deployment objects
The system is deployed as a StatefulSet with one replica.
Our production deployment is done on AWS and to be
able to scale we use EFS for our
PersistenVolume; the idea is that the volume has no size limit, its
AccessMode can be set to ReadWriteMany and we can mount it from multiple
instances of the Pod without issues, even if they are in different availability
zones.
For development we use k3d and we are also able to scale the
StatefulSet for testing because we use a ReadWriteOnce PVC, but it points
to a hostPath that is backed up by a folder that is mounted on all the
compute nodes, so in reality Pods in different k3d nodes use the same folder
on the host.
secrets.yaml
The secrets file contains the files used by the mysecureshell container that
can be generated using kubernetes pods as follows (we are only creating the
scs user):
$ kubectl run "mysecureshell" --restart='Never' --quiet --rm --stdin \
--image "stodh/mysecureshell:latest" -- gen-host-keys >"./host_keys.txt"
$ kubectl run "mysecureshell" --restart='Never' --quiet --rm --stdin \
--image "stodh/mysecureshell:latest" -- gen-users-tar scs >"./users.tar"Once we have the files we can generate the secrets.yaml file as follows:
$ tar xf ./users.tar user_keys.txt user_pass.txt
$ kubectl --dry-run=client -o yaml create secret generic "scs-secret" \
--from-file="host_keys.txt=host_keys.txt" \
--from-file="user_keys.txt=user_keys.txt" \
--from-file="user_pass.txt=user_pass.txt" > ./secrets.yamlThe resulting secrets.yaml will look like the following file (the base64
would match the content of the files, of course):
apiVersion: v1
data:
host_keys.txt: TWlt...
user_keys.txt: c2Nz...
user_pass.txt: c2Nz...
kind: Secret
metadata:
creationTimestamp: null
name: scs-secretpvc.yaml
The persistent volume claim for a simple deployment (one with only one instance
of the statefulSet) can be as simple as this:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: scs-pvc
labels:
app.kubernetes.io/name: scs
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 8GiOn this definition we don’t set the storageClassName to use the default one.
Volumes in our development environment (k3d)
In our development deployment we create the following PersistentVolume as
required by the
Local
Persistence Volume Static Provisioner (note that the /volumes/scs-pv has to
be created by hand, in our k3d system we mount the same host directory on the
/volumes path of all the nodes and create the scs-pv directory by hand
before deploying the persistent volume):
apiVersion: v1
kind: PersistentVolume
metadata:
name: scs-pv
labels:
app.kubernetes.io/name: scs
spec:
capacity:
storage: 8Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Delete
claimRef:
name: scs-pvc
storageClassName: local-storage
local:
path: /volumes/scs-pv
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: node.kubernetes.io/instance-type
operator: In
values:
- k3sAnd to make sure that everything works as expected we update the PVC definition
to add the right storageClassName:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: scs-pvc
labels:
app.kubernetes.io/name: scs
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 8Gi
storageClassName: local-storageVolumes in our production environment (aws)
In the production deployment we don’t create the PersistentVolume (we are
using the
aws-efs-csi-driver which
supports Dynamic Provisioning) but we add the storageClassName (we set it
to the one mapped to the EFS driver, i.e. efs-sc) and set ReadWriteMany
as the accessMode:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: scs-pvc
labels:
app.kubernetes.io/name: scs
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 8Gi
storageClassName: efs-scstatefulset.yaml
The definition of the statefulSet is as follows:
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: scs
labels:
app.kubernetes.io/name: scs
spec:
serviceName: scs
replicas: 1
selector:
matchLabels:
app: scs
template:
metadata:
labels:
app: scs
spec:
containers:
- name: nginx
image: stodh/nginx-scs:latest
ports:
- containerPort: 80
name: http
env:
- name: AUTH_REQUEST_URI
value: ""
- name: HTML_ROOT
value: /sftp/data
volumeMounts:
- mountPath: /sftp
name: scs-datadir
- name: mysecureshell
image: stodh/mysecureshell:latest
ports:
- containerPort: 22
name: ssh
securityContext:
capabilities:
add:
- IPC_OWNER
env:
- name: SFTP_UID
value: '2020'
- name: SFTP_GID
value: '2020'
volumeMounts:
- mountPath: /secrets
name: scs-file-secrets
readOnly: true
- mountPath: /sftp
name: scs-datadir
- name: webhook
image: stodh/webhook-scs:latest
securityContext:
privileged: true
ports:
- containerPort: 9000
name: webhook-http
env:
- name: WEBHOOK_WORKDIR
value: /sftp/data/scs
volumeMounts:
- name: devfuse
mountPath: /dev/fuse
- mountPath: /sftp
name: scs-datadir
volumes:
- name: devfuse
hostPath:
path: /dev/fuse
- name: scs-file-secrets
secret:
secretName: scs-secrets
- name: scs-datadir
persistentVolumeClaim:
claimName: scs-pvcNotes about the containers:
nginx: As this is an example the web server is not using anAUTH_REQUEST_URIand uses the/sftp/datadirectory as the root of the web (to get to the files uploaded for thescsuser we will need to use/scs/as a prefix on the URLs).mysecureshell: We are adding theIPC_OWNERcapability to the container to be able to use some of thesftp-*commands inside it, but they are not really needed, so adding the capability is optional.webhook: We are launching this container in privileged mode to be able to use thes3fs-fuse, as it will not work otherwise for now (see this kubernetes issue); if the functionality is not needed the container can be executed with regular privileges; besides, as we are not enabling public access to this service we don’t define*_TOKENvariables (if required the values should be read from aSecretobject).
