Closed TiantingShi closed 2 years ago
rhatdan
commented
3 years ago Podman does NOT open firewall ports on the host automatically, we consider this a security issue, and require the administrator to open the ports before exposing a container to the internet.
Open port 2201 and the connection should work. Reopen if I am mistaken.
mheon
commented
3 years ago Is this a connection from the host to a container on the same system?
TiantingShi
commented
3 years ago Podman does NOT open firewall ports on the host automatically, we consider this a security issue, and require the administrator to open the ports before exposing a container to the internet.
Open port 2201 and the connection should work. Reopen if I am mistaken.
Hi rhatdan , i checked my iptables rules
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N CNI-ADMIN
-N CNI-FORWARD
-A FORWARD -m comment --comment "CNI firewall plugin rules" -j CNI-FORWARD
-A CNI-FORWARD -m comment --comment "CNI firewall plugin admin overrides" -j CNI-ADMIN
-A CNI-FORWARD -d 10.88.0.5/32 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A CNI-FORWARD -s 10.88.0.5/32 -j ACCEPT
-A CNI-FORWARD -d 10.88.0.9/32 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A CNI-FORWARD -s 10.88.0.9/32 -j ACCEPT
-A CNI-FORWARD -d 10.88.0.10/32 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A CNI-FORWARD -s 10.88.0.10/32 -j ACCEPTThe above is the iptables rules on my host
i don't know what your mean that open the ports before exposing a container to the internet
could you describe this problem in detail?
TiantingShi
commented
3 years ago Is this a connection from the host to a container on the same system?
Hi mheon , i checked this problem on my host and other server
the ssh service always crashes but i did not encounter such problems in the process of using docker
mheon
commented
3 years ago Crashes? As in exits with an error? If so can you provide said error?
TiantingShi
commented
3 years ago Yes , it exits with a error !! it said Exit status 255
when i use
# ssh root@192.168.3.90 -p 2201 -vto connect the podman container
the debug info says
debug1: Next authentication method: password
root@192.168.3.90's password:
debug1: Authentication succeeded (password).
Authenticated to 192.168.3.90 ([192.168.3.90]:2201).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to 192.168.3.90 closed.
Transferred: sent 2320, received 2484 bytes, in 0.1 seconds
Bytes per second: sent 43834.9, received 46933.5
debug1: Exit status 255i also used telnet to test the 2201 port
# telnet 192.168.3.90 2201
Trying 192.168.3.90...
Connected to 192.168.3.90.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.4p1 Debian-6i really want to know why i use the same image and run sshd in docker to connect, but not in podman
Below is the debugging information I used to connect to the same image running in docker using ssh
# ssh root@192.168.3.203 -p 2201 -v
OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 192.168.3.203 [192.168.3.203] port 2201.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Debian-6
debug1: match: OpenSSH_8.4p1 Debian-6 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.3.203:2201 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:Ykoo8xn09tpG1Hk6ZQ9JJKE5r3m8wBddFoDNqe7XE7Q
debug1: Host '[192.168.3.203]:2201' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /root/.ssh/id_rsa RSA SHA256:ZY08LGVjqOkSvXjSjOA8gVgpVNPtn/017ixVDDDuY50
debug1: Will attempt key: /root/.ssh/id_dsa
debug1: Will attempt key: /root/.ssh/id_ecdsa
debug1: Will attempt key: /root/.ssh/id_ecdsa_sk
debug1: Will attempt key: /root/.ssh/id_ed25519
debug1: Will attempt key: /root/.ssh/id_ed25519_sk
debug1: Will attempt key: /root/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:ZY08LGVjqOkSvXjSjOA8gVgpVNPtn/017ixVDDDuY50
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ecdsa_sk
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Trying private key: /root/.ssh/id_ed25519_sk
debug1: Trying private key: /root/.ssh/id_xmss
debug1: Next authentication method: password
root@192.168.3.203's password:
debug1: Authentication succeeded (password).
