Showing
6 changed files
with
128 additions
and
1 deletion.
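--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,4 @@
+/buildx-metadata.txt
+/buildx-image-id.txt
+
+/ssh-client-keys/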
@@ -1,2 +1,14 @@ | ||
# docker-portmap-server-rootless | ||
🐳 Docker image with an OpenSSH server that can be used for remote port forwarding only (rootless version) | ||
|
||
This is a :whale: **Docker image** containing an **OpenSSH server** that can be used for **remote port forwarding** only. This image is almost equivalent to [dmotte/docker-portmap-server](https://github.com/dmotte/docker-portmap-server) but it runs as a **non-root user**. | ||
|
||
TODO | ||
|
||
Inspired by https://www.golinuxcloud.com/run-sshd-as-non-root-user-without-sudo/ | ||
|
||
TODO add link to this rootless project inside the rootful one | ||
|
||
```bash | ||
docker volume create myvol | ||
docker run --rm -v myvol:/v docker.io/library/busybox chown 100:101 /v | ||
``` |
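--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,18 @@
+# Tested with docker.io/library/alpine:3.19.1
+FROM docker.io/library/alpine:latest
+
+RUN apk add --no-cache openssh-server
+
+EXPOSE 2222
+
+COPY --chown=root:root --chmod=755 startup.sh /
+
+RUN addgroup -S portmap && adduser -S portmap -G portmap && \
+install -d -oportmap -gportmap -m700 /ssh-host-keys /ssh-client-keys \
+/home/portmap/sshd /home/portmap/.ssh
+
+USER portmap
+
+COPY --chown=portmap:portmap --chmod=644 sshd_config /home/portmap/sshd/
+
+ENTRYPOINT ["/startup.sh"]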
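Review bot: `FROM docker.io/library/alpine:latest` leaves the base image unpinned even though the comment directly above it records the exact version this was tested with; `FROM docker.io/library/alpine:3.19.1` (or a digest) keeps rebuilds reproducible and makes the comment unnecessary, and `openssh-server` would benefit from an explicit `apk` version pin for the same reason. The `addgroup -S portmap && adduser -S portmap -G portmap` line lets busybox choose the uid and gid, while the README in this same commit tells users to `chown 100:101` the host-keys volume; passing the ids explicitly, `addgroup -S -g 101 portmap && adduser -S -u 100 -G portmap portmap` (the values the README assumes), would turn that documented number into a guarantee instead of an accident of allocation order.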
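--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,28 @@
+Port 2222
+
+HostKey /home/portmap/sshd/ssh_host_rsa_key
+HostKey /home/portmap/sshd/ssh_host_ecdsa_key
+HostKey /home/portmap/sshd/ssh_host_ed25519_key
+
+LogLevel VERBOSE
+
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+PasswordAuthentication no
+
+# Disable all the services except remote TCP port forwarding
+AllowAgentForwarding no
+AllowTcpForwarding remote
+GatewayPorts yes
+X11Forwarding no
+PermitTunnel no
+PermitListen none
+PermitOpen none
+PermitTTY no
+ForceCommand echo "This SSH server can only be used for remote port forwarding"
+
+# Don't look up the remote host name. This usually results in faster connection
+# times
+UseDNS no
+
+PidFile /home/portmap/sshd/sshd.pid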
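Review bot: `PermitListen none` in this file is overridden at runtime by the `-oPermitListen="$*"` argument that startup.sh in the same commit passes to sshd; because sshd applies `-o` options before it reads the configuration file and keeps the first value it sees, the line here only acts as a fail-closed default, which deserves saying in place: `# Overridden by -oPermitListen=<ports> in startup.sh; this is only the fail-closed default`. For a server whose sole purpose is holding remote forwards there is also no `ClientAliveInterval`/`ClientAliveCountMax`, so a client that vanishes without closing the connection keeps its listening ports bound until the TCP stack gives up; `ClientAliveInterval 30` together with `ClientAliveCountMax 3` would release them within a couple of minutes. The `-o`-before-file ordering is documented OpenSSH behaviour, but it is worth confirming once against the sshd version the chosen alpine image ships.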
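--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+set -ex
+
+################################################################################
+
+# Create the temporary directory for host keys generation
+mkdir -p ~/sshd/etc/ssh
+
+# Get host keys from the volume
+install -m600 -t ~/sshd/etc/ssh /ssh-host-keys/ssh_host_*_key 2>/dev/null || :
+install -m644 -t ~/sshd/etc/ssh /ssh-host-keys/ssh_host_*_key.pub 2>/dev/null || :
+
+# Generate the missing host keys
+ssh-keygen -Af ~/sshd
+
+# Move the host keys out of the temporary directory
+mv ~/sshd/etc/ssh/* ~/sshd
+rm -r ~/sshd/etc
+
+# Copy the (previously missing) generated host keys to the volume
+cp -n ~/sshd/ssh_host_*_key /ssh-host-keys/ 2>/dev/null || :
+cp -n ~/sshd/ssh_host_*_key.pub /ssh-host-keys/ 2>/dev/null || :
+
+################################################################################
+
+if [ -z "$(find /ssh-client-keys -mindepth 1 -maxdepth 1 -type f -name \*.pub)" ]; then
+# If ssh-keygen fails, the /ssh-client-keys directory is probably mounted
+# in read-only mode
+ssh-keygen -t ed25519 -C portmap -N '' \
+-f /ssh-client-keys/ssh_client_key || :
+fi
+
+# shellcheck disable=SC3001
+install -oportmap -gportmap -m600 \
+<(cat /ssh-client-keys/*.pub 2>/dev/null || :) ~/.ssh/authorized_keys
+
+################################################################################
+
+# Start the OpenSSH Server with "exec" to ensure it receives all the stop
+# signals correctly
+exec /usr/sbin/sshd -Def ~/sshd/sshd_config -oPermitListen="$*"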
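Review bot: The final `exec /usr/sbin/sshd ... -oPermitListen="$*"` passes an empty option value when the container is started without any port arguments, which sshd most likely rejects at parse time with a terse fatal rather than a message saying what was expected; a guard right after `set -ex`, `[ $# -gt 0 ] || { echo 'usage: startup.sh PORT...' >&2; exit 1; }`, would make that failure self-explanatory. The `<(cat /ssh-client-keys/*.pub 2>/dev/null || :)` process substitution (the reason for the SC3001 disable) only works because busybox ash is built with bash compatibility and `/dev/fd` is present in the container; writing the file directly, `cat /ssh-client-keys/*.pub 2>/dev/null > ~/.ssh/authorized_keys || :` followed by `chmod 600 ~/.ssh/authorized_keys`, does the same job in plain POSIX sh with one fewer assumption. It would also help to note in the comment above the `ssh-keygen -t ed25519` call that, when no `*.pub` is found, the script writes an unencrypted private key (`ssh_client_key`) into the mounted directory, so the host-side permissions of that directory matter and the key is best moved off the host once copied to the client.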
@@ -0,0 +1,23 @@ | ||
--- | ||
version: "3" | ||
|
||
services: | ||
portmap-server-rootless: | ||
image: docker.io/dmotte/portmap-server-rootless:latest | ||
build: build | ||
restart: always | ||
network_mode: bridge | ||
ports: | ||
- "2222:2222" | ||
- "8001:8001" | ||
- "8002:8002" | ||
- "8003:8003" | ||
volumes: | ||
- /etc/timezone:/etc/timezone:ro | ||
- /etc/localtime:/etc/localtime:ro | ||
- ssh-host-keys:/ssh-host-keys | ||
- ./ssh-client-keys:/ssh-client-keys | ||
command: 8001 8002 8003 | ||
|
||
volumes: | ||
ssh-host-keys: {} |
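Review bot: The `./ssh-client-keys:/ssh-client-keys` bind mount carries no ownership guidance, yet the startup script in this commit must either find a `*.pub` there or be able to write a freshly generated key pair into it as the unprivileged container user; a host directory created by root with default permissions satisfies neither, the `ssh-keygen` failure is swallowed by `|| :`, and the outcome is an empty `authorized_keys` that rejects every login with only a shell trace line to explain why. A comment on that line, `# must contain at least one *.pub, or be writable by the container's uid (see README)`, or mounting it `:ro` once the keys are in place, would make the contract visible. `version: "3"` is also obsolete under the Compose specification and only triggers a warning with current `docker compose`, so it can be dropped.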