#695: Adds feature to self-destruct a container after a (1 hour default) timeout.

Author: jdeathe

Diff for: .env.example

@@ -1,9 +1,11 @@
 SSH_AUTHORIZED_KEYS=
+SSH_AUTOSTART_REAPER=false
 SSH_AUTOSTART_SSHD=true
 SSH_AUTOSTART_SSHD_BOOTSTRAP=true
 SSH_CHROOT_DIRECTORY=%h
 SSH_INHERIT_ENVIRONMENT=false
 SSH_PASSWORD_AUTHENTICATION=false
+SSH_REAPER_TIMEOUT=3600
 SSH_SUDO=ALL=(ALL) ALL
 SSH_TIMEZONE=UTC
 SSH_USER=app-admin
@@ -13,4 +15,4 @@ SSH_USER_ID=500:500
 SSH_USER_PASSWORD=
 SSH_USER_PASSWORD_HASHED=false
 SSH_USER_PRIVATE_KEY=
-SSH_USER_SHELL=/bin/bash
+SSH_USER_SHELL=/bin/bash

Diff for: CHANGELOG.md

@@ -15,6 +15,9 @@ Summary of release changes for Version 2 - CentOS-7
 - Adds `inspect`, `reload` and `top` Makefile targets.
 - Adds improved lock/state file implementation in bootstrap and wrapper scripts.
 - Adds improved `clean` Makefile target; includes exited containers and dangling images.
+- Adds feature to optionally exit the container after a specified timout period.
+- Adds `SSH_AUTOSTART_REAPER` to control startup of `reaper`.
+- Adds `SSH_REAPER_TIMEOUT` with a default value of 3600 seconds (i.e 1 hour).
 - Fixes port incrementation failures when installing systemd units via `scmi`.
 - Fixes etcd port registration failures when installing systemd units via `scmi` with the `--register` option.
 - Fixes binary paths in systemd unit files for compatibility with both EL and Ubuntu hosts.

Diff for: Dockerfile

@@ -28,13 +28,15 @@ RUN rpm --rebuilddb \
 		openssl-1.0.2k-16.el7 \
 		python-setuptools-0.9.8-7.el7 \
 		sudo-1.8.23-3.el7 \
+		sysvinit-tools-2.88-14.dsf.el7 \
 		yum-plugin-versionlock-1.1.31-50.el7 \
 	&& yum versionlock add \
 		openssh \
 		openssh-server \
 		openssh-clients \
 		python-setuptools \
 		sudo \
+		sysvinit-tools \
 		yum-plugin-versionlock \
 	&& yum clean all \
 	&& easy_install \
@@ -83,7 +85,7 @@ RUN ln -sf \
 	&& chmod 644 \
 		/etc/{supervisord.conf,supervisord.d/sshd-{bootstrap,wrapper}.conf} \
 	&& chmod 700 \
-		/usr/{bin/healthcheck,sbin/{scmi,sshd-{bootstrap,wrapper}}}
+		/usr/{bin/healthcheck,sbin/{reaper,scmi,sshd-{bootstrap,wrapper}}}
 
 EXPOSE 22
 
@@ -92,12 +94,14 @@ EXPOSE 22
 # ------------------------------------------------------------------------------
 ENV \
 	SSH_AUTHORIZED_KEYS="" \
+	SSH_AUTOSTART_REAPER="false" \
 	SSH_AUTOSTART_SSHD="true" \
 	SSH_AUTOSTART_SSHD_BOOTSTRAP="true" \
 	SSH_AUTOSTART_SUPERVISOR_STDOUT="false" \
 	SSH_CHROOT_DIRECTORY="%h" \
 	SSH_INHERIT_ENVIRONMENT="false" \
 	SSH_PASSWORD_AUTHENTICATION="false" \
+	SSH_REAPER_TIMEOUT="3600" \
 	SSH_SUDO="ALL=(ALL) ALL" \
 	SSH_TIMEZONE="UTC" \
 	SSH_USER="app-admin" \

