Merge pull request #780 from gravitational/ev/docker

Created Docker-based test bed

docker/.bashrc

@@ -0,0 +1,4 @@
+PS1='\[\033[33;1m\]container(\h)\[\033[0;33m\] \w\[\033[00m\]: '
+PATH=$PATH:/teleport/build 
+alias ls="ls --color=auto"
+alias ll="ls -alF"

docker/.dockerignore

@@ -0,0 +1 @@
+data

docker/.gitignore

@@ -0,0 +1 @@
+data

docker/Dockerfile

@@ -0,0 +1,16 @@
+# The base image (buildbox:latest) is built by running `make -C build.assets` 
+# from the base repo directory $GOPATH/gravitational.com/teleport
+FROM teleport-buildbox:latest
+
+# DEBUG=1 is needed for the Web UI to be loaded from static assets instead 
+# of the binary
+ENV DEBUG=1
+
+# htop is useful for testing terminal resizing
+RUN apt-get install -y htop
+
+VOLUME ["/teleport", "/var/lib/teleport"]
+COPY .bashrc /root/.bashrc
+
+# expose only proxy ports (SSH and HTTPS)
+EXPOSE 3023 3080

docker/Makefile

@@ -0,0 +1,61 @@
+TELEBOX=teleport:latest
+HOMEDIR=$(abspath ..)
+THISDIR=`pwd`
+NETNAME=telenet
+DOCKEROPS=--detach=true --net $(NETNAME) -w /teleport -v $(HOMEDIR):/teleport 
+
+#
+# Default target starts two Teleport clusters
+#
+.PHONY:run
+run:
+	# create a docker Teleport image and a network
+	docker build -t $(TELEBOX) .
+	docker network create --subnet=172.10.0.0/16 $(NETNAME)
+	mkdir -p data/one data/two/proxy data/two/node data/two/auth
+	# start the single-node cluster named "one"
+	docker run --name=one \
+		--hostname one \
+		--ip 172.10.1.1 \
+		--publish 3080:3080 -p 3023:3023 \
+		--volume $(THISDIR)/data/one:/var/lib/teleport \
+		$(DOCKEROPS) $(TELEBOX) build/teleport start -c /teleport/docker/one.yaml
+	# start three-node cluster named "two"
+	docker run --name=two-auth \
+		--hostname two-auth \
+		--ip 172.10.1.2 \
+		--volume $(THISDIR)/data/two/auth:/var/lib/teleport \
+		$(DOCKEROPS) $(TELEBOX) build/teleport start -c /teleport/docker/two-auth.yaml
+	docker run --name=two-proxy \
+		--hostname two-proxy \
+		--ip 172.10.1.3 \
+		--publish 5080:5080 -p 5023:5023 \
+		--volume $(THISDIR)/data/two/proxy:/var/lib/teleport \
+		$(DOCKEROPS) $(TELEBOX) build/teleport start -c /teleport/docker/two-proxy.yaml
+	docker run --name=two-node \
+		--hostname two-node \
+		--ip 172.10.1.4 \
+		--volume $(THISDIR)/data/two/node:/var/lib/teleport \
+		$(DOCKEROPS) $(TELEBOX) build/teleport start -c /teleport/docker/two-node.yaml
+
+# 'make stop' stops all Teleport containers, deletes them 
+# and their network
+#
+.PHONY:stop
+stop:
+	-@docker rm -f one two-auth two-proxy two-node
+	-@docker network rm telenet
+
+# `make enter-one` gives you shell inside auth server 
+# of cluster "one"
+#
+.PHONY:enter-one
+enter-one:
+	docker exec -ti one /bin/bash
+
+# `make enter-two` gives you shell inside auth server 
+# of cluster "two"
+#
+.PHONY:enter-two
+enter-two:
+	docker exec -ti two-auth /bin/bash

