#695: Separate out the reaper env variable names from sshd.

Author: jdeathe

Diff for: .env.example

@@ -1,11 +1,11 @@
+ENABLE_REAPER=false
+REAPER_TIMEOUT=3600
 SSH_AUTHORIZED_KEYS=
-SSH_AUTOSTART_REAPER=false
 SSH_AUTOSTART_SSHD=true
 SSH_AUTOSTART_SSHD_BOOTSTRAP=true
 SSH_CHROOT_DIRECTORY=%h
 SSH_INHERIT_ENVIRONMENT=false
 SSH_PASSWORD_AUTHENTICATION=false
-SSH_REAPER_TIMEOUT=3600
 SSH_SUDO=ALL=(ALL) ALL
 SSH_TIMEZONE=UTC
 SSH_USER=app-admin

Diff for: CHANGELOG.md

@@ -16,8 +16,8 @@ Summary of release changes for Version 2 - CentOS-7
 - Adds improved lock/state file implementation in bootstrap and wrapper scripts.
 - Adds improved `clean` Makefile target; includes exited containers and dangling images.
 - Adds feature to optionally exit the container after a specified timout period.
-- Adds `SSH_AUTOSTART_REAPER` to control startup of `reaper`.
-- Adds `SSH_REAPER_TIMEOUT` with a default value of 3600 seconds (i.e 1 hour).
+- Adds `ENABLE_REAPER` with a default value of `false` to enable the `reaper` service.
+- Adds `REAPER_TIMEOUT` with a default value of `3600` seconds (i.e 1 hour).
 - Fixes port incrementation failures when installing systemd units via `scmi`.
 - Fixes etcd port registration failures when installing systemd units via `scmi` with the `--register` option.
 - Fixes binary paths in systemd unit files for compatibility with both EL and Ubuntu hosts.

Diff for: Dockerfile

@@ -93,15 +93,15 @@ EXPOSE 22
 # Set default environment variables
 # ------------------------------------------------------------------------------
 ENV \
+	ENABLE_REAPER="false" \
+	REAPER_TIMEOUT="3600" \
 	SSH_AUTHORIZED_KEYS="" \
-	SSH_AUTOSTART_REAPER="false" \
 	SSH_AUTOSTART_SSHD="true" \
 	SSH_AUTOSTART_SSHD_BOOTSTRAP="true" \
 	SSH_AUTOSTART_SUPERVISOR_STDOUT="false" \
 	SSH_CHROOT_DIRECTORY="%h" \
 	SSH_INHERIT_ENVIRONMENT="false" \
 	SSH_PASSWORD_AUTHENTICATION="false" \
-	SSH_REAPER_TIMEOUT="3600" \
 	SSH_SUDO="ALL=(ALL) ALL" \
 	SSH_TIMEZONE="UTC" \
 	SSH_USER="app-admin" \

Diff for: default.mk

@@ -41,6 +41,7 @@ DOCKER_PUBLISH := $(shell \
 define DOCKER_CONTAINER_PARAMETERS
 --name $(DOCKER_NAME) \
 --restart $(DOCKER_RESTART_POLICY) \
+--env "REAPER_TIMEOUT=$(REAPER_TIMEOUT)" \
 --env "SSH_AUTHORIZED_KEYS=$(SSH_AUTHORIZED_KEYS)" \
 --env "SSH_AUTOSTART_REAPER=$(SSH_AUTOSTART_REAPER)" \
 --env "SSH_AUTOSTART_SSHD=$(SSH_AUTOSTART_SSHD)" \
@@ -49,7 +50,6 @@ define DOCKER_CONTAINER_PARAMETERS
 --env "SSH_CHROOT_DIRECTORY=$(SSH_CHROOT_DIRECTORY)" \
 --env "SSH_INHERIT_ENVIRONMENT=$(SSH_INHERIT_ENVIRONMENT)" \
 --env "SSH_PASSWORD_AUTHENTICATION=$(SSH_PASSWORD_AUTHENTICATION)" \
---env "SSH_REAPER_TIMEOUT=$(SSH_REAPER_TIMEOUT)" \
 --env "SSH_SUDO=$(SSH_SUDO)" \
 --env "SSH_TIMEZONE=$(SSH_TIMEZONE)" \
 --env "SSH_USER=$(SSH_USER)" \