Notes about the volumes:
- the
devfusevolume is only needed if we plan to use thes3fscommand on thewebhookcontainer, if not we can remove the volume definition and its mounts.
service.yaml
To be able to access the different services on the statefulset we publish the
relevant ports using the following Service object:
apiVersion: v1
kind: Service
metadata:
name: scs-svc
labels:
app.kubernetes.io/name: scs
spec:
ports:
- name: ssh
port: 22
protocol: TCP
targetPort: 22
- name: http
port: 80
protocol: TCP
targetPort: 80
- name: webhook-http
port: 9000
protocol: TCP
targetPort: 9000
selector:
app: scsingress.yaml
To download the scs files from the outside we can add an ingress object like
the following (the definition is for testing using the localhost name):
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: scs-ingress
labels:
app.kubernetes.io/name: scs
spec:
ingressClassName: nginx
rules:
- host: 'localhost'
http:
paths:
- path: /scs
pathType: Prefix
backend:
service:
name: scs-svc
port:
number: 80Deployment
To deploy the statefulSet we create a namespace and apply the object
definitions shown before:
$ kubectl create namespace scs-demo
namespace/scs-demo created
$ kubectl -n scs-demo apply -f secrets.yaml
secret/scs-secrets created
$ kubectl -n scs-demo apply -f pvc.yaml
persistentvolumeclaim/scs-pvc created
$ kubectl -n scs-demo apply -f statefulset.yaml
statefulset.apps/scs created
$ kubectl -n scs-demo apply -f service.yaml
service/scs-svc created
$ kubectl -n scs-demo apply -f ingress.yaml
ingress.networking.k8s.io/scs-ingress createdOnce the objects are deployed we can check that all is working using kubectl:
$ kubectl -n scs-demo get all,secrets,ingress
NAME READY STATUS RESTARTS AGE
pod/scs-0 3/3 Running 0 24s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/scs-svc ClusterIP 10.43.0.47 <none> 22/TCP,80/TCP,9000/TCP 21s
NAME READY AGE
statefulset.apps/scs 1/1 24s
NAME TYPE DATA AGE
secret/default-token-mwcd7 kubernetes.io/service-account-token 3 53s
secret/scs-secrets Opaque 3 39s
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress.networking.k8s.io/scs-ingress nginx localhost 172.21.0.5 80 17sAt this point we are ready to use the system.
Usage examples
File uploads
As previously mentioned in our system the idea is to use the sftp server from
other Pods, but to test the system we are going to do a kubectl port-forward
and connect to the server using our host client and the password we have
generated (it is on the user_pass.txt file, inside the users.tar archive):
$ kubectl -n scs-demo port-forward service/scs-svc 2020:22 &
Forwarding from 127.0.0.1:2020 -> 22
Forwarding from [::1]:2020 -> 22
$ PF_PID=$!
$ sftp -P 2020 scs@127.0.0.1 1
Handling connection for 2020
The authenticity of host '[127.0.0.1]:2020 ([127.0.0.1]:2020)' can't be \
established.
