Guide on reusing docker host SSH server#737
Guide on reusing docker host SSH server#737IlyaSemenov wants to merge 9 commits intosameersbn:masterfrom
Conversation
|
I'd prefer documenting this procedure in a supporting document and linking to it from the main README. |
IlyaSemenov
force-pushed
the
docker-host-ssh
branch
2 times, most recently
from
5779e95 to
da75f55
Compare
|
@sameersbn I did as you asked, please check the updated PR. |
IlyaSemenov
force-pushed
the
docker-host-ssh
branch
3 times, most recently
from
dbc085d to
901bf3c
Compare
|
Any update on this? |
IlyaSemenov
force-pushed
the
docker-host-ssh
branch
2 times, most recently
from
b41faae to
165a261
Compare
|
@apertureless I rebased the PR against 8.10.4 |
|
Sorry I completely missed tracking this PR. Will review and merge soon. Thanks. |
|
I will throw my 2 cents in before we start to merge this. I think it's not a good idea to introduce
I think it's a separate problem of |
IlyaSemenov
force-pushed
the
docker-host-ssh
branch
from
165a261 to
1fefadb
Compare
|
This is surely a hack, but for now it gets its job done. Revealing the list of public keys is not much of a vulnerability in most circumstances. In a sense, this is not much different from revealing In the end, yes, it would suffice to provide a way for Redmine to use repositories with non-default UID/GID, although that would be hacky as well. To support arbitrary GID, one would end up with something like: # In Redmine or other container that needs to access Gitlab data directory
group=$(getent group $GID | cut -d: -f1)
if [ -z "$group" ]; then
group=group_$gid
groupadd -g $gid $group
fi
usermod -aG $group www-dataNot very elegant at best, and in theory prone to vulnerabilities as well (if GID matches with some non-secure service inside the container). |
IlyaSemenov
force-pushed
the
docker-host-ssh
branch
2 times, most recently
from
8f5e2e9 to
9e5c9d8
Compare
|
Anyway, I removed PLEASE NOTE: keeping |
IlyaSemenov
changed the title
IlyaSemenov
force-pushed
the
docker-host-ssh
branch
from
9e5c9d8 to
a81b75a
Compare
IlyaSemenov
force-pushed
the
docker-host-ssh
branch
from
eef29fb to
73eda19
Compare
Is it? Your public SSH key is already public on GitHub: https://github.com/IlyaSemenov.keys |
|
@ostueker yep, it is because every user on the system could write in it |
|
@lenovouser world-readable is not world-writeable |
docs/docker_host_ssh.md
Outdated
| Reuse docker host SSH daemon | ||
| ============================ | ||
|
|
||
| It is possible to use the SSH daemon that runs on the docker host instead of using a separate SSH port for Gitlab. |
3) In any case, I've updated the incron script to use group-readable |
|
ATTENTION Seems like the incrond script that I've included suffers from the dead loop and raises thousands of zombies, please don't use it directly. Edit: resolved by the commit below. |
|
great guide and work @IlyaSemenov _o_ |
|
I think this method of forwarding the git ssh access allows for a full container host compromise from inside the gitlab container! My current workaround for this is to chain two ssh connections. The git user on the container host uses the authorized_keys file from gitlab, but also has its own key-pair that is used to forward the connection to the gitlab container's ssh. The container then uses a suitable sshd_config to force use of a handcrafted authorized_keys file that allows the host git user to connect. In case there's interest in my solution, I can write a detailed tutorial for it. |
|
I'd be interested in such a tutorial of how to chain the two ssh servers. Do you have it automated so that when I use the git user, it transparently connects to the docker container? |
|
@MichaelEischer I agree that you bring valid security concern, and that the double SSH trick will avoid it. What I'm thinking however is that perhaps it's easier to remove the host |
|
sudo is in fact able to handle wildcard arguments. This might look like the following This will allow the example user to run commands like |
|
I updated the document correspondingly. Thanks for bringing this matter up, @MichaelEischer. |
|
@IlyaSemenov Thanks for the update. Btw, the recent gitlab security vulnerability (https://about.gitlab.com/2017/08/10/gitlab-9-dot-4-dot-4-released/) should be enough to allow an attacker to insert arbitrary authorized_key commands. With the git user belonging to the docker group this could then be used for a root privilege escalation on the host. |
docs/docker_host_ssh.md
Outdated
|
|
||
| ## Advanced: Use default UID/GID in the container | ||
|
|
||
| if you rely on the default `uid` and `git`, for example if you link GitLab to [sameersbn/redmine](https://github.com/sameersbn/docker-redmine) container, you can run the container without UID/GID mapping and use [incron](http://inotify.aiken.cz/?section=incron&page=about&lang=en) to keep `.ssh/authorized_keys` accessible by host `git` user: |
There was a problem hiding this comment.
