Hello,
it took me some time to find apps to enable me to share a shell in a browser.
Me and friend managing some simple VPSs that shall be managed from a central management server to simplify workflow.
There are cases that we still need a shell and allowing us to share this session would be extremely helpful.
In addition, when I'm at work, SSH is blocked so it quite challenging to manage them.
So is tmate the tool to get around this?
The architecture is close to this one:
thank you for answering my humble question which answer might be obvious but due to my endless searching I cannot see the woods for the trees.
Stefan
--
You received this message because you are subscribed to the Google Groups "tmate.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tmate-io+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/tmate-io/58ed180f-113e-496d-9418-67dc5bc0b52e%40googlegroups.com.
Hi Nico,
thx for the quick reply, didn't expect that :)
1) Register an API key on tmate.io (no information needed aside from an email).
that would mean I use your server as relaying service, wouldn't it? I could setup my own server on the management server, could I?
Provided that your company doesn't block websockets
Any test server around I could try to connect to? That would
exclude config errors on the machine, which run the tmate service.
Stefan
Hi Nico,
thx for the quick reply, didn't expect that :)
that would mean I use your server as relaying service, wouldn't it? I could setup my own server on the management server, could I?1) Register an API key on tmate.io (no information needed aside from an email).
Provided that your company doesn't block websocketsAny test server around I could try to connect to? That would exclude config errors on the machine, which run the tmate service.
Yes, and Yes.
that would mean I use your server as relaying service, wouldn't it? I could setup my own server on the management server, could I?
1) Register an API key on tmate.io (no information needed aside from an email).
Yes, and Yes. To host your own servers, follow the section "Development environment", and move to production. It's pretty involved though.
so I follow "Host your own tmate servers" with help given in https://groups.google.com/forum/#!topic/tmate-io/C5vhLKk1GcM.
If I want to reduce time spending on updating the container I follow "Development environment" and https://docs.tilt.dev/docker_compose.html
Provided that your company doesn't block websockets
Any test server around I could try to connect to? That would exclude config errors on the machine, which run the tmate service.
Just install and run "tmate -F" on your local machine. You'll get a random session URL.
I do have some problems to understand the architecture, in particulate as I'm afraid that expression are mixed, so I try it to explain it in my own words, from scratch.
Linux runs through the startup process means:
my sources:
Now let us continue with tmate
I'm in my console as root and install tmate as shwon on https://tmate.io/.
I can now start tmate by either
In case 1, the client is started (not a server as said by "tmate -F...starts the server side of tmate") this creates an SSH connection to the mate server what is either either tmate.io or you own tmate/tmate-ssh-server and, if required tmate Webhooks.
This is the standard procedure as shown in many tutorials:
That triggers that there is a pseudoterminal (pty) started on the client computer, the remote machine we want to control. This pty acts a pty slave, which provides an interface that behaves exactly like a classical terminal. The tmate client attach a process to the pty , what is in most cases a shell. The input to the program attached at the pty master end, what is on the tmate server . Anything that is written on the master end is provided to the process on the slave end as though it was input typed on a terminal, so the program on the client computer is driven by a program that is attached to the master.
I'm repeating more or less what is written on pty(7): pseudoterminal interfaces - Linux man page.
In case 2 the tmate client is started as foreground process. "Foreground processes refer to applications you are running that you are currently interacting with, and which applies equally to graphical user interfaces as it does to the command line" taken from Getting Started With Linux - Foreground vs Background Processes - blog.100tb.com.
I don't see any advantage of this as streams are running between the pty and shell and from the to the system and back are involved. As soon as I run a shell stdin, stdout stderr are involved anyway. It might be helpful if you run another shell, what is not initiated by tmate and want to stream the remote input to local shall. Is that what you are saying?
It is quite challenging to understand the architecture. I read "Technical Details" and the paper "tmate: A scalable UNIX terminal sharing/management tool". The process above is quite simplified but it is more or less the route isn't although you run certain process in isolated non-privileged namespaces and using UNIX-sockets for on inter-computer-communication to increase security.
The only diagram I found is the one on Tmate - Securely Share SSH Terminal Session with Linux Users. May you copy that and create a diagram on draw.io what allows to store the diagram files on GitHub.
The folks of Mosh made a nice slide showing their concept, see Mosh: An Interactive Remote Shell for Mobile Clients - YouTube
Back again to security. It is said that tmate server container needs to run with --cap-add=SYS_ADMIN
what is for security reasons, but still don't like it:
Unfortunately docker-stack does not support cap-add
what could me allow to bring up and down using portainer.
Does is it apply for the client as well?
So I wonder how can I activate tmate on demand without shell access?
Any safer possibility using docker?
What I can think of is to use a Treafik revers proxy what reacts to docker label. May protainer see the tmater container when start it manually, so I can dis-/connected from the web changing the label of the container using portainer.
Talking about docker container, are you aware of the other docker images:
any advance using them?
Last but not least, as you mentioned TILT. Any advice when running on swarms, as TILT works only with compose and is not supported by portainer.
There is some useful read on docs.docker :https://docs.docker.com/engine/swarm/swarm-tutorial/rolling-update/ but haven't tested it yet following the examples in https://docs.tilt.dev/docker_compose.html.
Portainer is yet able to do so: https://github.com/portainer/portainer/issues/3197
Sorry for all these question but the more I read and searched the more question marks arose.
Stefan
I wouldn't recommend them. The officials ones are fine.
Thanks,
Nico
--
You received this message because you are subscribed to the Google Groups "tmate.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tmate-io+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/tmate-io/73a8f8fb-9f86-45f7-a3c0-4f5ad341c576%40googlegroups.com.
I had a bit of trouble parsing your email, but I think I found your questions:
I still do not understand why the tmux client/server architecture is not compatible across an IP network as ssh to IP works as well.Because it sends file descriptors though a UNIX socket. That's not possible via IP sockets.
So I wonder how can I activate tmate on demand without shell access?Yes, run it as a system daemon, like with systemd
Once you close the shell, the tmate daemon would die
Back again to security. It is said that tmate server container needs to run with
--cap-add=SYS_ADMIN
what is for security reasons, but still don't like it:
...
Any safer possibility using docker?
Sure: docker run -it tmate/tmate tmate
but that would now allow
Note that you need to add the SYS_ADMIN capability to the container. This is needed to create nested containers (namespaces) to secure sessions.
I can now start tmate by either
- tmate
- tmate -F
I had a bit of trouble parsing your email, but I think I found your questions:> I still do not understand why the tmux client/server architecture is not compatible across an IP network as ssh to IP works as well.Because it sends file descriptors though a UNIX socket. That's not possible via IP sockets.> [cap_sys_admin] Does is it apply for the client as well?No> So I wonder how can I activate tmate on demand without shell access?Yes, run it as a system daemon, like with systemd> Any safer possibility using docker?Sure: docker run -it tmate/tmate tmate> [docker containers] any advice using them?I wouldn't recommend them. The officials ones are fine.
Thanks,
Nico
On Mon, Feb 17, 2020 at 12:38 PM <stefan....@gmail.com> wrote:
Hi,--
I found some explanation in http://viennot.com/tmate.pdf what is mentioned in the Article on tmate, whereby the architecture diagram is not available anymore.
Unfortunately, this explanation is not available any more.Stefan
Am Dienstag, 11. Februar 2020 12:22:09 UTC+1 schrieb stefan....@gmail.com:Hi Nico,
was it too much I asked for or too noob-wise?
Shall I rephrase or do you need some time to compile an appropriated answer?Thank youStefan
You received this message because you are subscribed to the Google Groups "tmate.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tmat...@googlegroups.com.