Diff for: docker-compose.yml

@@ -28,14 +28,14 @@ services:
       context: "."
       dockerfile: "Dockerfile"
     environment:
+      ENABLE_REAPER: "${ENABLE_REAPER}"
+      REAPER_TIMEOUT: "${REAPER_TIMEOUT}"
       SSH_AUTHORIZED_KEYS: "${SSH_AUTHORIZED_KEYS}"
-      SSH_AUTOSTART_REAPER: "${SSH_AUTOSTART_REAPER}"
       SSH_AUTOSTART_SSHD: "${SSH_AUTOSTART_SSHD}"
       SSH_AUTOSTART_SSHD_BOOTSTRAP: "${SSH_AUTOSTART_SSHD_BOOTSTRAP}"
       SSH_CHROOT_DIRECTORY: "${SSH_CHROOT_DIRECTORY}"
       SSH_INHERIT_ENVIRONMENT: "${SSH_INHERIT_ENVIRONMENT}"
       SSH_PASSWORD_AUTHENTICATION: "${SSH_PASSWORD_AUTHENTICATION}"
-      SSH_REAPER_TIMEOUT: "${SSH_REAPER_TIMEOUT}"
       SSH_SUDO: "${SSH_SUDO}"
       SSH_TIMEZONE: "${SSH_TIMEZONE}"
       SSH_USER: "${SSH_USER}"

Diff for: environment.mk

@@ -23,15 +23,15 @@ STARTUP_TIME ?= 2
 # ------------------------------------------------------------------------------
 # Application container configuration
 # ------------------------------------------------------------------------------
+ENABLE_REAPER ?= false
+REAPER_TIMEOUT ?= 3600
 SSH_AUTHORIZED_KEYS ?=
-SSH_AUTOSTART_REAPER ?= false
 SSH_AUTOSTART_SSHD ?= true
 SSH_AUTOSTART_SSHD_BOOTSTRAP ?= true
 SSH_AUTOSTART_SUPERVISOR_STDOUT ?= false
 SSH_CHROOT_DIRECTORY ?= %h
 SSH_INHERIT_ENVIRONMENT ?= false
 SSH_PASSWORD_AUTHENTICATION ?= false
-SSH_REAPER_TIMEOUT ?= 3600
 SSH_SUDO ?= ALL=(ALL) ALL
 SSH_TIMEZONE ?= UTC
 SSH_USER ?= app-admin

Diff for: src/etc/supervisord.d/01-reaper.conf

@@ -1,6 +1,6 @@
 [program:reaper]
 autorestart = false
-autostart = %(ENV_SSH_AUTOSTART_REAPER)s
+autostart = %(ENV_ENABLE_REAPER)s
 command = /usr/sbin/reaper --verbose
 priority = 1
 startsecs = 0

Diff for: src/etc/systemd/system/[email protected]

@@ -56,15 +56,15 @@ Environment="DOCKER_IMAGE_PACKAGE_PATH=/var/opt/scmi/packages"
 Environment="DOCKER_IMAGE_TAG={{RELEASE_VERSION}}"
 Environment="DOCKER_PORT_MAP_TCP_22=2020"
 Environment="DOCKER_USER=jdeathe"
+Environment="ENABLE_REAPER=false"
+Environment="REAPER_TIMEOUT=3600"
 Environment="SSH_AUTHORIZED_KEYS="
-Environment="SSH_AUTOSTART_REAPER=false"
 Environment="SSH_AUTOSTART_SSHD=true"
 Environment="SSH_AUTOSTART_SSHD_BOOTSTRAP=true"
 Environment="SSH_AUTOSTART_SUPERVISOR_STDOUT=false"
 Environment="SSH_CHROOT_DIRECTORY=%%h"
 Environment="SSH_INHERIT_ENVIRONMENT=false"
 Environment="SSH_PASSWORD_AUTHENTICATION=false"
-Environment="SSH_REAPER_TIMEOUT=3600"
 Environment="SSH_SUDO=ALL=(ALL) ALL"
 Environment="SSH_TIMEZONE=UTC"
 Environment="SSH_USER=app-admin"
@@ -131,6 +131,7 @@ ExecStartPre=-/bin/bash -c \
 ExecStart=/bin/bash -c \
   "exec /usr/bin/docker run \
     --name %p.%i \
+    --env \"REAPER_TIMEOUT=${REAPER_TIMEOUT}\" \
     --env \"SSH_AUTHORIZED_KEYS=${SSH_AUTHORIZED_KEYS}\" \
     --env \"SSH_AUTOSTART_REAPER=${SSH_AUTOSTART_REAPER}\" \
     --env \"SSH_AUTOSTART_SSHD=${SSH_AUTOSTART_SSHD}\" \
@@ -139,7 +140,6 @@ ExecStart=/bin/bash -c \
     --env \"SSH_CHROOT_DIRECTORY=${SSH_CHROOT_DIRECTORY}\" \
     --env \"SSH_INHERIT_ENVIRONMENT=${SSH_INHERIT_ENVIRONMENT}\" \
     --env \"SSH_PASSWORD_AUTHENTICATION=${SSH_PASSWORD_AUTHENTICATION}\" \
-    --env \"SSH_REAPER_TIMEOUT=${SSH_REAPER_TIMEOUT}\" \
     --env \"SSH_SUDO=${SSH_SUDO}\" \
     --env \"SSH_TIMEZONE=${SSH_TIMEZONE}\" \
     --env \"SSH_USER=${SSH_USER}\" \

