
Can't SSH into naked container with my own CI/CD .img #272

Open

JB-CHAUVIN opened this issue May 6, 2021 · 20 comments

Comments

@JB-CHAUVIN

JB-CHAUVIN commented May 6, 2021

Hello,

I configured an image using the following command:

docker run -it --device /dev/kvm -p 50922:10022 -v /tmp/.X11-unix:/tmp/.X11-unix -e "DISPLAY=${DISPLAY:-:0.0}" -e RAM=12 -e GENERATE_UNIQUE=true -e MASTER_PLIST_URL=https://raw.githubusercontent.com/sickcodes/osx-serial-generator/master/config-custom.plist sickcodes/docker-osx:big-sur

What I've done:

  • Xcode installation
  • SSH server enabled
  • Auto login

Then I saved the HDD:

docker cp XXX:/home/arch/OSX-KVM/mac_hdd_ng.img . 

But when I start it naked, I can't SSH into it...

docker run -it --device /dev/kvm -p 50922:10022 -v "${PWD}/mac_hdd_ng.img:/image" -v /tmp/.X11-unix:/tmp/.X11-unix -e RAM=12 -e "NOPICKER=true" -e GENERATE_UNIQUE=true -e MASTER_PLIST_URL=https://raw.githubusercontent.com/sickcodes/osx-serial-generator/master/config-custom.plist sickcodes/docker-osx:naked

The error is:
ssh mobile@localhost -p 50922
kex_exchange_identification: Connection closed by remote host

Any ideas why?
Please find Docker's log when I run the naked container, and some info about my system.

### cleaning up ...
libguestfs: trace: close
libguestfs: closing guestfs handle 0x55f97b7a1d90 (state 2)
libguestfs: trace: internal_autosync
guestfsd: => umount_all (0x2f) took 0.03 secs
guestfsd: <= internal_autosync (0x11a) request length 40 bytes
umount-all: /proc/mounts: fsname=/dev/root dir=/ type=ext2 opts=rw,noatime freq=0 passno=0
umount-all: /proc/mounts: fsname=/proc dir=/proc type=proc opts=rw,relatime freq=0 passno=0
umount-all: /proc/mounts: fsname=/sys dir=/sys type=sysfs opts=rw,relatime freq=0 passno=0
umount-all: /proc/mounts: fsname=tmpfs dir=/run type=tmpfs opts=rw,nosuid,relatime,size=147976k,mode=755,inode64 freq=0 passno=0
umount-all: /proc/mounts: fsname=/dev dir=/dev type=devtmpfs opts=rw,relatime,size=364212k,nr_inodes=91053,mode=755,inode64 freq=0 passno=0
umount-all: /proc/mounts: fsname=/dev/pts dir=/dev/pts type=devpts opts=rw,relatime,mode=600,ptmxmode=000 freq=0 passno=0
umount-all: /proc/mounts: fsname=shmfs dir=/dev/shm type=tmpfs opts=rw,relatime,inode64 freq=0 passno=0
commandrvf: stdout=n stderr=y flags=0x0
commandrvf: udevadm --debug settle -E /dev/sdb
No filesystem is currently mounted on /sys/fs/cgroup.
Failed to determine unit we run in, ignoring: No data available
commandrvf: stdout=n stderr=y flags=0x0
commandrvf: udevadm --debug settle -E /dev/sda
No filesystem is currently mounted on /sys/fs/cgroup.
Failed to determine unit we run in, ignoring: No data available
fsync /dev/sda
libguestfs: trace: internal_autosync = 0
libguestfs: sending SIGTERM to process 1242
libguestfs: qemu maxrss 219720K
libguestfs: command: run: rm
libguestfs: command: run: \ -rf /tmp/libguestfsZFAYga
libguestfs: command: run: rm
libguestfs: command: run: \ -rf /tmp/libguestfsJxUSWU
DEVICE_MODEL,SERIAL,BOARD_SERIAL,UUID,MAC_ADDRESS,WIDTH,HEIGHT
"iMacPro1,1","C02YLHYGHX87","C02916501QXJG361F","0D506953-5637-4DE9-8FE9-22A316C96DE7","88:66:5A:BE:A7:4D","1920","1080"
DEVICE_MODEL	SERIAL	BOARD_SERIAL	UUID	MAC_ADDRESS	WIDTH	HEIGHT
iMacPro1,1	C02YLHYGHX87	C02916501QXJG361F	0D506953-5637-4DE9-8FE9-22A316C96DE7	88:66:5A:BE:A7:4D	1920	1080

ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
nohup: appending output to 'nohup.out'
++ id -u
++ id -g
+ sudo chown 1000:1000 /dev/kvm
++ id -u
++ id -g
+ sudo chown -R 1000:1000 /dev/snd
+ [[ 12 = max ]]
+ [[ 12 = half ]]
++ id -u
++ id -g
+ sudo chown -R 1000:1000 /dev/snd
+ exec qemu-system-x86_64 -m 12000 -cpu Penryn,vendor=GenuineIntel,+invtsc,vmware-cpuid-freq=on,+pcid,+ssse3,+sse4.2,+popcnt,+avx,+aes,+xsave,+xsaveopt,check -machine q35,accel=kvm:tcg -smp 4,cores=4 -usb -device usb-kbd -device usb-tablet -device 'isa-applesmc,osk=ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc' -drive if=pflash,format=raw,readonly,file=/home/arch/OSX-KVM/OVMF_CODE.fd -drive if=pflash,format=raw,file=/home/arch/OSX-KVM/OVMF_VARS-1024x768.fd -smbios type=2 -audiodev alsa,id=hda -device ich9-intel-hda -device hda-duplex,audiodev=hda -device ich9-ahci,id=sata -drive id=OpenCoreBoot,if=none,snapshot=on,format=qcow2,file=/home/arch/OSX-KVM/OpenCore-Catalina/OpenCore-nopicker.qcow2 -device ide-hd,bus=sata.2,drive=OpenCoreBoot -drive id=MacHDD,if=none,file=/image,format=qcow2 -device ide-hd,bus=sata.4,drive=MacHDD -netdev user,id=net0,hostfwd=tcp::10022-:22,hostfwd=tcp::5900-:5900, -device vmxnet3,netdev=net0,id=net0,mac=52:54:00:09:49:17 -monitor stdio -vga vmware
QEMU 5.2.0 monitor - type 'help' for more information
(qemu) ALSA lib confmisc.c:767:(parse_card) cannot find card '0'
ALSA lib conf.c:4745:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4745:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1246:(snd_func_refer) error evaluating name
ALSA lib conf.c:4745:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:5233:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2660:(snd_pcm_open_noupdate) Unknown PCM default
alsa: Could not initialize DAC
alsa: Failed to open `default':
alsa: Reason: No such file or directory
ALSA lib confmisc.c:767:(parse_card) cannot find card '0'
ALSA lib conf.c:4745:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4745:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1246:(snd_func_refer) error evaluating name
ALSA lib conf.c:4745:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:5233:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2660:(snd_pcm_open_noupdate) Unknown PCM default
alsa: Could not initialize DAC
alsa: Failed to open `default':
alsa: Reason: No such file or directory
audio: Failed to create voice `dac'
ALSA lib confmisc.c:767:(parse_card) cannot find card '0'
ALSA lib conf.c:4745:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4745:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1246:(snd_func_refer) error evaluating name
ALSA lib conf.c:4745:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:5233:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2660:(snd_pcm_open_noupdate) Unknown PCM default
alsa: Could not initialize ADC
alsa: Failed to open `default':
alsa: Reason: No such file or directory
ALSA lib confmisc.c:767:(parse_card) cannot find card '0'
ALSA lib conf.c:4745:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4745:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1246:(snd_func_refer) error evaluating name
ALSA lib conf.c:4745:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:5233:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2660:(snd_pcm_open_noupdate) Unknown PCM default
alsa: Could not initialize ADC
alsa: Failed to open `default':
alsa: Reason: No such file or directory
audio: Failed to create voice `adc'

OS related issue, please help us identify the issue by posting the output of this:

NAME="Ubuntu"
PRETTY_NAME="Ubuntu 20.04.2 LTS"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
Sys. de fichiers Taille Utilisé Dispo Uti% Monté sur
/dev/nvme0n1p3     168G    125G   34G  79% /
QEMU emulator version 4.2.1 (Debian 1:4.2-3ubuntu6.15)
Copyright (c) 2003-2019 Fabrice Bellard and the QEMU Project developers
libvirtd (libvirt) 6.0.0
              total       utilisé      libre     partagé tamp/cache   disponible
Mem:           15Gi       1,1Gi       265Mi       120Mi        13Gi        13Gi
Partition d'échange:       2,0Gi       540Mi       1,5Gi
8
16
crw-rw----+ 1 root kvm 10, 232 mai    6 17:51 /dev/kvm
total 8,0K
drwxrwxrwt  2 root root 4,0K mai    6 17:51 .
drwxrwxrwt 19 root root 4,0K mai    6 17:51 ..
srwxrwxrwx  1 jb   jb      0 mai    5 12:27 X0
srwxrwxr-x  1 gdm  gdm     0 mai    5 12:27 X1024
srwxrwxr-x  1 gdm  gdm     0 mai    5 12:27 X1025
srwxrwxrwx  1 jb   jb      0 mai    6 17:51 X99
root        1497  0.2  0.2 1833448 41052 ?       Ssl  mai05   5:10 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
jb         23144  0.0  0.0  17692  2708 pts/1    S+   18:04   0:00 grep --color=auto dockerd
d0f94d8c9ca1   sickcodes/docker-osx:naked   "/bin/bash -c 'sudo …"   13 minutes ago   Up 13 minutes   0.0.0.0:50922->10022/tcp, :::50922->10022/tcp   xenodochial_curie
kvm:x:108:
docker:x:998:jb
libvirt:x:134:jb
libvirt-qemu:x:64055:libvirt-qemu
libvirt-dnsmasq:x:135:
@sickcodes
Owner

I also had this problem yesterday, but it was my VPN. Do you have a VPN on?

@sickcodes
Owner

Also double-check your username: ssh mobile@localhost -p 50922 and/or -i sshkey_rsa

@JB-CHAUVIN
Author

Hello @sickcodes, thanks for the reply.

No, I am not using a VPN on my docker computer.

So weird, the SSH port is running, but I can't log in at all into the naked one (SSH is working fine on the big sur image with display).

[screenshot]

@ficofer

ficofer commented May 9, 2021

I have followed your steps @JB-CHAUVIN and I am having a similar issue, although I am mapping the ports 1:1 from the VM to the container; this works when I run the sickcodes/docker-osx:big-sur image, the one I created it with.

But when I run sickcodes/docker-osx:naked with the img I copied out with docker cp, it seems no ports are open, neither the VNC one nor the SSH one.

To be honest I am not sure how to debug it further from here. Your screenshots above are the same thing I see on my system: the port open and docker listening on those ports for both ssh and vnc.

Can it be that the container is getting stuck in the disk picker and never booting?

@sickcodes
Owner

Hello @sickcodes, thanks for the reply.

No, I am not using a VPN on my docker computer.

So weird, the SSH port is running, but I can't log in at all into the naked one (SSH is working fine on the big sur image with display).

[screenshot]

Can you docker pull the latest images? I can see QEMU 5.2 in the screenshot; the new images are using QEMU 6:

+ exec qemu-system-x86_64 -m 3000 -cpu Penryn,vendor=GenuineIntel,+invtsc,vmware-cpuid-freq=on,+pcid,+ssse3,+sse4.2,+popcnt,+avx,+aes,+xsave,+xsaveopt,check, -machine q35,accel=kvm:tcg -smp 4,cores=4 -usb -device usb-kbd -device usb-tablet -device 'isa-applesmc,osk=ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc' -drive if=pflash,format=raw,readonly,file=/home/arch/OSX-KVM/OVMF_CODE.fd -drive if=pflash,format=raw,file=/home/arch/OSX-KVM/OVMF_VARS-1024x768.fd -smbios type=2 -audiodev alsa,id=hda -device ich9-intel-hda -device hda-duplex,audiodev=hda -device ich9-ahci,id=sata -drive id=OpenCoreBoot,if=none,snapshot=on,format=qcow2,file=/home/arch/OSX-KVM/OpenCore-Catalina/OpenCore.qcow2 -device ide-hd,bus=sata.2,drive=OpenCoreBoot -device ide-hd,bus=sata.3,drive=InstallMedia -drive id=InstallMedia,if=none,file=/home/arch/OSX-KVM/BaseSystem.img,format=qcow2 -drive id=MacHDD,if=none,file=/home/arch/OSX-KVM/mac_hdd_ng.img,format=qcow2 -device ide-hd,bus=sata.4,drive=MacHDD -netdev user,id=net0,hostfwd=tcp::10022-:22,hostfwd=tcp::5900-:5900, -device vmxnet3,netdev=net0,id=net0,mac=52:54:00:09:49:17 -monitor stdio -vga vmware -display none -vnc 0.0.0.0:99
qemu-system-x86_64: -drive if=pflash,format=raw,readonly,file=/home/arch/OSX-KVM/OVMF_CODE.fd: warning: short-form boolean option 'readonly' deprecated
Please use readonly=on instead
QEMU 6.0.0 monitor - type 'help' for more information

@ficofer

ficofer commented May 9, 2021

Trying with the latest image:

+ sudo chown -R 1000:1000 /dev/snd
+ exec qemu-system-x86_64 -m 12000 -cpu Penryn,vendor=GenuineIntel,+invtsc,vmware-cpuid-freq=on,+pcid,+ssse3,+sse4.2,+popcnt,+avx,+aes,+xsave,+xsaveopt,check, -machine q35,accel=kvm:tcg -smp 4,cores=4 -usb -device usb-kbd -device usb-tablet -device 'isa-applesmc,osk=ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc' -drive if=pflash,format=raw,readonly,file=/home/arch/OSX-KVM/OVMF_CODE.fd -drive if=pflash,format=raw,file=/home/arch/OSX-KVM/OVMF_VARS-1024x768.fd -smbios type=2 -audiodev alsa,id=hda -device ich9-intel-hda -device hda-duplex,audiodev=hda -device ich9-ahci,id=sata -drive id=OpenCoreBoot,if=none,snapshot=on,format=qcow2,file=/home/arch/OSX-KVM/OpenCore-Catalina/OpenCore-nopicker.qcow2 -device ide-hd,bus=sata.2,drive=OpenCoreBoot -drive id=MacHDD,if=none,file=/image,format=qcow2 -device ide-hd,bus=sata.4,drive=MacHDD -netdev user,id=net0,hostfwd=tcp::10022-:22,hostfwd=tcp::5900-:5900, -device vmxnet3,netdev=net0,id=net0,mac=52:54:00:09:49:17 -monitor stdio -vga vmware
qemu-system-x86_64: -drive if=pflash,format=raw,readonly,file=/home/arch/OSX-KVM/OVMF_CODE.fd: warning: short-form boolean option 'readonly' deprecated
Please use readonly=on instead
QEMU 6.0.0 monitor - type 'help' for more information
(qemu) ALSA lib confmisc.c:767:(parse_card) cannot find card '0'
ALSA lib conf.c:4745:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings

I see in the VM that the ports are mapped to docker:

macos-nested-vm:~$ sudo netstat -atunp | grep -i docker
tcp6       0      0 :::5999                 :::*                    LISTEN      21804/docker-proxy
tcp6       0      0 :::50922                :::*                    LISTEN      21790/docker-proxy
macos-nested-vm:~$
➜  ~ telnet 104.188.12.11 5999
Trying 104.197.12.11...
telnet: connect to address 104.188.12.11: Connection refused
telnet: Unable to connect to remote host
➜  ~ telnet 104.188.12.11 50922
Trying 104.188.12.11...
Connected to 11.12.197.104.bc.googleusercontent.com.
Escape character is '^]'.
^C

It seems 5999 is not open on the host machine, but 50922, on the other hand, is open and proxied to the container. This might be because the naked image only accepts and opens port 50922 in its Dockerfile (no VNC), but it is still not accessible after it started.

Can it be that the mac we installed is not listening on 10022? Is it listening on 22 by default?

Happy to help debug this further if something is needed to troubleshoot.

Edit: I also notice that the image I have created, even though it has autologin enabled, does not auto login.
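The telnet test above (TCP connect succeeds, then nothing) and the kex_exchange_identification errors earlier in the thread are different hops failing, but `ssh` reports them almost identically. The probe below is an added example, not Docker-OSX project code: it reads the first bytes after connecting, because sshd must send its identification string first, and so separates "nothing bound on the host port", "proxy accepted then closed" (docker-proxy whose backend connect failed), "proxy accepted but silent" (a hostfwd or proxy whose backend never answers) and a real sshd. The local listeners in `_fake_hop` and the `demo()` results are constructed stand-ins so it runs offline.

```python
"""Classify what actually answers on a forwarded SSH port (added example)."""
import socket
import threading


def probe_ssh(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect and classify the peer: refused, closed, silent, not-ssh, or ssh:<ident>.

    An SSH server sends its identification string before the client says
    anything, so an accepted connection that yields no bytes is a proxy hop
    (docker-proxy, podman, QEMU user-mode hostfwd) whose backend is not there.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(255)
            except socket.timeout:
                return "silent"          # accepted, backend never answered
            if not data:
                return "closed"          # accepted, then the backend connect failed
            if data.startswith(b"SSH-"):
                ident = data.split(b"\n", 1)[0].rstrip(b"\r")
                return "ssh:" + ident.decode("ascii", "replace")
            return "not-ssh"             # something else is bound to that port
    except ConnectionRefusedError:
        return "refused"                 # nothing listening on the host port
    except socket.timeout:
        return "silent"                  # SYN never answered (dropped/filtered)


def _fake_hop(behaviour: str) -> int:
    """Start a throwaway localhost listener that mimics one hop; return its port.

    Constructed for this example: 'sshd' sends an identification string,
    'proxy-closes' accepts and hangs up, 'proxy-silent' accepts and waits.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            if behaviour == "sshd":
                conn.sendall(b"SSH-2.0-OpenSSH_8.6\r\n")
                conn.recv(255)            # wait for the client's ident or its close
            elif behaviour == "proxy-silent":
                conn.recv(255)            # never speak; return once the client gives up
            # 'proxy-closes': fall through and close the accepted socket at once
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo(timeout: float = 1.0) -> dict:
    """Probe constructed local stand-ins for each outcome seen in the thread."""
    unused = socket.socket()
    unused.bind(("127.0.0.1", 0))
    free_port = unused.getsockname()[1]
    unused.close()                        # nothing listens on free_port now
    return {
        "nothing-listening": probe_ssh("127.0.0.1", free_port, timeout),
        "proxy-backend-down": probe_ssh("127.0.0.1", _fake_hop("proxy-closes"), timeout),
        "proxy-hangs": probe_ssh("127.0.0.1", _fake_hop("proxy-silent"), timeout),
        "real-sshd": probe_ssh("127.0.0.1", _fake_hop("sshd"), timeout),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} -> {outcome}")
    # Against a real container: probe_ssh("127.0.0.1", 50922) from the host and
    # probe_ssh("127.0.0.1", 10022) from inside it (docker exec) show which hop drops it.
```

Running the probe from the host and then from inside the container (as coppercash does later with `docker exec`) tells you whether the break is in the container runtime's port publishing or in QEMU's hostfwd to the guest.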

@ficofer

ficofer commented May 9, 2021

I have tried booting up the machine again with the big-sur docker image, changing the port for ssh from 22 to 10022 in /etc/services, and copied this new image to my local filesystem to try to start the naked docker image with the newly created img, and still the same results:

OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/fernando/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug2: resolve_canonicalize: hostname 104.184.12.11 is address
debug2: ssh_connect_direct
debug1: Connecting to 104.184.12.11 [104.184.12.11] port 50922.
debug1: Connection established.
debug1: identity file /Users/fernando/.ssh/id_rsa type 0
debug1: identity file /Users/fernando/.ssh/id_rsa-cert type -1
debug1: identity file /Users/fernando/.ssh/id_dsa type -1
debug1: identity file /Users/fernando/.ssh/id_dsa-cert type -1
debug1: identity file /Users/fernando/.ssh/id_ecdsa type -1
debug1: identity file /Users/fernando/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/fernando/.ssh/id_ed25519 type -1
debug1: identity file /Users/fernando/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/fernando/.ssh/id_xmss type -1
debug1: identity file /Users/fernando/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
kex_exchange_identification: read: Connection reset by peer

EDIT:

Another test I did was:

docker run -i \
    --device /dev/kvm \
    -p 50922:22 \
    -v "/var/lib/docker/fico/mac_hdd_ng.img:/image" \
    -v /tmp/.X11-unix:/tmp/.X11-unix \
    -e RAM=12 \
    -e "NOPICKER=true"\
    -e GENERATE_UNIQUE=true \
    -e MASTER_PLIST_URL=https://raw.githubusercontent.com/sickcodes/osx-serial-generator/master/config-custom.plist \
    sickcodes/docker-osx:naked

This actually starts working and ssh replies asking for a password, but the password I set up for the user does not work.

@coppercash

coppercash commented May 17, 2021

Same problem here.
I have big_user.ssh:50922 big_user.vnc:5900 qemu.vnc:5999 running in my container.
I tried the following connections:

  • ❌ host > docker:50922
  • ✅ docker > big_sur:10022 (docker exec -it container bash; ssh user@localhost -p 10022)
  • ✅ remote > docker:5999
  • ❌ remote > docker:50922
  • ❌ remote > docker:5900

@coppercash

Found something new.
After adding --network=host, I can connect to big_sur:10022 & big_sur:5900 from a remote host now.

BTW, I am using podman version 3.1.2 & QEMU emulator version 6.0.0.

Given that this problem happens with both podman & docker,
I think they are not responsible.

@ficofer

ficofer commented May 17, 2021

@coppercash can you share the complete command you ran to accomplish this?

I have just retried and I got these ports listening on the docker host machine, but then no route to the container running the OSX:

tcp 0 0 0.0.0.0:10022 0.0.0.0:* LISTEN 11489/qemu-system-x
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 11489/qemu-system-x

And the same issue I had: it seems that something is open on the port but nothing is listening on ssh.

telnet 107.178.223.181 10022
Trying 107.178.223.181...
Connected to 181.223.178.107.bc.googleusercontent.com.
Escape character is '^]'.

I would really appreciate your docker run command for the naked image, to see if I am setting some options wrong.

@coppercash

coppercash commented May 18, 2021

podman run -i --name mike \
    --device /dev/kvm \
    -e EXTRA="-display none -vnc 0.0.0.0:99,password=on" \
    -v `pwd`/volumes/image:/image \
    -e SMP=30 -e CORES=1 -e RAM=56 \
    -e WIDTH=1600 -e HEIGHT=900 \
    -e NOPICKER=true \
    -e GENERATE_UNIQUE=true \
    -e MASTER_PLIST_URL='https://raw.githubusercontent.com/sickcodes/osx-serial-generator/master/config-nopicker-custom.plist' \
    --network=host \
    docker.io/sickcodes/docker-osx:naked

Here it is, the complete command.
And as I said, instead of docker, I use podman.
But it should make little difference.
podman is a drop-in replacement for docker.

Although, now,
I can ssh to the macOS running inside the container from a remote host,
this is a barely acceptable workaround.
Because after adding --network=host there are two problems:

  • it messes up the port mapping on my host
  • every time I need to boot the macOS, I have to create a new container. Otherwise it throws a "port already bound" error

Gonna dig deeper when I get some time.

@sickcodes
Owner

@coppercash solved the above issue with Docker-OSX podman in the following comment: #246

@coppercash

podman run --name mike \
    -d \
    --device /dev/kvm \
    -v `pwd`/volumes/image:/image \
    -e EXTRA="-display none -vnc 0.0.0.0:99,password=on" \
    -e SMP=30 -e CORES=1 -e RAM=56 \
    -e WIDTH=1600 -e HEIGHT=900 \
    -e GENERATE_UNIQUE=true \
    -e MASTER_PLIST_URL='https://raw.githubusercontent.com/sickcodes/osx-serial-generator/master/config-nopicker-custom.plist' \
    -p 65022:10022 \
    -p 65000:5900 \
    -p 65001:5999 \
    docker.io/sickcodes/docker-osx:naked

This is my current command to boot.

$ ssh will@127.0.0.1 -p 65022 -vvvvv
OpenSSH_8.4p1, OpenSSL 1.1.1k  FIPS 25 Mar 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host 127.0.0.1 originally 127.0.0.1
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug1: configuration requests final Match pass
debug2: resolve_canonicalize: hostname 127.0.0.1 is address
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host 127.0.0.1 originally 127.0.0.1
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/var/home/core/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/var/home/core/.ssh/known_hosts2'
debug2: ssh_connect_direct
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 65022.
debug1: Connection established.
debug1: identity file /var/home/core/.ssh/id_rsa type -1
debug1: identity file /var/home/core/.ssh/id_rsa-cert type -1
debug1: identity file /var/home/core/.ssh/id_dsa type -1
debug1: identity file /var/home/core/.ssh/id_dsa-cert type -1
debug1: identity file /var/home/core/.ssh/id_ecdsa type -1
debug1: identity file /var/home/core/.ssh/id_ecdsa-cert type -1
debug1: identity file /var/home/core/.ssh/id_ecdsa_sk type -1
debug1: identity file /var/home/core/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /var/home/core/.ssh/id_ed25519 type 3
debug1: identity file /var/home/core/.ssh/id_ed25519-cert type -1
debug1: identity file /var/home/core/.ssh/id_ed25519_sk type -1
debug1: identity file /var/home/core/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /var/home/core/.ssh/id_xmss type -1
debug1: identity file /var/home/core/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
^C

And, still, ssh just gets stuck at the last line.
The same goes for vnc.
I think there is still something wrong with the port binding.

@coppercash

coppercash commented May 26, 2021

I think I found the cause.
With the command ss (after docker exec -it docker-osx bash), I got:

Netid  State   Recv-Q   Send-Q     Local Address:Port      Peer Address:Port   Process
u_str  ESTAB   0        0                      * 68725                * 0
tcp    ESTAB   0        0              127.0.0.1:10022        127.0.0.1:55012
tcp    ESTAB   0        0             10.0.2.100:48434       10.0.2.100:10022
tcp    ESTAB   0        0              127.0.0.1:55012        127.0.0.1:10022
tcp    ESTAB   21       0             10.0.2.100:10022       10.0.2.100:48434

It seems that qemu only opens port 10022 to local access.
And all accesses from outside the container are blocked.
Confirmed by viewing the sshd log inside big sur, with:

  1. log config --mode "level:debug" --subsystem com.openssh.sshd
  2. log stream --level debug 2>&1 | grep sshd

When I connect from outside the container, nothing appears in the log.
But when connecting from inside, there are a lot of related logs.

@coppercash

It turned out the cause I found was not the real one.
However, now, I got a solution, though I still don't know the cause.

Previously I was using podman, which is slightly different from docker.
The strictly drop-in replacement should be sudo podman,
which is the command I am currently using (and it works).

I suspect that plain podman lacks some caps to alter the rules within iptables,
maybe NET_ADMIN or NET_RAW.
Since sudo podman is good enough for me,
I won't spend more time on finding out the real cause.

@JB-CHAUVIN
Author

Have we found any solution?

I keep getting the same "wrong password" error.

The port looks like it is running, but I can't log in to the MAC DOCKER via SSH.

PS: I don't have podman on my system.

@coppercash

coppercash commented Jun 11, 2021

Have we found any solution?

I keep getting the same "wrong password" error.

The port looks like it is running, but I can't log in to the MAC DOCKER via SSH.

PS: I don't have podman on my system.

Have you tried --network=host?

@wfeii1980

I have the same problem?

Summary:
Use --network=host to configure, and connect to port 10022.
Or
podman exec -it a96e861916e6 /bin/bash -c "ssh user@localhost -p 10022"
There are no problems!

Only the mapped 50922 port connection did not respond; I suspect that it is a problem with podman. I don't know whether docker also has this problem.

@bphd

bphd commented Mar 17, 2023

It turned out the cause I found was not the real one. However, now, I got a solution, though I still don't know the cause.

Previously I was using podman, which is slightly different from docker. The strictly drop-in replacement should be sudo podman, which is the command I am currently using (and it works).

I suspect that plain podman lacks some caps to alter the rules within iptables, maybe NET_ADMIN or NET_RAW. Since sudo podman is good enough for me, I won't spend more time on finding out the real cause.

Podman corrects security breaches by limiting the capabilities of the container. Using it with sudo or --privileged basically makes it like docker and defeats the purpose. Docker-OSX should fine-tune what it needs and configure Podman to work with it, rather than just blowing away all security and executing as root.

@M-Taan

M-Taan commented Aug 22, 2023

Hey @ficofer just wondering if you managed to get it working, having the same issue. Thanks!
