babbarc/workspaces
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
workspaces/ssh_router.sh
Pallav Vasa 156b47aded feat: use locally built image for starting a pod
2025-05-16 23:35:00 +00:00

188 lines
5.4 KiB
Bash
Executable File
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/bin/bash
PERSON="$1"
WORKSPACE="$SSH_ORIGINAL_COMMAND"
IMAGE="localhost/analytics-backend-workspace:latest"
DEV_USER="devuser"
XDG_RUNTIME_DIR="/run/user/$(id -u)"
LOG_FILE="/tmp/.ssh-router-${PERSON}.log"
log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" >>"$LOG_FILE"
}
if [[ ! -t 0 ]]; then
log "❌ No TTY allocated — refusing to run tmux without an interactive terminal"
echo "Error: No TTY. Use 'ssh -t'" >&2
exit 1
fi
# log "🧩 IMAGE = '$IMAGE'"
# log "🧩 WORKSPACE = '$WORKSPACE'"
# log "🧩 PERSON = '$PERSON'"
# Fallbacks
if [[ -z "${WORKSPACE:-}" ]]; then
WORKSPACE="$PERSON"
log " Defaulted WORKSPACE to $WORKSPACE"
fi
TMUX_SESSION="$WORKSPACE|analytics-backend"
# Start podman socket service if it's not running
if [[ ! -S "$XDG_RUNTIME_DIR/podman/podman.sock" ]]; then
log "🔄 Starting Podman socket service for user $USER"
systemctl --user start podman.socket || {
log "❌ Failed to start podman.socket via systemd"
exit 1
}
# Wait briefly for socket to appear
sleep 1
fi
if [[ ! -S "$XDG_RUNTIME_DIR/podman/podman.sock" ]]; then
log "❌ Podman socket still missing after startup attempt"
exit 1
fi
# Check if image exists locally
if ! podman image exists "$IMAGE"; then
log "📦 Image $IMAGE not found locally. Pulling from registry..."
# Attempt to pull the image from the local registry (insecure HTTP)
if ! podman pull --tls-verify=false "$IMAGE"; then
log "❌ Failed to pull image from $IMAGE"
exit 1
fi
log "✅ Successfully pulled $IMAGE"
fi
case "$SSH_ORIGINAL_COMMAND" in
*scp* | *sftp* | *rsync* | *tar*)
log "❌ File transfers are disabled"
exit 1
;;
esac
# Function to start the container if not running
start_container_if_needed() {
if ! podman container exists "$WORKSPACE"; then
log "🚀 Creating container $WORKSPACE..."
podman run -dit \
--userns=keep-id \
--name "$WORKSPACE" \
--user "$DEV_USER" \
--hostname "$WORKSPACE" \
--label auto-cleanup=true \
-v "${XDG_RUNTIME_DIR}"/podman/podman.sock:/run/podman/podman.sock \
-v /home/infilytics/data/"$WORKSPACE":/app \
-v /home/infilytics/secrets/"$WORKSPACE"/gitconfig:/home/"$DEV_USER"/.gitconfig:ro \
-v /home/infilytics/secrets/"$WORKSPACE"/id_ed25519:/home/"$DEV_USER"/.ssh/id_ed25519:ro \
-v /home/infilytics/secrets/"$WORKSPACE"/id_ed25519.pub:/home/"$DEV_USER"/.ssh/id_ed25519.pub:ro \
--entrypoint "/home/$DEV_USER/start.sh" \
"$IMAGE" "${TMUX_SESSION}"
elif ! podman inspect -f '{{.State.Running}}' "$WORKSPACE" | grep -q true; then
log "⚡ Starting existing container $WORKSPACE..."
podman start "$WORKSPACE" >/dev/null 2>&1
fi
sleep 1
}
# After devuser exits...
check_devuser_attached() {
# Get list of clients
client_users=$(podman exec "$WORKSPACE" tmux list-clients -t "$TMUX_SESSION" -F "#{client_user}" 2>/dev/null)
if echo "$client_users" | grep -q "$DEV_USER"; then
log "💡 devuser still attached — container stays running"
return 0
else
log "🏃 $PERSON has logged out — stopping container"
podman stop "$WORKSPACE" >/dev/null 2>&1
return 1
fi
}
get_access_mode() {
local yaml_file="access.yml"
local workspace="$1"
local person="$2"
if [[ ! "$workspace" =~ ^[a-zA-Z0-9._-]+$ ]]; then
log "❌ Invalid container name: $WORKSPACE"
exit 1
fi
# Special case: user accessing their own workspace
if [[ "$workspace" == "$person" ]]; then
echo "access=rw"
return 0
fi
# Check rw
if yq '.["'"$person"'"].rw // []' "$yaml_file" | grep -q "\b$workspace\b"; then
echo "access=rw"
return 0
fi
# Check ro
if yq '.["'"$person"'"].ro // []' "$yaml_file" | grep -q "\b$workspace\b"; then
echo "access=ro"
return 0
fi
# No access → exit with error
log "$person has no access to $workspace" >&2
exit 1
}
# === Main ===
read -r access_line < <(get_access_mode "$WORKSPACE" "$PERSON") || exit 1
MODE="${access_line#access=}"
case "$MODE" in
rw)
start_container_if_needed
# Run tmux session inside the container
if ! podman exec -it --user "$DEV_USER" "$WORKSPACE" tmux has-session -t "$TMUX_SESSION" >/dev/null 2>&1; then
if ! podman exec -it -e EDITOR=nvim --user "$DEV_USER" "$WORKSPACE" tmux new-session -d -s "$TMUX_SESSION" >/dev/null 2>&1; then
log "❌ Could not create new tmux session. Please contact admin or try again later."
exit 1
fi
fi
log "$PERSON is working on $WORKSPACE's workspace"
if ! podman exec -it -e TERM="$TERM" --user "$DEV_USER" "$WORKSPACE" tmux attach -t "$TMUX_SESSION"; then
log "❌ Could not attach to tmux session. Please contact admin or try again later."
exit 1
fi
log "$PERSON finished working on $WORKSPACE's worksapce"
check_devuser_attached
exit 0
;;
ro)
if (podman container exists "$WORKSPACE" && podman inspect -f '{{.State.Running}}' "$WORKSPACE" | grep -q true) >/dev/null 2>&1; then
log "📜 $PERSON is viewing $WORKSPACE's workspace"
if ! podman exec -it -e TERM="$TERM" --user "$DEV_USER" "$WORKSPACE" tmux attach -r -t "$TMUX_SESSION"; then
log "❌ Could not attach to tmux session. Please contact admin or try again later."
exit 1
fi
log "🏃 $PERSON stopped viewing $WORKSPACE's workspace"
exit 0
else
log "❌ Workspace for $WORKSPACE does not exist."
exit 1
fi
;;
*)
log "❌ Invalid access mode: $MODE"
exit 1
;;
esac
Reference in New Issue View Git Blame Copy Permalink