connect via ssh to jhipster docker container on CentOS 7

偶尔善良 submitted on 2020-01-16 02:09:54

Question


I have installed docker (version 0.11.1-dev, build 02d20af/0.11.1); it seems to be the latest available in any case for CentOS 7 (yum update docker says there are no updates).

As per installation instructions on jhipster site I've pulled the current image and run:

sudo docker run -v ~/jhipster:/jhipster -p 8080:8080 -p 9000:9000 -p 4022:22 -t --name jhipster jdubois/jhipster-docker

The image is running OK. However I fail to connect via ssh. If I run ssh with verbose option:

ssh -vv -p 4022 jhipster@localhost

I get:

OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 51: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [::1] port 4022.
debug1: Connection established.
debug1: identity file /home/normunds/.ssh/id_rsa type 1
debug1: identity file /home/normunds/.ssh/id_rsa-cert type -1
debug1: identity file /home/normunds/.ssh/id_dsa type -1
debug1: identity file /home/normunds/.ssh/id_dsa-cert type -1
debug1: identity file /home/normunds/.ssh/id_ecdsa type -1
debug1: identity file /home/normunds/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6p1 Ubuntu-2ubuntu1
debug1: match: OpenSSH_6.6p1 Ubuntu-2ubuntu1 pat OpenSSH*
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
Connection closed by ::1

In case I try to reach another Ubuntu host I receive the same sequence (apart from host, port and OpenSSH version), but instead of the last line with "Connection closed" it has:

debug1: SSH2_MSG_KEXINIT received

and eventually it connects successfully.

I have tried to connect via localhost:4022 and ip-of-container:22, from local or remote hosts, with the same results.

So the problem seems to be in the container or docker (or eventually the ubuntu settings within docker). However, docker top jhipster shows me sshd is running and - yes, the trace evidently shows that I reach the ssh server.

Any ideas?

Edited: I ran the docker image so that it enters the command line, then ran sshd in debug mode:

sudo docker run -v ~/projects:/jhipster -p 8080:8080 -p 9000:9000 -p 4022:22 -t -i --name jhipster jdubois/jhipster-docker /bin/bash

/usr/sbin/sshd -d

in order to debug further. On connection attempt sshd fails with:

chroot("/var/run/sshd"): Operation not permitted [preauth]


Answer 1:


1) ssh access

CentOS 7: It looks like the problem is that the CentOS 7 repository has only an old Docker version; both CentOS 6 and Ubuntu use version 1.1.2. The issue on CentOS 7 can be bypassed by running the image with the command line option (as in the edited section of the OP), then running:

sed 's/UsePrivilegeSeparation yes/UsePrivilegeSeparation no/' -i /etc/ssh/sshd_config

/usr/sbin/sshd

CentOS 6: When testing in CentOS 6 running Docker 1.1.2, I did not have the same problem (the ssh connection got further, hence I assume the error on CentOS 7 was caused by the Docker version); however, ssh disconnected as soon as it connected, with the error "pam session not opened" on the client side and "PAM: pam_open_session(): Cannot make/remove an entry for the specified session." on the container side.

Here it looks like it is related to "[FIXED] ubuntu 14.04 container with ssh login issues #5663", even if it is marked as "fixed". In any case, one of the solutions mentioned in the thread that I tried was enough to fix my ssh connectivity issue:

sed '/pam_loginuid.so/s/^/#/g' -i /etc/pam.d/*

It seems it would also be enough to run:

sed 's/UsePAM yes/UsePAM no/' -i /etc/ssh/sshd_config

instead, but I did not try this option.

Conclusion: ssh connectivity on CentOS can be fixed by running the image with a command line:

sudo docker run -v ~/projects:/jhipster -p 8080:8080 -p 9000:9000 -p 4022:22 -t -i --name jhipster jdubois/jhipster-docker /bin/bash

then different "fixes" for CentOS 6/CentOS 7 as discussed above, then

/usr/sbin/sshd

2) At this point we might ask: "why ssh at all"? Once we arrive on command line all we need to do is:

su jhipster
cd /jhipster
yo jhipster

right? Nearly so, but here we have another problem. Again different on both CentOS versions. And it is present also if we connect via ssh.

On CentOS 7, which is using the old Docker version, we need to modify the selinux context of the host directory (in our case ~/jhipster):

chcon -Rt svirt_sandbox_file_t ~/jhipster

On CentOS 6 this is not necessary (and svirt_sandbox_file_t does not exist as an option); however, the shared folder inside the container is unavailable for the user jhipster. We first, as root, need to run:

chown jhipster:jhipster /jhipster

And then:

su jhipster
cd /jhipster
yo jhipster


Source: https://stackoverflow.com/questions/25428669/connect-via-ssh-to-jhipster-docker-container-on-centos-7
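
An added example, not part of the original question or answer and not code from the jhipster image: a small shell audit that reports which of the workarounds discussed above (UsePrivilegeSeparation no, UsePAM no, pam_loginuid.so commented out) are in effect in a container's sshd and PAM configuration, so an image carrying them can be flagged. The function names and sample files are constructed for illustration.

```shell
# Added example: report which of the answer's workarounds are in effect.
# Assumes whitespace-separated "Keyword value" lines; Match blocks are ignored.

# Effective value of an sshd_config keyword: keywords are case-insensitive
# and sshd uses the first value it finds.
sshd_effective() {  # $1 = keyword, $2 = sshd_config path
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# State of pam_loginuid.so across a pam.d directory: active, disabled or absent.
pam_loginuid_state() {  # $1 = pam.d directory
    if grep -Eqs '^[[:space:]]*[^#[:space:]].*pam_loginuid\.so' "$1"/*; then
        echo active
    elif grep -Eqs '^[[:space:]]*#.*pam_loginuid\.so' "$1"/*; then
        echo disabled
    else
        echo absent
    fi
}

# Print one line per weakened setting; print nothing when none is found.
audit_ssh_workarounds() {  # $1 = sshd_config path, $2 = pam.d directory
    if [ "$(sshd_effective UsePrivilegeSeparation "$1")" = no ]; then
        echo "WEAKENED sshd: UsePrivilegeSeparation no"
    fi
    if [ "$(sshd_effective UsePAM "$1")" = no ]; then
        echo "WEAKENED sshd: UsePAM no"
    fi
    if [ "$(pam_loginuid_state "$2")" = disabled ]; then
        echo "WEAKENED pam: pam_loginuid.so commented out"
    fi
}

# Constructed sample files standing in for the container's /etc/ssh and /etc/pam.d.
demo() {
    d=$(mktemp -d) && mkdir "$d/pam.d" || return 1
    printf 'Port 22\nUsePrivilegeSeparation yes\nUsePAM yes\n' > "$d/sshd_config"
    printf 'session    required     pam_loginuid.so\n' > "$d/pam.d/sshd"
    echo "before: $(audit_ssh_workarounds "$d/sshd_config" "$d/pam.d" | wc -l) finding(s)"
    # Same substitutions as in the answer, written back without relying on sed -i.
    sed 's/UsePrivilegeSeparation yes/UsePrivilegeSeparation no/' "$d/sshd_config" > "$d/t" && mv "$d/t" "$d/sshd_config"
    sed '/pam_loginuid.so/s/^/#/g' "$d/pam.d/sshd" > "$d/t" && mv "$d/t" "$d/pam.d/sshd"
    audit_ssh_workarounds "$d/sshd_config" "$d/pam.d"
    rm -rf "$d"
}
demo
```

Inside a real container the call would be audit_ssh_workarounds /etc/ssh/sshd_config /etc/pam.d.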