docker/README.md

@@ -0,0 +1,76 @@
+## Docker
+
+This directory contains Docker-based flow to run Teleport clusters locally
+for testing & development purposes.
+
+### Building 
+
+First, you need to build `teleport:latest` Docker image. This image is built
+automatically when you type `make` BUT...
+
+But you have to build the base image first, by running `make -C build.assets`
+from `$GOPATH/github.com/gravitational/teleport` (repository base dir).
+
+### Starting 
+
+Type:
+
+```bash
+$ make
+```
+
+This will start two Teleport clusters:
+
+* Single-node cluster `one`, accessible now on https://localhost:3080
+* Three-node cluster `two`, accessible now on https://localhost:5080
+
+### Stopping
+
+Type:
+
+```bash
+$ make stop
+```
+
+### Configuration
+
+Look at the [Makefile](Makefile): the containers are started with their 
+`/var/lib/teleport` mounted to `data/one` or `data/two` on a host. 
+
+The configuration is passed via YAML files located in `/teleport/docker/xxx.yaml` 
+inside each container.
+
+The cluster data is preserved between restarts, so you can link these two
+clusters (make them "trusted") by placing certificates within `data` and 
+updating the config files.
+
+### Using TCTL
+
+To add users to any of the clusters, you have to "enter" into the running
+containers of their auth servers and use `tctl` there.
+
+For cluster "one":
+
+```bash
+$ make enter-one
+```
+
+and then you'll find yourself inside a container where `teleport` auth daemon
+is running, try `ps -ef` for example and you'll get something like this:
+
+```bash
+container(one) /teleport: ps -ef
+UID        PID  PPID  C STIME TTY          TIME CMD
+root         1     0 40 06:04 ?        00:00:06 build/teleport start -c /teleport/docker/one.yaml
+root        13     0  0 06:04 ?        00:00:00 /bin/bash
+root        19    13  0 06:04 ?        00:00:00 ps -ef
+```
+
+For cluster "two":
+
+```bash
+$ make enter-two
+```
+
+... and then you can use stuff like `tctl users add`, etc. Make sure to pass 
+the YAML file to `tctl` via `-c` flag.

docker/one.yaml

@@ -0,0 +1,24 @@
+# Single-node Teleport cluster called "one" (runs all 3 roles: proxy, auth and node)
+teleport:
+  nodename: one
+  log:
+    output: /var/lib/teleport/teleport.log
+    severity: INFO
+
+auth_service:
+  enabled: yes
+  cluster_name: one
+  tokens: 
+       - "node,auth,proxy:xxx"
+
+ssh_service:
+  enabled: yes
+  labels:
+      cluster: one
+  commands:
+      - name: kernel
+        command: [/bin/uname, -r]
+        period: 5m
+
+proxy_service:
+  enabled: yes

docker/two-auth.yaml

@@ -0,0 +1,25 @@
+# Auth server for cluster "two". Also runs "node" role
+teleport:
+  nodename: two-auth
+  log:
+    output: /var/lib/teleport/teleport.log
+    severity: INFO
+
+auth_service:
+  enabled: yes
+  cluster_name: two
+  tokens: 
+       - "node,auth,proxy:xxx"
+
+ssh_service:
+  enabled: yes
+  labels:
+      cluster: two
+      role: auth+node
+  commands:
+      - name: kernel
+        command: [/bin/uname, -r]
+        period: 5m
+
+proxy_service:
+  enabled: no

docker/two-node.yaml

@@ -0,0 +1,20 @@
+# Dumb SSH node for cluster "two"
+teleport:
+  nodename: two-node
+  auth_servers: ["two-auth"]
+  auth_token: xxx
+  log:
+    output: /var/lib/teleport/teleport.log
+    severity: INFO
+
+ssh_service:
+  enabled: yes
+  labels:
+      cluster: two
+      role: dumb_node
+
+proxy_service:
+   enabled: no
+
+auth_service:
+  enabled: no

docker/two-proxy.yaml

@@ -0,0 +1,26 @@
+# Proxy server for cluster "two". Also runs "node" role
+teleport:
+  nodename: two-proxy
+  auth_servers: ["two-auth"]
+  auth_token: xxx
+  log:
+    output: /var/lib/teleport/teleport.log
+    severity: INFO
+
+auth_service:
+  enabled: no
+
+ssh_service:
+  enabled: yes
+  labels:
+      cluster: two
+      role: proxy+node
+  commands:
+      - name: kernel
+        command: [/bin/uname, -r]
+        period: 5m
+
+proxy_service:
+   enabled: yes
+   listen_addr: 0.0.0.0:5023
+   web_listen_addr: 0.0.0.0:5080

lib/sshutils/scp/scp.go

@@ -159,7 +159,7 @@ func (cmd *Command) sendFile(r *reader, ch io.ReadWriter, fi os.FileInfo, path s
 
 	// report progress:
 	if cmd.Terminal != nil {
-		defer fmt.Fprintf(cmd.Terminal, "-> %s/%s (%d)\n", path, fi.Name(), fi.Size())
+		defer fmt.Fprintf(cmd.Terminal, "-> %s (%d)\n", path, fi.Size())
 	}
 
 	_, err := io.WriteString(ch, out)