ED25519 key fingerprint is SHA256:eHNwCnyLcSSuVXXiLKeGraw0FT/4Bb/yjfqTstt+088.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[127.0.0.1]:2020' (ED25519) to the list of known \
hosts.
scs@127.0.0.1's password: **********
Connected to 127.0.0.1.
sftp> ls -la
drwxr-xr-x 2 sftp sftp 4096 Sep 25 14:47 .
dr-xr-xr-x 3 sftp sftp 4096 Sep 25 14:36 ..
sftp> !date -R > /tmp/date.txt 2
sftp> put /tmp/date.txt .
Uploading /tmp/date.txt to /date.txt
date.txt 100% 32 27.8KB/s 00:00
sftp> ls -l
-rw-r--r-- 1 sftp sftp 32 Sep 25 15:21 date.txt
sftp> ln date.txt date.txt.1 3
sftp> ls -l
-rw-r--r-- 2 sftp sftp 32 Sep 25 15:21 date.txt
-rw-r--r-- 2 sftp sftp 32 Sep 25 15:21 date.txt.1
sftp> put /tmp/date.txt date.txt.2 4
Uploading /tmp/date.txt to /date.txt.2
date.txt 100% 32 27.8KB/s 00:00
sftp> ls -l 5
-rw-r--r-- 2 sftp sftp 32 Sep 25 15:21 date.txt
-rw-r--r-- 2 sftp sftp 32 Sep 25 15:21 date.txt.1
-rw-r--r-- 1 sftp sftp 32 Sep 25 15:21 date.txt.2
sftp> exit
$ kill "$PF_PID"
[1] + terminated kubectl -n scs-demo port-forward service/scs-svc 2020:22- We connect to the
sftpservice on the forwarded port with thescsuser. - We put a file we have created on the host on the directory.
- We do a hard link of the uploaded file.
- We put a second copy of the file we created locally.
- On the file list we can see that the two first files have two hardlinks
File retrievals
If our ingress is configured right we can download the date.txt file from the
URL http://localhost/scs/date.txt:
$ curl -s http://localhost/scs/date.txt
Sun, 25 Sep 2022 17:21:51 +0200Use of the webhook container
To finish this post we are going to show how we can call the hooks directly,
from a CronJob and from a Job.
Direct script call (du)
In our deployment the direct calls are done from other Pods, to simulate it we
are going to do a port-forward and call the script with an existing PATH (the
root directory) and a bad one:
$ kubectl -n scs-demo port-forward service/scs-svc 9000:9000 >/dev/null &
$ PF_PID=$!
$ JSON="$(curl -s "http://localhost:9000/hooks/du?path=.")"
$ echo $JSON
{"path":"","bytes":"4160"}
$ JSON="$(curl -s "http://localhost:9000/hooks/du?path=foo")"
$ echo $JSON
{"error":"The provided PATH ('foo') is not a directory"}
$ kill $PF_PIDAs we only have files on the base directory we print the disk usage of the .
PATH and the output is in json format because we export OUTPUT_FORMAT with
the value json on the webhook configuration.
Cronjobs (hardlink)
As explained before, the webhook container can be used to run cronjobs; the
following one uses an alpine container to call the hardlink script each
minute (that setup is for testing, obviously):
apiVersion: batch/v1
kind: CronJob
metadata:
name: hardlink
labels:
cronjob: 'hardlink'
spec:
schedule: "* */1 * * *"
concurrencyPolicy: Replace
jobTemplate:
spec:
template:
metadata:
labels:
cronjob: 'hardlink'
spec:
containers:
- name: hardlink-cronjob
image: alpine:latest
command: ["wget", "-q", "-O-", "http://scs-svc:9000/hooks/hardlink"]
restartPolicy: NeverThe following console session shows how we create the object, allow a couple of executions and remove it (in production we keep it running but once a day, not each minute):
$ kubectl -n scs-demo apply -f webhook-cronjob.yaml 1
cronjob.batch/hardlink created
$ kubectl -n scs-demo get pods -l "cronjob=hardlink" -w 2
NAME READY STATUS RESTARTS AGE
hardlink-27735351-zvpnb 0/1 Pending 0 0s
hardlink-27735351-zvpnb 0/1 ContainerCreating 0 0s
hardlink-27735351-zvpnb 0/1 Completed 0 2s
^C
$ kubectl -n scs-demo logs pod/hardlink-27735351-zvpnb 3
Mode: real
Method: sha256
Files: 3
Linked: 1 files
Compared: 0 xattrs
Compared: 1 files
Saved: 32 B
Duration: 0.000220 seconds
$ sleep 60
$ kubectl -n scs-demo get pods -l "cronjob=hardlink" 4
NAME READY STATUS RESTARTS AGE
hardlink-27735351-zvpnb 0/1 Completed 0 83s
hardlink-27735352-br5rn 0/1 Completed 0 23s
$ kubectl -n scs-demo logs pod/hardlink-27735352-br5rn 5
Mode: real
Method: sha256
Files: 3
Linked: 0 files
Compared: 0 xattrs
Compared: 0 files
Saved: 0 B
Duration: 0.000070 seconds
$ kubectl -n scs-demo delete -f webhook-cronjob.yaml 6
cronjob.batch "hardlink" deleted- This command creates the cronjob object.