Authenticated to 192.168.3.203 ([192.168.3.203]:2201).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Linux 75e3b329f8e7 5.4.0-84-generic #94-Ubuntu SMP Thu Aug 26 20:27:37 UTC 2021 x86_64
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Sep 16 13:58:49 2021 from 192.168.3.90
┏━(Message from Kali developers)
┃
┃ This is a minimal installation of Kali Linux, you likely
┃ want to install supplementary tools. Learn how:
┃ ⇒ https://www.kali.org/docs/troubleshooting/common-minimum-setup/
┃
┗━(Run: “touch ~/.hushlogin” to hide this message)
┌──(root💀75e3b329f8e7)-[~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
75e3b329f8e7 kalilinux/kali-rolling:amd64 "bash" About an hour ago Up About an hour 0.0.0.0:2201->22/tcp, :::2201->22/tcp kali# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
72363bed497a docker.io/kalilinux/kali-rolling:amd64 bash 2 hours ago Up 2 hours ago 0.0.0.0:2201->22/tcp kali
I meant sshd in the container - does that exit with an error? We need logs from inside the container to debug further.
TiantingShi
commented
3 years ago I did not see any log information about ssh in the /var/log/ directory How do I view the ssh log inside the container?
TiantingShi
commented
3 years ago Since I started the /usr/sbin/sshd manually, what I can see in the podman container is that the process has been running and I don’t see any error messages internal . Only when I use ssh to connect to the podman container, I see the debugging information. it exit with a code 255
TiantingShi
commented
3 years ago I have tested Three official images (docker.io/library/centos:7,docker.io/kalilinux/kali-rolling:amd64,docker.io/library/ubuntu:focal), after mapping port 22 and installing and opening the ssh service, the connection fails and the debug info says exit with code 255
# podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
72363bed497a docker.io/kalilinux/kali-rolling:amd64 bash 2 hours ago Up 2 hours ago 0.0.0.0:2201->22/tcp kali
efa79702ce14 docker.io/library/centos:7 bash 29 minutes ago Up 9 minutes ago 0.0.0.0:2202->22/tcp centos
975a3d809418 docker.io/library/ubuntu:focal bash 4 minutes ago Up 4 minutes ago 0.0.0.0:2203->22/tcp ubuntu# ssh root@192.168.3.90 -p 2201
root@192.168.3.90's password:
Connection to 192.168.3.90 closed.
# ssh root@192.168.3.90 -p 2202
root@192.168.3.90's password:
client_loop: send disconnect: Broken pipe
# ssh root@192.168.3.90 -p 2203
root@192.168.3.90's password:
Connection to 192.168.3.90 closed.this three images that running in docker can connect into the container via ssh but not in podman...
i have been troubled by this problem for several days and i have no idea what caused the problem..
Does anyone met this issue before ?
mheon
commented
3 years ago I have a suspicion that sshd is missing a capability (when I run sshd in a container, I need to --cap-add CAP_AUDIT_WRITE)
TiantingShi
commented
3 years ago YES YES YES!!!!
you really helped me a lot . thank you very much for your answers
when i add the parameter --cap-add CAP_AUDIT_WRITE when running the container, ssh can connect into the podman container, but what I don’t understand is why I don’t need to add this parameter in docker. I can use the command docker run -d -p 2201:22 <XX image> bash and then start the ssh service to connect normally, but podman can’t
TiantingShi
commented
3 years ago mheon , there is another problem. when i use the ubuntu:focal image, I add the parameter --cap-add CAP_AUDIT_WRITE and the ubuntu container automatically exits. When I use podman logs ubuntu to view the log information, there is no output.
mheon
commented
3 years ago Need more details - can you enable verbose logging on the app running in the container?
rhatdan
commented
3 years ago We run our containers with tighter security then Docker does. Running sshd is a rare occurrence so sshd needs to add the capability, we tell people to exec into the container. Run the container privileged and see if the Ubuntu works. If yes then work backwards and see if it is SELinux or seccomp causing the issue.
rhatdan
commented
3 years ago @mheon good catch on the CAP_AUDIT_WRITE, I forgot about that.
TiantingShi
commented
3 years ago hi @mheon i tested ubuntu image again ,I think it was my problem yesterday. When I was running the container, I add the parameter --cap-add CAP_AUDIT_WRITE parameters, and then I could connect to my container through the ssh service.
Thank you very much for your support.
Allow me to ask one more question. Where can I find documentation on the issue of in-container capabilities?
thanks in advance !!
rhatdan
commented
3 years ago No current documentation on this, although I have many talks on what the default capabilities are. And have been raving against this one for some time.
TiantingShi
commented
3 years ago Okay, thanks again for your guys answers, the question can be closed
TiantingShi
commented
2 years ago Hi @mheon , I've met this issue again... this time ,when i use podman run to start a container and I added --cap-add CAP_AUDIT_WRITE to ensure i can use ssh to connect the container , but i could not to connect the container again . did you konw other capabilities i forgot to add ?