Diff for: default.mk

@@ -42,12 +42,14 @@ define DOCKER_CONTAINER_PARAMETERS
 --name $(DOCKER_NAME) \
 --restart $(DOCKER_RESTART_POLICY) \
 --env "SSH_AUTHORIZED_KEYS=$(SSH_AUTHORIZED_KEYS)" \
+--env "SSH_AUTOSTART_REAPER=$(SSH_AUTOSTART_REAPER)" \
 --env "SSH_AUTOSTART_SSHD=$(SSH_AUTOSTART_SSHD)" \
 --env "SSH_AUTOSTART_SSHD_BOOTSTRAP=$(SSH_AUTOSTART_SSHD_BOOTSTRAP)" \
 --env "SSH_AUTOSTART_SUPERVISOR_STDOUT=$(SSH_AUTOSTART_SUPERVISOR_STDOUT)" \
 --env "SSH_CHROOT_DIRECTORY=$(SSH_CHROOT_DIRECTORY)" \
 --env "SSH_INHERIT_ENVIRONMENT=$(SSH_INHERIT_ENVIRONMENT)" \
 --env "SSH_PASSWORD_AUTHENTICATION=$(SSH_PASSWORD_AUTHENTICATION)" \
+--env "SSH_REAPER_TIMEOUT=$(SSH_REAPER_TIMEOUT)" \
 --env "SSH_SUDO=$(SSH_SUDO)" \
 --env "SSH_TIMEZONE=$(SSH_TIMEZONE)" \
 --env "SSH_USER=$(SSH_USER)" \

Diff for: docker-compose.yml

@@ -29,11 +29,13 @@ services:
       dockerfile: "Dockerfile"
     environment:
       SSH_AUTHORIZED_KEYS: "${SSH_AUTHORIZED_KEYS}"
+      SSH_AUTOSTART_REAPER: "${SSH_AUTOSTART_REAPER}"
       SSH_AUTOSTART_SSHD: "${SSH_AUTOSTART_SSHD}"
       SSH_AUTOSTART_SSHD_BOOTSTRAP: "${SSH_AUTOSTART_SSHD_BOOTSTRAP}"
       SSH_CHROOT_DIRECTORY: "${SSH_CHROOT_DIRECTORY}"
       SSH_INHERIT_ENVIRONMENT: "${SSH_INHERIT_ENVIRONMENT}"
       SSH_PASSWORD_AUTHENTICATION: "${SSH_PASSWORD_AUTHENTICATION}"
+      SSH_REAPER_TIMEOUT: "${SSH_REAPER_TIMEOUT}"
       SSH_SUDO: "${SSH_SUDO}"
       SSH_TIMEZONE: "${SSH_TIMEZONE}"
       SSH_USER: "${SSH_USER}"

Diff for: environment.mk

@@ -24,12 +24,14 @@ STARTUP_TIME ?= 2
 # Application container configuration
 # ------------------------------------------------------------------------------
 SSH_AUTHORIZED_KEYS ?=
+SSH_AUTOSTART_REAPER ?= false
 SSH_AUTOSTART_SSHD ?= true
 SSH_AUTOSTART_SSHD_BOOTSTRAP ?= true
 SSH_AUTOSTART_SUPERVISOR_STDOUT ?= false
 SSH_CHROOT_DIRECTORY ?= %h
 SSH_INHERIT_ENVIRONMENT ?= false
 SSH_PASSWORD_AUTHENTICATION ?= false
+SSH_REAPER_TIMEOUT ?= 3600
 SSH_SUDO ?= ALL=(ALL) ALL
 SSH_TIMEZONE ?= UTC
 SSH_USER ?= app-admin

Diff for: src/etc/supervisord.d/01-reaper.conf

@@ -0,0 +1,10 @@
+[program:reaper]
+autorestart = false
+autostart = %(ENV_SSH_AUTOSTART_REAPER)s
+command = /usr/sbin/reaper --verbose
+priority = 1
+startsecs = 0
+stderr_logfile = /dev/stderr
+stderr_logfile_maxbytes = 0
+stdout_logfile = /dev/stdout
+stdout_logfile_maxbytes = 0

Diff for: src/etc/systemd/system/[email protected]

