joeferner / redis-commander

Redis management tool written in node.js
http://joeferner.github.io/redis-commander/
MIT License
3.61k stars 467 forks

Trying to deploy to an online environment and SSHing in - SSH is removed because of hardening. #534

Closed kdevan closed 1 year ago

kdevan commented 1 year ago

I'm able to deploy this to an online environment just fine but then am not able to SSH in. Removing some of the /root folders (rm -rf /tmp/* /root/.??* /root/cache /var/cache/apk/*) as well as some of the hardening (removing sshd but maybe some other things there too) seem to be the culprits.

I'm trying to deploy this to Fly.io along with Tailscale for security but this requires SSH access. Is there any chance this could be made available so that SSH is working? If not that's alright, thankfully since this is open source I can fork and experiment on my end.

sseide commented 1 year ago

Hello,

No, the SSH daemon will not be part of the default image, it just opens up too many risks for most of the users.

But in your case you do not need to fork it. Just create a new Dockerfile for you with:

```dockerfile
FROM ghcr.io/joeferner/redis-commander
RUN apk update && apk upgrade && apk add openssh-server
```

Afterwards add extra packages that you need too or run additional commands as needed.

Rebuilding this image you get all updates of current redis Commander automatically without merging stuff ...

Hope this helps

kdevan commented 1 year ago

Yes, thank you so much for the tip. This makes it so much easier!

kdevan commented 1 year ago

Just in case anyone else is trying to do the same, here is the Dockerfile that worked for me. It may be a bit excessive, I just copied back everything that the harden script removes.

```dockerfile
# syntax=docker/dockerfile:1-labs

FROM ghcr.io/joeferner/redis-commander:latest

USER root

COPY --from=alpine:3.17 /tmp /tmp
COPY --from=alpine:3.17 /sbin /sbin
COPY --from=alpine:3.17 /usr/sbin /usr/sbin
COPY --from=alpine:3.17 /etc/group /etc/group
COPY --from=alpine:3.17 /etc/passwd /etc/passwd
COPY --from=alpine:3.17 /etc/init.d /etc/init.d
COPY --from=alpine:3.17 /etc/conf.d /etc/conf.d
COPY --from=alpine:3.17 /etc/modprobe.d /etc/modprobe.d
COPY --from=alpine:3.17 /etc/modules /etc/modules
COPY --from=alpine:3.17 /root /root

RUN apk update \
  && apk upgrade \
  && apk add --update --no-cache openssh-server

USER 10000
```

sseide commented 1 year ago

Just a short note without going deeper into it:

And all binary files needed by ssh-server itself are installed due to the apk add command (at least '/etc/init.d' should not be needed. I suspect both sbin dirs are also not needed, but I'm not 100% sure here)

Best regards, Stefan

kdevan commented 1 year ago

I tested that out and it works without those!

On Fly.io it actually uses the Dockerfile to build the server but the server itself runs as a VM with sysctl and all. Nonetheless, this did not need modprobe or modules to work. The last step I needed is for the server to listen on IPv6 which is another Fly nuance. You already have an environment variable that works for that.

Just mentioning this for anyone who this might help, thank you for the extra details, I've learned a bit here :) This is awesome in combination with Tailscale.

```dockerfile
# syntax=docker/dockerfile:1-labs

FROM ghcr.io/joeferner/redis-commander:latest

ENV ADDRESS=::

USER root

COPY --from=alpine:3.17 /etc/group /etc/group
COPY --from=alpine:3.17 /etc/passwd /etc/passwd
COPY --from=alpine:3.17 /etc/conf.d /etc/conf.d

RUN apk update \
  && apk upgrade \
  && apk add --update --no-cache openssh-server \
  && apk add --update --no-cache curl

USER 10000
```
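For anyone reviewing a derived image like the ones in this thread, the following is an added example (not code from the thread participants or the redis-commander project) that lists what such a Dockerfile puts back on top of the hardened base: paths restored with `COPY --from`, packages added with `apk add`, and the final `USER`. The function names `logical_lines` and `audit` are hypothetical, and the input is the last Dockerfile above, embedded as sample data.

```python
import re

# Sample input: the final Dockerfile posted in this thread.
DOCKERFILE = r"""# syntax=docker/dockerfile:1-labs
FROM ghcr.io/joeferner/redis-commander:latest
ENV ADDRESS=::
USER root
COPY --from=alpine:3.17 /etc/group /etc/group
COPY --from=alpine:3.17 /etc/passwd /etc/passwd
COPY --from=alpine:3.17 /etc/conf.d /etc/conf.d
RUN apk update \
  && apk upgrade \
  && apk add --update --no-cache openssh-server \
  && apk add --update --no-cache curl
USER 10000
"""

def logical_lines(text):
    """Join backslash continuations, then drop blank and comment lines."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    return [l.strip() for l in joined.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def audit(text):
    """Summarise what a derived Dockerfile adds back to its base image."""
    report = {"base": None, "restored_paths": [], "packages": [], "final_user": None}
    for line in logical_lines(text):
        instr, _, rest = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            # Skip flags such as --platform=...; the first plain token is the image.
            report["base"] = [t for t in rest.split() if not t.startswith("--")][0]
        elif instr == "USER":
            report["final_user"] = rest.strip()
        elif instr == "COPY" and "--from=" in rest:
            # The last token is the destination path inside the derived image.
            report["restored_paths"].append(rest.split()[-1])
        elif instr == "RUN":
            for cmd in re.split(r"&&|;", rest):
                words = cmd.split()
                if words[:2] == ["apk", "add"]:
                    report["packages"] += [w for w in words[2:] if not w.startswith("-")]
    # final_user None means the USER of the base image is inherited unchanged.
    user = (report["final_user"] or "").split(":")[0]
    report["runs_as_root"] = user in ("root", "0")
    return report

if __name__ == "__main__":
    for key, value in audit(DOCKERFILE).items():
        print(f"{key}: {value}")
```

Running it against each revision of a derived Dockerfile makes it easy to see the list of restored paths shrink, as it did between the two versions in this thread.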