phusion / baseimage-docker

A minimal Ubuntu base image modified for Docker-friendliness
http://phusion.github.io/baseimage-docker/
MIT License

ssh access broken in 0.9.16? #189

Closed ForbiddenEra closed 9 years ago

ForbiddenEra commented 9 years ago

EDIT: This is notabug / no issue. REASON: ssh disabled by default as of 0.9.16 & changelog does state this - I just didn't see the entry in the changelog.

Maybe I'm missing something, but, I tried building an image with 0.9.16 with the same Dockerfile I used for 0.9.15 and, it doesn't appear to be working correctly - I cannot ssh.

Expected, 0.9.15:

core@core1 ~ $ docker build -t shaped/ubu1:base0.9.15 ubu0 
Sending build context to Docker daemon 3.584 kB
Sending build context to Docker daemon 
Step 0 : FROM phusion/baseimage:0.9.15
Pulling repository phusion/baseimage
cf39b476aeec: Download complete 
511136ea3c5a: Download complete 
b18d0a2076a1: Download complete 
67b66f26d423: Download complete 
25c4824a5268: Download complete 
8b1c48305638: Download complete 
c900195dcbf3: Download complete 
6b4e8a7373fe: Download complete 
c27763e1f3e5: Download complete 
9d9561782335: Download complete 
bad562ead0dc: Download complete 
d5199f68b2fe: Download complete 
64463062ff22: Download complete 
Status: Downloaded newer image for phusion/baseimage:0.9.15
 ---> cf39b476aeec
Step 1 : ENV HOME /root
 ---> Running in 7ad441eb8912
 ---> 8b67e48db941
Removing intermediate container 7ad441eb8912
Step 2 : ADD key.pub /tmp/key.pub
 ---> b29cf83a34a3
Removing intermediate container 77f3068540aa
Step 3 : RUN cat /tmp/key.pub >> /root/.ssh/authorized_keys && rm -f /tmp/key.pub
 ---> Running in c2995fa00ca9
 ---> cbeee8b07a25
Removing intermediate container c2995fa00ca9
Step 4 : CMD /sbin/my_init
 ---> Running in 09ca2986e2a6
 ---> 6f00ad433e31
Removing intermediate container 09ca2986e2a6
Step 5 : RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 ---> Running in 486359d708a4
 ---> 7d5cd5911d87
Removing intermediate container 486359d708a4
Successfully built 7d5cd5911d87
core@core1 ~ $ docker run -h apache5 --name="apache5" -p 80:80 shaped/ubu1
Unable to find image 'shaped/ubu1' locally
Pulling repository shaped/ubu1
2015/02/02 02:10:18 Error: image shaped/ubu1 not found
core@core1 ~ $ docker run -h apache5 --name="apache5" -p 80:80 shaped/ubu1:base0.9.15
*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
No SSH host key available. Generating one...
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Creating SSH2 ECDSA key; this may take some time ...
Creating SSH2 ED25519 key; this may take some time ...
invoke-rc.d: policy-rc.d denied execution of restart.
*** Running /etc/rc.local...
*** Booting runit daemon...
*** Runit started as PID 98

And, I can SSH into it, just fine:

core@core1 ~ $ docker inspect apache5
...
        "IPAddress": "172.17.0.14",
...
core@core1 ~ $ ssh root@172.17.0.14
The authenticity of host '172.17.0.14 (172.17.0.14)' can't be established.
ED25519 key fingerprint is 01:23:1b:16:b0:3c:89:e4:6f:19:bc:72:40:54:23:4f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.14' (ED25519) to the list of known hosts.
Enter passphrase for key '/home/core/.ssh/id_rsa': 
root@apache5:~# 

Now, let's try the same thing with 0.9.16:

core@core1 ~ $ docker build -t shaped/ubu1:base0.9.16 ubu0
Sending build context to Docker daemon 3.584 kB
Sending build context to Docker daemon 
Step 0 : FROM phusion/baseimage:0.9.16
 ---> 5a14c1498ff4
Step 1 : ENV HOME /root
 ---> Using cache
 ---> 757ab1cdee1a
Step 2 : ADD key.pub /tmp/key.pub
 ---> Using cache
 ---> 8ef2eb169fe5
Step 3 : RUN cat /tmp/key.pub >> /root/.ssh/authorized_keys && rm -f /tmp/key.pub
 ---> Running in 36271f5d03fd
 ---> 7488c4e18a75
Removing intermediate container 36271f5d03fd
Step 4 : CMD /sbin/my_init
 ---> Running in 0ee5eb1d4385
 ---> bb6a80c2f2ba
Removing intermediate container 0ee5eb1d4385
Step 5 : RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 ---> Running in 8b05599001e0
 ---> 0bfc0820a3f3
Removing intermediate container 8b05599001e0
Successfully built 0bfc0820a3f3
core@core1 ~ $ docker run -h apache6 --name="apache6" -p 80:80 shaped/ubu1:base0.9.16
*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
*** Running /etc/rc.local...
*** Booting runit daemon...
*** Runit started as PID 13
Feb  2 02:21:34 apache6 syslog-ng[18]: syslog-ng starting up; version='3.5.3'

And, I am unable to SSH..

core@core1 ~ $ docker inspect apache6
...
        "IPAddress": "172.17.0.17",
...
core@core1 ~ $ ssh 172.17.0.17
ssh: connect to host 172.17.0.17 port 22: Connection refused

Notice the SSH keys aren't generated? I noticed, so I tried just opening bash in the image, I see the 00_regen_ssh_host_keys.sh script, which doesn't exec because /etc/service/sshd/down exists:

root@apache6:/etc/my_init.d# cat 00_regen_ssh_host_keys.sh 
#!/bin/bash
set -e
if [[ ! -e /etc/service/sshd/down && ! -e /etc/ssh/ssh_host_rsa_key ]] || [[ "$1" == "-f" ]]; then
    echo "No SSH host key available. Generating one..."
    export LC_ALL=C
    export DEBIAN_FRONTEND=noninteractive
    dpkg-reconfigure openssh-server
fi

WoopWoop? Only thing that has changed is using baseimage:0.9.15 vs baseimage:0.9.16.

neofung commented 9 years ago

Baseimage-docker disables the SSH server by default. Add the following to your Dockerfile to enable it:

RUN rm -f /etc/service/sshd/down
RUN /etc/my_init.d/00_regen_ssh_host_keys.sh

ForbiddenEra commented 9 years ago

Hi,

Thanks for your fast response!

I thought that was the case - but why doesn't that happen on 0.9.15? Or is this a change for 0.9.16?

Is this documented somewhere?

Seems to me that changes that break things would be saved for the next version branch?

ForbiddenEra commented 9 years ago

Actually - do I HAVE to put

RUN /etc/my_init.d/00_regen_ssh_host_keys.sh

? it seems this is still run by default anyway, you can see that in my above post, I quote:

core@core1 ~ $ docker run -h apache6 --name="apache6" -p 80:80 shaped/ubu1:base0.9.16
*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...

ForbiddenEra commented 9 years ago

I can confirm that only

RUN rm -f /etc/service/sshd/down

is required in the Dockerfile as the init script is run regardless...?

I do see this mentioned in the readme (and says it needs both commands), however, there's nothing regarding this in the changelog..? So, if this is not new behavior, why does 0.9.15 work that way?

Also odd that both you & the readme say we need both but apparently the script is always run.

The script checks for the presence of /etc/service/sshd/down so, why would we need both anyway?

neofung commented 9 years ago

OK, actually you only need to rm /etc/service/sshd/down. You needn't run 00_regen_ssh_host_keys.sh manually, because the scripts in /etc/my_init.d/ will run automatically. I think the author made a mistake in the readme, but I am not sure about that.

FooBarWidget commented 9 years ago

@ForbiddenEra Yes, this is a change in 0.9.16. All changes are documented in the changelog.

Official documentation on enabling SSH: https://github.com/phusion/baseimage-docker#enabling_ssh

Actually - do I HAVE to put RUN /etc/my_init.d/00_regen_ssh_host_keys.sh

If you don't, then every time you start the container you will get a different SSH host key. This may or may not be what you want.
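The two Dockerfile variants discussed in this thread leave different state in the image, and the guard in `00_regen_ssh_host_keys.sh` quoted above keys off exactly two paths. The following is an added example, not part of the thread or of baseimage-docker: a check that classifies an unpacked image or container root filesystem by those paths. The function names, state labels and the `ROOT` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not baseimage-docker code. ROOT is the path to an unpacked
# image or container root filesystem (an assumption of this example).

# Classify sshd using the same two paths the init script's guard tests:
# /etc/service/sshd/down and /etc/ssh/ssh_host_rsa_key.
ssh_hostkey_state() {
    root=$1
    if [ -e "$root/etc/service/sshd/down" ]; then
        echo "disabled"                    # guard is false; runit leaves sshd down
    elif [ -e "$root/etc/ssh/ssh_host_rsa_key" ]; then
        echo "enabled-baked-key"           # host key is stored in the image
    else
        echo "enabled-key-per-container"   # host key is generated at container boot
    fi
}

# List which host private keys are present in the tree. File names are the
# standard OpenSSH ones for the four key types in the 0.9.15 boot log above.
baked_keys() {
    root=$1
    found=""
    for t in rsa dsa ecdsa ed25519; do
        if [ -e "$root/etc/ssh/ssh_host_${t}_key" ]; then
            found="$found${found:+ }$t"
        fi
    done
    echo "$found"
}

# Constructed demo trees mimicking the three image variants in the thread.
demo() {
    tmp=$(mktemp -d)
    for v in default rm_only rm_and_regen; do
        mkdir -p "$tmp/$v/etc/service/sshd" "$tmp/$v/etc/ssh"
    done
    : > "$tmp/default/etc/service/sshd/down"        # stock 0.9.16
    : > "$tmp/rm_and_regen/etc/ssh/ssh_host_rsa_key" # both RUN lines applied
    for v in default rm_only rm_and_regen; do
        printf '%s: %s [%s]\n' "$v" "$(ssh_hostkey_state "$tmp/$v")" "$(baked_keys "$tmp/$v")"
    done
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

An `enabled-baked-key` result means every container started from that image presents the same host key, and the private key is readable by anyone who can pull the image.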

ForbiddenEra commented 9 years ago

My bad -- I see it now in the changelog, but it should have been given its own bullet point maybe ;-)

Still seems like a 'big' change for a small version increment but - obviously it's not an 'issue' - thanks for pointing out my blindness. ;-)

ForbiddenEra commented 9 years ago

Also - the documentation says you have to exec BOTH commands in your Dockerfile - we've put that to rest - should I open separate issue for the readme issue or - will this comment be enough?

FooBarWidget commented 9 years ago

That's why the versioning is still 0.9. Docker is moving too fast, so Baseimage-docker has to move fast too. Because of the fast pace of change I'm not comfortable with giving any kinds of stability guarantees yet.

The documentation doesn't say you have to execute both. It says you can comment out the regen_ssh_host_keys, if you understand the implications.