@@ -57,12 +57,14 @@ Environment="DOCKER_IMAGE_TAG={{RELEASE_VERSION}}"
 Environment="DOCKER_PORT_MAP_TCP_22=2020"
 Environment="DOCKER_USER=jdeathe"
 Environment="SSH_AUTHORIZED_KEYS="
+Environment="SSH_AUTOSTART_REAPER=false"
 Environment="SSH_AUTOSTART_SSHD=true"
 Environment="SSH_AUTOSTART_SSHD_BOOTSTRAP=true"
 Environment="SSH_AUTOSTART_SUPERVISOR_STDOUT=false"
 Environment="SSH_CHROOT_DIRECTORY=%%h"
 Environment="SSH_INHERIT_ENVIRONMENT=false"
 Environment="SSH_PASSWORD_AUTHENTICATION=false"
+Environment="SSH_REAPER_TIMEOUT=3600"
 Environment="SSH_SUDO=ALL=(ALL) ALL"
 Environment="SSH_TIMEZONE=UTC"
 Environment="SSH_USER=app-admin"
@@ -130,12 +132,14 @@ ExecStart=/bin/bash -c \
   "exec /usr/bin/docker run \
     --name %p.%i \
     --env \"SSH_AUTHORIZED_KEYS=${SSH_AUTHORIZED_KEYS}\" \
+    --env \"SSH_AUTOSTART_REAPER=${SSH_AUTOSTART_REAPER}\" \
     --env \"SSH_AUTOSTART_SSHD=${SSH_AUTOSTART_SSHD}\" \
     --env \"SSH_AUTOSTART_SSHD_BOOTSTRAP=${SSH_AUTOSTART_SSHD_BOOTSTRAP}\" \
     --env \"SSH_AUTOSTART_SUPERVISOR_STDOUT=${SSH_AUTOSTART_SUPERVISOR_STDOUT}\" \
     --env \"SSH_CHROOT_DIRECTORY=${SSH_CHROOT_DIRECTORY}\" \
     --env \"SSH_INHERIT_ENVIRONMENT=${SSH_INHERIT_ENVIRONMENT}\" \
     --env \"SSH_PASSWORD_AUTHENTICATION=${SSH_PASSWORD_AUTHENTICATION}\" \
+    --env \"SSH_REAPER_TIMEOUT=${SSH_REAPER_TIMEOUT}\" \
     --env \"SSH_SUDO=${SSH_SUDO}\" \
     --env \"SSH_TIMEZONE=${SSH_TIMEZONE}\" \
     --env \"SSH_USER=${SSH_USER}\" \

Diff for: src/opt/scmi/default.sh

@@ -47,12 +47,14 @@ fi
 DOCKER_CONTAINER_PARAMETERS="--name ${DOCKER_NAME} \
 --restart ${DOCKER_RESTART_POLICY} \
 --env \"SSH_AUTHORIZED_KEYS=${SSH_AUTHORIZED_KEYS}\" \
+--env \"SSH_AUTOSTART_REAPER=${SSH_AUTOSTART_REAPER}\" \
 --env \"SSH_AUTOSTART_SSHD=${SSH_AUTOSTART_SSHD}\" \
 --env \"SSH_AUTOSTART_SSHD_BOOTSTRAP=${SSH_AUTOSTART_SSHD_BOOTSTRAP}\" \
 --env \"SSH_AUTOSTART_SUPERVISOR_STDOUT=${SSH_AUTOSTART_SUPERVISOR_STDOUT}\" \
 --env \"SSH_CHROOT_DIRECTORY=${SSH_CHROOT_DIRECTORY}\" \
 --env \"SSH_INHERIT_ENVIRONMENT=${SSH_INHERIT_ENVIRONMENT}\" \
 --env \"SSH_PASSWORD_AUTHENTICATION=${SSH_PASSWORD_AUTHENTICATION}\" \
+--env \"SSH_REAPER_TIMEOUT=${SSH_REAPER_TIMEOUT}\" \
 --env \"SSH_SUDO=${SSH_SUDO}\" \
 --env \"SSH_TIMEZONE=${SSH_TIMEZONE}\" \
 --env \"SSH_USER=${SSH_USER}\" \