- This checks the pods with our
cronjoblabel, we interrupt it once we see that the first run has been completed. - With this command we see the output of the execution, as this is the fist
execution we see that
date.txt.2has been replaced by a hardlink (the summary does not name the file, but it is the only option knowing the contents from the original upload). - After waiting a little bit we check the pods executed again to get the name of the latest one.
- The log now shows that nothing was done.
- As this is a demo, we delete the cronjob.
Jobs (s3sync)
The following job can be used to synchronise the contents of a directory in a S3 bucket with the SCS Filesystem:
apiVersion: batch/v1
kind: Job
metadata:
name: s3sync
labels:
cronjob: 's3sync'
spec:
template:
metadata:
labels:
cronjob: 's3sync'
spec:
containers:
- name: s3sync-job
image: alpine:latest
command:
- "wget"
- "-q"
- "--header"
- "Content-Type: application/json"
- "--post-file"
- "/secrets/s3sync.json"
- "-O-"
- "http://scs-svc:9000/hooks/s3sync"
volumeMounts:
- mountPath: /secrets
name: job-secrets
readOnly: true
restartPolicy: Never
volumes:
- name: job-secrets
secret:
secretName: webhook-job-secretsThe file with parameters for the script must be something like this:
{
"aws": {
"key": "********************",
"secret_key": "****************************************"
},
"s3": {
"region": "eu-north-1",
"bucket": "blogops-test",
"path": "test"
},
"scs": {
"path": "test"
}
}Once we have both files we can run the Job as follows:
$ kubectl -n scs-demo create secret generic webhook-job-secrets \ 1
--from-file="s3sync.json=s3sync.json"
secret/webhook-job-secrets created
$ kubectl -n scs-demo apply -f webhook-job.yaml 2
job.batch/s3sync created
$ kubectl -n scs-demo get pods -l "cronjob=s3sync" 3
NAME READY STATUS RESTARTS AGE
s3sync-zx2cj 0/1 Completed 0 12s
$ kubectl -n scs-demo logs s3sync-zx2cj 4
Mounted bucket 's3fs-test' on '/root/tmp.jiOjaF/s3data'
sending incremental file list
created directory ./test
./
kyso.png
Number of files: 2 (reg: 1, dir: 1)
Number of created files: 2 (reg: 1, dir: 1)
Number of deleted files: 0
Number of regular files transferred: 1
Total file size: 15,075 bytes
Total transferred file size: 15,075 bytes
Literal data: 15,075 bytes
Matched data: 0 bytes
File list size: 0
File list generation time: 0.147 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 15,183
Total bytes received: 74
sent 15,183 bytes received 74 bytes 30,514.00 bytes/sec
total size is 15,075 speedup is 0.99
Called umount for '/root/tmp.jiOjaF/s3data'
Script exit code: 0
$ kubectl -n scs-demo delete -f webhook-job.yaml 5
job.batch "s3sync" deleted
$ kubectl -n scs-demo delete secrets webhook-job-secrets 6
secret "webhook-job-secrets" deleted- Here we create the
webhook-job-secretssecret that contains thes3sync.jsonfile. - This command runs the job.
- Checking the label
cronjob=s3syncwe get the Pods executed by the job. - Here we print the logs of the completed job.
- Once we are finished we remove the Job.
- And also the secret.
Final remarks
This post has been longer than I expected, but I believe it can be useful for someone; in any case, next time I’ll try to explain something shorter or will split it into multiple entries.