Diff for: src/opt/scmi/default.sh

@@ -46,15 +46,15 @@ fi
 # Common parameters of create and run targets
 DOCKER_CONTAINER_PARAMETERS="--name ${DOCKER_NAME} \
 --restart ${DOCKER_RESTART_POLICY} \
+--env \"ENABLE_REAPER=${ENABLE_REAPER}\" \
+--env \"REAPER_TIMEOUT=${REAPER_TIMEOUT}\" \
 --env \"SSH_AUTHORIZED_KEYS=${SSH_AUTHORIZED_KEYS}\" \
---env \"SSH_AUTOSTART_REAPER=${SSH_AUTOSTART_REAPER}\" \
 --env \"SSH_AUTOSTART_SSHD=${SSH_AUTOSTART_SSHD}\" \
 --env \"SSH_AUTOSTART_SSHD_BOOTSTRAP=${SSH_AUTOSTART_SSHD_BOOTSTRAP}\" \
 --env \"SSH_AUTOSTART_SUPERVISOR_STDOUT=${SSH_AUTOSTART_SUPERVISOR_STDOUT}\" \
 --env \"SSH_CHROOT_DIRECTORY=${SSH_CHROOT_DIRECTORY}\" \
 --env \"SSH_INHERIT_ENVIRONMENT=${SSH_INHERIT_ENVIRONMENT}\" \
 --env \"SSH_PASSWORD_AUTHENTICATION=${SSH_PASSWORD_AUTHENTICATION}\" \
---env \"SSH_REAPER_TIMEOUT=${SSH_REAPER_TIMEOUT}\" \
 --env \"SSH_SUDO=${SSH_SUDO}\" \
 --env \"SSH_TIMEZONE=${SSH_TIMEZONE}\" \
 --env \"SSH_USER=${SSH_USER}\" \

Diff for: src/opt/scmi/environment.sh

@@ -24,15 +24,15 @@ STARTUP_TIME="${STARTUP_TIME:-2}"
 # ------------------------------------------------------------------------------
 # Application container configuration
 # ------------------------------------------------------------------------------
+ENABLE_REAPER="${ENABLE_REAPER:-false}"
+REAPER_TIMEOUT="${REAPER_TIMEOUT:-3600}"
 SSH_AUTHORIZED_KEYS="${SSH_AUTHORIZED_KEYS:-}"
-SSH_AUTOSTART_REAPER="${SSH_AUTOSTART_REAPER:-false}"
 SSH_AUTOSTART_SSHD="${SSH_AUTOSTART_SSHD:-true}"
 SSH_AUTOSTART_SSHD_BOOTSTRAP="${SSH_AUTOSTART_SSHD_BOOTSTRAP:-true}"
 SSH_AUTOSTART_SUPERVISOR_STDOUT="${SSH_AUTOSTART_SUPERVISOR_STDOUT:-false}"
 SSH_CHROOT_DIRECTORY="${SSH_CHROOT_DIRECTORY:-%h}"
 SSH_INHERIT_ENVIRONMENT="${SSH_INHERIT_ENVIRONMENT:-false}"
 SSH_PASSWORD_AUTHENTICATION="${SSH_PASSWORD_AUTHENTICATION:-false}"
-SSH_REAPER_TIMEOUT="${SSH_REAPER_TIMEOUT:-3600}"
 SSH_SUDO="${SSH_SUDO:-ALL=(ALL) ALL}"
 SSH_TIMEZONE="${SSH_TIMEZONE:-UTC}"
 SSH_USER="${SSH_USER:-app-admin}"

