Closed kdevan closed 1 year ago
Hello,
No, the SSH daemon will not be part of the default image, it just opens up too many risks for most of the users.
But in your case you do not need to fork it. Just create a new Dockerfile for you with:
FROM ghcr.io/joeferner/redis-commander
RUN apk update && apk upgrade && apk add openssh-server
Afterwards add extra packages that you need too or run additional commands as needed.
By rebuilding this image you get all updates of the current Redis Commander automatically without merging stuff ...
Hope this helps
Yes, thank you so much for the tip. This makes it so much easier!
Just in case anyone else is trying to do the same, here is the Dockerfile that worked for me. It may be a bit excessive, I just copied back everything that the harden script removes.
# syntax=docker/dockerfile:1-labs
FROM ghcr.io/joeferner/redis-commander:latest
USER root
COPY --from=alpine:3.17 /tmp /tmp
COPY --from=alpine:3.17 /sbin /sbin
COPY --from=alpine:3.17 /usr/sbin /usr/sbin
COPY --from=alpine:3.17 /etc/group /etc/group
COPY --from=alpine:3.17 /etc/passwd /etc/passwd
COPY --from=alpine:3.17 /etc/init.d /etc/init.d
COPY --from=alpine:3.17 /etc/conf.d /etc/conf.d
COPY --from=alpine:3.17 /etc/modprobe.d /etc/modprobe.d
COPY --from=alpine:3.17 /etc/modules /etc/modules
COPY --from=alpine:3.17 /root /root
RUN apk update \
&& apk upgrade \
&& apk add --update --no-cache openssh-server
USER 10000
Just a short note without going deeper into it:
- /tmp (temporary) is cleared on every reboot, there is nothing persisted / nothing to copy from
- /etc/modprobe.d and /etc/modules - a docker image does not boot its own kernel, it is reusing the container host one. Nothing needed from these directories
- /root not needed too, in regard to SSH server there will be stored the user's own ssh key (nothing in original alpine image) and authorized_keys to log into as root users are there also not available in existing image
And all binary files needed by ssh-server itself are installed due to the apk add command (at least '/etc/init.d' will not be needed. I suspect both sbin dirs also not, but not 100% sure here)
Best regards, Stefan
I tested that out and it works without those!
On Fly.io it actually uses the Dockerfile to build the server but the server itself runs as a VM with sysctl and all. Nonetheless, this did not need modprobe or modules to work. The last step I needed is for the server to listen on IPv6 which is another Fly nuance. You already have an environment variable that works for that.
Just mentioning this for anyone who this might help, thank you for the extra details, I've learned a bit here :) This is awesome in combination with Tailscale.
# syntax=docker/dockerfile:1-labs
FROM ghcr.io/joeferner/redis-commander:latest
ENV ADDRESS=::
USER root
COPY --from=alpine:3.17 /etc/group /etc/group
COPY --from=alpine:3.17 /etc/passwd /etc/passwd
COPY --from=alpine:3.17 /etc/conf.d /etc/conf.d
RUN apk update \
&& apk upgrade \
&& apk add --update --no-cache openssh-server \
&& apk add --update --no-cache curl
USER 10000
I'm able to deploy this to an online environment just fine but then am not able to SSH in. Removing some of the /root folders (rm -rf /tmp/* /root/.??* /root/cache /var/cache/apk/*) as well as some of the hardening (removing sshd but maybe some other things there too) seem to be the culprits.
I'm trying to deploy this to Fly.io along with Tailscale for security but this requires SSH access. Is there any chance this could be made available so that SSH is working? If not that's alright, thankfully since this is open source I can fork and experiment on my end.