9 Backends
Elara edited this page 2024-08-13 00:56:09 +00:00

Tip

You can use a tilde (~) character instead of a colon (:) in Seashell SSH commands if your SSH client doesn't allow the colon character in connection strings. For example, you can use ssh user~proxy@ssh.example.com instead of ssh user:proxy@ssh.example.com.

docker

The Docker backend integrates with a Docker daemon running on your system to provide shell access into containers.

Settings

  • command (optional, []string): The command to run inside the container. Default is ["/bin/sh"].
  • privileged (optional, bool): If true, the command will run in privileged mode. Default is false.
  • user (optional, string): The user to run the command as inside the container. If this is not set, user_map will be used to determine the right user, or the seashell username will be used if the user doesn't exist in the map.
  • user_map (optional, map[string]string): A map from seashell usernames to docker usernames or UIDs.

Permissions

The docker backend exposes container names to the permissions system. For example, if you wanted to allow group1 access to all containers beginning with g1, you could do:

permissions = {
  group1 = {
    allow = ["g1*"]
  }
}

Client Commands

To access the example container through seashell, with a route configured to match docker\\.(.+), you can use the following command:

ssh user:docker.example@ssh.example.com

nomad

The Nomad backend integrates with a Nomad server to provide shell access into Nomad allocations.

Settings

  • server (string): The Nomad server address.
  • delimiter (optional, string): The delimiter used for the Seashell argument. Default is ".".
  • region (optional, string): The Nomad region.
  • namespace (optional, string): The Nomad namespace.
  • auth_token (optional, string): The authentication token for Nomad.
  • command (optional, []string): The command to run within the Nomad allocation. Default is ["/bin/sh"].

Permissions

The nomad backend exposes job, task, and task group names to the permissions system. For example, if you wanted to allow group1 to access the hello-world job and the hello task group, but not the hello1 task within that task group, you could do:

permissions = {
  group1 = {
    allow = ["job:hello-world", "group:hello"]
    deny = ["task:hello1"]
  }
}

Client Commands

To access a nomad allocation through seashell, with a route configured to match nomad\\.(.+), you can use one of the following command formats based on the number of arguments. If you leave any of the elements except the job name blank, seashell will use the first one it finds:

  • 1 argument: The argument corresponds to the job name.

    ssh user:nomad.job_name@ssh.example.com
    
  • 2 arguments: The first argument is the job name, and the second is the task name.

    ssh user:nomad.job_name.task_name@ssh.example.com
    
  • 3 arguments: The first argument is the job name, the second argument is the task group name, and the third argument is the task name.

    ssh user:nomad.job_name.task_group_name.task_name@ssh.example.com
    
  • 4 arguments: The first argument is the job name, the second argument is the allocation UUID or the index of the allocation (e.g. 0, 1), the third argument is the task group name, and the fourth argument is the task name.

    ssh user:nomad.job_name.alloc.task_group_name.task_name@ssh.example.com
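
The four argument forms above, written out as a parser. This is an added example in Go, not Seashell's own code; NomadTarget and ParseNomadArg are hypothetical names, and the position-to-field mapping is taken from the list above.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// NomadTarget holds the fields selected by the Seashell argument.
// An empty field means "blank": the backend uses the first one it finds.
type NomadTarget struct {
	Job, Alloc, Group, Task string
}

// ParseNomadArg splits arg on delim and assigns fields by argument count,
// following the documented 1 to 4 argument forms.
func ParseNomadArg(arg, delim string) (NomadTarget, error) {
	if delim == "" {
		delim = "." // documented default delimiter
	}
	p := strings.Split(arg, delim)
	var t NomadTarget
	switch len(p) {
	case 1:
		t = NomadTarget{Job: p[0]}
	case 2:
		t = NomadTarget{Job: p[0], Task: p[1]}
	case 3:
		t = NomadTarget{Job: p[0], Group: p[1], Task: p[2]}
	case 4:
		t = NomadTarget{Job: p[0], Alloc: p[1], Group: p[2], Task: p[3]}
	default:
		return t, fmt.Errorf("expected 1 to 4 arguments, got %d", len(p))
	}
	if t.Job == "" {
		return t, errors.New("job name must not be blank")
	}
	return t, nil
}

func main() {
	// Constructed sample arguments (the part after "nomad." in the SSH user string).
	for _, a := range []string{"hello-world", "hello-world..hello1", "hello-world.0.hello.hello1", "api.v2"} {
		t, err := ParseNomadArg(a, ".")
		fmt.Printf("%-28q %+v err=%v\n", a, t, err)
	}
}
```

In this parser the split is purely positional, so a job name that contains the delimiter (api.v2 here) is read as job api and task v2; setting delimiter to a character that does not occur in your job names avoids that.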
    

serial

The Serial backend provides remote access to serial ports.

Settings

  • directory (optional, string): The directory where serial files are located (e.g. /dev). Either directory or file must be provided.
  • file (optional, string): The specific serial file to use. This setting overrides directory.
  • delimiter (optional, string): The delimiter used for the Seashell argument. Default is ".".
  • baud_rate (optional, int): The baud rate for the serial connection. If this is not set, the user will have to provide the baud rate in their ssh command.
  • config (optional, string): The mode string for the serial connection (e.g. 8n1). If this is not set, the user will have to provide the mode string in their ssh command.

Permissions

If the directory setting is used, the serial backend will expose filenames to the permissions system. For example, to only allow group1 access to ttyUSB0, you could use:

permissions = {
  group1 = {
    allow = ["ttyUSB0"]
  }
}

Client Commands

To access the ttyUSB0 serial port through seashell, if the directory setting is used, with a route configured to match serial\\.(.+), you can use the following command:

ssh user:serial.ttyUSB0@ssh.example.com

To specify the baud rate and mode, you can use the following command:

ssh user:serial.ttyS0.115200.8n1@ssh.example.com

If the file option is used instead of directory, the file name is omitted.

proxy

The Proxy backend allows SSH connections to be proxied to another server.

Settings

  • host (string): The target server's address in the format addr:port. If this is set, it will override hosts.
  • hosts ([]string): An array of target server addresses in the format addr:port. The addr portion can accept globs to match with the client-supplied seashell argument.
  • user (optional, string): The user to connect as on the proxy server. If this is not set, user_map will be used to determine the right user, or the seashell username will be used if the user doesn't exist in the map.
  • privkey (optional, string): The path to the private key for authentication. If this is not provided, users will be asked for the target server's password when they attempt to connect.
  • user_map (optional, map[string]string): A map from seashell usernames to target server usernames.

Permissions

The proxy backend exposes the target server's address to the permissions system. For example, to allow group1 to access any address matching 192.168.* except 192.168.1.1, you can do:

permissions = {
  group1 = {
    allow = ["192.168.*"]
    deny = ["192.168.1.1"]
  }
}
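
To see which names a rule set admits before deploying it, the allow/deny evaluation can be modelled in a few lines. This is an added example in Go, not Seashell's own code: Rules, matchAny and Allowed are hypothetical names, Go's path.Match stands in for Seashell's glob matcher, and refusing a name that matches neither list is an assumption. It uses the proxy rules above and the docker g1* rule from earlier on this page.

```go
package main

import (
	"fmt"
	"path"
)

// Rules mirrors one group's entry in the permissions map.
type Rules struct {
	Allow []string
	Deny  []string
}

// matchAny reports whether name matches any glob in patterns.
// Assumption: path.Match stands in for Seashell's glob matcher.
func matchAny(patterns []string, name string) bool {
	for _, p := range patterns {
		if ok, err := path.Match(p, name); err == nil && ok {
			return true
		}
	}
	return false
}

// Allowed checks deny before allow, so allow "192.168.*" with deny
// "192.168.1.1" behaves as the text describes. A name that matches
// neither list is refused (assumed default).
func Allowed(r Rules, name string) bool {
	if matchAny(r.Deny, name) {
		return false
	}
	return matchAny(r.Allow, name)
}

func main() {
	proxy := Rules{Allow: []string{"192.168.*"}, Deny: []string{"192.168.1.1"}}
	// Constructed sample addresses.
	for _, addr := range []string{"192.168.1.1", "192.168.1.10", "192.168.0.7", "10.0.0.5"} {
		fmt.Printf("%-14s allowed=%v\n", addr, Allowed(proxy, addr))
	}
	docker := Rules{Allow: []string{"g1*"}}
	// Constructed sample container names.
	for _, name := range []string{"g1-web", "g10-db", "g2-web"} {
		fmt.Printf("%-14s allowed=%v\n", name, Allowed(docker, name))
	}
}
```

Under these assumptions the exact deny entry 192.168.1.1 does not cover 192.168.1.10, and g1* also admits g10-db, so names that share a prefix are worth checking when writing rules.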

Client Commands

If the host setting is configured, the proxy backend will not use the seashell argument. However, if hosts is configured, the seashell argument will be matched against the entries in hosts.

For example, with a route configured to match proxy and host provided, you can use the following command:

ssh user:proxy@ssh.example.com # host = "192.168.1.1"

If the hosts array is provided instead and your route is configured to match proxy\\.(.+), you can use commands like the following:

ssh user:proxy.node00@ssh.example.com # hosts = ["node[0-9][0-9]"]
ssh user:proxy.192.168.1.1@ssh.example.com # hosts = ["192.168.1.*"]