Docker as SSH proxy with existing ssh key - docker

I am trying to migrate an SSH proxy (with VPN) server to Docker as a container.
Existing proxy command, which works:
ansible_ssh_common_args: '-o ProxyCommand="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p -q awx-user@ssh.local"'
My Dockerfile:
FROM ubuntu:latest
RUN apt-get update -y
RUN apt-get install -y nano \
iputils-ping \
telnet \
net-tools \
iptables \
iproute2 \
ssh \
sudo \
openssh-server
RUN mkdir /var/run/sshd
# SSH login fix. Otherwise user is kicked off after login
RUN sed 's#session\s*required\s*pam_loginuid.so#session optional pam_loginuid.so#g' -i /etc/pam.d/sshd
RUN \
groupadd -g 999 awx && useradd -u 999 -g awx -G sudo -m -s /bin/bash awx-user && \
sed -i /etc/sudoers -re 's/^%sudo.*/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
sed -i /etc/sudoers -re 's/^root.*/root ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
sed -i /etc/sudoers -re 's/^#includedir.*/## **Removed the include directive** ##"/g' && \
echo "awx-user ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \
echo "Customized the sudoers file for passwordless access to the awx-user user!" && \
echo "awx-user user:"; su - awx-user -c id
RUN mkdir -p /home/awx-user/.ssh
COPY awx_id_rsa /home/awx-user/.ssh/id_rsa
RUN echo "IdentityFile /home/awx-user/.ssh/id_rsa" >> /etc/ssh/ssh_config
RUN apt-get clean
USER awx-user
RUN sudo chown awx-user:awx /home/awx-user/.ssh
RUN sudo chown awx-user:awx /home/awx-user/.ssh/id_rsa
RUN sudo chmod 700 /home/awx-user/.ssh
RUN sudo chmod 600 /home/awx-user/.ssh/id_rsa
RUN ssh-keyscan awx2.tmnet.dk > /home/awx-user/.ssh/known_hosts
RUN mkdir /home/awx-user/motionpro
RUN mkdir /home/awx-user/motionpro/app
COPY MotionPro_Linux_Ubuntu_x64_v1.2.5.sh /home/awx-user/motionpro/MotionPro_Linux_Ubuntu_x64_v1.2.5.sh
RUN sudo chmod +x /home/awx-user/motionpro/MotionPro_Linux_Ubuntu_x64_v1.2.5.sh
RUN printf '%s\n' '#!/bin/bash' 'exit 0' | sudo tee -a /etc/rc.local
RUN sudo chmod +x /etc/rc.local
WORKDIR /home/awx-user
EXPOSE 22
Docker run:
docker run --user awx-user --hostname motionpro --name motionpro --privileged --network awxcompose901_default -p 2201:22 --device /dev/net/tun --cap-add NET_ADMIN --sysctl net.ipv6.conf.all.disable_ipv6=0 -t -d motionpro /bin/bash -c "sudo ./motionpro/MotionPro_Linux_Ubuntu_x64_v1.2.5.sh --target /home/awx-user/motionpro/app > /dev/null && sudo /usr/sbin/sshd -D && bash"
Changing proxy command to:
ansible_ssh_common_args: '-o ProxyCommand="ssh -p 2201 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p -q awx-user@awx.local"'
However, I am unable to connect. I've taken a bunch of stuff from other Dockerfiles but don't know how to solve it anymore. Anybody got a suggestion?

This was solved by adding the public key and the correct configuration in sshd_config.
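The two things the answer names, spelled out as an added example (this is not code from the question or the answer): the jump host needs the client's *public* key in `~/.ssh/authorized_keys` with the permissions sshd's StrictModes insists on, and an sshd_config that allows key-only logins and TCP forwarding, because `ssh -W %h:%p` opens a direct-tcpip channel that `AllowTcpForwarding no` would refuse. The directive set in `audit_sshd_config` is an assumption for a key-only jump host; the home directory and key string in the usage are constructed.

```shell
#!/bin/sh
# Added example: prepare the jump host side of a ProxyCommand setup and audit
# its sshd_config. Directive values are assumptions for a key-only jump host;
# all paths are constructed.

# Install a public key for a user and enforce the permissions sshd requires
# (StrictModes rejects group/world-writable ~/.ssh or authorized_keys).
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    printf '%s\n' "$pubkey" >> "$home_dir/.ssh/authorized_keys"
    chmod 600 "$home_dir/.ssh/authorized_keys"
}

# Portable octal mode lookup (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 only if ~/.ssh is 700 and authorized_keys is 600.
check_key_perms() {
    home_dir=$1
    [ "$(file_mode "$home_dir/.ssh")" = "700" ] || return 1
    [ "$(file_mode "$home_dir/.ssh/authorized_keys")" = "600" ] || return 1
    return 0
}

# Effective value of a directive: sshd uses the first occurrence, the keyword
# match is case-insensitive, and '#' comment lines are ignored.
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Audit a config for what a key-only jump host needs. A missing directive
# counts as a failure so compiled-in defaults cannot silently differ between
# OpenSSH versions. Prints each mismatch on stderr, returns 1 if any.
audit_sshd_config() {
    cfg=$1
    rc=0
    for pair in \
        PubkeyAuthentication=yes \
        PasswordAuthentication=no \
        PermitEmptyPasswords=no \
        PermitRootLogin=no \
        AllowTcpForwarding=yes
    do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_effective "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}
```

Two notes on the Dockerfile in the question. `COPY awx_id_rsa` bakes a private key into an image layer, where anyone who can pull the image can read it; the jump host only needs the public key in `authorized_keys`, and the private key stays on the Ansible controller (or is mounted at run time). And `PermitOpen` in sshd_config can restrict the `-W` forwarding to the hosts the proxy is meant to reach instead of any host the container can route to.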

Related

Error while setting up a remote ssh host on a docker container

I'm trying to set up a remote SSH host on a Docker container to perform Jenkins jobs from another container. My Dockerfile looks like this:
FROM centos
RUN yum -y install openssh-server && \
    yum install -y passwd
RUN useradd remote_user && \
    echo remote_user:1234 | chpasswd && \
    mkdir /home/remote_user/.ssh && \
    chmod 700 /home/remote_user/.ssh
# sshd only reads ~/.ssh/authorized_keys (underscore) by default
COPY remote-key.pub /home/remote_user/.ssh/authorized_keys
RUN chown remote_user:remote_user -R /home/remote_user/.ssh && \
    chmod 600 /home/remote_user/.ssh/authorized_keys
RUN /usr/sbin/sshd-keygen -A
EXPOSE 22
RUN rm -rf /run/nologin
CMD /usr/sbin/sshd -D
I run into the following error:
/bin/sh: /usr/sbin/sshd-keygen: No such file or directory
The command '/bin/sh -c /usr/sbin/sshd-keygen -A' returned a non-zero code: 127
Can you please help me correct this issue?

Start docker container under non-root user

My Dockerfile:
FROM openjdk:11-jdk
RUN apt-get update \
    && apt-get install --no-install-recommends -y git openssh-server \
    && rm -rf /var/lib/apt/lists/*
RUN groupadd --gid 3000 jenkins \
    && useradd --uid 3000 --gid jenkins --shell /bin/bash --create-home jenkins
RUN mkdir -p /var/run/sshd
EXPOSE 22
ENTRYPOINT /usr/sbin/sshd -D && bash
docker build --tag sample .
I tried to start it with the jenkins user:
docker run -u 3000:3000 sample
which returns:
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Could not load host key: /etc/ssh/ssh_host_ed25519_key
I've read all similar questions on Stack Overflow and nothing works in my case. I tried:
RUN yes 'y' | ssh-keygen -b 1024 -t rsa -f /etc/ssh/all_needed_keys -N ''
This also doesn't work:
RUN /usr/bin/ssh-keygen -A
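Both of the preceding questions come down to host keys, so here is one added example covering both (it is not code from either question). On CentOS the command is `ssh-keygen -A`, not `sshd-keygen`: it generates every host key type that is missing under `/etc/ssh`, which is what a root-run sshd needs at build time. The second question has a different problem: installing openssh-server on the Debian-based openjdk image already creates `/etc/ssh/ssh_host_*`, but they are root-owned mode 600, so an sshd started as UID 3000 cannot read them ("Could not load host key"). A non-root sshd needs its own host key, its own config, an unprivileged port and a PidFile in a directory it owns; the functions below build exactly that. The directory, the port 2222 and the `UsePAM no` choice are assumptions.

```shell
#!/bin/sh
# Added example: host keys and config for an sshd started as a non-root user
# inside a container. Paths and the port are assumptions.

# Generate an ed25519 host key into DIR (ssh-keygen writes it mode 600).
# Returns 2 when ssh-keygen is not installed so callers can tell "missing
# tool" from a generation failure.
gen_host_key() {
    dir=$1
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    [ -f "$dir/ssh_host_ed25519_key" ] && return 0
    ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_ed25519_key" </dev/null
}

# Print an sshd_config for a non-root sshd: a port above 1024, HostKey and
# PidFile inside DIR, PAM off (its session setup needs root), key-only auth.
write_sshd_config() {
    dir=$1
    port=${2:-2222}
    cat <<EOF
Port $port
ListenAddress 0.0.0.0
HostKey $dir/ssh_host_ed25519_key
PidFile $dir/sshd.pid
UsePAM no
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
EOF
}

# Full preparation: key + config in DIR, then print the command the container
# entrypoint should exec: foreground (-D) with the log on stderr (-e).
prepare_sshd() {
    dir=$1
    port=${2:-2222}
    mkdir -p "$dir"
    chmod 700 "$dir"
    gen_host_key "$dir" || return $?
    write_sshd_config "$dir" "$port" > "$dir/sshd_config"
    chmod 600 "$dir/sshd_config"
    printf '/usr/sbin/sshd -D -e -f %s\n' "$dir/sshd_config"
}
```

In a Dockerfile this runs after `USER jenkins` (for example `RUN sh prepare.sh /home/jenkins/sshd 2222`), the `ENTRYPOINT` execs the printed command, and the container is started with `-u 3000:3000 -p 2222:2222`. The `RUN mkdir -p /var/run/sshd` line then stays useful only for the root-run case; a non-root sshd never writes there.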

docker run claims a command needs admin access

bash-3.2$ docker run -it -e DISPLAY=$IP:0 -v /tmp/.X11-unix:/tmp/.X11-unix -v `pwd`:`pwd` josh:latest
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
bash: /home/ros/catkin_ws/devel/setup.bash: No such file or directory
And my Dockerfile is:
FROM ros:kinetic-robot-xenial
MAINTAINER Joshua Schraven
RUN apt-get update && apt-get install --assume-yes \
vim-nox \
sudo \
python-pip \
ros-kinetic-desktop-full \
ros-kinetic-turtlebot3 \
ros-kinetic-turtlebot3-bringup \
ros-kinetic-turtlebot3-description \
ros-kinetic-turtlebot3-fake \
ros-kinetic-turtlebot3-gazebo \
ros-kinetic-turtlebot3-msgs \
ros-kinetic-turtlebot3-navigation \
ros-kinetic-turtlebot3-simulations \
ros-kinetic-turtlebot3-slam \
ros-kinetic-turtlebot3-teleop
# create non-root user
ENV USERNAME ros
RUN adduser --ingroup sudo --disabled-password --gecos "" --shell /bin/bash --home /home/$USERNAME $USERNAME
RUN bash -c "echo ros:ros | chpasswd"
ENV HOME /home/$USERNAME
USER $USERNAME
# create catkin_ws
RUN mkdir /home/$USERNAME/catkin_ws
WORKDIR /home/$USERNAME/catkin_ws
# add catkin env
RUN echo 'source /opt/ros/kinetic/setup.bash' >> /home/$USERNAME/.bashrc
RUN echo 'source /home/$USERNAME/catkin_ws/devel/setup.bash' >> /home/$USERNAME/.bashrc
I don't know what command is causing the problem, nor how I would troubleshoot that myself.

Reset a docker image to initial state

I'm new to Docker and recently I tried to set up openstreetmap-tileserver. I tried a manual installation by cloning the project, running docker build -t SampleMap and docker run -v openstreetmap-data:/var/lib/postgresql/10/main SampleMap import, and then running the proper command to run the container. I got three images using docker image ls:
ubuntu
none
SampleMap
Everything worked fine. Next, I tried to erase the DB and do the whole process for a new map (a different .osm.pbf file). I removed the image SampleMap (with docker image rm) and tried to do the whole process again, but the problem is that all the DB tables still exist. It seems that all the changes are written into the Ubuntu image rather than SampleMap. I'm asking generally: is there any way that I can reset the whole Ubuntu image to its initial state? It seems that all the changes are permanent in the Ubuntu image.
Here is the Dockerfile:
FROM ubuntu:18.04
# Based on
# https://switch2osm.org/manually-building-a-tile-server-18-04-lts/
# Set up environment
ENV TZ=UTC
ENV AUTOVACUUM=on
ENV UPDATES=disabled
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
# Install dependencies
RUN echo "deb [ allow-insecure=yes ] http://apt.postgresql.org/pub/repos/apt/ bionic-pgdg main" >> /etc/apt/sources.list.d/pgdg.list \
&& apt-get update \
&& apt-get install -y apt-transport-https ca-certificates \
&& apt-get install -y --no-install-recommends --allow-unauthenticated \
apache2 \
apache2-dev \
autoconf \
build-essential \
bzip2 \
cmake \
fonts-noto-cjk \
fonts-noto-hinted \
fonts-noto-unhinted \
clang \
gdal-bin \
git-core \
libagg-dev \
libboost-all-dev \
libbz2-dev \
libcairo-dev \
libcairomm-1.0-dev \
libexpat1-dev \
libfreetype6-dev \
libgdal-dev \
libgeos++-dev \
libgeos-dev \
libgeotiff-epsg \
libicu-dev \
liblua5.3-dev \
libmapnik-dev \
libpq-dev \
libproj-dev \
libprotobuf-c0-dev \
libtiff5-dev \
libtool \
libxml2-dev \
lua5.3 \
make \
mapnik-utils \
nodejs \
npm \
postgis \
postgresql-10 \
postgresql-10-postgis-2.5 \
postgresql-10-postgis-2.5-scripts \
postgresql-contrib-10 \
protobuf-c-compiler \
python-mapnik \
sudo \
tar \
ttf-unifont \
unzip \
wget \
zlib1g-dev \
osmosis \
osmium-tool \
cron \
python3-psycopg2 python3-shapely python3-lxml \
&& apt-get clean autoclean \
&& apt-get autoremove --yes \
&& rm -rf /var/lib/{apt,dpkg,cache,log}/
# Set up renderer user
RUN adduser --disabled-password --gecos "" renderer
USER renderer
# Install latest osm2pgsql
RUN mkdir /home/renderer/src
WORKDIR /home/renderer/src
RUN git clone https://github.com/openstreetmap/osm2pgsql.git
WORKDIR /home/renderer/src/osm2pgsql
RUN mkdir build
WORKDIR /home/renderer/src/osm2pgsql/build
RUN cmake .. \
&& make -j $(nproc)
USER root
RUN make install
USER renderer
# Install and test Mapnik
RUN python -c 'import mapnik'
# Install mod_tile and renderd
WORKDIR /home/renderer/src
RUN git clone -b switch2osm https://github.com/SomeoneElseOSM/mod_tile.git
WORKDIR /home/renderer/src/mod_tile
RUN ./autogen.sh \
&& ./configure \
&& make -j $(nproc)
USER root
RUN make -j $(nproc) install \
&& make -j $(nproc) install-mod_tile \
&& ldconfig
USER renderer
# Configure stylesheet
WORKDIR /home/renderer/src
RUN git clone https://github.com/gravitystorm/openstreetmap-carto.git
WORKDIR /home/renderer/src/openstreetmap-carto
USER root
RUN npm install -g carto
USER renderer
RUN carto project.mml > mapnik.xml
# Load shapefiles
WORKDIR /home/renderer/src/openstreetmap-carto
RUN scripts/get-shapefiles.py
# Configure renderd
USER root
RUN sed -i 's/renderaccount/renderer/g' /usr/local/etc/renderd.conf \
&& sed -i 's/hot/tile/g' /usr/local/etc/renderd.conf
USER renderer
# Configure Apache
USER root
RUN mkdir /var/lib/mod_tile \
&& chown renderer /var/lib/mod_tile \
&& mkdir /var/run/renderd \
&& chown renderer /var/run/renderd
RUN echo "LoadModule tile_module /usr/lib/apache2/modules/mod_tile.so" >> /etc/apache2/conf-available/mod_tile.conf \
&& a2enconf mod_tile
COPY apache.conf /etc/apache2/sites-available/000-default.conf
COPY leaflet-demo.html /var/www/html/index.html
RUN ln -sf /proc/1/fd/1 /var/log/apache2/access.log \
&& ln -sf /proc/1/fd/2 /var/log/apache2/error.log
# Configure PostgreSQL
COPY postgresql.custom.conf.tmpl /etc/postgresql/10/main/
RUN chown -R postgres:postgres /var/lib/postgresql \
&& chown postgres:postgres /etc/postgresql/10/main/postgresql.custom.conf.tmpl \
&& echo "\ninclude 'postgresql.custom.conf'" >> /etc/postgresql/10/main/postgresql.conf
# copy update scripts
COPY openstreetmap-tiles-update-expire /usr/bin/
RUN chmod +x /usr/bin/openstreetmap-tiles-update-expire \
&& mkdir /var/log/tiles \
&& chmod a+rw /var/log/tiles \
&& ln -s /home/renderer/src/mod_tile/osmosis-db_replag /usr/bin/osmosis-db_replag \
&& echo "* * * * * renderer openstreetmap-tiles-update-expire\n" >> /etc/crontab
# install trim_osc.py helper script
USER renderer
RUN cd ~/src \
&& git clone https://github.com/zverik/regional \
&& cd regional \
&& git checkout 612fe3e040d8bb70d2ab3b133f3b2cfc6c940520 \
&& chmod u+x ~/src/regional/trim_osc.py
# Start running
USER root
COPY run.sh /
COPY indexes.sql /
ENTRYPOINT ["/run.sh"]
CMD []
EXPOSE 80 5432
And here is my run.sh file:
#!/bin/bash
set -x

function CreatePostgressqlConfig()
{
    cp /etc/postgresql/10/main/postgresql.custom.conf.tmpl /etc/postgresql/10/main/postgresql.custom.conf
    sudo -u postgres echo "autovacuum = $AUTOVACUUM" >> /etc/postgresql/10/main/postgresql.custom.conf
    cat /etc/postgresql/10/main/postgresql.custom.conf
}

if [ "$#" -ne 1 ]; then
    ls /home/renderer
    echo "usage: <import|run>"
    echo "commands:"
    echo " import: Set up the database and import /data.osm.pbf"
    echo " run: Runs Apache and renderd to serve tiles at /tile/{z}/{x}/{y}.png"
    echo "environment variables:"
    echo " THREADS: defines number of threads used for importing / tile rendering"
    echo " UPDATES: consecutive updates (enabled/disabled)"
    exit 1
fi

if [ "$1" = "import" ]; then
    # Initialize PostgreSQL
    CreatePostgressqlConfig
    service postgresql start
    sudo -u postgres createuser renderer
    sudo -u postgres createdb -E UTF8 -O renderer gis
    sudo -u postgres psql -d gis -c "CREATE EXTENSION postgis;"
    sudo -u postgres psql -d gis -c "CREATE EXTENSION hstore;"
    sudo -u postgres psql -d gis -c "ALTER TABLE geometry_columns OWNER TO renderer;"
    sudo -u postgres psql -d gis -c "ALTER TABLE spatial_ref_sys OWNER TO renderer;"

    # Download Luxembourg as sample if no data is provided
    if [ ! -f /data.osm.pbf ]; then
        echo "WARNING: No import file at /data.osm.pbf, so importing iran-latest as example..."
        wget -nv http://download.geofabrik.de/north-america/canada-latest.osm.pbf -O /data.osm.pbf
        # wget -nv http://download.geofabrik.de/europe/luxembourg.poly -O /data.poly
    fi

    # determine and set osmosis_replication_timestamp (for consecutive updates)
    osmium fileinfo /data.osm.pbf > /var/lib/mod_tile/data.osm.pbf.info
    osmium fileinfo /data.osm.pbf | grep 'osmosis_replication_timestamp=' | cut -b35-44 > /var/lib/mod_tile/replication_timestamp.txt
    REPLICATION_TIMESTAMP=$(cat /var/lib/mod_tile/replication_timestamp.txt)

    # initial setup of osmosis workspace (for consecutive updates)
    sudo -u renderer openstreetmap-tiles-update-expire $REPLICATION_TIMESTAMP

    # copy polygon file if available
    if [ -f /data.poly ]; then
        sudo -u renderer cp /data.poly /var/lib/mod_tile/data.poly
    fi

    # Import data
    sudo -u renderer osm2pgsql -d gis --create --slim -G --hstore --tag-transform-script /home/renderer/src/openstreetmap-carto/openstreetmap-carto.lua -C 2048 --number-processes ${THREADS:-4} -S /home/renderer/src/openstreetmap-carto/openstreetmap-carto.style /data.osm.pbf

    # Create indexes
    sudo -u postgres psql -d gis -f indexes.sql

    service postgresql stop
    exit 0
fi

if [ "$1" = "run" ]; then
    # Clean /tmp
    rm -rf /tmp/*

    # Fix postgres data privileges
    chown postgres:postgres /var/lib/postgresql -R

    # Initialize PostgreSQL and Apache
    CreatePostgressqlConfig
    service postgresql start
    service apache2 restart

    # Configure renderd threads
    sed -i -E "s/num_threads=[0-9]+/num_threads=${THREADS:-4}/g" /usr/local/etc/renderd.conf

    # start cron job to trigger consecutive updates
    if [ "$UPDATES" = "enabled" ]; then
        /etc/init.d/cron start
    fi

    # Run
    sudo -u renderer renderd -f -c /usr/local/etc/renderd.conf
    service postgresql stop
    exit 0
fi

echo "invalid command"
exit 1
When you create a container from your image, you mount a volume using the -v option:
docker run -v openstreetmap-data:/var/lib/postgresql/10/main SampleMap import
Your persistent data is stored in openstreetmap-data. That file/folder is not in your container (that is created every time); it is mounted from your host's filesystem. That's why it persists.

Docker Entrypoint script cannot get $DB_PORT_3306_TCP_ADDR environment variable

I have the following Dockerfile:
FROM php:5.6-apache
MAINTAINER pc_magas@openmailbox.org
EXPOSE 80
RUN apt-get update && apt-get install -y \
libjpeg-dev \
libfreetype6-dev \
libgeoip-dev \
libpng12-dev \
libldap2-dev \
zip \
mysql-client \
&& rm -rf /var/lib/apt/lists/*
RUN docker-php-ext-configure gd --with-freetype-dir=/usr --with-png-dir=/usr --with-jpeg-dir=/usr \
&& docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu/ \
&& docker-php-ext-install -j$(nproc) gd mbstring mysql pdo_mysql zip ldap opcache
RUN pecl install APCu geoip
ENV PIWIK_VERSION 3.0.1
RUN curl -fsSL -o piwik.tar.gz \
"https://builds.piwik.org/piwik-${PIWIK_VERSION}.tar.gz" \
&& curl -fsSL -o piwik.tar.gz.asc \
"https://builds.piwik.org/piwik-${PIWIK_VERSION}.tar.gz.asc" \
&& export GNUPGHOME="$(mktemp -d)" \
&& gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 814E346FA01A20DBB04B6807B5DBD5925590A237 \
&& gpg --batch --verify piwik.tar.gz.asc piwik.tar.gz \
&& rm -r "$GNUPGHOME" piwik.tar.gz.asc \
&& tar -xzf piwik.tar.gz -C /usr/src/ \
&& rm piwik.tar.gz
COPY php.ini /usr/local/etc/php/php.ini
RUN curl -fsSL -o /usr/src/piwik/misc/GeoIPCity.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz \
&& gunzip /usr/src/piwik/misc/GeoIPCity.dat.gz
COPY docker-entrypoint.sh /entrypoint.sh
# WORKDIR is /var/www/html (inherited via "FROM php")
# "/entrypoint.sh" will populate it at container startup from /usr/src/piwik
VOLUME /var/www/html
ENV PIWIK_DB_HOST ""
ENV PIWIK_DB_PORT ""
ENV PIWIK_DB_USER ""
ENV PIWIK_DB_PASSWORD ""
ENV PIWIK_DB_NAME ""
# Create backup and restore folders
RUN mkdir /var/backup && \
chmod 665 /var/backup && \
mkdir /var/restore && \
chmod 665 /var/restore
# Export backup folder
VOLUME /var/backup
# Export restore folder
VOLUME /var/restore
COPY backup.php /tmp/backup.php
# 755: root-owned, executable by everyone, writable only by root
# (733 would leave a root-owned script world-writable and unreadable to others)
RUN cp /tmp/backup.php /usr/local/bin/piwik_backup && \
    chown root:root /usr/local/bin/piwik_backup && \
    chmod 755 /usr/local/bin/piwik_backup && \
    rm -f /tmp/backup.php
ENTRYPOINT ["/entrypoint.sh"]
CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
It uses the following script as the entrypoint:
#!/bin/bash
if [ ! -e piwik.php ]; then
    cp -R /usr/src/piwik/* /var/www/html
    chown -R www-data:www-data .
fi

# fall back to the legacy --link variables when PIWIK_DB_* are empty
: ${PIWIK_DB_HOST:=$DB_PORT_3306_TCP_ADDR}
echo "Mariadb Addr:"$DB_PORT_3306_TCP_ADDR
: ${PIWIK_DB_PORT:=${DB_PORT_3306_TCP_PORT}}

COUNTER=0
echo "Waiting for mysql to start at ${PIWIK_DB_HOST} using port ${PIWIK_DB_PORT}..."
while ! mysqladmin ping -h"$PIWIK_DB_HOST" -P $PIWIK_DB_PORT --silent; do
    if [ $COUNTER -gt 10 ] ; then
        exit 1
    fi
    echo "Connecting to ${PIWIK_DB_HOST} Failed"
    COUNTER=$((COUNTER+1))
    sleep 1
done

echo "Setting up the database connection info"
: ${PIWIK_DB_USER:=${DB_ENV_MYSQL_USER:-root}}
: ${PIWIK_DB_NAME:=${DB_ENV_MYSQL_DATABASE:-'piwik'}}
if [ "$PIWIK_DB_USER" = 'root' ]; then
    : ${PIWIK_DB_PASSWORD:=$DB_ENV_MYSQL_ROOT_PASSWORD}
else
    : ${PIWIK_DB_PASSWORD:=$DB_ENV_MYSQL_PASSWORD}
fi

if ! mysql -h"$PIWIK_DB_HOST" -P $PIWIK_DB_PORT -u ${PIWIK_DB_USER} -p${PIWIK_DB_PASSWORD} -e ";" ; then
    echo "The user does not exist to the mysql server: ${PIWIK_DB_HOST}"
    exit 1
fi

php console config:set --section="database" --key="host" --value=${PIWIK_DB_HOST}
php console config:set --section="database" --key="port" --value=${PIWIK_DB_PORT}
php console config:set --section="database" --key="username" --value=${PIWIK_DB_USER}
php console config:set --section="database" --key="password" --value=${PIWIK_DB_PASSWORD}
php console config:set --section="database" --key="tables_prefix" --value="piwik_"
php index.php

# hand over to the CMD (apache2ctl) so it runs as the container's main process
exec "$@"
But for some reason the entrypoint script cannot find the environment variables provided by the mariadb container, such as DB_PORT_3306_TCP_ADDR, which provides the connection to the mariadb server.
I use the following commands in order to run the images as containers:
docker run --name piwikdb --volume $(pwd)/volumes/db:/var/lib/db \
-e MYSQL_ROOT_PASSWORD=123 -d mariadb
docker run --volume $(pwd)/volumes/piwik:/var/www/data --link piwikdb:mysql \
-p 8081:80 -t ^hash of the freshly built image^
I tried to troubleshoot it, but I cannot figure out why that happens.
This is not how you want to do linking.
The correct, supported way is one of the following.
Use docker-compose
If you use docker-compose, you would name your database service (say, db), and then your other containers can be told to connect to db as if it were a hostname.
You can use env_file in docker-compose.yml to specify a file with parameters such as database name, mariadb port, authentication info, and so on. Each container can load the same env_file.
Use a docker network
If you prefer to run containers without using compose, just make sure they are on the same network, like this:
docker network create myapp
docker run --name piwikdb --volume $(pwd)/volumes/db:/var/lib/db \
-e MYSQL_ROOT_PASSWORD=123 -d --network myapp mariadb
docker run --volume $(pwd)/volumes/piwik:/var/www/data \
--network myapp -p 8081:80 -t ^hash of the freshly built image^
If all containers are on the same network, then, as with docker-compose, you can just tell your piwik container to use "piwikdb" as the server (i.e. the container name of your other container).
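The compose layout the answer describes, as an added example (not code from the question or the answer): the database service is called `db`, both services load the same `env_file`, and the entrypoint reaches the database by that service name instead of the legacy `DB_PORT_3306_TCP_*` link variables. The wait loop keeps the original entrypoint's bounded retry but takes its probe command from a `DB_PROBE` hook (an assumption made so the loop can be exercised without a database), and `write_mysql_defaults` replaces the `-p${PIWIK_DB_PASSWORD}` argument, which every process in the container can read from the process list, with a mode 600 defaults file. Service names, the `db.env` file name and the credentials in the usage are constructed.

```shell
#!/bin/sh
# Added example: compose layout with a "db" service plus an entrypoint fragment
# that waits for it by service name. Names, paths and DB_PROBE are assumptions.

# Write a docker-compose.yml in which the database service is called "db";
# the application container resolves the hostname "db" on the shared default
# network. Credentials live in db.env, loaded by both services via env_file.
write_compose_file() {
    cat <<'EOF'
services:
  db:
    image: mariadb
    env_file: db.env
    volumes:
      - ./volumes/db:/var/lib/mysql
  piwik:
    build: .
    env_file: db.env
    environment:
      PIWIK_DB_HOST: db
      PIWIK_DB_PORT: "3306"
    ports:
      - "8081:80"
    depends_on:
      - db
EOF
}

# Wait until the database answers, with a bounded retry count (default 10).
# DB_PROBE is the reachability test; the default is the mysqladmin ping the
# original entrypoint uses, and a caller can override it.
wait_for_db() {
    host=$1
    port=$2
    max=${3:-10}
    probe=${DB_PROBE:-"mysqladmin ping -h$host -P$port --silent"}
    tries=0
    while ! sh -c "$probe" >/dev/null 2>&1; do
        tries=$((tries + 1))
        if [ "$tries" -ge "$max" ]; then
            echo "database at $host:$port not reachable after $max attempts" >&2
            return 1
        fi
        sleep 1
    done
    return 0
}

# Keep the password off the command line: write a [client] defaults file with
# mode 600 (umask set in a subshell so the caller's umask is untouched) and
# pass it with --defaults-extra-file.
write_mysql_defaults() {
    file=$1
    user=$2
    pass=$3
    ( umask 077; printf '[client]\nuser=%s\npassword=%s\n' "$user" "$pass" > "$file" )
    chmod 600 "$file"
}

# Entrypoint usage (constructed values):
#   wait_for_db "${PIWIK_DB_HOST:-db}" "${PIWIK_DB_PORT:-3306}" 10 || exit 1
#   write_mysql_defaults /run/piwik-my.cnf "$PIWIK_DB_USER" "$PIWIK_DB_PASSWORD"
#   mysql --defaults-extra-file=/run/piwik-my.cnf -h "$PIWIK_DB_HOST" -P "$PIWIK_DB_PORT" -e ';'
```

With `docker compose up`, `depends_on` only orders container start; it does not wait for MariaDB to accept connections, which is why the entrypoint still needs the retry loop.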
