Console Shell
General features
The Equinox OSGi console is based on Apache Felix Gogo shell. The console provides:
- support for the ssh protocol (in addition to the telnet connectivity)
- JAAS-based user authentication
- improved tab completion
The default authentication is password-based, but key-based authentication is also supported.
Installation and configuration of the console
Running without SSH
- Place the necessary bundles in a folder. The bundles are:
- org.apache.felix.gogo.command_<version>.jar
- org.apache.felix.gogo.runtime_<version>.jar
- org.apache.felix.gogo.shell_<version>.jar
- org.eclipse.equinox.console_<version>.jar
- org.eclipse.osgi.jar
- Create a configuration subfolder and a config.ini file in it.
- Add the following entries in the config.ini file:
osgi.bundles=org.apache.felix.gogo.runtime,\
org.apache.felix.gogo.command,\
org.apache.felix.gogo.shell,\
org.eclipse.equinox.console
osgi.console=<port>
- Start the Equinox framework with the following command line:
java -jar org.eclipse.osgi.jar
The property osgi.console
specifies the port on which the console should listen for telnet connections. Instead of specifying this property,
you can start the framework with the -console <port>
option. If you do not specify the port in either of these ways, the console will
not listen for telnet connections.
If you start with the option -console
and do not specify the port, you will be able to interact with the console through the standard input.
Running with SSH
If you want to access the console through SSH, you need more bundles and configurations.
- Place the necessary bundles in a folder. The bundles are:
- org.apache.felix.gogo.command_<version>.jar
- org.apache.felix.gogo.runtime_<version>.jar
- org.apache.felix.gogo.shell_<version>.jar
- org.eclipse.equinox.console_<version>.jar
- org.eclipse.equinox.console.ssh_<version>.jar
- org.eclipse.equinox.console.jaas.fragment_<version>.jar
- org.eclipse.osgi.jar
- org.apache.mina.core_<version>.jar
- org.apache.sshd.core_<version>.jar
- slf4j-api
- some slf4j-api implementation
- Create a configuration subfolder and a config.ini file in it.
- Add the following entries in the config.ini file:
osgi.bundles=org.apache.felix.gogo.runtime,\
org.apache.felix.gogo.command,\
org.apache.felix.gogo.shell,\
org.eclipse.equinox.console,\
slf4j-api,\
<slf4j-api_impl>,\
org.apache.mina.core,\
org.apache.sshd.core,\
org.eclipse.equinox.console.ssh@start,\
org.eclipse.equinox.console.jaas.fragment
osgi.console.ssh=<port>
osgi.console.ssh.useDefaultSecureStorage=true
- Create a file with name org.eclipse.equinox.console.authentication.config in the configuration subfolder.
- Add the following entry to org.eclipse.equinox.console.authentication.config file:
equinox_console {
org.eclipse.equinox.console.jaas.SecureStorageLoginModule REQUIRED;
};
- Create logging configuration file. This depends on the particular implementation of slf4j-api, which you have chosen.
- Start the Equinox framework with the following command line:
java -Djava.util.logging.config.file=configuration/logging.properties \
-Dssh.server.keystore=configuration/hostkey.ser \
-Dorg.eclipse.equinox.console.jaas.file=configuration/store \
-Djava.security.auth.login.config=configuration/org.eclipse.equinox.console.authentication.config \
-jar org.eclipse.osgi.jar
Notes:
- For both properties, specifying the telnet and ssh ports, you can also specify the host:
osgi.console=<host>:<port>
osgi.console.ssh=<host>:<port>
where <host> is either localhost or 127.0.0.1, so that the console listens for telnet connections only from the localhost.
You can use both telnet and ssh. For this you have to specify both properties.
- The version of slf4j-api must be in the range [1.5,2]
- The property
osgi.console.ssh.useDefaultSecureStorage
is necessary only if ssh is used and the default login mechanism is used (i. e., a custom login module is not provided)
- The configuration file org.eclipse.equinox.console.authentication.config may have a different name, but its name must be given as a value of the property
-Djava.security.auth.login.config
accordingly.
- The bundles org.eclipse.equinox.console_<version>.jar, org.eclipse.equinox.console.ssh_<version>.jar and org.eclipse.equinox.console.jaas.fragment_<version>.jar,
as well as the three Gogo bundles are available in Equinox SDK, which can be downloaded from the Equinox download page
- You can download the bundles org.apache.mina.core_<version>.jar and org.apache.sshd.core_<version>.jar Eclipse Orbit repository.
