docker: SSH access directly into container

谁说胖子不能爱 submitted on 2019-11-30 23:00:52

Let's remember, however, that having ssh support in a container is typically an anti-pattern (unless it's your container's only 'concern', but then what would be the point of being able to ssh in?). Refer to http://techblog.constantcontact.com/devops/a-tale-of-three-docker-anti-patterns/ for information about that anti-pattern.

nsenter could work for you. First ssh to the host and then nsenter to the container.

PID=$(docker inspect --format '{{.State.Pid}}' <container_name_or_ID>)
nsenter --target "$PID" --mount --uts --ipc --net --pid

source http://jpetazzo.github.io/2014/06/23/docker-ssh-considered-evil/

Judging by the comments, you might be looking for a solution like dockersh. dockersh is used as a login shell, and lets you place every user that logs in to your instance into an isolated container.

This probably won't let you use sftp though.

Note that dockersh includes security warnings in their README, which you'll certainly want to review:

WARNING: Whilst this project tries to make users inside containers have lowered privileges and drops capabilities to limit users ability to escalate their privilege level, it is not certain to be completely secure. Notably when Docker adds user namespace support, this can be used to further lock down privileges.

Some months ago, I helped myself like this. It's not nice, but it works. But pub-key auth needs to be used.

Script which gets called via command in .ssh/authorized_keys

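#!/usr/bin/python
import os
import sys
import subprocess

# Forward the session to the sshd inside the container.
# ssh takes the port with -p, not as a host:port suffix.
cmd = ['ssh', '-p', '2222', 'user@localhost']
if 'SSH_ORIGINAL_COMMAND' not in os.environ:
    # No command requested by the client: pass on the wrapper's own arguments.
    cmd.extend(sys.argv[1:])
else:
    # The client asked for a specific command: hand it to the container's sshd.
    cmd.append(os.environ['SSH_ORIGINAL_COMMAND'])
sys.exit(subprocess.call(cmd))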

file system_foo@server: .ssh/authorized_keys

command="/home/modwork/bin/ssh-wrapper.py" ssh-rsa AAAAB3NzaC1yc2EAAAAB...

If the remote system does ssh system_foo@server, the SSH daemon at server executes the command given in .ssh/authorized_keys. This command does an ssh to a different ssh-daemon.

In the docker container, an ssh-daemon needs to run which listens on port 2222.
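
A stricter variant of the forced-command wrapper above, added here as an example and not part of the original answer: it forwards `SSH_ORIGINAL_COMMAND` only when the requested program is on an allowlist, and quotes each word because the container's sshd hands the string to a shell. The `ALLOWED` set and the `build_argv` name are assumptions; the port and `user@localhost` target come from the answer.

```python
#!/usr/bin/env python3
"""Forced-command wrapper that forwards only allowlisted commands.

Added illustration; ALLOWED and build_argv are hypothetical names.
"""
import os
import shlex
import sys

TARGET = "user@localhost"          # container sshd account (from the answer)
PORT = "2222"                      # container sshd port (from the answer)
ALLOWED = {"ls", "cat", "uptime"}  # assumption: programs callers may run


def build_argv(environ):
    """Return the ssh argv to exec; raise ValueError if the request is refused."""
    base = ["ssh", "-p", PORT, TARGET]
    original = environ.get("SSH_ORIGINAL_COMMAND")
    if original is None:
        return base  # interactive login, no command requested
    # shlex.split raises ValueError on unbalanced quotes, which refuses the request.
    words = shlex.split(original)
    # Exact match only: a path such as /tmp/x/ls must not pass as "ls".
    if not words or words[0] not in ALLOWED:
        raise ValueError("command not in allowlist")
    # Quote every word so ';', '|', '$(...)' reach the program as literal
    # text instead of being interpreted by the container's shell.
    return base + [shlex.quote(w) for w in words]


def main():
    try:
        argv = build_argv(os.environ)
    except ValueError as exc:
        sys.stderr.write("refused: %s\n" % exc)
        return 1
    os.execvp(argv[0], argv)  # replace the wrapper process with ssh


if __name__ == "__main__":
    sys.exit(main())
```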
