docker-centos-sshd-systemd

Docker image for CentOS including SSHD and SystemD.

Specifications

OS

• SSHD
• systemd

Users

• username=root, password=root
• username=user, password=user
  • passwordless sudo user
  • owns SSH key

SSHD

• root login is not permitted
• password authentification is not permitted
• user authentification is passwordless via SSH key
  • ssh public key ./secret/ssh/sshkey.pub is imported into container

SSH-key

• passphrase is unset
• owned by user

Usage - from dockerhub

Quick run

# pull
docker pull europ/docker-centos-sshd-systemd

# run
docker run --tty --detach --privileged --publish 22:22 --label="xyz" -v /sys/fs/cgroup:/sys/fs/cgroup:ro europ/docker-centos-sshd-systemd

# add your custom ssh key
docker cp /path/to/your/sshkey.PUBLIC <CONTAINER_ID>:/home/user/.ssh/authorized_keys

# test
ssh -i /path/to/your/sshkey.PRIVATE user@<CONTAINER_IP> '[ "`ps --no-headers -p 1 -o comm`" == "systemd" ]'

Customization

• it is important to add CMD ["/usr/sbin/init"] command as the last one

FROM europ/docker-centos-sshd-systemd

# EXAMPLE
RUN yum -y install httpd
RUN systemctl enable httpd.service
EXPOSE 80

# it is important to include the below command as the last one
CMD ["/usr/sbin/init"]

Usage - from scratch

Build

docker build --rm --tag=abc --label="xyz" .

Run

• note the important --privileged parameter
• add additional --publish <number>:<number> if needed

docker run --tty --detach --privileged --publish 22:22 --label="xyz" -v /sys/fs/cgroup:/sys/fs/cgroup:ro abc

Work

# get container ID
CONTAINER_ID=$(docker ps --quiet --all --filter "status=running" --filter "label=xyz")


# get container IP
CONTAINER_IP=$(docker inspect ${CONTAINER_ID} | grep -E '^\s*"IPAddress": ".*$' | grep -ohE "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | head -1)


# connect to the running container
ssh -i ./secret/ssh/sshkey user@${CONTAINER_IP}

Stop

docker stop `docker ps --quiet --all --filter "status=running" --filter "label=xyz"`

FAQ

Warning: Remote host identification has changed

• warning output:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:xxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxx/xxxxxxxxx.
Please contact your system administrator.
Add correct host key in /home/${USER}/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/${USER}/.ssh/known_hosts:2
  remove with:
  ssh-keygen -f "/home/${USER}/.ssh/known_hosts" -R "172.17.0.2"
ECDSA host key for 172.17.0.2 has changed and you have requested strict checking.
Host key verification failed.

• solution:

ssh-keygen -f "/home/${USER}/.ssh/known_hosts" -R "<THE IP FROM WARNING OUTPUT>"

How to change the placeholding SSH keys?

• method: one docker command
  1. copy the ssh public key to container via docker cp /path/to/your/sshkey.pub <CONTAINER_ID>:/home/user/.ssh/authorized_keys
• method: new image build
  1. clone this repository
  2. change the ssh key files in ./secret/ssh/sshkey
  3. build it (follow the usage instruction from Build section)

Further Reading

Container problem relater to systemd:

• https://serverfault.com/questions/824975/failed-to-get-d-bus-connection-operation-not-permitted

CentOS7 container including only systemd:

• https://hub.docker.com/r/centos/systemd

How to run systemd in a container:

• https://developers.redhat.com/blog/2019/04/24/how-to-run-systemd-in-a-container/

Dockerize an SSH service:

• https://docs.docker.com/engine/examples/running_ssh_service/

Contribution

Feel free to open an issue or a change request in this repository in case of a bug, problem, request for enhancement, feature idea, suggestion, etc.