Wednesday, November 10, 2021

Enable WEBSSH for RedHat based Custom Docker image

On the App Service platform, the WebSSH feature is backed by openssh-server. For Azure App Service built-in Docker images, the platform has the OpenSSH server configured by default. For a custom Docker image, you have to set up the OpenSSH server yourself.

We previously noticed the following Red Hat issue, which could cause the openssh-server installation to fail in your custom Docker container:
Not Finding openssh-server-8.0p1-3.el8.x86_64.rpm in REDHAT ubi 8 docker image - Red Hat Customer Portal
At that time, you had only two options: either register the Red Hat system running within the container and attach it to a Red Hat subscription, or download the openssh-server package and install it manually inside your Docker container.

The good news is that the Red Hat openssh-server package is now available in both the authenticated (registry.redhat.io) and unauthenticated (registry.access.redhat.com) registries.
That means we can now simply use the "yum install" command to install openssh-server in an unregistered Docker container.

According to 1750907 – UBI7 - Request for openssh-server package in UBI7 image (redhat.com), openssh-server has been included in the Red Hat ubi7 and ubi8 repositories since October 2021.
For more details about Red Hat UBI images, repositories and packages, please refer to:
Universal Base Images (UBI): Images, repositories, packages, and source code - Red Hat Customer Portal

The following steps demonstrate how to enable WebSSH for a custom Docker image that is built on a Red Hat UBI Docker image.

1.  Modify your Dockerfile to install the OpenSSH server and set the root user password.

Notes:

  • We can use registry.access.redhat.com/ubi8/ubi or registry.access.redhat.com/ubi7/ubi as the base Docker image
  • Both the openssh-server and openssh-clients packages must be installed
  • The root user password must be set to "Docker!"
  • In addition to your web application's listening port (e.g. 80), we also need to open port 2222 for WebSSH access
  • Our customized sshd_config must be put in place
  • Create an ENTRYPOINT script, since the OpenSSH server must be brought up before your application boots

2. Create an sshd_config file in the same folder as your Dockerfile

# This is ssh server systemwide configuration file.
#
# /etc/sshd_config

Port                    2222
ListenAddress           0.0.0.0
LoginGraceTime          180
X11Forwarding           yes
Ciphers aes128-cbc,3des-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-sha1-96
StrictModes             yes
SyslogFacility          DAEMON
PasswordAuthentication  yes
PermitEmptyPasswords    no
PermitRootLogin         yes
Subsystem sftp internal-sftp

3. Create an init.sh file in the same folder as your Dockerfile

The following example:

  • Modifies the /etc/profile file so that environment variables show up in the SSH session
  • Starts /usr/sbin/sshd before booting up the Nginx server

#!/usr/bin/bash

# Get environment variables to show up in SSH session
eval $(printenv | sed -n "s/^\([^=]\+\)=\(.*\)$/export \1=\2/p" | sed 's/"/\\\"/g' | sed '/=/s//="/' | sed 's/$/"/' >> /etc/profile)

# starting sshd process
/usr/sbin/sshd

# starting Nginx
nginx -g 'daemon off;'
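
The sed pipeline in init.sh above escapes only double quotes, so a value containing `$`, a backtick or a backslash is re-interpreted by the shell when /etc/profile is sourced, and multi-line values are not preserved. The following is an added example, not part of the original post, that writes each variable single-quoted instead; the helper name `write_env_exports` is hypothetical, and a POSIX awk is assumed to be installed in the image.

```shell
#!/bin/sh
# Added example, not from the original post.
# write_env_exports FILE   (hypothetical helper name)
#   Appends one  export NAME='value'  line per environment variable to FILE.
#   Values are single-quoted, with embedded single quotes written as '\'' ,
#   so $, backticks, backslashes, double quotes and newlines stay literal
#   when FILE is later sourced by a login shell.
# Assumption: a POSIX awk is available in the container image.
write_env_exports() {
    awk 'BEGIN {
        q = "\047"            # one single-quote character
        esc = q "\\" q q      # the four characters: quote backslash quote quote
        for (name in ENVIRON) {
            # Skip names that are not valid shell identifiers
            # (for example exported bash functions).
            if (name !~ /^[A-Za-z_][A-Za-z0-9_]*$/) continue
            n = split(ENVIRON[name], part, q)
            value = (n > 0) ? part[1] : ""
            for (i = 2; i <= n; i++) value = value esc part[i]
            print "export " name "=" q value q
        }
    }' >> "$1"
}

# In init.sh this call would take the place of the eval/sed line:
#   write_env_exports /etc/profile
```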

 

 

4. Build your custom docker image

docker build -t <docker registry account>/<image name>:<tag> .


5. Test the OpenSSH feature on your local machine.

Find the ID of your newly created Docker image

docker images

Start a Docker container using the newly created Docker image

docker run -d -p 80:80 <docker image id>

 

Get the docker container ID

docker ps

Get into the Docker container, then test SSH access

docker exec -it <container id> /bin/bash
ssh root@localhost -p 2222


6. Push your new docker image to Docker Hub/Azure Container Registry

docker push <docker registry account>/<image name>:<tag>

 

7. Set up your Azure App Service "Registry settings"

8. After the App Service has restarted, you should be able to use the WebSSH feature.

Go to https://<app-service-name>.scm.azurewebsites.net/webssh/host


Posted at https://sl.advdat.com/3C4QB04