Adding sshd to a Docker image is generally considered an anti-pattern. AWS Fargate has been the exception, as highlighted by a long-standing issue: there was no built-in way to get a shell into a running task. This repo is an example of how to build an Alpine image with an on-demand sshd that works under Fargate. (ECS Exec now covers most of these cases; treat this approach as the fallback for when it is not available.)
## Usage

- Add your public key to `authorized-keys/` before building.
- Build and run locally with sshd enabled, publishing container port 22 on host port 2222:

  ```sh
  docker build -t openssh .
  docker run -p 2222:22 -it openssh /bin/sh -c "SSH_ENABLED=true /usr/local/bin/docker-entrypoint.sh && sleep infinity"
  ```

- Connect with the matching private key:

  ```sh
  ssh -i ~/path/to/private_key -p 2222 root@localhost
  ```
## Practical Fargate

To be realistically accessible while still secure, sshd should stay off until it is actually needed:

- Leave the `SSH_ENABLED` environment variable `false` (the default) for all regular containers.
- Create a separate ECS cluster with a one-off Fargate task whose sole purpose is to be the SSH connector. Its CloudFormation container definition overrides the command:

  ```yaml
  ...
  ContainerDefinitions:
    ...
    Command:
      - /bin/sh
      - '-c'
      - "SSH_ENABLED=true /usr/local/bin/docker-entrypoint.sh && sleep infinity"
  ```

  Or, if creating the container definition manually in the AWS Fargate UI, enter the command as:

  ```
  /bin/sh,-c,SSH_ENABLED=true /usr/local/bin/docker-entrypoint.sh && sleep infinity
  ```

- You now have on-demand SSH. Be sure to **stop** the task when finished; for as long as it runs, port 22 is reachable.
- Use a bastion/jump machine rather than exposing the task's port 22 directly to the internet.
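The same one-off connector task driven from the AWS CLI, as an added example that is not part of this repo: the command override is supplied at `run-task` time through `--overrides`, so the regular task definition keeps `SSH_ENABLED=false` and no second task definition is needed, and the task is stopped as soon as the session is over. The cluster, task-definition, container, subnet and security-group values are placeholders.

```shell
#!/bin/sh
# Added example, not part of this repo: start and stop a one-off Fargate task
# with sshd enabled, from the AWS CLI. CLUSTER, TASK_DEF, CONTAINER, SUBNET and
# SG are placeholder values; adjust them for your account.
set -e

CLUSTER="${CLUSTER:-ssh-connector}"
TASK_DEF="${TASK_DEF:-openssh}"
CONTAINER="${CONTAINER:-openssh}"
SUBNET="${SUBNET:-subnet-0123456789abcdef0}"
SG="${SG:-sg-0123456789abcdef0}"

# Container command override: the same command the README puts in CloudFormation,
# applied to this task only, so the regular service keeps SSH_ENABLED=false.
# $1 is the container name from the task definition.
ssh_task_overrides() {
    printf '{"containerOverrides":[{"name":"%s","command":["/bin/sh","-c","SSH_ENABLED=true /usr/local/bin/docker-entrypoint.sh && sleep infinity"]}]}' "$1"
}

# Launch the connector task and print its ARN. assignPublicIp is left at the
# default (DISABLED): the task is reached through the bastion, not directly.
start_ssh_task() {
    aws ecs run-task \
        --cluster "$CLUSTER" \
        --launch-type FARGATE \
        --task-definition "$TASK_DEF" \
        --network-configuration "awsvpcConfiguration={subnets=[$SUBNET],securityGroups=[$SG]}" \
        --overrides "$(ssh_task_overrides "$CONTAINER")" \
        --query 'tasks[0].taskArn' --output text
}

# Stop the task so port 22 stops being reachable. $1 is the task ARN.
stop_ssh_task() {
    aws ecs stop-task --cluster "$CLUSTER" --task "$1" --reason "ssh session finished" >/dev/null
}

case "${1:-}" in
    start)
        arn=$(start_ssh_task)
        aws ecs wait tasks-running --cluster "$CLUSTER" --tasks "$arn"
        echo "$arn"
        ;;
    stop)
        stop_ssh_task "$2"
        ;;
esac
```

Run `./ssh-task.sh start` to get the task ARN (the script waits until the task is RUNNING), then `./ssh-task.sh stop <arn>` as soon as the session is over. Because no public IP is assigned, connect to the task's private IP from the jump host.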
## Notes

- The `SSH_ENABLED` flag turns sshd on or off. Default: `false`.
- SSH wipes the environment: sshd starts each login session with a fresh environment, so the variables the container was started with are not visible in the session. The trick is to re-hydrate the session via `env | grep '_\|PATH' | awk...` in the `entry-point.sh`.
- Change `_\|PATH` to capture the envs you need. Keep in mind you don't want all of them (some session ones do weird things to the terminal). Ideally all your envs have `_` in them.
- Fargate does not let `HostPort` and `ContainerPort` be different. This means only one container can expose 22 at a time (per task, since each Fargate task gets its own network interface). Hard limitation.
- Assumes you connect into your container as `root`.
- Key management is not the point of this repo; manage your keys well please.
- `sleep infinity` is cool: it keeps the container alive after the entry-point has started sshd and returned.
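A sketch of the entry-point's re-hydration step, as an added example rather than the repo's own `docker-entrypoint.sh`: it selects variables by the same `_\|PATH` name pattern, drops the session-specific ones, writes them as properly quoted `export` lines into a file that Alpine's login shell sources, and only then starts sshd when `SSH_ENABLED=true`. The `ENV_PATTERN`/`ENV_FILE` knobs, the session-variable deny list and the `/etc/profile.d` location are assumptions of this example, not the repo's.

```shell
#!/bin/sh
# Added example entry-point, not the repo's docker-entrypoint.sh. Assumptions:
# Alpine with the `openssh` package installed, root's login shell is ash (which
# reads /etc/profile and thus /etc/profile.d/*.sh), and the ENV_PATTERN /
# ENV_FILE names are this example's own.
set -e

# grep pattern for variable NAMES to carry into SSH sessions (README default).
ENV_PATTERN="${ENV_PATTERN:-_\|PATH}"
# Sourced by every login shell; keep it root-only since it may hold secrets.
ENV_FILE="${ENV_FILE:-/etc/profile.d/container-env.sh}"

# Per-process/session variables that would confuse the SSH login shell.
is_session_var() {
    case "$1" in
        _|SHLVL|PWD|OLDPWD|HOME|TERM|SHELL|SSH_*) return 0 ;;
        *) return 1 ;;
    esac
}

# Single-quote a value for safe re-import by sh: every ' becomes '\''.
# (Trailing newlines in the value are dropped by the command substitution.)
shell_quote() {
    q=$(printf '%s' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "$q"
}

# Write `export NAME='value'` for every exported variable whose name matches
# ENV_PATTERN, skipping session variables. Values are quoted, which a plain
# `env | grep | awk` pipeline would not do. $1 is the output path.
write_env_file() {
    out="$1"
    mkdir -p "$(dirname "$out")"
    : > "$out"
    chmod 600 "$out"
    # Only lines that start with a valid NAME= are variables; continuation
    # lines of multi-line values are ignored by the sed filter.
    env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' | grep "$ENV_PATTERN" | sort -u |
    while IFS= read -r name; do
        is_session_var "$name" && continue
        eval "val=\$$name"   # name was validated above, so eval is safe here
        printf 'export %s=%s\n' "$name" "$(shell_quote "$val")" >> "$out"
    done
}

# Only start sshd when explicitly asked (default: off), exactly as the README's
# SSH_ENABLED flag describes. sshd forks into the background; the container is
# kept alive by the `sleep infinity` that follows the entry-point.
if [ "${SSH_ENABLED:-false}" = "true" ]; then
    write_env_file "$ENV_FILE"
    ssh-keygen -A          # generate any missing host keys
    /usr/sbin/sshd
fi
```

Because `/etc/profile` is only read by login shells, the variables show up for an interactive `ssh root@host` but not for `ssh root@host some-command`; if you need the latter, set `PermitUserEnvironment yes` in `sshd_config` and write plain `NAME=value` lines to `/root/.ssh/environment` instead. The quoting is the point: a pipeline that emits `export NAME=value` verbatim breaks on values containing spaces or quotes, and a deny list is what keeps the `_`, `SSH_*` and similar session variables from being replayed into every new login.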
Improvements to the files or to the Practical Fargate section are always welcome.