Apps on Azure Blog

Enable WEBSSH for RedHat based Custom Docker image

Hanli_Ren
Microsoft
Nov 11, 2021

On the App Service platform, the WEBSSH feature is backed by openssh-server. The Azure App Service built-in Docker images have an OpenSSH server configured by default, but for a custom Docker image you have to set up the OpenSSH server yourself.

Previously, the following Red Hat issue could cause the openssh-server installation to fail in a custom Docker container:
Not Finding openssh-server-8.0p1-3.el8.x86_64.rpm in REDHAT ubi 8 docker image - Red Hat Customer Portal
At that time, you had only two options: either register the Red Hat system running within the container and attach it to a Red Hat subscription, or download the openssh-server package and install it manually inside your Docker container.

 

The good news is that the Red Hat openssh-server package is now available in both the authenticated (registry.redhat.io) and unauthenticated (registry.access.redhat.com) registries.
That means we can now simply use the "yum install" command to install openssh-server in an unregistered Docker container.

 

According to 1750907 – UBI7 - Request for openssh-server package in UBI7 image (redhat.com), since October 2021 openssh-server is included in the Red Hat ubi7 and ubi8 repositories.
For more details about Red Hat UBI images, repositories and packages, please refer to:
Universal Base Images (UBI): Images, repositories, packages, and source code - Red Hat Customer Portal


The rest of this article demonstrates how to enable WebSSH for a custom Docker image that is built on a Red Hat UBI Docker image.

 

1. Modify your Dockerfile to install the OpenSSH server and set the root user password.

Notes:

  • We can use registry.access.redhat.com/ubi8/ubi or registry.access.redhat.com/ubi7/ubi as the base Docker image
  • Both the openssh-server and openssh-clients packages need to be installed
  • The root user password needs to be set to "Docker!"
  • In addition to your web application's listening port (e.g. 80), we also need to open port 2222 for WEBSSH access
  • We need to use our customized sshd_config
  • Create an ENTRYPOINT script, since we need to bring up the OpenSSH server before booting up your application
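
The notes above, put together as one Dockerfile. This is an added example, not the Dockerfile from the original post; it assumes the UBI 8 base image, nginx as the web application (installed with yum), and the sshd_config and init.sh files from steps 2 and 3 in the same folder. The ssh-keygen step is also an assumption of this example: init.sh launches sshd directly rather than through systemd, so host keys have to be generated explicitly.

```dockerfile
# Added example: not the original post's Dockerfile.
# Assumptions: nginx is the web app and is installable from the UBI 8
# repositories; sshd_config and init.sh sit next to this Dockerfile.
FROM registry.access.redhat.com/ubi8/ubi

# openssh-server and openssh-clients come from the unauthenticated UBI
# repositories, so the container does not need a Red Hat subscription.
RUN yum -y install openssh-server openssh-clients nginx \
    && yum clean all

# WebSSH logs in as root with this fixed, publicly documented password,
# so never publish port 2222 when running this image outside App Service.
RUN echo "root:Docker!" | chpasswd

# sshd refuses to start without host keys. Keys generated here are baked
# into the image and shared by every container started from it.
RUN ssh-keygen -A

# Customized sshd_config from step 2 (Port 2222, root password login).
COPY sshd_config /etc/ssh/sshd_config

# Startup script from step 3: starts sshd, then nginx in the foreground.
# The install path is this example's choice.
COPY init.sh /usr/local/bin/init.sh
RUN chmod 755 /usr/local/bin/init.sh

# 80 for the web application, 2222 for WEBSSH.
EXPOSE 80 2222

ENTRYPOINT ["/usr/local/bin/init.sh"]
```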

2. Create sshd_config file in the same folder as your Dockerfile

 

# This is ssh server systemwide configuration file.
#
# /etc/sshd_config

Port                    2222
ListenAddress           0.0.0.0
LoginGraceTime          180
X11Forwarding           yes
Ciphers aes128-cbc,3des-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-sha1-96
StrictModes             yes
SyslogFacility          DAEMON
PasswordAuthentication  yes
PermitEmptyPasswords    no
PermitRootLogin         yes
Subsystem sftp internal-sftp

 

 

3. Create init.sh file in the same folder as your Dockerfile

The following example:

  • Modifies the /etc/profile file so that environment variables show up in the SSH session
  • Starts /usr/sbin/sshd before booting up the Nginx server

 

#!/usr/bin/bash

# Get environment variables to show up in SSH session
eval $(printenv | sed -n "s/^\([^=]\+\)=\(.*\)$/export \1=\2/p" | sed 's/"/\\\"/g' | sed '/=/s//="/' | sed 's/$/"/' >> /etc/profile)

# starting sshd process
/usr/sbin/sshd

# starting Nginx
nginx -g 'daemon off;'

 

 

4. Build your custom docker image

docker build -t <docker registry account>/<image name>:<tag> .

For example:

 

5. Test the OpenSSH feature on your local machine.

Find the ID of your newly created Docker image

docker images


Start a Docker container from the newly created image

docker run -d -p 80:80 <docker image id>

 

Get the docker container ID

docker ps

 

Open a shell in the Docker container, then test SSH access

docker exec -it <container id> /bin/bash
ssh root@localhost -p 2222

 

6. Push your new docker image to Docker Hub/Azure Container Registry

docker push <docker registry account>/<image name>:<tag>

 

7. Set up your Azure App Service "Registry settings"

 

8. After the App Service has restarted, you should be able to use the WEBSSH feature.

Go to https://<app-service-name>.scm.azurewebsites.net/webssh/host

 

 

Updated Nov 10, 2021
Version 1.0

1 Comment

  • Add one comment.

     

    In some situations, the customer doesn't want to use the ROOT user to run the app. But we require the ROOT user to start the SSH service.

    As a workaround to mitigate the issue, we could use the steps below:

    1. Install "sudo" in the Dockerfile during the build process: RUN yum -y install sudo

    2. Only use the ROOT user to start the SSH service in the startup script: echo 'Docker!' | su root -c "/usr/sbin/sshd"

     

    Hope that will help 🙂