I think it's meant to be "if you rely on the default uid and gid" here? (note "gid" instead of "git").
There was a problem hiding this comment.
Also, capital "F" at the beginning of the sentence.
| Now create `gitlab-shell` home directory at the same location as in the container: | ||
|
|
||
| ```bash | ||
| mkdir -p /home/git/gitlab-shell/bin |
There was a problem hiding this comment.
I'm trying to follow this guide, and I'm unsure at this step. Looking inside my omnibus Docker container, I can only find /var/opt/gitlab/gitlab-shell, not /home/git/gitlab-shell. Does this mean I should create /var/opt/gitlab/gitlab-shell/bin (and intermediate directories) on the host?
There was a problem hiding this comment.
The guide is written with this alternate gitlab docker container in mind. That said, the primary different to the omnibus docker container is probably just different paths. The path on the host must match the path to gitlab-shell inside the container, thus using /var/opt/gitlab/gitlab-shell/bin should work.
I'm, however, not sure which uid/gid for the git user is used by the omnibus docker container. As the host machine should ideally use the same uid/gid for its git user, this may cause further problems.
There was a problem hiding this comment.
Right, I finally realized that this guide was not for the official Docker images :) Sorry for the noise.
I noticed it when I realized the USERMAP_UID and USERMAP_GID variables were not being respected.
I'll have to figure out if I can do something similar with the offical images, because this "hack" to be able to use port 22 for git is really neat (thanks!).
There was a problem hiding this comment.
I personally use incron permissions fixer on two different GitLab installs and it works fine. It's far from being elegant for sure, but it gets the job done.
There was a problem hiding this comment.
@IlyaSemenov: Ah, I wasn't asking about permissions though, but about the directory/file paths in the guide, which I couldn't reconcile with what I was seeing locally. But it was just me being confused and thinking this guide was for the official omnibus image.
(The permission problem I solved by matching the git uid/gid on the host with those hard-coded in the official container, instead of chmod:ing, since we don't want to run OpenSSH with StrictModes off.)
There was a problem hiding this comment.
@estan You're mentioning that you solved the permission issue without turning off StrictModes. Could you elaborate this a bit more? Probably in the context of the manual from @IlyaSemenov?
Which commands must be changed to achieve this?
There was a problem hiding this comment.
@reberinformatik Well, we were running the official omnibus Docker image from GitLab (I didn't realize that this guide was about the alternate image when I first posted here).
We solved the problem by simply making sure that the host system has a git/git user/group with the same UID and GID as the one used inside the official omnibus Docker container (I think that's 998 / 998).
Then, where this guide says
Create the shell proxy script at `/home/git/gitlab-shell/bin/gitlab-shell`
we instead created the shell proxy script at /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell, since this is the path where the offical omnibus Docker container expects to find it.
We did not use any of the steps under ## Advanced: Use default UID/GID in the container in this guide. Since we made sure the host system UID/GID for git/git matches that of the Docker container, there was no need to. The authorized_keys file exposed by the container will have the correct permissions in the eyes of the host SSH daemon (even with StrictModes on).
There was a problem hiding this comment.
Note that it can be a little awkward to make sure you have a git/git user/group with UID/GID 998/998, since you may already have some other user/group with that UID/GID. We had that problem, but I went through the trouble of changing the UID/GID for that user to make 998/998 available. I thought it was worth the trouble to get GitLab up and running.
There was a problem hiding this comment.
@estan Thanks for taking the time to explain this. We also use the official omnibus Docker container. First I just skipped Advanced part in the guide. But as you mentioned, our git-user on the docker-host has a 999 id. Luckily there is no user with 998 yet. So I guess we have to try changing the UID/GID. Thanks!
|
Hello, I think this pull request is outdate because we already implemented a way how to reuse ssh. For this see #1731. If it's not enough please reopen this PR we and start a discussion again. |
|
I see. Yes, since you added support for the proxy key to the core this method is easier and more reliable as it doesn't need to monitor permissions. My PR was working with unmodified docker-gitlab. I believe it's fully superseded now, indeed. What I don't like in your new guide is that it tells to run the large bash script on the host without any explanation on what it's going to do and which distros it's compatible with. But, who cares... |
13 participants
This PR adds explanation on how to use the SSH daemon on the Docker host to connect to Gitlab, and adds the option to set more relaxed permissions if needed (see #725). This needs proofreading at the very least.