jdeathe / centos-ssh Goto Github PK

...
sshd stdout | Could not load host key: /etc/ssh/ssh_host_rsa_key
sshd stdout | Could not load host key: /etc/ssh/ssh_host_dsa_key
Server listening on 0.0.0.0 port 22.
Server listening on :: port 22.
sshd_bootstrap stdout | Initialise SSH...

Issue occurs because Supervisord does not wait for completion of one process before starting another with a lower priority.

Will resolve issue raised here too: #3

Supervisord 3.2.0 was released 2015-11-30.
http://supervisord.org/changes.html#id1

Can remove the requirement for Python PIP if we install using easy_install that is available from the core CentOS repositories with the python-setuptools package.

easy_install 'supervisor == 3.2.0' 'supervisor-stdout == 0.1.1'

The helper functions implemented for configuration variable validation should be split out into functions that validate an input value and return true / false and getter functions to return a value with a default, safe, value.

Docker helper functions have been created that use global scope variables instead of local scope variables.

Not causing any bugs currently but should be fixed as general maintenance/improvement.

• https://github.com/jdeathe/centos-ssh/blob/1.3.0/build.sh#L15
• https://github.com/jdeathe/centos-ssh/blob/1.3.0/build.sh#L16
• https://github.com/jdeathe/centos-ssh/blob/1.3.0/run.sh#L12
• https://github.com/jdeathe/centos-ssh/blob/1.3.0/run.sh#L23
• https://github.com/jdeathe/centos-ssh/blob/1.3.0/run.sh#L34

Environment variables used to set the user settings will override the configuration volume in a new installation when using the new default values in the ssh-bootstrap.conf configuration file. This is achieved by assigning the variables in ssh-bootstrap.conf the value of the environment variable, (if set), or allowing an alternative value if not. In the following example the SSH_USER will be set to "custom-user" if the SSH_USER environment variable is not set or an empty string but if the user runs the container with an SSH_USER environment variable set it will override the value.

SSH_USER="${SSH_USER:-custom-user}"

Existing installations that use custom values in the ssh-bootstrap.conf saved on a configuration "data" volume will not allow override by the environment variables. Also users can hard code a value in the ssh-bootstrap.conf to prevent the value being replaced by that set using the environment variable.

Example Warnings shown from MacOSX host

docker exec -it ssh.pool-1.1.1 bash
bash: warning: setlocale: LC_CTYPE: cannot change locale (en_US.UTF-8): No such file or directory
bash: warning: setlocale: LC_COLLATE: cannot change locale (en_US.UTF-8): No such file or directory
bash: warning: setlocale: LC_MESSAGES: cannot change locale (en_US.UTF-8): No such file or directory
bash: warning: setlocale: LC_NUMERIC: cannot change locale (en_US.UTF-8): No such file or directory
bash: warning: setlocale: LC_TIME: cannot change locale (en_US.UTF-8): No such file or directory

It is not necessary to create a directory for content that is added via the ADD command since it will automatically generate any directories that are required in the path.

https://github.com/jdeathe/centos-ssh/blob/1.3.0/Dockerfile#L77

ssh-bootstrap script should be in /usr/bin/ really as they should be read only.

Ref: https://github.com/jdeathe/centos-ssh/blob/1.2.0/README.md#sshauthorized_keys

Need to update the destination path in the scp example to include the ssh directory.

ie: change:
/etc/services-config/ssh.pool-1/authorized_keys

to:
/etc/services-config/ssh.pool-1/ssh/authorized_keys

Can use docker port instead of the method provided:
docker port [OPTIONS] CONTAINER [PRIVATE_PORT[/PROTO]]

SSH, by default, sets up a new environment. It could be useful to have the environment variables set by Docker when using linked containers for example.

Would need to make sure not to change HOME and PATH.

SSHD has options for setting up user specific environment variables so might be better to use this method than adding the values into /etc/environment

I thought using volume_name:container_path syntax would keep the files in place within the container however this was incorrect; you still need to ensure the files are copied to the docker_host path.

Seems that using a volume without a host path is the most robust technique.

This might be working as intended, or maybe not :)

As per the Docker docs:
These Environment variables are only set for the first process in the container. Similarly, some daemons (such as sshd) will scrub them when spawning shells for connection.

Am I, or am I not, supposed to be able to see environment variables when connecting with ssh? Are there any workarounds? Or is the intention that all containers expose additional ports and that they communicate via the Docker host over them?

https://github.com/jdeathe/centos-ssh/blob/master/run.sh#L47

It would make things more consistent if the port mapping could be defined in the run.conf. 2020:22 is used in some places so would be a good default instead of having "-p :22" in some places and "-p 2020:22" in others.

• https://github.com/jdeathe/centos-ssh/blob/1.4.1/run.sh#L92
• https://github.com/jdeathe/centos-ssh/blob/1.4.1/run.sh#L103

https://github.com/jdeathe/centos-ssh/blob/1.4.2/build.sh#L23

...
    docker images | awk -v FS='[ ]+' \
        -v pattern="^${NAME_PARTS[0]}[ ]+${NAME_PARTS[1]} " \
        '$0 ~ pattern { print $0; }'
...

https://hub.docker.com/_/centos/

• https://github.com/jdeathe/centos-ssh/blob/1.3.0/run.sh#L59
• https://github.com/jdeathe/centos-ssh/blob/1.3.0/run.sh#L69

Ref: 2115ac3

In line with how all other configuration data is stored the Supervisord configuration has been moved in to a directory named "supervisor". The README instructions for creating a data volume should be updated to include this change. https://github.com/jdeathe/centos-ssh/blob/1.2.0/README.md#optional-configuration-data-volume

Ref: #24

• Remove commented out code.
• Use heredoc syntax for multiline output instead of several echo commands.
• get_option function should be using a local variable for value not a global scope variable.