Diff for: src/opt/scmi/environment.sh

@@ -25,12 +25,14 @@ STARTUP_TIME="${STARTUP_TIME:-2}"
 # Application container configuration
 # ------------------------------------------------------------------------------
 SSH_AUTHORIZED_KEYS="${SSH_AUTHORIZED_KEYS:-}"
+SSH_AUTOSTART_REAPER="${SSH_AUTOSTART_REAPER:-false}"
 SSH_AUTOSTART_SSHD="${SSH_AUTOSTART_SSHD:-true}"
 SSH_AUTOSTART_SSHD_BOOTSTRAP="${SSH_AUTOSTART_SSHD_BOOTSTRAP:-true}"
 SSH_AUTOSTART_SUPERVISOR_STDOUT="${SSH_AUTOSTART_SUPERVISOR_STDOUT:-false}"
 SSH_CHROOT_DIRECTORY="${SSH_CHROOT_DIRECTORY:-%h}"
 SSH_INHERIT_ENVIRONMENT="${SSH_INHERIT_ENVIRONMENT:-false}"
 SSH_PASSWORD_AUTHENTICATION="${SSH_PASSWORD_AUTHENTICATION:-false}"
+SSH_REAPER_TIMEOUT="${SSH_REAPER_TIMEOUT:-3600}"
 SSH_SUDO="${SSH_SUDO:-ALL=(ALL) ALL}"
 SSH_TIMEZONE="${SSH_TIMEZONE:-UTC}"
 SSH_USER="${SSH_USER:-app-admin}"

Diff for: src/opt/scmi/service-unit.sh

@@ -7,12 +7,14 @@ readonly SERVICE_UNIT_ENVIRONMENT_KEYS="
  DOCKER_IMAGE_TAG
  DOCKER_PORT_MAP_TCP_22
  SSH_AUTHORIZED_KEYS
+ SSH_AUTOSTART_REAPER
  SSH_AUTOSTART_SSHD
  SSH_AUTOSTART_SSHD_BOOTSTRAP
  SSH_AUTOSTART_SUPERVISOR_STDOUT
  SSH_CHROOT_DIRECTORY
  SSH_INHERIT_ENVIRONMENT
  SSH_PASSWORD_AUTHENTICATION
+ SSH_REAPER_TIMEOUT
  SSH_SUDO
  SSH_TIMEZONE
  SSH_USER

Diff for: src/usr/sbin/reaper

@@ -0,0 +1,119 @@
+#!/usr/bin/env bash
+
+set -e
+
+function __get_ssh_reaper_timeout ()
+{
+	local -r default_value="${1:-3600}"
+
+	local value="${SSH_REAPER_TIMEOUT}"
+
+	if ! __is_valid_ssh_reaper_timeout "${value}"
+	then
+		value="${default_value}"
+	fi
+
+	printf -- '%s' "${value}"
+}
+
+function __is_valid_positive_integer ()
+{
+	local -r positive_integer='^[0-9]+$'
+	local -r value="${1}"
+
+	if [[ ${value} =~ ${positive_integer} ]]
+	then
+		return 0
+	fi
+
+	return 1
+}
+
+function __is_valid_ssh_reaper_timeout ()
+{
+	__is_valid_positive_integer "${@}"
+}
+
+function __reap ()
+{
+	kill -"${signal:-TERM}" "${pid:-1}"
+}
+
+function main ()
+{
+	local -r warning_timeout="30"
+
+	local pid="1"
+	local signal="TERM"
+	local timeout="$(
+		__get_ssh_reaper_timeout
+	)"
+	local verbose="false"
+
+	while [[ "${#}" -gt 0 ]]
+	do
+		case "${1}" in
+			-p)
+				pid="${2}"
+				shift 2 || break
+				;;
+			--pid)
+				pid="${1#*=}"
+				shift 1
+				;;
+			-s)
+				signal="${2}"
+				shift 2 || break
+				;;
+			--signal)
+				signal="${1#*=}"
+				shift 1
+				;;
+			-v|--verbose)
+				verbose="true"
+				shift 1
+				;;
+		esac
+	done
+
+	if (( timeout > 0 ))
+	then
+		trap __reap \
+			EXIT INT TERM
+
+		if (( timeout > warning_timeout ))
+		then
+			(( timeout -= warning_timeout ))
+		else
+			warning_timeout="0"
+		fi
+
+		if coproc read -t "${timeout}"
+		then
+			wait "${!}" || :
+
+			if (( warning_timeout > 0 ))
+			then
+				wall "Session expired - exiting in ${warning_timeout} seconds."
+
+				if coproc read -t "${warning_timeout}"
+				then
+					wait "${!}" || :
+				fi
+			else
+				wall "Session expired."
+			fi
+		fi
+
+		if [[ ${verbose} == true ]]
+		then
+			printf -- \
+				'INFO: %s expiring session.\n' \
+				"${0##*/}"
+		fi
+	fi
+
+	exit 0
+}
+
+main "${@}"