Diff for: src/opt/scmi/service-unit.sh

@@ -6,6 +6,8 @@ readonly SERVICE_UNIT_ENVIRONMENT_KEYS="
  DOCKER_IMAGE_PACKAGE_PATH
  DOCKER_IMAGE_TAG
  DOCKER_PORT_MAP_TCP_22
+ ENABLE_REAPER
+ REAPER_TIMEOUT
  SSH_AUTHORIZED_KEYS
  SSH_AUTOSTART_REAPER
  SSH_AUTOSTART_SSHD
@@ -14,7 +16,6 @@ readonly SERVICE_UNIT_ENVIRONMENT_KEYS="
  SSH_CHROOT_DIRECTORY
  SSH_INHERIT_ENVIRONMENT
  SSH_PASSWORD_AUTHENTICATION
- SSH_REAPER_TIMEOUT
  SSH_SUDO
  SSH_TIMEZONE
  SSH_USER

Diff for: src/usr/sbin/reaper

@@ -2,13 +2,25 @@
 
 set -e
 
-function __get_ssh_reaper_timeout ()
+function __create_state ()
+{
+	if [[ -n ${state_file} ]]
+	then
+		printf -- \
+			'%s %s\n' \
+			"${session_start}" \
+			"$(( ${session_start} + ${timeout} ))" \
+			> "${state_file}"
+	fi
+}
+
+function __get_reaper_timeout ()
 {
 	local -r default_value="${1:-3600}"
 
-	local value="${SSH_REAPER_TIMEOUT}"
+	local value="${REAPER_TIMEOUT}"
 
-	if ! __is_valid_ssh_reaper_timeout "${value}"
+	if ! __is_valid_reaper_timeout "${value}"
 	then
 		value="${default_value}"
 	fi
@@ -29,26 +41,31 @@ function __is_valid_positive_integer ()
 	return 1
 }
 
-function __is_valid_ssh_reaper_timeout ()
+function __is_valid_reaper_timeout ()
 {
 	__is_valid_positive_integer "${@}"
 }
 
 function __reap ()
 {
-	kill -"${signal:-TERM}" "${pid:-1}"
+	return kill \
+		-s "${signal:-TERM}" \
+		"${pid:-1}"
 }
 
 function main ()
 {
-	local -r warning_timeout="30"
+	local -r state_file="/var/lib/misc/reaper"
+	local -r timeout="$(
+		__get_reaper_timeout
+	)"
 
 	local pid="1"
 	local signal="TERM"
-	local timeout="$(
-		__get_ssh_reaper_timeout
-	)"
+	local session_start
+	local session_end
 	local verbose="false"
+	local warning_timeout="30"
 
 	while [[ "${#}" -gt 0 ]]
 	do
@@ -81,27 +98,31 @@ function main ()
 		trap __reap \
 			EXIT INT TERM
 
-		if (( timeout > warning_timeout ))
+		if (( timeout <= warning_timeout ))
 		then
-			(( timeout -= warning_timeout ))
-		else
 			warning_timeout="0"
 		fi
 
-		if coproc read -t "${timeout}"
+		session_start="$(
+			date -u +%s
+		)"
+
+		__create_state
+
+		if coproc read -t "$(( ${timeout} - ${warning_timeout} ))"
 		then
 			wait "${!}" || :
 
 			if (( warning_timeout > 0 ))
 			then
-				wall "Session expired - exiting in ${warning_timeout} seconds."
+				wall "Session expired - exiting in ${warning_timeout} seconds." || :
 
 				if coproc read -t "${warning_timeout}"
 				then
 					wait "${!}" || :
 				fi
 			else
-				wall "Session expired."
+				wall "Session expired." || :
 			fi
 		fi