Target for Removal in Release: 1.11

When creating a container with a bind-mounted volume– docker run -v /host/path:/container/path – docker was automatically creating the /host/path if it didn’t already exist.

This auto-creation of the host path is deprecated and docker will error out if the path does not exist.

To aid in making a tag reproducible the package versions being installed should be specified in the Dockerfile. Adding the version-lock package will make it easier for security updates to be applied without changing the version of packages installed as part of the Dockerfile.

The feature to allow parameters to be passed as the cmd for docker run via the run.sh helper script has made the run command more complicated than necessary. The entrypoint should only be included if necessary to keep the command running as defined in the Dockerfile and introduce less change from 1.4.1.

https://github.com/jdeathe/centos-ssh/blob/master/run.sh#L91
https://github.com/jdeathe/centos-ssh/blob/master/run.sh#L92

Add a feature to the run.sh helper script to allow it to to run commands instead of the default entrypoint and command. This is helpful when debugging a container that is not already running or fails to run using the default entrypoint + command.

The HOME directory for the SSH_USER is not set to the value of SSH_USER_HOME_DIR; instead it is set to "/home/${SSH_USER}"

Should not disable PAM authentication to allow for more options in how to secure access.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Pluggable_Authentication_Modules.html

Ref: 2115ac3

In line with how all other configuration data is stored the SSH configuration has been moved in to a directory named "ssh". The README instructions for creating a data volume should be updated to include this change. https://github.com/jdeathe/centos-ssh/blob/1.2.0/README.md#optional-configuration-data-volume

This will allow for more package options in images created from this source but would also require more care in installation of packages to ensure they are sourced from the correct repository.

https://wiki.centos.org/TipsAndTricks/YumAndRPM

Check for additional configuration files in /etc/supervisord.d/

...
[include]
files=/etc/supervisord.d/*.conf

Ref: From https://github.com/jdeathe/centos-ssh#custom-configuration

Changes made to resolve #72 mean that later sections of the README content are now outdated. The example demonstrating how to copy authorized_keys to the docker host is using an incorrect path and should be replaced with an example of docker cp method.

There is a typo on the variable name in the show_docker_image function:

• https://github.com/jdeathe/centos-ssh/blob/1.3.0/build.sh#L19

DOCKER_NAME instead of NAME

Introduced with: 72cae89#diff-1b0c2b516b83393edb7200ad5ff12181

https://wiki.centos.org/AdditionalResources/Repositories

You can install EPEL by running yum install epel-release. The epel-release package is included in the CentOS Extras repository that is enabled by default.

By default to run any sudo commands the SSH_USER must enter the password. This might be undesirable for some use cases so would be nice to have the option change this when running the container and/or via configuration.

https://github.com/jdeathe/centos-ssh/blob/1.4.0/Dockerfile#L72

Would need to updated the following from the bootstrap script:

%wheel    ALL=(ALL)    ALL

To

%wheel    ALL=(ALL)    NOPASSWD: ALL

Latest versions of the base packages for CentOS 6.6 are:

• vim-minimal-7.4.629-5.el6
• sudo-1.8.6p3-20.el6_7
• openssh-5.3p1-112.el6_7
• openssh-server-5.3p1-112.el6_7
• openssh-clients-5.3p1-112.el6_7
• python-pip-7.1.0-1.el6
• yum-plugin-versionlock-1.1.30-30.el6

Updated this to a BUG since full (uncached) builds now fail with the following yum error when specifying the existing packages:

No package sudo-1.8.6p3-15.el6 available.
No package openssh-5.3p1-104.el6_6.1 available.
No package openssh-server-5.3p1-104.el6_6.1 available.
No package openssh-clients-5.3p1-104.el6_6.1 available.
No package python-pip-1.3.1-4.el6 available.

Ref: #59

Dockerfile changes to include ENV SSH_AUTHORIZED_KEYS "" was missed from the changes done in issue/59

#60

• Double square braces.
• ${VARIABLE} instead of $VARIABLE
• -z instead of ==""
• -n instead of !=""

It's possible to ADD multiple files to the same destination directory in 1 step instead of doing each file at a time.

Ref: https://github.com/jdeathe/centos-ssh/blob/1.4.0/Dockerfile#L78

Create a docker-compose.yml file to define the example container + data volume

Currently the user is added with the default shell of /bin/bash but would be good if there was the option to use an alternative such as /bin/sh

Should be able to configure some basic settings via environment variables instead of having to use a configuration volume.

Allow the values of SSH_USER, SSH_PASSWORD and SSH_USER_HOME_DIR to be set and override any settings defined in the configuration volume.

Setting the root password in this way doesn't seem necessary at this point.

The default SSH public key is currently set to the Vagrant insecure public key by default and requires the user to manually replace it after the container is running or use a configuration volume and replace the public key entries there. It should be possible to add a custom public key on running the container by setting an configuration environment variable.

CentOS 7 adds support for additional OpenSSH key types and enables rsa, ecdsa and ed25519 by default but disables dsa in CentOS 6 rsa and dsa are generated by default.

I'm interested in using this docker image, but it's unclear what license it's offered under. I see that Docker recommends that you have a license in the repo: http://docs.docker.com/docker-hub/official_repos/#license

Use case would be to allow an SFTP user write access to specific directories from a application's data container by using the --volumes-from parameter to pull in a data container's volumes.