- You can download slf4j-api and an slf4j implementation from here.
- For logging you can use instead org.slf4j.api from Eclipse Orbit repository. In this case you should take from this repository the logback slf4j implementation. It consists of
three bundles - ch.qos.logback.classic, ch.qos.logback.core and ch.qos.logback.slf4j.
- All configuration files, excluding config.ini, may be placed in a folder, different from the configuration subfolder. In this case the VM properties must be changed respectively to point to the correct folder.
JAAS Authentication
The Equinox console uses JAAS authentication when the SSH is used. The default JAAS login module, implemented in the console, uses custom store file,
where it stores users and passwords. The passwords are one-way encrypted. The console also provides shell commands for administering users:
- add user
- delete user
- list users
- reset user password
- change user password
- add user roles
- remove user roles
There is a default user equinox with password equinox, which is dynamically created when the ssh starts if no other user exists
in the user store. Upon first login, the console prompts the user to create a new user, and automatically deletes the default user. The password
must be at least 8 symbols long. The username may contain alphanumerical characters, plus underscore and dot.
Currently only authentication is implemented in the console. All authenticated users have similar rights. Implementing authorization may
be a future enhancement. That is why roles are introduced, although they are not currently used.
If the default JAAS login module is be used, then the property osgi.console.ssh.useDefaultSecureStorage
must be set to
true
. The file, where the users are stored, is specified through the property org.eclipse.equinox.console.jaas.file
Using Custom JAAS Authentication Login Module
Custom JAAS authentication login modules could be used with the ssh instead of the default one. If a custom login module is used,
then the property osgi.console.ssh.useDefaultSecureStorage
must not be set at all. The custom module must be specified
in the file org.eclipse.equinox.console.authentication.config
instead of the default entry there, or in a different file.
If a different file is used, then its name must be specified as the value of the property -Djava.security.auth.login.config
instead of org.eclipse.equinox.console.authentication.config
.
Also, it will be necessary to create a fragment to sshd-core bundle, with which to import the package of the custom login module. This is necessary
for the sshd to be able to load the module class.
Key-based Authentication
Instead of using JAAS authentication, the console can use key-based user authentication with ssh. It is possible to provide a file containing a list
of keys that are allowed to connect to the SSH console. The file will be read every time a connection is made so that it can be modified dynamically
at runtime. The file is specified with the property ssh.server.authorized_keys
. If you use key-based authentication you do not need
to specify the JAAS-related properties java.security.auth.login.config
and
osgi.console.ssh.useDefaultSecureStorage
.
The console supports also custom public keys authentication. If no specific authorized_keys file is configured (via system property) the OSGi service
registry will be searched for available authenticators. To enable this feature you have to set the property
ssh.custom.publickeys.auth
to true
.
Configuring of telnet and ssh host and port through Configuration Admin service
The console provides the option to configure the telnet and ssh host and port through Configuration Admin instead of
through the properties osgi.console=<host>:<port>
and osgi.console.ssh=<host>:<port>
.
This could be helpful in more complex scenarios, for example when you want to run different instances of the console in different subsystems of the
framework. In this case if the port is configured through a system property, it is one and the same for all console instances and only one
will be able to bind to the socket.
If this feature is used, then you should:
- set the property
osgi.console.useConfigAdmin
to true
- install and start, along with the console bundles, the org.eclipse.equinox.cm bundle and its dependencies
- write a bundle to provide the configuration with the telnet and ssh properties
The configuration PID for the telnet configuration is osgi.console.telnet
and for the ssh configuration is osgi.console.ssh
.
Both configurations have the following properties:
All must have values of type String.
The enabled
property determines if telnet/ssh is to be started at all. If the value is true
, telnet/ssh is started.
If the value is false
, or the property enabled
is absent, the telnet/ssh is not started.
Using Commands
The Gogo shell, on which the Equinox console is based, supports different type of commands from these currently supported in Equinox. Currently in Equinox,
commands are provided by a class implementing the CommandProvider
interface. The Equinox console provides an adapter from this type of commands
to the new type of commands, used in Gogo. They commands are arbitrary classes, registered as services, with two special properties:
osgi.command.scope
- specifies the scope of the command
osgi.command.function
- specifies the commands provided by this service; this is a list of the names of public methods in the service class, which must be available for execution as commands
The commands in the Equinox console use the notion of command scope. The scope can be used, for example,
to differentiate between commands with one and the same name, but provided by different providers. Then they should have different scopes.
