From 721e5f53ab6426fa797aa58a4eedbfbecb23d897 Mon Sep 17 00:00:00 2001 From: dobli Date: Sun, 22 Mar 2020 00:43:17 +0100 Subject: [PATCH 1/2] Added mod for ssh tunneling --- .travis.yml | 10 +++--- Dockerfile.complex | 21 ------------ README.md | 40 +++++++++++++++++------ root/etc/cont-init.d/99-ssh-tunnel-config | 6 ++++ root/etc/cont-init.d/99-vpn-config | 27 --------------- root/etc/services.d/sshvpn/run | 3 -- 6 files changed, 41 insertions(+), 66 deletions(-) delete mode 100644 Dockerfile.complex create mode 100644 root/etc/cont-init.d/99-ssh-tunnel-config delete mode 100644 root/etc/cont-init.d/99-vpn-config delete mode 100644 root/etc/services.d/sshvpn/run diff --git a/.travis.yml b/.travis.yml index e6e5b1fb..0b8af927 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,16 +4,16 @@ language: shell branches: only: - - - #replace variables, omit brackets + - openssh-server-ssh-tunnel services: - docker env: global: - - DOCKERHUB="linuxserver/mods" #don't modify - - BASEIMAGE="baseimagename" #replace - - MODNAME="modname" #replace + - DOCKERHUB="linuxserver/mods" + - BASEIMAGE="openssh-server" + - MODNAME="ssh-tunnel" jobs: include: @@ -32,4 +32,4 @@ jobs: - echo $DOCKERPASS | docker login -u $DOCKERUSER --password-stdin # Push all of the tags - docker push ${DOCKERHUB}:${BASEIMAGE}-${MODNAME}-${TRAVIS_COMMIT} - - docker push ${DOCKERHUB}:${BASEIMAGE}-${MODNAME} \ No newline at end of file + - docker push ${DOCKERHUB}:${BASEIMAGE}-${MODNAME} diff --git a/Dockerfile.complex b/Dockerfile.complex deleted file mode 100644 index 4463d838..00000000 --- a/Dockerfile.complex +++ /dev/null 
@@ -1,21 +0,0 @@
-## Buildstage ##
-FROM lsiobase/alpine:3.9 as buildstage
-
-RUN \
- echo "**** install packages ****" && \
- apk add --no-cache \
- curl && \
- echo "**** grab rclone ****" && \
- mkdir -p /root-layer && \
- curl -o \
- /root-layer/rclone.deb -L \
- "https://downloads.rclone.org/v1.47.0/rclone-v1.47.0-linux-amd64.deb"
-
-# copy local files
-COPY root/ /root-layer/
-
-## Single layer deployed image ##
-FROM scratch
-
-# Add files from buildstage
-COPY --from=buildstage /root-layer/ /
diff --git a/README.md b/README.md
index 867a00c1..ebcf1cf7 100644
--- a/README.md
+++ b/README.md
@@ -1,15 +1,35 @@ # Docker mod for openssh-server -This mod adds rsync to openssh-server, to be installed/updated during container start. +This mod adds ssh tunnelling to openssh-server, by enabling tcp forwarding during container start. -In openssh-server docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:openssh-server-rsync` +In openssh-server docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:openssh-server-ssh-tunnel` -# Mod creation instructions +Note: `GatewayPorts` is set to `clientspecified`, this moves the responsibility to define the gateway host of the port to the client that opens the tunnel, e.g. `*:8080` to forward 8080 to all connection, default is localhost only. +In addition it is still necessary to expose the same port on the container level, using either the `--expose` (only to other containers) or the `--port` (expose on host level/internet) run options (or the counterparts in docker-compose). -* Ask the team to create a new branch named `-`. Baseimage should be the name of the image the mod will be applied to. The new branch will be based on the `template` branch. -* Fork the repo, checkout the template branch. -* Edit the `Dockerfile` for the mod. `Dockerfile.complex` is only an example and included for reference; it should be deleted when done. -* Inspect the `root` folder contents. Edit, add and remove as necessary. -* Edit this readme with pertinent info, delete thse instructions. -* Finally edit the `travis.yml`. 
Customize the build branch,and the vars for `BASEIMAGE` and `MODNAME` -* Submit PR against the branch created by the team \ No newline at end of file +Example: + +When creating the container with the following setup: +``` +version: '2' +services: + ssh-tunnel: + image: linuxserver/openssh-server + environment: + - PUBLIC_KEY_FILE=/config/id_rsa.pub + - TCP_FORWARDING=true + - DOCKER_MODS=linuxserver/mods:openssh-server-ssh-tunnel + volumes: + - ./id_rsa.pub:/config/id_rsa.pub + expose: + - 30000 + ports: + - 2222:2222 +``` + +It's possible to expose the clients port 8080 through the containers port 30000 like this: +``` +ssh -R *:30000:localhost:8080 example.com -p 2222 +``` + +Port 30000 will then only be available to other containers (e.g. a web server acting as a reverse proxy), when using `ports` instead of `expose` the port would be accessible from the host (and the network it resides in, e.g. the internet). The client command can be automated using autossh. diff --git a/root/etc/cont-init.d/99-ssh-tunnel-config b/root/etc/cont-init.d/99-ssh-tunnel-config new file mode 100644 index 00000000..3d415136 --- /dev/null +++ b/root/etc/cont-init.d/99-ssh-tunnel-config @@ -0,0 +1,6 @@ +#!/usr/bin/with-contenv bash + +# allow tcp forwarding within openssh settings +sed -i '/^AllowTcpForwarding/c\AllowTcpForwarding yes' /etc/ssh/sshd_config +sed -i '/^GatewayPorts/c\GatewayPorts clientspecified' /etc/ssh/sshd_config +echo "TcpForwarding is enabled" diff --git a/root/etc/cont-init.d/99-vpn-config b/root/etc/cont-init.d/99-vpn-config deleted file mode 100644 index a5f91276..00000000 --- a/root/etc/cont-init.d/99-vpn-config +++ /dev/null 
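Review bot: Both `sed … c\…` commands in 99-ssh-tunnel-config are silent no-ops when `/etc/ssh/sshd_config` has no uncommented `AllowTcpForwarding` or `GatewayPorts` line (the upstream default file ships both commented out), yet the final `echo` reports success unconditionally, so a start that did not enable forwarding is indistinguishable in the logs from one that did. Append the directive when the anchor is missing, e.g. `grep -q '^AllowTcpForwarding' /etc/ssh/sshd_config || echo 'AllowTcpForwarding yes' >> /etc/ssh/sshd_config` (likewise for `GatewayPorts`), and gate the message on the result, e.g. `grep -q '^AllowTcpForwarding yes' /etc/ssh/sshd_config && echo "TcpForwarding is enabled"`. If the base image's own init scripts regenerate sshd_config or start sshd against a different file, these edits would also be lost, so it is worth confirming this path is the one sshd actually loads. `AllowTcpForwarding yes` additionally permits local (`-L`) and dynamic forwarding through the container, which the README does not mention; since only reverse tunnels (`-R`) are documented, `AllowTcpForwarding remote` is the least-privilege value that still covers that use case.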
@@ -1,27 +0,0 @@ -#!/usr/bin/with-contenv bash - -# Determine if setup is needed -if [ ! -f /usr/local/lib/python***/dist-packages/sshuttle ] && \ -[ -f /usr/bin/apt ]; then - ## Ubuntu - apt-get update - apt-get install --no-install-recommends -y \ - iptables \ - openssh-client \ - python3 \ - python3-pip - pip3 install sshuttle -fi -if [ ! -f /usr/lib/python***/site-packages/sshuttle ] && \ -[ -f /sbin/apk ]; then - # Alpine - apk add --no-cache \ - iptables \ - openssh \ - py3-pip \ - python3 - pip3 install sshuttle -fi - -chown -R root:root /root -chmod -R 600 /root/.ssh diff --git a/root/etc/services.d/sshvpn/run b/root/etc/services.d/sshvpn/run deleted file mode 100644 index 7d49e796..00000000 --- a/root/etc/services.d/sshvpn/run +++ /dev/null @@ -1,3 +0,0 @@ -#!/usr/bin/with-contenv bash - -sshuttle --dns --remote root@${HOST}:${PORT} 0/0 -x 172.17.0.0/16 From 73f038d78facc542a853504e4005aa6745680f5d Mon Sep 17 00:00:00 2001 From: aptalca Date: Mon, 23 Mar 2020 13:03:14 -0400 Subject: [PATCH 2/2] readme update --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index ebcf1cf7..5474e8b8 100644 --- a/README.md +++ b/README.md 
@@ -4,6 +4,8 @@ This mod adds ssh tunnelling to openssh-server, by enabling tcp forwarding durin In openssh-server docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:openssh-server-ssh-tunnel` +If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:openssh-server-ssh-tunnel|linuxserver/mods:openssh-server-mod2` + Note: `GatewayPorts` is set to `clientspecified`, this moves the responsibility to define the gateway host of the port to the client that opens the tunnel, e.g. `*:8080` to forward 8080 to all connection, default is localhost only. In addition it is still necessary to expose the same port on the container level, using either the `--expose` (only to other containers) or the `--port` (expose on host level/internet) run options (or the counterparts in docker-compose). 
@@ -13,23 +15,21 @@ When creating the container with the following setup: ``` version: '2' services: - ssh-tunnel: + openssh-server: image: linuxserver/openssh-server environment: - - PUBLIC_KEY_FILE=/config/id_rsa.pub - - TCP_FORWARDING=true - DOCKER_MODS=linuxserver/mods:openssh-server-ssh-tunnel volumes: - - ./id_rsa.pub:/config/id_rsa.pub + - /path/to/appdata/config:/config expose: - 30000 ports: - 2222:2222 ``` -It's possible to expose the clients port 8080 through the containers port 30000 like this: +It's possible to expose the client's port 8080 through the container's port 30000 like this: ``` ssh -R *:30000:localhost:8080 example.com -p 2222 ``` -Port 30000 will then only be available to other containers (e.g. a web server acting as a reverse proxy), when using `ports` instead of `expose` the port would be accessible from the host (and the network it resides in, e.g. the internet). The client command can be automated using autossh. +Port 30000 will then only be available to other containers (e.g. a web server acting as a reverse proxy). When using `ports` instead of `expose` the port would be accessible from the host (and the network it resides in, e.g. the internet). The client command can be automated using autossh.