compute servers: add an additional ssh server in the compute container on port 2222 (or make the host one be on port 2222)

[williamstein]

I tried making a compute server then ssh'ing to user@[ip] and that didn't work, due to some docker group error. This was easy to fix by editing /etc/group and adding user to the docker group:

root@prod-5083:/etc/ssh# tail /etc/group
fwupd-refresh:x:990:
polkitd:x:989:
admin:x:110:
netdev:x:111:wstein
_chrony:x:112:
ubuntu:x:1000:wstein
google-sudoers:x:1001:wstein
wstein:x:1002:
docker:x:999:user
user:x:2001:

Next tried VS Code's remote ssh extension https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-ssh and it does not work. It involves running ssh -v -T -D 50010 -o ConnectTimeout=15 user@35.212.240.37 (presumably) and this doesn't work because of how ssh works into the container:

root@prod-5083:/etc/ssh# tail sshd_config
Subsystem   sftp    /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server
Match User user
   ForceCommand [[ -z "${SSH_ORIGINAL_COMMAND}" ]] && docker exec -w /home/user -it compute bash || docker exec -w /home/user -i compute ${SSH_ORIGINAL_COMMAND}

At this point (months later after implementing this), I think I should rewrite the ssh for compute servers as follows:

• instead run an ssh server on port 22 inside the compute container
• make the host ssh server be on port 2222, so to connect as root on the host you have to ssh to port 2222.
• open port 2222 to the external world.

Then vs code remote ssh should work, and probably a lot of other subtle things that just can't be supported via forcecommand.

[williamstein]

WORKAROUND: Setup ssh keys as explained at https://doc.cocalc.com/account/ssh.html, then start your compute server. If the ip address is 35.212.240.37, then you can ssh to root on the compute server via:

ssh root@35.212.240.37

After you ssh in, change the ssh server configuration to NOT forward user into the compute server as follows, then restart the ssh server:

sed -i 's/^Match User user$/Match User xxx/' /etc/ssh/sshd_config
service ssh restart

Now when you ssh to the compute server, you are signed in as "user" and have full access to your filesystem, but you don't have the special software environment. For vscode that is probably fine, since you just need to access to the filesystem.

Now just follow the directions at https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-ssh:

1. Install the remote ssh extension
2. Hit F1
3. Put in ssh user@35.212.240.37 -A and connect
4. It will install vscode on the compute server and work:

[williamstein]

I tried making a compute server then ssh'ing to user@[ip] and that didn't work, due to some docker group error.

This is now fixed via commit 827c0697eff58bf2963d9357965ee7dc80102c15

[williamstein]

Another way to support odd users of ssh in the compute container, but still ensuring that standard ssh to root works, would be to run a second ssh server only in the compute container on port 2222, via supervisord.