In App Service platform, the WEBSSH feature is backed by openssh-server. For Azure App Service built-in docker images, the platform by default has OpenSSH server configured. But for custom docker image, you will have to setup the OpenSSH server by yourself.
We used to notice the following RedHat issue that may cause your custom docker container failed to install openssh-server.
Not Finding openssh-server-8.0p1-3.el8.x86_64.rpm in REDHAT ubi 8 docker image - Red Hat Customer Portal
At that time, you only have two options: either you register the RedHat system running within the container and attach it to a RedHat subscription, or you can download the openssh-server package and manually install it inside your docker container.
The good news is that RedHat openssh-server package now became available in both authenticated (registry.redhat.io) and unauthenticated (registry.access.redhat.com) registries.
That means we can simply now use "yum install" command to install openssh-server in an unregistered docker container.
According to 1750907 – UBI7 - Request for openssh-server package in UBI7 image (redhat.com), since 2021 Oct,
openssh-server is now included in RedHat ubi7 and ubi8 repositories.
For more details about RedHat UBI images, repositories and packages, please refer to:
Universal Base Images (UBI): Images, repositories, packages, and source code - Red Hat Customer Portal
The following article shows a demonstration of how to enable WebSSH for your customer docker image which is build based on Redhat UBI docker image.
1. Modify your Dockerfile to install OpenSSH server and set root user password.
Notes:
- We can use registry.access.redhat.com/ubi8/ubi or registry.access.redhat.com/ubi7/ubi as the base docker image
- Both openssh-server and openssh-clients packages require to be installed
- Need to set root user password to "Docker!"
- Other than your web application listening port (e.g. 80), we also need to open port 2222 for WEBSSH access
- Need to set our customized sshd_config
- Create ENTRYPOINT script, since we need to bring up OpenSSH server before booting up your application
2. Create sshd_config file in the same folder as your Dockerfile
# This is ssh server systemwide configuration file.
#
# /etc/sshd_config
Port 2222
ListenAddress 0.0.0.0
LoginGraceTime 180
X11Forwarding yes
Ciphers aes128-cbc,3des-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-sha1-96
StrictModes yes
SyslogFacility DAEMON
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin yes
Subsystem sftp internal-sftp
3. Create init.sh file in the same folder as your Dockerfile
In the following example:
- Modify the /etc/profile file to get environment variables to show up in SSH session
- Start the /usr/sbin/sshd before booting up my Nginx server.
#!/usr/bin/bash
# Get environment variables to show up in SSH session
eval $(printenv | sed -n "s/^\([^=]\+\)=\(.*\)$/export \1=\2/p" | sed 's/"/\\\"/g' | sed '/=/s//="/' | sed 's/$/"/' >> /etc/profile)
# starting sshd process
/usr/sbin/sshd
# starting Nginx
nginx -g 'daemon off;'
4. Build your custom docker image
docker build -t <docker registry account>/<image name>:<tag> .
For example:
5. Test the OpenSSH feature in your local machine.
Find your new created docker image id
docker images
Start the docker container use the new created docker image
docker run -d -p 80:80 <docker image id>
Get the docker container ID
docker ps
Get into the docker container, then test ssh access
docker exec -it <container id> /bin/bash
ssh root@localhost -p 2222
6. Push your new docker image to Docker Hub/Azure Container Registry
docker push <docker registry account>/<image name>:<tag>
7. Setup your Azure App Service "Registry settings"
8. After the App Service being restarted, you should be able to use the WEBSSH feature now.
Go to https://<app-service-bane>.scm.azurewebsites.net/webssh/host
Updated Nov 10, 2021
Version 1.0
Hanli_Ren
Microsoft
Microsoft