Below is when I use podman to start a container's command
podman run -itd --cap-add CAP_AUDIT_WRITE -p 2299:22 docker.io/library/ubuntu:focal bash
and i use ssh to connect the container . it shows
ssh root@192.168.3.90 -p 2299 X11 forwarding request failed on channel 0 Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-66-generic x86_64)
- Documentation: https://help.ubuntu.com
- Management: https://landscape.canonical.com
- Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Connection to 192.168.3.90 closed.
rhatdan
commented
2 years ago Could you try ?
ssh -v root@localhost -p 2299
OpenSSH_8.6p1, OpenSSL 1.1.1l FIPS 24 Aug 2021
debug1: Reading configuration data /home/dwalsh/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/dwalsh/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to localhost [::1] port 2299.
debug1: Connection established.
debug1: identity file /home/dwalsh/.ssh/id_rsa type 0
debug1: identity file /home/dwalsh/.ssh/id_rsa-cert type -1
debug1: identity file /home/dwalsh/.ssh/id_dsa type -1
debug1: identity file /home/dwalsh/.ssh/id_dsa-cert type -1
debug1: identity file /home/dwalsh/.ssh/id_ecdsa type -1
debug1: identity file /home/dwalsh/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/dwalsh/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/dwalsh/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/dwalsh/.ssh/id_ed25519 type -1
debug1: identity file /home/dwalsh/.ssh/id_ed25519-cert type -1
debug1: identity file /home/dwalsh/.ssh/id_ed25519_sk type -1
debug1: identity file /home/dwalsh/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/dwalsh/.ssh/id_xmss type -1
debug1: identity file /home/dwalsh/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
kex_exchange_identification: read: Connection reset by peer
Connection reset by ::1 port 2299Which is what I see.
TiantingShi
commented
2 years ago Hi @rhatdan
ssh -v root@localhost -p 2299
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 2299.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Debian-5
debug1: match: OpenSSH_8.4p1 Debian-5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:2299 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:hRMJbmqIAurTufQtd6W0NHZWrWIab5MpOFaQZzQA99Y
debug1: checking without port identifier
The authenticity of host '[localhost]:2299 ([127.0.0.1]:2299)' can't be established.
ECDSA key fingerprint is SHA256:hRMJbmqIAurTufQtd6W0NHZWrWIab5MpOFaQZzQA99Y.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[localhost]:2299' (ECDSA) to the list of known hosts.
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /root/.ssh/id_rsa RSA SHA256:rD38UpQQTkllRjDvNSjcZ+I2LvBWJ9roF6H3AukpJ4g
debug1: Will attempt key: /root/.ssh/id_dsa
debug1: Will attempt key: /root/.ssh/id_ecdsa
debug1: Will attempt key: /root/.ssh/id_ecdsa_sk
debug1: Will attempt key: /root/.ssh/id_ed25519
debug1: Will attempt key: /root/.ssh/id_ed25519_sk
debug1: Will attempt key: /root/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:rD38UpQQTkllRjDvNSjcZ+I2LvBWJ9roF6H3AukpJ4g
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ecdsa_sk
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Trying private key: /root/.ssh/id_ed25519_sk
debug1: Trying private key: /root/.ssh/id_xmss
debug1: Next authentication method: password
root@localhost's password:
debug1: Authentication succeeded (password).
Authenticated to localhost ([127.0.0.1]:2299).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to localhost closed.
Transferred: sent 2804, received 2520 bytes, in 0.1 seconds
Bytes per second: sent 55859.3, received 50201.7
debug1: Exit status 255
I have no idea why it is crashing. Is there anything in the log files inside of the container?
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
Steps to reproduce the issue:
then i exec into the container and open ssh server by manual
the ssh port is listening and port mapping is ok
Describe the results you received:
I couldn't ssh into the podman container except docker
Describe the results you expected:
I want to ssh into the podman container so that I can carry out development work more efficiently
Additional information you deem important (e.g. issue happens only occasionally):
Output of
podman version: podman version : podman version 3.2.3Output of
podman info --debug:Package info (e.g. output of
rpm -q podmanorapt list podman):Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)
Yes
Additional environment details (AWS, VirtualBox, physical, etc.): VirtualBox