Secure Access to Remote Containers & Hosts
Trust-Tunnel is a tool for creating secure tunnels into remote containers and physical hosts. It provides:
- Seamless Access: reach remote resources without managing SSH passwords
- Permission Control: manage access permissions through a custom permission system
- Sandbox Execution: run commands in isolated sandbox environments to limit the security risk of a session
- Multi-Runtime Support: works with both Docker and Containerd runtimes
Trust-Tunnel consists of three main components:
| Component | Description |
|---|---|
| Trust-Tunnel Agent | Runs on each node and facilitates secure connections |
| Trust-Tunnel Client | CLI tool used by end-users to connect to the agent |
| Auth Server | Manages user permissions for accessing remote resources (optional) |
Features:
- TLS/NTLS Support: secure communication with standard TLS or Chinese national cryptography (SM2/SM3/SM4)
- Multi-Container Runtime: supports Docker and Containerd
- Sidecar Mode: executes commands in sandbox containers with resource limits
- Pluggable Authentication: extensible authentication interface
- Prometheus Metrics: built-in monitoring support
- Audit Logging: complete operation audit trail
Prerequisites:
- Linux
- Docker or Containerd
- Go 1.21+
Build all images and the client binary:
```bash
# Build all images and client binary
make images && make trust-tunnel-client
```
Run the end-to-end tests:
```bash
cd e2e && go test -v .
```
Install the Agent with Helm:
```bash
helm install trust-tunnel-agent ./charts/trust-tunnel-agent
```
The Agent is deployed as a DaemonSet, running one instance per node.
Build and run the Agent binary directly:
```bash
make trust-tunnel-agent
./out/trust-tunnel-agent --config config/config.toml
```
Client flags:
| Flag | Description |
|---|---|
| `-o, --host` | Target host IP address |
| `-it` | Interactive TTY mode |
| `--type` | Connection type: `phys` or `container` |
| `--cid` | Container ID (required when type is `container`) |
| `-d, --disable-clean-mode` | Disable sandbox mode |
| `-c, --cpus` | CPU limit for the sandbox (e.g., 0.5) |
| `-m, --memory` | Memory limit in MB for the sandbox (e.g., 512) |
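The flags above become a request that the Agent has to authorize before it opens a tunnel or starts a sidecar. The following is an added example in Go, not Trust-Tunnel's own permission system (the README does not show its authentication interface): a deny-by-default check that validates the request shape (`--cid` is mandatory for `--type container`), looks the user up in a per-host allow-list, treats `-d` (leaving the sandbox) as a separate privilege, and refuses sidecar resource requests above a cap. The `Request`, `Policy` and `Decision` types, the user names, hosts and the cap values are all assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Request is what the client flags turn into once the Agent receives them
// (-o/--host, --type, --cid, -d, -c/--cpus, -m/--memory). Hypothetical type.
type Request struct {
	User           string
	Host           string
	Type           string  // "phys" or "container"
	CID            string  // required when Type is "container"
	DisableSandbox bool    // -d, --disable-clean-mode
	CPUs           float64 // -c, --cpus; 0 means "use the policy default"
	MemoryMB       int     // -m, --memory; 0 means "use the policy default"
	Command        []string
}

// Policy is a hypothetical permission model (not the project's own): the hosts
// each user may reach, a separate privilege to leave the sandbox, and caps on
// what a sidecar may consume.
type Policy struct {
	AllowedHosts map[string][]string // user -> hosts
	MayDisable   map[string]bool     // user -> may pass -d
	DefaultCPUs  float64
	DefaultMemMB int
	MaxCPUs      float64
	MaxMemMB     int
}

// Decision is what the Agent would execute and record in the audit trail.
type Decision struct {
	Sandbox  bool
	CPUs     float64
	MemoryMB int
}

var (
	ErrInvalid = errors.New("invalid request")
	ErrDenied  = errors.New("denied")
)

// Authorize validates the request shape first, then applies deny-by-default
// permission checks, and finally resolves the sidecar resource limits.
func (p Policy) Authorize(r Request) (Decision, error) {
	switch r.Type {
	case "phys":
	case "container":
		if r.CID == "" {
			return Decision{}, fmt.Errorf("%w: --cid is required when --type is container", ErrInvalid)
		}
	default:
		return Decision{}, fmt.Errorf("%w: unknown --type %q", ErrInvalid, r.Type)
	}
	if !contains(p.AllowedHosts[r.User], r.Host) {
		return Decision{}, fmt.Errorf("%w: %s may not access %s", ErrDenied, r.User, r.Host)
	}
	if r.DisableSandbox && !p.MayDisable[r.User] {
		return Decision{}, fmt.Errorf("%w: %s may not disable sandbox mode", ErrDenied, r.User)
	}
	d := Decision{Sandbox: !r.DisableSandbox, CPUs: r.CPUs, MemoryMB: r.MemoryMB}
	if d.Sandbox {
		if d.CPUs == 0 {
			d.CPUs = p.DefaultCPUs
		}
		if d.MemoryMB == 0 {
			d.MemoryMB = p.DefaultMemMB
		}
		// Over-cap requests are refused rather than silently clamped, so the
		// caller learns the limit instead of getting a smaller sidecar than asked for.
		if d.CPUs > p.MaxCPUs || d.MemoryMB > p.MaxMemMB {
			return Decision{}, fmt.Errorf("%w: %.2f CPUs / %d MB exceeds cap %.2f / %d",
				ErrDenied, d.CPUs, d.MemoryMB, p.MaxCPUs, p.MaxMemMB)
		}
	}
	return d, nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// DemoPolicy is a constructed policy: alice may reach one host and must stay
// sandboxed; ops may reach two hosts and may pass -d.
func DemoPolicy() Policy {
	return Policy{
		AllowedHosts: map[string][]string{"alice": {"10.0.0.5"}, "ops": {"10.0.0.5", "10.0.0.6"}},
		MayDisable:   map[string]bool{"ops": true},
		DefaultCPUs:  0.5, DefaultMemMB: 512,
		MaxCPUs: 2, MaxMemMB: 2048,
	}
}

func main() {
	p, cmd := DemoPolicy(), []string{"sh", "-c", "pwd"}
	for _, r := range []Request{
		{User: "alice", Host: "10.0.0.5", Type: "phys", Command: cmd},
		{User: "alice", Host: "10.0.0.5", Type: "container", Command: cmd},
		{User: "alice", Host: "10.0.0.5", Type: "phys", DisableSandbox: true, Command: cmd},
		{User: "ops", Host: "10.0.0.6", Type: "container", CID: "c0ffee", MemoryMB: 8192, Command: cmd},
	} {
		d, err := p.Authorize(r)
		fmt.Printf("%s@%s %s: decision=%+v err=%v\n", r.User, r.Host, r.Type, d, err)
	}
}
```

The ordering matters: shape errors (`ErrInvalid`) are reported before any permission lookup, while `ErrDenied` carries the reason so the audit log can distinguish an unknown host from an attempt to leave the sandbox.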
Physical host, execute a command:
```bash
./out/trust-tunnel-client -o $HOST_IP sh -c "pwd"
```
Physical host, interactive login:
```bash
./out/trust-tunnel-client -it -o $HOST_IP sh -c "/bin/bash"
```
Container, execute a command:
```bash
./out/trust-tunnel-client -o $HOST_IP --type container --cid $CONTAINER_ID sh -c "pwd"
```
Container, interactive login:
```bash
./out/trust-tunnel-client -it -o $HOST_IP --type container --cid $CONTAINER_ID sh -c "/bin/bash"
```
Run a command with sandbox resource limits:
```bash
./out/trust-tunnel-client -o $HOST_IP --cpus 0.5 --memory 512 sh -c "ls /"
```
The Agent is configured via a TOML file. See config/config.toml for a complete example.
```toml
# Server configuration
host = "0.0.0.0"
port = "5006"

# Session configuration
[session_config]
phys_tunnel = "nsenter" # Physical host tunnel method: nsenter or sshd

# Container runtime configuration
[container_config]
endpoint = "unix:///var/run-mount/docker.sock"
container_runtime = "docker" # docker or containerd

# Sidecar configuration
[sidecar_config]
image = "trust-tunnel-sidecar:latest"
limit = 150 # Maximum sidecar containers per node
```
Sandbox mode (the default): commands are executed in an isolated environment:
- Container: creates a Sidecar container sharing the target container's namespaces
- Physical Host: uses `nsenter` to enter the host namespaces
Sandbox mode disabled (`-d`): commands are executed directly:
- Container: uses `docker exec` directly
- Physical Host: uses an SSH connection
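Every setting in the configuration above has a small set of valid values (`phys_tunnel` is `nsenter` or `sshd`, `container_runtime` is `docker` or `containerd`, the sidecar `limit` is a per-node count), and a wrong value only surfaces when a session is opened. The following is an added example in Go, not the project's own configuration loader: a parser for the TOML subset the excerpt actually uses (top-level keys, `[sections]`, quoted strings, integers, `#` comments) plus a validator that reports every setting outside its valid range before the Agent starts. The sample configuration embedded in the block is the excerpt above; the check that the runtime endpoint is a local `unix://` socket is an added caveat, since a runtime API reachable over TCP widens who can drive the container runtime.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Config holds the agent settings as "section.key" -> value strings. Added
// example with a deliberately small parser, not the project's own loader.
type Config map[string]string

// ParseConfig parses src line by line and rejects anything outside the subset.
func ParseConfig(src string) (Config, error) {
	cfg := Config{}
	section := ""
	for n, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(stripComment(raw))
		if line == "" {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.TrimSpace(line[1 : len(line)-1])
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("line %d: expected key = value", n+1)
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		if strings.HasPrefix(val, `"`) {
			if len(val) < 2 || !strings.HasSuffix(val, `"`) {
				return nil, fmt.Errorf("line %d: unterminated string", n+1)
			}
			val = val[1 : len(val)-1]
		} else if _, err := strconv.Atoi(val); err != nil {
			return nil, fmt.Errorf("line %d: unsupported value %q", n+1, val)
		}
		if section != "" {
			key = section + "." + key
		}
		cfg[key] = val
	}
	return cfg, nil
}

// stripComment drops a trailing # comment but leaves a # inside quotes alone.
func stripComment(s string) string {
	inString := false
	for i, c := range s {
		if c == '"' {
			inString = !inString
		} else if c == '#' && !inString {
			return s[:i]
		}
	}
	return s
}

// Validate returns one message per setting that would leave the agent
// misconfigured; an empty slice means the config passes.
func (c Config) Validate() []string {
	var problems []string
	check := func(ok bool, msg string) {
		if !ok {
			problems = append(problems, msg)
		}
	}
	port, err := strconv.Atoi(c["port"])
	check(c["host"] != "", "host must be set")
	check(err == nil && port >= 1 && port <= 65535, "port must be an integer between 1 and 65535")
	check(oneOf(c["session_config.phys_tunnel"], "nsenter", "sshd"), "session_config.phys_tunnel must be nsenter or sshd")
	check(oneOf(c["container_config.container_runtime"], "docker", "containerd"), "container_config.container_runtime must be docker or containerd")
	// Added caveat: a runtime API reachable over TCP widens who can drive the runtime.
	check(strings.HasPrefix(c["container_config.endpoint"], "unix://"), "container_config.endpoint should be a local unix:// socket")
	limit, err := strconv.Atoi(c["sidecar_config.limit"])
	check(err == nil && limit >= 1, "sidecar_config.limit must be a positive integer")
	return problems
}

func oneOf(v string, allowed ...string) bool {
	for _, a := range allowed {
		if v == a {
			return true
		}
	}
	return false
}

// sampleConfig is the config/config.toml excerpt from the README, embedded so the example runs offline.
const sampleConfig = `
# Server configuration
host = "0.0.0.0"
port = "5006"
[session_config]
phys_tunnel = "nsenter" # Physical host tunnel method: nsenter or sshd
[container_config]
endpoint = "unix:///var/run-mount/docker.sock"
container_runtime = "docker" # docker or containerd
[sidecar_config]
image = "trust-tunnel-sidecar:latest"
limit = 150 # Maximum sidecar containers per node
`

func main() {
	cfg, err := ParseConfig(sampleConfig)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("parsed %d settings, problems: %v\n", len(cfg), cfg.Validate())
}
```

Running the block against the embedded excerpt reports no problems; swapping in an unsupported runtime name, a TCP endpoint or `limit = 0` produces one message per bad setting, which is the point of validating before the first session rather than on it.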
Security features:
- Sandbox Isolation: Sidecar containers isolate command execution
- Resource Limits: CPU and memory constraints prevent resource abuse
- Permission Verification: pluggable authentication system
- Audit Trail: all operations are logged for auditing
- Encrypted Communication: TLS or NTLS (Chinese national cryptography)
We welcome contributions! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add some amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
This project is licensed under the Apache 2.0 License - see the LICENSE file for details.

