
docker: SSH access directly into container

Up to now we use several linux users:

  • system_foo@server
  • system_bar@server
  • ...

We want to put the system users into docker container.

  • linux user system_foo --> container system_foo

The changes inside the servers are not a problem, but remote systems use these users to send us data.

We need to make ssh system_foo@server work. The remote systems can't be changed.

It would be very easy if there were just one system per Linux operating system (pass port 22 to the container). But there are several.

How can we change from the old scheme to docker containers and keep the service ssh system_foo@server available without changes at the remote site?

Please leave a comment if you don't understand the question. Thank you.

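But keep in mind that having ssh support in a container is typically an anti-pattern (unless it is your container's only 'concern', but then what would be the point of being able to ssh in). See http://techblog.constantcontact.com/devops/a-tale-of-three-docker-anti-patterns/ for information about that anti-pattern.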

nsenter could work for you. First ssh to the host and then nsenter to the container.

PID=$(docker inspect --format '{{.State.Pid}}' <container_name_or_ID>)
nsenter --target "$PID" --mount --uts --ipc --net --pid

source http://jpetazzo.github.io/2014/06/23/docker-ssh-considered-evil/

Judging by the comments, you might be looking for a solution like dockersh. dockersh is used as a login shell, and lets you place every user that logs in to your instance into an isolated container.

This probably won't let you use sftp though.

Note that dockersh includes security warnings in their README, which you'll certainly want to review:

WARNING: Whilst this project tries to make users inside containers have lowered privileges and drops capabilities to limit users ability to escalate their privilege level, it is not certain to be completely secure. Notably when Docker adds user namespace support, this can be used to further lock down privileges.

Some months ago, I helped myself like this. It's not nice, but it works. But pub-key auth needs to be used.

Script which gets called via command in .ssh/authorized_keys

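#!/usr/bin/python
# Forced-command wrapper: relay the incoming session to the container's sshd.
import os
import sys
import subprocess

# ssh takes the port via -p; "user@localhost:2222" is not valid ssh syntax.
cmd = ['ssh', '-p', '2222', 'user@localhost']
if 'SSH_ORIGINAL_COMMAND' not in os.environ:
    # No command requested by the client: pass on the wrapper's own arguments.
    cmd.extend(sys.argv[1:])
else:
    # Forward the command the remote system asked for.
    cmd.append(os.environ['SSH_ORIGINAL_COMMAND'])
sys.exit(subprocess.call(cmd))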

file system_foo@server: .ssh/authorized_keys

command="/home/modwork/bin/ssh-wrapper.py" ssh-rsa AAAAB3NzaC1yc2EAAAAB...

If the remote system does ssh system_foo@server, the SSH daemon at server executes the command given in .ssh/authorized_keys. This command does an ssh to a different SSH daemon.

In the docker container, an SSH daemon needs to run which listens on port 2222.
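
A check for the forced-command setup in the last answer, as an added example that is not part of the original post: a key entry with only command="..." still lets the client request port, agent and X11 forwarding on the host, unless the entry also carries restrict or the no-*-forwarding options. The function names are hypothetical; the first sample entry is the one from the answer, key material truncated as it is there.

```python
# Added example: audit authorized_keys entries that use a forced command.
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")   # start of a key-type field
FORWARD_OFF = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}
FORWARD_ON = {"port-forwarding", "agent-forwarding", "x11-forwarding"}

def split_unquoted(text, seps, maxsplit=-1):
    """Split on characters in seps that are outside double quotes."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if quoted and text[i:i + 2] == '\\"':   # escaped quote inside a value
            buf.append('\\"')
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted and maxsplit != 0:
            parts.append("".join(buf))
            buf, maxsplit = [], maxsplit - 1
        else:
            buf.append(ch)
        i += 1
    return parts + ["".join(buf)]

def parse_options(line):
    """Return {option: raw value} for one entry, or None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = split_unquoted(line, " \t", 1)[0]
    if first.startswith(KEY_PREFIXES):          # entry has no options field
        return {}
    pairs = (item.partition("=") for item in split_unquoted(first, ","))
    return {name.lower(): value for name, _, value in pairs}  # names compared lowercased

def audit(line):
    """List hardening gaps for one authorized_keys line."""
    opts = parse_options(line)
    if opts is None:
        return []
    names = list(opts)                          # dict keeps the options' order
    if "command" not in names:
        return ["no forced command: key is not confined to the wrapper"]
    if "restrict" in names:                     # options after restrict can re-enable
        gaps = [n for n in names[names.index("restrict") + 1:] if n in FORWARD_ON]
        return ["restrict is followed by " + ", ".join(gaps)] if gaps else []
    gaps = sorted(FORWARD_OFF - set(names))
    return ["forced command lacks " + ", ".join(gaps)] if gaps else []

if __name__ == "__main__":
    print(audit('command="/home/modwork/bin/ssh-wrapper.py" ssh-rsa AAAAB3NzaC1yc2EAAAAB...'))
```

Option names are reported in lowercase, so no-x11-forwarding in the output corresponds to no-X11-forwarding in the file.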
