Add docs on passing SSH through to container (#5019)
* Add docs on passing SSH through to container Wasn't clear how to pass SSH connections through the container, found a few blog posts which described roughly the same procedure I've documented here. Credit should really go to: * https://blog.sakuragawa.moe/gitea-in-docker-container-and-sharing-ssh-with-host/ * http://www.ateijelo.com/blog/2016/07/09/share-port-22-between-docker-gogs-ssh-and-local-system Signed-off-by: Dane Elwell <dane.elwell@ukfast.co.uk> * Add note to resolve @lafriks feedback
This commit is contained in:
parent
6311e4ce6a
commit
cbc14df16a
1 changed files with 64 additions and 0 deletions
|
@ -280,3 +280,67 @@ docker-compose pull
|
|||
# Start a new container, automatically removes old one
|
||||
docker-compose up -d
|
||||
```
|
||||
|
||||
# SSH Container Passthrough
|
||||
|
||||
Since SSH is running inside the container, you'll have to pass SSH from the host to the
|
||||
container if you wish to use SSH support. If you wish to do this without running the container
|
||||
SSH on a non-standard port (or move your host port to a non-standard port) you can forward
|
||||
SSH connections destined for the container with a little extra setup.
|
||||
|
||||
This guide assumes that you have created a user on the host called `git` which shares the same
|
||||
UID/GID as the container values `USER_UID`/`USER_GID`. You should also create the directory
|
||||
`/var/lib/gitea` on the host, owned by the `git` user and mounted in the container, e.g.
|
||||
|
||||
```
|
||||
services:
|
||||
server:
|
||||
image: gitea/gitea:latest
|
||||
environment:
|
||||
- USER_UID=1000
|
||||
- USER_GID=1000
|
||||
restart: always
|
||||
networks:
|
||||
- gitea
|
||||
volumes:
|
||||
- /var/lib/gitea:/data
|
||||
ports:
|
||||
- "3000:3000"
|
||||
- "127.0.0.1:2222:22"
|
||||
```
|
||||
|
||||
You can see that we're also exposing the container SSH port to port 2222 on the host, and binding this
|
||||
to 127.0.0.1 to prevent it being accessible external to the host machine itself.
|
||||
|
||||
On the **host**, you should create the file `/app/gitea/gitea` with the following contents and
|
||||
make it executable (`chmod +x /app/gitea/gitea`):
|
||||
|
||||
```
|
||||
#!/bin/sh
|
||||
ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
|
||||
```
|
||||
|
||||
Your `git` user needs to have an SSH key generated:
|
||||
|
||||
```
|
||||
sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key"
|
||||
```
|
||||
|
||||
Still on the host, symlink the container `.ssh/authorized_keys` file to your git user `.ssh/authorized_keys`.
|
||||
This can be done on the host as the `/var/lib/gitea` directory is mounted inside the container under `/data`:
|
||||
|
||||
```
|
||||
ln -s /var/lib/gitea/git/.ssh/authorized_keys /home/git/.ssh/authorized_keys
|
||||
```
|
||||
|
||||
Then echo the `git` user SSH key into the authorized_keys file so the host can talk to the container over SSH:
|
||||
|
||||
```
|
||||
echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /home/git/.ssh/id_rsa.pub)" >> /var/lib/gitea/git/.ssh/authorized_keys
|
||||
```
|
||||
|
||||
Now you should be able to use Git over SSH to your container without disrupting SSH access to the host.
|
||||
|
||||
Please note: SSH container passthrough will work only if using opensshd in container, and will not work if
|
||||
`AuthorizedKeysCommand` is used in combination with setting `SSH_CREATE_AUTHORIZED_KEYS_FILE=false` to disable
|
||||
authorized files key generation.
|
||||
|
|
Reference in a new issue