
Dockersh – a shell that puts users into individual docker containers - whalesalad
https://github.com/Yelp/dockersh
======
scintill76
> This allows you to have a single ssh process on the normal ssh port which
> places user sessions into their own individual docker containers in a secure
> and locked down manor.

Funniest instance of this misused homonym I've seen.

~~~
StavrosK
It's more of a stately home, really.

~~~
teh_klev
Or "tax" raising locale in east end London gangster parlance.

------
donw
I'm not sure if this is related -- because it doesn't require Docker or Linux
-- but I've got a small shell tool for transparent development on remote
machines. Gives you the ability to do something similiar (`ws shell`), and
drop directly into the remote environment you're working in.

I use it to work on my Mac, but develop on a Linux box:

[https://github.com/matadon/workspace](https://github.com/matadon/workspace)

------
rurounijones
With a name like that I hope the patron saint of Dockersh is Sean Connery

------
heavenlyhash
To shamelessly plug a much more minimalist solution,
[https://github.com/polydawn/siphon-cli](https://github.com/polydawn/siphon-
cli) can also give you new shells shells inside existing containers (or
whatever; it's more like screen than anything tightly bound to docker).

Siphon does nothing but create and forward psuedoterminals, so it has a lot
less features to directly interact with docker than dockersh appears to have,
but it's also able to do its job without root or any priviledged syscalls, and
doesn't rely on any knowledge of kernel namespaces at all. Which is more
useful may depend on your perspective and usecases.

------
TeMPOraL
Interesting. I'll take some time to learn it over the weekend. Right now at
work I use the following solution to keep a shell running on containers:

[https://gist.github.com/TeMPOraL/3d134ce0d4a2b2f4232b](https://gist.github.com/TeMPOraL/3d134ce0d4a2b2f4232b)

Basically, it starts a screen instance with a shell and your script running
side by side, so when you Docker-attach to it, you can C-a " to shell.

run.sh would be the script you want to be run in container - the one that
starts your webserver, database, whatever.

I adapted a screen solution from some random StackOverflow comment.

------
rwmj
Pretty similar to libvirt sandbox (done about 4 years ago):

[http://sandbox.libvirt.org/quickstart/](http://sandbox.libvirt.org/quickstart/)

Libvirt sandbox can also put processes, jobs, users etc into real VMs as well
as chroots ^W containers.

~~~
Terretta
> _Pretty similar to libvirt sandbox (done about 4 years ago):_

Or how we ISPs gave dialup modem users their own login shells in mid 1990's:

[http://www.freebsd.org/cgi/man.cgi?query=jail](http://www.freebsd.org/cgi/man.cgi?query=jail)

I can't find docs for the chroot shell we used back then, but what we did was
along the same lines as this:

[http://www.aarongifford.com/computers/chrsh.html](http://www.aarongifford.com/computers/chrsh.html)

------
korzun
I'm not sure if any shell hosting providers post here. I operate one of the
companies in this space since 2001.

This is a fun alternative to proper jails but unfortunately, security wise
this would not last very long on in a real world application.

Not going to lie, would be pretty cool to set something like this up and auto
provision upon payment.

~~~
duskwuff
Which provider? Curious.

~~~
korzun
[http://www.amdwebhost.com](http://www.amdwebhost.com)

Yes, design is outdated. This was great at the time; people were still using
tables for layouts.

------
bertoluci
I've been using Firejail for this purpose:

[http://l3net.wordpress.com/2014/04/16/how-to-restrict-a-
logi...](http://l3net.wordpress.com/2014/04/16/how-to-restrict-a-login-shell-
using-linux-namespaces/)

------
retr0h
I don't get it :/

~~~
jacques_chester
Sometimes, during development or when fixing a deployed app, you want to get
inside the container environment to poke around. Just to work out why the hell
something did or didn't happen.

Right now it is difficult. Docker doesn't support it directly. There is a lot
of demand for it:

[https://github.com/docker/docker/issues/1228](https://github.com/docker/docker/issues/1228)

You have to use nsenter, which is OK, but requires additional installation:

[https://github.com/jpetazzo/nsenter](https://github.com/jpetazzo/nsenter)

It looks as though an-almost-but-not-quite-the-same thing will land in Docker
at some point:

[https://github.com/docker/docker/pull/7409](https://github.com/docker/docker/pull/7409)

And this shell is another attempt to make a very useful feature available.

~~~
thu
Are you sure it is related to entering an existing container (and running a
new process) ?

From reading the README file, it seemed to me it was only spawning a login
shell process in a new container (not an existing one), and possibly resuming
an existing container.

~~~
StavrosK
You are correct, dockersh is a shell. It spawns a "proper" shell (e.g. bash)
in a docker container when you log in.

------
antocv
> This allows you to have a single ssh process on the normal ssh port which
> places user sessions into their own individual docker containers in a secure
> and locked down manner.

No! Warning!

Docker is not secure and locked down. Do not use this for "security".

~~~
StavrosK
Sure, but it's secure enough for giving friends access to my laptop without
them being able to look around the rest of the system.

~~~
antocv
GNU/Linux and ssh is already secure enough for that. File permissions, so they
cant see your files.

~~~
StavrosK
They can't see the homedir, but they can still see config files and anything
else that couldn't be conveniently locked down.

