mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-11-25 14:55:40 +03:00
Update docker ssh passthrough docs (#13732)
* update docker ssh passthrough docs * remove mailto:git part in SSH forwarding call Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
This commit is contained in:
parent
7ac8a770e1
commit
c3893a8bd1
1 changed files with 42 additions and 63 deletions
|
@ -291,7 +291,8 @@ files; for named volumes, this is done through another container or by direct ac
|
|||
:exclamation::exclamation: **Make sure you have volumed data to somewhere outside Docker container** :exclamation::exclamation:
|
||||
|
||||
To upgrade your installation to the latest release:
|
||||
```
|
||||
|
||||
```bash
|
||||
# Edit `docker-compose.yml` to update the version, if you have one specified
|
||||
# Pull new images
|
||||
docker-compose pull
|
||||
|
@ -301,88 +302,66 @@ docker-compose up -d
|
|||
|
||||
# SSH Container Passthrough
|
||||
|
||||
Since SSH is running inside the container, you'll have to pass SSH from the host to the
|
||||
container if you wish to use SSH support. If you wish to do this without running the container
|
||||
SSH on a non-standard port (or move your host port to a non-standard port), you can forward
|
||||
SSH connections destined for the container with a little extra setup.
|
||||
Since SSH is running inside the container, SSH needs to be passed through from the host to the container if SSH support is desired. One option would be to run the container SSH on a non-standard port (or moving the host port to a non-standard port). Another option which might be more straightforward is to forward SSH connections from the host to the container. This setup is explained in the following.
|
||||
|
||||
This guide assumes that you have created a user on the host called `git` which shares the same
|
||||
UID/GID as the container values `USER_UID`/`USER_GID`. You should also create the directory
|
||||
`/var/lib/gitea` on the host, owned by the `git` user and mounted in the container, e.g.
|
||||
This guide assumes that you have created a user on the host called `git` which shares the same `UID`/ `GID` as the container values `USER_UID`/ `USER_GID`. These values can be set as environment variables in the `docker-compose.yml`:
|
||||
|
||||
```
|
||||
version: "3"
|
||||
|
||||
services:
|
||||
server:
|
||||
image: gitea/gitea:{{< version >}}
|
||||
container_name: gitea
|
||||
environment:
|
||||
- USER_UID=1000
|
||||
- USER_GID=1000
|
||||
restart: always
|
||||
networks:
|
||||
- gitea
|
||||
volumes:
|
||||
- /var/lib/gitea:/data
|
||||
- /etc/timezone:/etc/timezone:ro
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
ports:
|
||||
- "3000:3000"
|
||||
- "127.0.0.1:2222:22"
|
||||
```bash
|
||||
environment:
|
||||
- USER_UID=1000
|
||||
- USER_GID=1000
|
||||
```
|
||||
|
||||
You can see that we're also exposing the container SSH port to port 2222 on the host, and binding this
|
||||
to 127.0.0.1 to prevent it being accessible external to the host machine itself.
|
||||
Next mount `/home/git/.ssh` of the host into the container. Otherwise the SSH authentication cannot work inside the container.
|
||||
|
||||
On the **host**, you should create the file `/app/gitea/gitea` with the following contents and
|
||||
make it executable (`chmod +x /app/gitea/gitea`):
|
||||
|
||||
```
|
||||
#!/bin/sh
|
||||
ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
|
||||
```bash
|
||||
volumes:
|
||||
- /home/git/.ssh/:/data/git/.ssh
|
||||
```
|
||||
|
||||
Your `git` user needs to have an SSH key generated:
|
||||
Now a SSH key pair needs to be created on the host. This key pair will be used to authenticate the `git` user on the host to the container.
|
||||
|
||||
```
|
||||
```bash
|
||||
sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key"
|
||||
```
|
||||
|
||||
Now, proceed with one of the points given below:
|
||||
In the next step a file named `/app/gitea/gitea` (with executable permissions) needs to be created on the host. This file will issue the SSH forwarding from the host to the container. Add the following contents to `/app/gitea/gitea`:
|
||||
|
||||
- symlink the container `.ssh/authorized_keys` file to your git user `.ssh/authorized_keys`.
