wodby / php

Generic PHP docker container images
MIT License

Enabling SSH on Local Build #61

Closed. ChexWarrior closed this issue 5 years ago.

ChexWarrior commented 5 years ago

Hey guys,

I have been working on a script that needs to ssh into our staging and production Wodby instances. To properly test this script I have been attempting to create a local build that I can ssh into from my host machine. I have followed the instructions given in this repo's README for enabling SSH; however, even after updating this image's command to be ssh and mounting a public key, I am still unable to ssh into the container (it times out).

When I check the ~/home/.wodby/.ssh/environment file on the local build I notice it is lacking a lot of the options included in that same file on the staging and production environments so I assume that is the reason ssh doesn't work. Can you help me get this working on my local environment?

The local build I am using is docker4wordpress, I've modified the docker-compose.yml like so to enable SSH (see the ssh service):

version: "3"

services:
  mariadb:
    image: wodby/mariadb:$MARIADB_TAG
    container_name: "${PROJECT_NAME}_mariadb"
    stop_grace_period: 30s
    environment:
      MYSQL_ROOT_PASSWORD: $DB_ROOT_PASSWORD
      MYSQL_DATABASE: $DB_NAME
      MYSQL_USER: $DB_USER
      MYSQL_PASSWORD: $DB_PASSWORD
#    volumes:
#      - ./mariadb-init:/docker-entrypoint-initdb.d # Place init .sql file(s) here.
#      - /path/to/mariadb/data/on/host:/var/lib/mysql # I want to manage volumes manually.

  php:
    image: wodby/wordpress-php:$PHP_TAG
    container_name: "${PROJECT_NAME}_php"
    environment:
      PHP_SENDMAIL_PATH: /usr/sbin/sendmail -t -i -S mailhog:1025
      DB_HOST: $DB_HOST
      DB_USER: $DB_USER
      DB_PASSWORD: $DB_PASSWORD
      DB_NAME: $DB_NAME
## Read instructions at https://wodby.com/stacks/wordpress/docs/local/xdebug/
#      PHP_XDEBUG: 1
#      PHP_XDEBUG_DEFAULT_ENABLE: 1
#      PHP_XDEBUG_REMOTE_CONNECT_BACK: 0
#      PHP_IDE_CONFIG: serverName=my-ide
#      PHP_XDEBUG_REMOTE_HOST: 172.17.0.1 # Linux
#      PHP_XDEBUG_REMOTE_HOST: 10.254.254.254 # macOS
#      PHP_XDEBUG_REMOTE_HOST: 10.0.75.1 # Windows
    volumes:
      - ./html:/var/www/html
## For macOS users (https://wodby.com/stacks/wordpress/docs/local/docker-for-mac/)
#      - ./:/var/www/html:cached # User-guided caching
#      - docker-sync:/var/www/html # Docker-sync
## For XHProf and Xdebug profiler traces
#      - files:/mnt/files
  ssh:
    image: wodby-ssh:latest
    container_name: "${PROJECT_NAME}_ssh"
    ports:
      - "9090:22"
    environment:
      PHP_SENDMAIL_PATH: /usr/sbin/sendmail -t -i -S mailhog:1025
      DB_HOST: $DB_HOST
      DB_USER: $DB_USER
      DB_PASSWORD: $DB_PASSWORD
      DB_NAME: $DB_NAME
## Read instructions at https://wodby.com/stacks/wordpress/docs/local/xdebug/
#      PHP_XDEBUG: 1
#      PHP_XDEBUG_DEFAULT_ENABLE: 1
#      PHP_XDEBUG_REMOTE_CONNECT_BACK: 0
#      PHP_IDE_CONFIG: serverName=my-ide
#      PHP_XDEBUG_REMOTE_HOST: 172.17.0.1 # Linux
#      PHP_XDEBUG_REMOTE_HOST: 10.254.254.254 # macOS
#      PHP_XDEBUG_REMOTE_HOST: 10.0.75.1 # Windows
    volumes:
      - ./html:/var/www/html
      - /Users/${whoami}/.ssh/id_rsa.pub:/home/wodby/.ssh/authorized_keys

  nginx:
    image: wodby/nginx:$NGINX_TAG
    container_name: "${PROJECT_NAME}_nginx"
    depends_on:
      - php
    environment:
      NGINX_STATIC_OPEN_FILE_CACHE: "off"
      NGINX_ERROR_LOG_LEVEL: debug
      NGINX_BACKEND_HOST: php
      NGINX_VHOST_PRESET: wordpress
      #NGINX_SERVER_ROOT: /var/www/html/subdir
    volumes:
      - ./html:/var/www/html
# Options for macOS users (https://wodby.com/stacks/wordpress/docs/local/docker-for-mac/)
#      - ./:/var/www/html:cached # User-guided caching
#      - docker-sync:/var/www/html # Docker-sync
    labels:
      - 'traefik.backend=${PROJECT_NAME}_nginx'
      - 'traefik.port=80'
      - 'traefik.frontend.rule=Host:${PROJECT_BASE_URL}'

  # mailhog:
  #   image: mailhog/mailhog
  #   container_name: "${PROJECT_NAME}_mailhog"
  #   labels:
  #     - 'traefik.backend=${PROJECT_NAME}_mailhog'
  #     - 'traefik.port=8025'
  #     - 'traefik.frontend.rule=Host:mailhog.${PROJECT_BASE_URL}'

#  postgres:
#    image: wodby/postgres:$POSTGRES_TAG
#    container_name: "${PROJECT_NAME}_postgres"
#    stop_grace_period: 30s
#    environment:
#      POSTGRES_PASSWORD: $DB_PASSWORD
#      POSTGRES_DB: $DB_NAME
#      POSTGRES_USER: $DB_USER
#    volumes:
#      - ./postgres-init:/docker-entrypoint-initdb.d # Place init file(s) here.
#      - /path/to/postgres/data/on/host:/var/lib/postgresql/data # I want to manage volumes manually.

#  apache:
#    image: wodby/apache:$APACHE_TAG
#    container_name: "${PROJECT_NAME}_apache"
#    depends_on:
#      - php
#    environment:
#      APACHE_LOG_LEVEL: debug
#      APACHE_BACKEND_HOST: php
#      APACHE_VHOST_PRESET: php
#    volumes:
#      - ./:/var/www/html
## For macOS users (https://wodby.com/stacks/wordpress/docs/local/docker-for-mac/)
##      - ./:/var/www/html:cached # User-guided caching
##      - docker-sync:/var/www/html # Docker-sync
#    labels:
#      - 'traefik.backend=${PROJECT_NAME}_apache'
#      - 'traefik.port=80'
#      - 'traefik.frontend.rule=Host:${PROJECT_BASE_URL}'

#  varnish:
#    image: wodby/varnish:$VARNISH_TAG
#    container_name: "${PROJECT_NAME}_varnish"
#    depends_on:
#      - nginx
#    environment:
#      VARNISH_SECRET: secret
#      VARNISH_BACKEND_HOST: nginx
#      VARNISH_BACKEND_PORT: 80
#      VARNISH_PURGE_KEY: key
#      VARNISH_CONFIG_PRESET: wordpress
#      VARNISH_PURGE_EXTERNAL_REQUEST_HEADER: X-Real-IP
#    labels:
#      - 'traefik.backend=${PROJECT_NAME}_varnish'
#      - 'traefik.port=6081'
#      - 'traefik.frontend.rule=Host:varnish.${PROJECT_BASE_URL}'

#  redis:
#    container_name: "${PROJECT_NAME}_redis"
#    image: wodby/redis:$REDIS_TAG

#  adminer:
#    container_name: "${PROJECT_NAME}_adminer"
#    image: wodby/adminer:$ADMINER_TAG
#    environment:
## For PostgreSQL:
##      ADMINER_DEFAULT_DB_DRIVER: pgsql
#      ADMINER_DEFAULT_DB_HOST: $DB_HOST
#      ADMINER_DEFAULT_DB_NAME: $DB_NAME
#    labels:
#      - 'traefik.backend=${PROJECT_NAME}_adminer'
#      - 'traefik.port=9000'
#      - 'traefik.frontend.rule=Host:adminer.${PROJECT_BASE_URL}'

#  webgrind:
#    image: wodby/webgrind:$WEBGRIND_TAG
#    container_name: "${PROJECT_NAME}_webgrind"
#    environment:
#      WEBGRIND_PROFILER_DIR: /mnt/files/xdebug/profiler
#    labels:
#      - 'traefik.backend=${PROJECT_NAME}_webgrind'
#      - 'traefik.port=8080'
#      - 'traefik.frontend.rule=Host:webgrind.${PROJECT_BASE_URL}'
#    volumes:
#      - files:/mnt/files

#  pma:
#    image: phpmyadmin/phpmyadmin
#    container_name: "${PROJECT_NAME}_pma"
#    environment:
#      PMA_HOST: $DB_HOST
#      PMA_USER: $DB_USER
#      PMA_PASSWORD: $DB_PASSWORD
#      PHP_UPLOAD_MAX_FILESIZE: 1G
#      PHP_MAX_INPUT_VARS: 1G
#    labels:
#      - 'traefik.backend=${PROJECT_NAME}_pma'
#      - 'traefik.port=80'
#      - 'traefik.frontend.rule=Host:pma.${PROJECT_BASE_URL}'

#  athenapdf:
#    image: arachnysdocker/athenapdf-service:$ATHENAPDF_TAG
#    container_name: "${PROJECT_NAME}_athenapdf"
#    environment:
#      WEAVER_AUTH_KEY: weaver-auth-key
#      WEAVER_ATHENA_CMD: "athenapdf -S"
#      WEAVER_MAX_WORKERS: 10
#      WEAVER_MAX_CONVERSION_QUEUE: 50
#      WEAVER_WORKER_TIMEOUT: 90
#      WEAVER_CONVERSION_FALLBACK: "false"

#  blackfire:
#    image: blackfire/blackfire
#    container_name: "${PROJECT_NAME}_blackfire"
#    environment:
#      BLACKFIRE_SERVER_ID: XXXXX
#      BLACKFIRE_SERVER_TOKEN: YYYYY

#  solr:
#    image: wodby/solr:$SOLR_TAG
#    container_name: "${PROJECT_NAME}_solr"
#    environment:
#      SOLR_HEAP: 1024m
#    labels:
#      - 'traefik.backend=${PROJECT_NAME}_solr'
#      - 'traefik.port=8983'
#      - 'traefik.frontend.rule=Host:solr.${PROJECT_BASE_URL}'

#  elasticsearch:
#    image: wodby/elasticsearch:$ELASTICSEARCH_TAG
#    environment:
#      ES_JAVA_OPTS: "-Xms500m -Xmx500m"
#    ulimits:
#      memlock:
#        soft: -1
#        hard: -1

#  kibana:
#    image: wodby/kibana:$KIBANA_TAG
#    depends_on:
#      - elasticsearch
#    labels:
#      - 'traefik.backend=${PROJECT_NAME}_kibana'
#      - 'traefik.port=5601'
#      - 'traefik.frontend.rule=Host:kibana.php.docker.localhost'

#  node:
#    image: wodby/node:$NODE_TAG
#    container_name: "${PROJECT_NAME}_node"
#    working_dir: /app
#    labels:
#      - 'traefik.backend=${PROJECT_NAME}_node'
#      - 'traefik.port=3000'
#      - 'traefik.frontend.rule=Host:front.${PROJECT_BASE_URL}'
#    expose:
#      - "3000"
#    volumes:
#      - ./path/to/your/single-page-app:/app
#    command: sh -c 'npm install && npm run start'

#  memcached:
#    container_name: "${PROJECT_NAME}_memcached"
#    image: wodby/memcached:$MEMCACHED_TAG

#  opensmtpd:
#    container_name: "${PROJECT_NAME}_opensmtpd"
#    image: wodby/opensmtpd:$OPENSMTPD_TAG

#  rsyslog:
#    container_name: "${PROJECT_NAME}_rsyslog"
#    image: wodby/rsyslog:$RSYSLOG_TAG

#  xhprof:
#    image: wodby/xhprof:$XHPROF_TAG
#    restart: always
#    volumes:
#      - files:/mnt/files
#    labels:
#      - 'traefik.backend=${PROJECT_NAME}_xhprof'
#      - 'traefik.port=8080'
#      - 'traefik.frontend.rule=Host:xhprof.${PROJECT_BASE_URL}'

  # portainer:
  #   image: portainer/portainer
  #   container_name: "${PROJECT_NAME}_portainer"
  #   command: --no-auth -H unix:///var/run/docker.sock
  #   volumes:
  #     - /var/run/docker.sock:/var/run/docker.sock
  #   labels:
  #     - 'traefik.backend=${PROJECT_NAME}_portainer'
  #     - 'traefik.port=9000'
  #     - 'traefik.frontend.rule=Host:portainer.${PROJECT_BASE_URL}'

  traefik:
    image: traefik
    container_name: "${PROJECT_NAME}_traefik"
    command: -c /dev/null --web --docker --logLevel=INFO
    ports:
      - '8000:80'
#      - '8080:8080' # Dashboard
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

#volumes:
## Docker-sync for macOS users
#  docker-sync:
#    external: true
## For Xdebug profiler
#  files:

The wodby-ssh image was created by modifying the CMD line of the wodby-php Dockerfile like so:

CMD [ "sudo", "/usr/sbin/sshd", "-De" ]

Note: I had a previous discussion with @PavelPrischepa over Intercom earlier and he asked me to create this issue.

pprishchepa commented 5 years ago

Which $PHP_TAG do you use?

This line looks strange, because authorized_keys could contain more than 1 key:

/Users/${whoami}/.ssh/id_rsa.pub:/home/wodby/.ssh/authorized_keys

What is the output of ls -la ~/.ssh in the ssh container?

I am still unable to ssh into the container (it times out).

It's likely the issue is caused by the network, not by SSH keys.

ChexWarrior commented 5 years ago

Which $PHP_TAG do you use?

7.2-dev-4.10.0

This line looks strange, because authorized_keys could contain more than 1 key

That's okay, it just needs to contain my public key so I can ssh from the host into the container.

What is the output of ls -la ~/.ssh in the ssh container?

wodby@php.container:/var/www/html $ ls -la ~/.ssh
total 20
drwxr-xr-x    1 wodby    wodby         4096 Jan 23 13:17 .
drwxr-sr-x    1 wodby    wodby         4096 Jan 23 13:17 ..
-rw-------    1 wodby    wodby          397 Jul  7  2015 authorized_keys
-rw-r--r--    1 wodby    wodby         1643 Jan 23 13:17 config
-rw-r--r--    1 wodby    wodby         1146 Jan 23 13:17 environment

Contents of the ~/.ssh/config file:

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Protocol 2
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h

Contents of the ~/.ssh/environment file:

CONF_DIR=/var/www/conf
DB_HOST=mariadb
HOSTNAME=bf5f5e14baf8
PHP_DEBUG=
SSHD_PERMIT_USER_ENV=yes
SSHD_HOST_KEYS_DIR=/etc/ssh
PHPIZE_DEPS=autoconf        dpkg-dev dpkg       file        g++         gcc         libc-dev        make        pkgconf         re2c
GPG_KEYS=1729F83938DA44E27BA0F4D3DBDB397470D12172 B1B44D8F021E4E2D6021E995DC9FF8D3EE5AF27F
DB_USER=wordpress
PHP_EXTRA_CONFIGURE_ARGS=--enable-fpm --with-fpm-user
PHP_ASC_URL=https://secure.php.net/get/php-7.2.13.tar.xz.asc/from/this/mirror
PHP_CFLAGS=-fstack-protector-strong -fpic -fpie -O2
ENV=/home/wodby/.shrc
WP_VER=5.0.3
PHP_DEV=
PHP_LDFLAGS=-Wl,-O1 -Wl,--hash-style
DB_PASSWORD=wordpress
PHP_SENDMAIL_PATH=/usr/sbin/sendmail -t -i -S mailhog:1025
GIT_USER_EMAIL=wodby@example.com
GOTPL_VER=0.1.5
PHP_INI_DIR=/usr/local/etc/php
PHP_URL=https://secure.php.net/get/php-7.2.13.tar.xz/from/this/mirror
PHP_CPPFLAGS=-fstack-protector-strong -fpic -fpie -O2
GIT_USER_NAME=wodby
APP_NAME=WordPress 4
FILES_DIR=/mnt/files
PHP_VERSION=7.2.13
DB_NAME=wordpress
APP_ROOT=/var/www/html
PHP_MD5=
PHP_SHA256=14b0429abdb46b65c843e5882c9a8c46b31dfbf279c747293b8ab950c2644a4b
LD_PRELOAD=/usr/lib/preloadable_libiconv.so php
_=/bin/printenv

It's likely the issue is caused by the network, not by SSH keys.

Can you elaborate on what you mean? I think the authorized_keys is fine, however I suspect that sshd within the container doesn't have the proper settings required for me to ssh in from the host.

csandanov commented 5 years ago

Do you need to SSH from your local container to a remote server? You don't need SSHD for this; just mount your private SSH key into the php container and set $SSH_DISABLE_STRICT_KEY_CHECKING=1 (to avoid the interactive dialogue), as we do in tests.

ChexWarrior commented 5 years ago

Do you need to SSH from your local container to a remote server?

No, I want to ssh from my host machine into the local container. I'm testing a PHP script that involves SSHing into containers, and I'd like to set up some proper tests before running this on any remote servers.
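An added pre-flight check for the setup discussed in this thread (example shell code, not from the wodby/php project or from any participant). It validates that the host file bind-mounted onto /home/wodby/.ssh/authorized_keys really is an OpenSSH public-key file, and it sorts ssh's error text into a network problem versus a key problem, the distinction pprishchepa draws above. It assumes the wodby user and published port 9090 from the posted compose file; the key lines used in the test are constructed.

```shell
#!/bin/sh
# Added example, not code from the wodby/php project or this thread.
# Assumed from the posted compose file: user "wodby", published port 9090.

# Return 0 when FILE exists and every non-blank, non-comment line is an
# OpenSSH public-key line (key type, base64 blob, optional comment).
# Compose expands ${NAME} from the environment, not from a shell command,
# so check the expanded host path before starting the stack.
validate_authorized_keys() {
  file=$1; n=0
  [ -f "$file" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    printf '%s\n' "$line" | grep -Eq \
      '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9.-]+@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$' \
      || return 1
    n=$((n + 1))
  done < "$file"
  [ "$n" -gt 0 ]
}

# Map ssh's stderr to a coarse cause, so "it times out" is not treated as a
# key problem: network (port not published, firewall, sshd not listening),
# auth (sshd answered but rejected the key), hostkey, or unknown.
classify_ssh_error() {
  case $1 in
    *"timed out"*|*"Connection refused"*|*"No route to host"*|*"Network is unreachable"*)
      echo network ;;
    *"Permission denied"*) echo auth ;;
    *"HOST IDENTIFICATION HAS CHANGED"*|*"Host key verification failed"*) echo hostkey ;;
    *) echo unknown ;;
  esac
}

# Non-interactive probe of the published port; prints ok or the cause class.
probe_ssh() {
  host=${1:-127.0.0.1}; port=${2:-9090}
  err=$(ssh -o BatchMode=yes -o ConnectTimeout=5 -p "$port" "wodby@$host" true 2>&1 >/dev/null) \
    && { echo ok; return 0; }
  classify_ssh_error "$err"
}

# Usage (constructed path; point it at the file you mount in docker-compose.yml):
#   validate_authorized_keys "$HOME/.ssh/id_rsa.pub" && probe_ssh 127.0.0.1 9090
```

If the probe reports network, the SSH keys are irrelevant until the host can reach sshd on the published port; only an auth result points at the mounted authorized_keys.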