The scope is a prefix of the command name, separated from it with a column. When writing the command in the console, the scope may or may not be specified.
If the scope is not specified, then the command with this name from the default scope is used. If in the default scope there is no command with such name,
all commands are searched.
If there is more than one command with the specified name in different scopes, it is not guaranteed which one will be actually
executed. Therefore, if you know that there are commands with the same name but different scopes, you must explicitly prefix the command name with the
scope to ensure that you will get executed exactly the command you want.
The legacy commands, adapted by the Equinox console, have scope equinox
.
Getting Help for Commands
The default help command in Gogo lists the names of the registered commands, and if it is called with a command name as an argument, it displays help message for the
specified command. The default help command does not provide help for the legacy Equinox commands, which are adapted by the Equinox console. For this reason the
Equinox console provides its own help command, which calls the default help, but could also provide help for the legacy commands.
If no argument is specified the names of all new commands are displayed.
If a command name is specified, the help message for this command is displayed. If the command is legacy and the CommandProvider
, which provides this command,
does not provide separate help for each command (this is a new feature, introduced in Equinox 3.7), then the help messages for all commands in this CommandProvider
are displayed.
The help command supports -scope
argument, which should be used as follows: help -scope <command_scope>
. Thus the help command will display help only for the
commands with the specified scope.
There is also a man
command. It accepts the same arguments as the help command and has the same semantics.
Writing Gogo Commands
Writing Gogo commands is easy. You have to do the following:
- Write your class with all commands you want implemented as public methods. Methods may have arbitrary arguments. Also, unlike Equinox command providers, in RFC 147 there is no interface that the class of the command provider should implement.
- Register the command provider as a service with the two properties, described above.
Something new for Gogo commands are the converters and formatters.
The converter is a class which converts the arguments, passed on the command line, to the actual arguments,
which the command accepts. For example, the command may have one argument of type Bundle
. There may be a converter, which from a long finds the bundle with this id.
Then the command may be called with the ID of the bundle as an argument, the converter will convert it to the corresponding Bundle
object and the command method will
be called with this object as an argument.
The formatter is a class which displays the result, returned by the command method.
For more information on Gogo commands, you can check the Gogo documentation.
Tab Completion
The console provides tab completion. This feature is available only when connecting through telnet or ssh.
Completion is available for:
- command names
- variable names - these must be previously defined in the session; variable names may be passed as command arguments
- file names - passed as command arguments
When the tab
key is typed, all possible candidates for completion for the current word are searched. If there is only one possible completion,
the current word is automatically completed. If there are more than one options, all are displayed in a column. The possible options can be iterated by hitting
tab
multiple times, until the desired completion candidate is reached.
If longest common prefix of all available completion candidates is longer than the current word, then the current word is completed automatically to this prefix, before choosing
the final completion. For example, if we have the following available completions for the word bun
:
- bundles
- bundle
- bundlelevel
the current word is completed automatically to bundle
, and then by hitting tab
you can choose which completion you like, or may type it for yourself.
The console allows custom command completers to be provided. A custom completer should implement the interface org.eclipse.equinox.console.common.Completer
, provided by
the bundle of the Equinox console. It has the single method getCandidates
, which get as a parameter the whole command line and the current cursor position in it, and returns
a map with all completion candidates, and the position in the command line, on which the completion begins. The keys in the map are the candidates, and the values - the start position
for the completion.
Command Line Editing
Both with telnet and ssh command line editing is available in addition to tab completion. The following functions are supported:
- backspace - deletes the character to the left of the cursor
- delete - deletes the character on the cursor position
- home/end - moves the cursor to the beginning/end of the command line
- left/right arrow - moves the cursor one character left/right
- up/down arrow - moves backward/forward one entry in the command history
- pageup/pagedown - moves to the first/last entry of the command history
These functions are supported also when the the console is run standalone with Equinox. In PDE these features are not supported.
Closing Telnet or Ssh Session
Both telnet and ssh sessions are closed with the disconnect command.
Running Non-interactive Shell
In some cases you may wish to run the console without an interactive session. In this case, the console can be connected from telnet and ssh, but is not available
on standard in and out. For this the following property should be specified: -Dgosh.args=--nointeractive