|
||||
This can be done on the host as the `/var/lib/gitea` directory is mounted inside the container under `/data`:
|
||||
|
||||
```
|
||||
ln -s /var/lib/gitea/git/.ssh/authorized_keys /home/git/.ssh/authorized_keys
|
||||
```bash
|
||||
ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
|
||||
```
|
||||
|
||||
Then echo the `git` user SSH key into the authorized_keys file so the host can talk to the container over SSH:
|
||||
To make the forwarding work, the SSH port of the container (22) needs to be mapped to the host port 2222 in `docker-compose.yml` . Since this port does not need to be exposed to the outside world, it can be mapped to the `localhost` of the host machine:
|
||||
|
||||
```
|
||||
echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /home/git/.ssh/id_rsa.pub)" >> /var/lib/gitea/git/.ssh/authorized_keys
|
||||
```bash
|
||||
ports:
|
||||
# [...]
|
||||
- "127.0.0.1:2222:22"
|
||||
```
|
||||
|
||||
Lastly, Gitea makes `authorized_keys` backups by default. This could be a problem
|
||||
as the symbolic link made to `authorized_keys` previously could end up pointing
|
||||
to an old backup. To resolve this, please put the following into your Gitea
|
||||
config:
|
||||
In addition, `/home/git/.ssh/authorized_keys` on the host needs to be modified. It needs to act in the same way as `authorized_keys` within the Gitea container. Therefore add
|
||||
|
||||
```
|
||||
[ssh]
|
||||
SSH_AUTHORIZED_KEYS_BACKUP=false
|
||||
```bash
|
||||
command="/app/gitea/gitea --config=/data/gitea/conf/app.ini serv key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <YOUR_SSH_PUBKEY>
|
||||
```
|
||||
|
||||
- mount your `.ssh` directory directly into the container i.e. add the
|
||||
following to the `volumes` section of your Docker container config:
|
||||
and replace `<YOUR_SSH_PUBKEY>` with a valid SSH public key of yours.
|
||||
|
||||
```
|
||||
- /home/git/.ssh/:/data/git/.ssh/
|
||||
```
|
||||
In addition the public key of the `git` user on the host needs to be added to `/home/git/.ssh/authorized_keys` so authentication against the container can succeed: `echo "$(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys`.
|
||||
|
||||
Now you should be able to use Git over SSH to your container without disrupting SSH access to the host.
|
||||
Here is a detailed explanation what is happening when a SSH request is made:
|
||||
|
||||
Please note: SSH container passthrough will work only if using opensshd in container, and will not work if
|
||||
`AuthorizedKeysCommand` is used in combination with setting `SSH_CREATE_AUTHORIZED_KEYS_FILE=false` to disable
|
||||
authorized files key generation.
|
||||
1. A SSH request is made against the host using the `git` user, e.g. `git clone git@domain:user/repo.git`.
|
||||
2. In `/home/git/.ssh/authorized_keys` , the command executes the `/app/gitea/gitea` script.
|
||||
3. `/app/gitea/gitea` forwards the SSH request to port 2222 which is mapped to the SSH port (22) of the container.
|
||||
4. Due to the existence of the public key of the `git` user in `/home/git/.ssh/authorized_keys` the authentication host → container succeeds and the SSH request get forwarded to Gitea running in the docker container.
|
||||
|
||||
If a new SSH key is added in the Gitea web interface, it will be appended to `.ssh/authorized_keys` in the same way as the already existing key.
|
||||
|
||||
**Notes**
|
||||
|
||||
SSH container passthrough will work only if
|
||||
|
||||
- `opensshd` is used in the container
|
||||
- if `AuthorizedKeysCommand` is _not used_ in combination with `SSH_CREATE_AUTHORIZED_KEYS_FILE=false` to disable authorized files key generation
|
||||
- `LOCAL_ROOT_URL` is not changed
|
||||
|
|
Loading…
Reference in a new issue