Cystem is a secure, reusable way to create and manage persistent Debian chroot environments with SSH and web terminal access. It uses modern software design patterns to provide a robust, maintainable, and secure system.
- Design Patterns: Builder, Factory, Strategy, Singleton, Observer
- Security Hardening: SSH key authentication, firewall rules, resource limits
- Configuration Profiles: minimal, standard, secure, development configurations
- Event Logging: Comprehensive audit trail with multiple loggers
- CLI Interface: Intuitive command-line interface
- Builder Pattern (lib/builder.h/cpp)
  - Constructs chroot environments step by step
  - Supports incremental configuration
  - Enables rollback on failures
- Factory Pattern (lib/factory.h/cpp)
  - Creates predefined configuration profiles
  - Easy to extend with new profiles
  - Standardizes secure baselines
- Singleton Pattern (lib/config.h/cpp)
  - Global configuration state management
  - Thread-safe implementation
  - Configuration persistence
- Strategy Pattern (lib/strategy.h/cpp)
  - Pluggable authentication methods
  - SSH key, password, MFA strategies
  - Easy to add new authentication methods
- Observer Pattern (lib/observer.h/cpp)
  - Event logging and monitoring
  - Multiple log destinations
  - Audit trail capabilities
```text
.
├── CMakeLists.txt        # Build configuration
├── README.md             # Documentation
├── .gitignore            # Git ignore rules
├── include/
│   ├── builder.h         # Builder pattern header
│   ├── cli.h             # CLI interface header
│   ├── config.h          # Singleton config header
│   ├── factory.h         # Factory pattern header
│   ├── observer.h        # Observer pattern header
│   ├── strategy.h        # Strategy pattern header
│   └── utils.h           # Utility functions header
├── lib/
│   ├── builder.cpp       # Builder implementation
│   ├── cli.cpp           # CLI implementation
│   ├── config.cpp        # Singleton implementation
│   ├── factory.cpp       # Factory implementation
│   ├── observer.cpp      # Observer implementation
│   ├── strategy.cpp      # Strategy implementation
│   └── utils.cpp         # Utility implementation
├── scripts/
│   ├── install.sh        # Installation script
│   └── uninstall.sh      # Uninstallation script
└── src/
    └── main.cpp          # Entry point

4 directories, 20 files total
```
- CMake 3.14+
- C++ compiler (GCC 10+ or Clang 12+)
- debootstrap
- sudo or root access
```bash
# Clone the repository
cd cystem-chroot_master

# Create build directory
mkdir build && cd build

# Configure CMake
cmake .. -DCMAKE_BUILD_TYPE=Release

# Build
make -j$(nproc)

# Install
sudo make install
```

Alternatively, use the installation script:

```bash
# Make script executable
chmod +x scripts/install.sh

# Run as root
sudo ./scripts/install.sh

# Custom installation prefix
sudo ./scripts/install.sh --prefix=/opt

# Debug build
sudo ./scripts/install.sh --build-type=Debug
```
```bash
# Show help
cystem help

# List available profiles
cystem profile list

# Build a new instance
cystem build myinstance --profile standard

# Start services
cystem start myinstance --ssh --web

# Check status
cystem status myinstance

# Stop services
cystem stop myinstance

# List all instances
cystem list

# Delete an instance
cystem delete myinstance
```

Create a new chroot environment.
```text
cystem build <instance_name> [OPTIONS]

Options:
  -p, --profile <name>    Configuration profile (default: standard)
  -k, --ssh-key <key>     SSH public key for authentication
  -m, --packages <pkgs>   Additional packages to install
  -f, --force             Force rebuild if instance exists

Examples:
  cystem build myinstance
  cystem build myinstance --profile secure
  cystem build myinstance --ssh-key "$(cat ~/.ssh/id_rsa.pub)"
```

Start services in the chroot environment.
```text
cystem start <instance_name> [OPTIONS]

Options:
  -s, --ssh           Start SSH server (default: true)
  -w, --web           Start web terminal
  -p, --port <port>   Custom SSH port (default: 2222)

Examples:
  cystem start myinstance
  cystem start myinstance --ssh --web
  cystem start myinstance --port 2223
```

Stop all services and unmount filesystems.
```text
cystem stop <instance_name>

Examples:
  cystem stop myinstance
```

Show status of the chroot environment.
```text
cystem status [instance_name]

Examples:
  cystem status
  cystem status myinstance
```

List all available instances and profiles.
```text
cystem list [OPTIONS]

Options:
  --instances   Show instances (default: true)
  --profiles    Show profiles (default: true)

Examples:
  cystem list
  cystem list --profiles
```

Delete a chroot environment.
```text
cystem delete <instance_name> [OPTIONS]

Options:
  -f, --force   Skip confirmation

Examples:
  cystem delete myinstance
  cystem delete myinstance --force
```

Manage configuration profiles.
```text
cystem profile [list|show <name>]

Examples:
  cystem profile list
  cystem profile show standard
```

Show version information.
```text
cystem version
```

Show help information.

```text
cystem help
cystem help build
```

| Profile | Description | Use Case |
|---|---|---|
| minimal | Basic chroot with SSH | Simple isolated environments |
| standard | Full-featured with web | General purpose development |
| secure | Hardened security | Production with strict security |
| development | With build tools | Software development |
- SSH Key Authentication (default): Most secure method
- Password Authentication: Available but not recommended
- Multi-Factor Authentication: Combines multiple methods
- Firewall rules (ufw)
- SSH hardening options
- Connection rate limiting
- Memory limits via cgroups
- Process count limits
- File descriptor limits
- sysctl configuration
- PAM limits
- Warning banners
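How the memory and process limits above would be enforced through cgroup v2, as an added example that is not Cystem's own code: it takes the memory_limit_mb and max_processes values from main.conf, writes memory.max and pids.max into a per-instance cgroup directory, and then moves a PID into that group so the limits cover it and all of its children. The cgroup root is a parameter so the logic can be run against a scratch directory; the cystem/<instance> directory layout and every function name here are assumptions made for the example.

```cpp
// Added example (not Cystem's code): apply main.conf's memory_limit_mb and
// max_processes as cgroup v2 limits. The cgroup root is a parameter so the
// logic can be exercised against a scratch directory; on a real host it is
// /sys/fs/cgroup and the caller must be root. The cystem/<instance> layout
// and all function names here are assumptions for the example.
#include <cstdint>
#include <filesystem>
#include <fstream>
#include <string>
#include <utility>
#include <vector>

namespace fs = std::filesystem;

struct ResourceLimits {
    uint64_t memory_limit_mb = 512;  // main.conf: memory_limit_mb
    uint64_t max_processes = 100;    // main.conf: max_processes
};

// cgroup v2 control files for one instance. memory.max takes bytes and
// pids.max a count; the literal "max" would mean unlimited, so it is never emitted.
std::vector<std::pair<std::string, std::string>> cgroupSettings(const ResourceLimits& lim) {
    return {
        {"memory.max", std::to_string(lim.memory_limit_mb * 1024ULL * 1024ULL)},
        {"pids.max", std::to_string(lim.max_processes)},
    };
}

// A zero limit is almost always a misconfiguration rather than intent; refuse it.
bool validLimits(const ResourceLimits& lim) {
    return lim.memory_limit_mb > 0 && lim.max_processes > 0;
}

// The instance name becomes a path component, so it must not traverse.
bool safeInstanceName(const std::string& instance) {
    return !instance.empty() && instance != "." && instance != ".." &&
           instance.find('/') == std::string::npos;
}

// Create <root>/cystem/<instance>, write the limits, then move `pid` into the
// group so the limits cover it and every child it spawns. Returns false before
// touching cgroup.procs if any limit failed, so a process is never placed in a
// half-configured group.
bool applyCgroupLimits(const fs::path& cgroup_root, const std::string& instance,
                       const ResourceLimits& lim, long pid) {
    if (!validLimits(lim) || !safeInstanceName(instance)) return false;
    const fs::path group = cgroup_root / "cystem" / instance;
    std::error_code ec;
    fs::create_directories(group, ec);
    if (ec) return false;
    for (const auto& [file, value] : cgroupSettings(lim)) {
        std::ofstream out(group / file);
        if (!out || !(out << value << '\n')) return false;
    }
    std::ofstream procs(group / "cgroup.procs");
    return static_cast<bool>(procs << pid << '\n');
}

// Read back one control file (first line), e.g. to confirm the kernel accepted it.
std::string readSetting(const fs::path& cgroup_root, const std::string& instance,
                        const std::string& file) {
    std::ifstream in(cgroup_root / "cystem" / instance / file);
    std::string value;
    std::getline(in, value);
    return value;
}
```

On a real host the root is /sys/fs/cgroup, the caller needs root, and the parent group's cgroup.subtree_control must already list the memory and pids controllers or the kernel rejects the writes; reading the files back after writing is the cheap way to confirm the limit actually took effect.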
| Vulnerability | Original Issue | Cystem Solution |
|---|---|---|
| Authentication | Weak password-based auth | SSH key-only by default, strategy pattern for flexibility |
| Process Management | No init system, manual process starting | Builder pattern with proper service management |
| Network Security | Open ports with no firewall | UFW integration with strict rules |
| Resource Isolation | Unrestricted CPU/RAM usage | cgroup support with configurable limits |
| Mount Management | Race conditions, leftover mounts | RAII-based MountManager with cleanup |
| Configuration | Hardcoded values | Flexible configuration with profiles |
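The mount-management row above relies on an RAII MountManager. The following is an added illustration of that idea, not Cystem's lib code: the mount and unmount calls are injected so the ordering logic runs without root (the real tool would wrap mount(2) and umount2(2) here), and the instance paths under /var/lib/cystem are made up for the example. It shows what RAII buys in this setting: when one mount fails partway through a build, the destructor unmounts everything already mounted in reverse order, so no proc, sys or dev mount is left behind under the chroot, and an unmount that fails during teardown is recorded for the operator rather than thrown from a destructor.

```cpp
// Added example, not Cystem's MountManager: RAII cleanup of the mounts a
// chroot needs. mount/unmount are injected so the ordering logic runs without
// root; the real tool would wrap mount(2) and umount2(2) here. The instance
// paths under /var/lib/cystem are made up for the example.
#include <functional>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

using MountFn = std::function<bool(const std::string& target)>;

class MountManager {
public:
    MountManager(MountFn mount, MountFn unmount)
        : mount_(std::move(mount)), unmount_(std::move(unmount)) {}
    MountManager(const MountManager&) = delete;             // one owner per mount set
    MountManager& operator=(const MountManager&) = delete;
    ~MountManager() { unmountAll(); }                       // cleanup on every exit path

    // Mount `target`; on failure throw so that the caller's partially built
    // environment is torn down by the destructor instead of being left behind.
    void mount(const std::string& target) {
        if (!mount_(target)) throw std::runtime_error("mount failed: " + target);
        mounted_.push_back(target);
    }

    // Unmount in reverse order: dev/pts before dev, and every submount before
    // the root of the chroot. Failures are recorded, never thrown, because a
    // throwing destructor would terminate the process mid-cleanup.
    void unmountAll() {
        while (!mounted_.empty()) {
            const std::string target = mounted_.back();
            mounted_.pop_back();
            if (!unmount_(target)) leftover_.push_back(target);
        }
    }
    const std::vector<std::string>& leftover() const { return leftover_; }

private:
    MountFn mount_;
    MountFn unmount_;
    std::vector<std::string> mounted_;   // LIFO stack of active mounts
    std::vector<std::string> leftover_;  // targets whose unmount failed
};

// Simulated build in which mounting `failing_target` fails. Returns the
// unmount calls observed, to show that cleanup ran despite the exception.
std::vector<std::string> simulateFailedBuild(const std::string& failing_target) {
    std::vector<std::string> unmounted;
    try {
        MountManager mm([&](const std::string& t) { return t != failing_target; },
                        [&](const std::string& t) { unmounted.push_back(t); return true; });
        for (const char* t : {"/var/lib/cystem/x", "/var/lib/cystem/x/dev",
                              "/var/lib/cystem/x/dev/pts", "/var/lib/cystem/x/proc",
                              "/var/lib/cystem/x/sys"})
            mm.mount(t);
    } catch (const std::runtime_error&) {
        // mm has already been destroyed, and therefore unmounted, by this point
    }
    return unmounted;
}

// Simulated teardown in which `sticky` refuses to unmount (say, a process still
// has its cwd inside it): the manager records it for the operator instead of throwing.
std::vector<std::string> simulateStickyUnmount(const std::string& sticky) {
    MountManager mm([](const std::string&) { return true; },
                    [&](const std::string& t) { return t != sticky; });
    mm.mount("/var/lib/cystem/x");
    mm.mount("/var/lib/cystem/x/proc");
    mm.unmountAll();
    return mm.leftover();
}
```

The copy constructor is deleted on purpose: two owners of the same mount stack would unmount twice, which is exactly the double-teardown race the table's "race conditions" entry refers to.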
Located at /etc/cystem/main.conf:

```yaml
security:
  ssh_port: 2222
  web_port: 8080
  enable_password_auth: false
  enable_root_login: false
  max_auth_tries: 3
  use_ufw: true
  cgroup_enabled: true
  memory_limit_mb: 512
  max_processes: 100
chroot:
  architecture: amd64
  distribution: stable
  user_name: cystem
```

The SSH configuration is generated automatically with secure defaults:
- Protocol 2 only
- No root login
- No password authentication (by default)
- Key-based authentication required
- ClientAliveInterval configured
- StrictModes enabled
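What those defaults look like as sshd_config directives, as an added example rather than Cystem's own generator: generateSshdConfig() renders the security keys from /etc/cystem/main.conf into OpenSSH keywords, and auditSshdConfig() checks any sshd_config text against the same baseline, judging absent directives by sshd's compiled-in defaults (PasswordAuthentication yes, MaxAuthTries 6, ClientAliveInterval 0, PermitRootLogin prohibit-password). The directive names are real OpenSSH keywords; the Banner path, the keep-alive values and the function names are assumptions for the example.

```cpp
// Added example, not Cystem's generator: render sshd_config from the security
// keys in /etc/cystem/main.conf, and audit any sshd_config text against the
// same baseline. Directive names are real OpenSSH keywords; the Banner path and
// the ClientAlive values are assumptions for the example.
#include <algorithm>
#include <cctype>
#include <map>
#include <sstream>
#include <string>
#include <vector>

struct SshSecurity {
    int ssh_port = 2222;                   // main.conf: ssh_port
    bool enable_password_auth = false;     // main.conf: enable_password_auth
    bool enable_root_login = false;        // main.conf: enable_root_login
    int max_auth_tries = 3;                // main.conf: max_auth_tries
    std::string banner = "/etc/issue.net"; // warning banner (assumed path)
};

std::string generateSshdConfig(const SshSecurity& s) {
    const char* pw = s.enable_password_auth ? "yes" : "no";
    std::ostringstream out;
    out << "Port " << s.ssh_port << '\n'
        << "PermitRootLogin " << (s.enable_root_login ? "yes" : "no") << '\n'
        << "PasswordAuthentication " << pw << '\n'
        << "KbdInteractiveAuthentication " << pw << '\n'  // PAM password prompts too
        << "PubkeyAuthentication yes\n"
        << "MaxAuthTries " << s.max_auth_tries << '\n'
        << "ClientAliveInterval 300\n"   // probe idle clients every 5 minutes
        << "ClientAliveCountMax 2\n"     // drop after two unanswered probes
        << "StrictModes yes\n"           // refuse keys/dirs with loose permissions
        << "X11Forwarding no\n"
        << "Banner " << s.banner << '\n';
    return out.str();
}

// Parse "Keyword value" lines, skipping comments and blanks. sshd honours the
// first occurrence of a keyword, so later duplicates are ignored here as well.
std::map<std::string, std::string> parseSshdConfig(const std::string& text) {
    std::map<std::string, std::string> directives;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream fields(line);
        std::string key, value;
        if (!(fields >> key) || key[0] == '#') continue;
        std::getline(fields >> std::ws, value);
        std::transform(key.begin(), key.end(), key.begin(),
                       [](unsigned char c) { return std::tolower(c); });
        directives.emplace(key, value);  // emplace keeps the first value
    }
    return directives;
}

// Findings for settings weaker than the baseline above. An absent directive is
// judged by sshd's compiled-in default, which is permissive for
// PasswordAuthentication (yes), MaxAuthTries (6) and ClientAliveInterval (0).
std::vector<std::string> auditSshdConfig(const std::string& text) {
    const auto d = parseSshdConfig(text);
    auto get = [&](const std::string& key, const std::string& dflt) {
        auto it = d.find(key);
        return it == d.end() ? dflt : it->second;
    };
    std::vector<std::string> findings;
    if (get("passwordauthentication", "yes") != "no")
        findings.push_back("PasswordAuthentication is not 'no'");
    if (get("permitrootlogin", "prohibit-password") == "yes")
        findings.push_back("PermitRootLogin yes permits root password logins");
    int tries = 6;
    try { tries = std::stoi(get("maxauthtries", "6")); } catch (...) {}
    if (tries > 3) findings.push_back("MaxAuthTries above 3 eases online brute force");
    if (get("clientaliveinterval", "0") == "0")
        findings.push_back("ClientAliveInterval unset: idle sessions are never reaped");
    if (get("strictmodes", "yes") != "yes")
        findings.push_back("StrictModes disabled");
    return findings;
}
```

Running the audit over the config the tool actually installed into the chroot (rather than over the template it was generated from) is the check worth keeping: it catches a later hand edit, or a duplicated directive earlier in the file that silently wins.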
Cystem uses the Observer pattern for comprehensive logging:
- File Logger: Logs to /var/log/cystem/audit.log
- Console Logger: Real-time console output
- Syslog Logger: System logging facility
Log levels:
- DEBUG (0-1): Detailed debugging information
- INFO (2-3): General information
- WARNING (4-6): Warnings
- ERROR (7-8): Errors
- CRITICAL (9-10): Critical issues
Ensure you're running with appropriate privileges:

```bash
sudo cystem build myinstance
```

Check network connectivity and mirror availability:
```bash
sudo debootstrap --variant=minbase stable /tmp/test http://deb.debian.org/debian
```

Verify the instance is running:
```bash
cystem status myinstance
```

Check SSH port and firewall:
```bash
sudo ufw status
```

Ensure no other processes are using the mount points:
```bash
# Show which processes still hold the mount before forcing it off
sudo fuser -vm /path/to/chroot/proc
sudo umount -f /path/to/chroot/proc
```

Enable verbose logging:
```bash
cystem build myinstance --verbose
```

Check logs:
```bash
cat /var/log/cystem/audit.log
```

Run the uninstall script:

```bash
sudo ./scripts/uninstall.sh --force
```

Or remove the installed files manually:

```bash
# Remove binaries
sudo rm -f /usr/local/bin/cystem
sudo rm -f /usr/local/lib/libcystem.so

# Remove directories
sudo rm -rf /etc/cystem
sudo rm -rf /var/lib/cystem
sudo rm -rf /var/log/cystem
sudo rm -rf /usr/local/share/cystem
```

To build in Debug mode and run the test suite:

```bash
cmake .. -DCMAKE_BUILD_TYPE=Debug
make
ctest
```

Create a new profile class in lib/factory.cpp:
```cpp
class CustomProfile : public IConfigurationProfile {
public:
    std::string getName() const override { return "custom"; }
    std::string getDescription() const override { return "Custom profile"; }
    // ... implement other methods
};
```

Create a new strategy class in lib/strategy.cpp:

```cpp
class CustomAuthStrategy : public IAuthenticationStrategy {
public:
    std::string getName() const override { return "custom"; }
    // ... implement other methods
};
```

MIT License - see LICENSE file for details.
This software is provided as-is; use at your own risk.
- Fork the repository
- Create a feature branch
- Make your changes
- Submit a pull request
For issues and feature requests, please use the GitHub issue tracker.
BlueLotus innovation lab