Develop Reference

Using SSH inside docker with correct file permissions?

There are a few posts on how to use Docker + SSH. There are also posts on how to edit files mounted in a docker container, such that editing them won't cause the permissions to become root.
I'm trying to combine the 2 things, so I can SSH into a docker container and edit files without messing up their permissions.
For, using the correct file permissions, I use:
- /etc/passwd:/etc/passwd:ro
- /etc/group:/etc/group:ro
in my docker-compose.yml and
docker compose -f commands/dev/docker-compose.yml run \
--service-ports \
--user $(id -u) \
develop \
bash
so that when I start the docker container, my user is the same user as my local computer.
However, this breaks up my SSH setup inside the Docker container:
useradd -rm -d /home/ubuntu -s /bin/bash -g root -G sudo ubuntu
echo 'ubuntu:ubuntu' | chpasswd
# passwd -d ubuntu
apt install -y --no-install-recommends openssh-server vim-tiny sudo
# See: https://stackoverflow.com/questions/22886470/start-sshd-automatically-with-docker-container
sed 's#session\s*required\s*pam_loginuid.so#session optional pam_loginuid.so#g' -i /etc/pam.d/sshd
mkdir /var/run/sshd
bash -c 'install -m755 <(printf "#!/bin/sh\nexit 0") /usr/sbin/policy-rc.d'
ex +'%s/^#\zeListenAddress/\1/g' -scwq /etc/ssh/sshd_config
ex +'%s/^#\zeHostKey .*ssh_host_.*_key/\1/g' -scwq /etc/ssh/sshd_config
RUNLEVEL=1 dpkg-reconfigure openssh-server
ssh-keygen -A -v
update-rc.d ssh defaults
# Configure sudo
ex +"%s/^%sudo.*$/%sudo ALL=(ALL:ALL) NOPASSWD:ALL/g" -scwq! /etc/sudoers
Here I'm creating a user called ubuntu with password ubuntu for SSH-ing. This lets me SSH in ubuntu#localhost using the password ubuntu.
The issue is that by mounting the /etc/passwd file into my container, I erase the ubuntu user inside the container. This means when I try to ssh in with ssh -p 9002 ubuntu#localhost, the authentication fails (9002 is what I bind port 22 in the container to on the host).
Does anyone have a solution?

Here's a first pass answer.
I can use:
useradd -rm -d /home/yourusername -s /bin/bash -g root -G sudo yourusername
instead of
useradd -rm -d /home/ubuntu -s /bin/bash -g root -G sudo ubuntu
echo 'ubuntu:ubuntu' | chpasswd
then, I:
Run the ssh server in the container with:
su root
/usr/sbin/sshd -D -o ListenAddress=0.0.0.0 -o PermitRootLogin=yes
I can ssh into the container as root (using the root password "root", which I set with RUN echo 'root:root' | chpasswd in the Dockerfile).
Then, I can do su yourusername, to switch my user.
While this works, it is pretty annoying since I need to bake the user name into the Docker container.

execution of remote script containing "sudo su" through ssh [duplicate]

This question already has answers here:
Pass commands as input to another command (su, ssh, sh, etc)
(3 answers)
Closed 1 year ago.
I need to run a script which needs to be run with root privileges remotely. Therefore I add "sudo su" command at the start of the script. However the ssh just login the remote server and stuck at sudo su command, and it does not continue from next line in the script.
server.sh
sudo -s
sudo apt-get update
sudo apt-get upgrade
client.sh
scp -i "$key.pem" server.sh "$dns:/tmp"
ssh -tt -i "$key.pem" $dns "bash /tmp/server.sh"
server.sh and client.sh is at the same local directory. When I run ./client.sh, server.sh which is run remotely stuck at first line and does not continue with "sudo apt-get update" command. What is the reason of this behavious and is there a solution?

When you run the command sudo -s you change the user and the rest of the script is lost because it is in a new shell.
Remove the line sudo -s and try running the script again.
Note: it is important to remember that the user running sudo must be in the /etc/sudoers file with the username ALL=(ALL) NOPASSWD:ALL permissions.

sudo -s with no command starts a new, interactive shell. The following commands won't execute until it exits. See man sudo.
If you are already running apt-get via sudo, and sudo does not require a password, why do you need the sudo -s?

You can use
ssh user#ip '[command]'
to run [command] on the remote host. If you have a user with root privileges (aka. sudo) and if you can use commands without passwords (NOPASSWD:[command,list or ALL]) this is the safest way i can suggest however if you want the script to run on the remote server and triggered by the local computer you can always
ssh user#ip 'sudo /bin/bash /home/[user]/server.sh'
This would work as well. You can also use "scp" command to copy the script and then delete it with ssh again for automated one-script approach.

Bash script to pull pending Linux security updates from remote servers

I'm trying to pull pending linux updates from remote servers and plug them into Nagios. Here's a stripped down version of the code - the code that's giving me an error:
UPDATES=$(sshpass -p "password" StrictHostKeyChecking=no user#server:/usr/lib/update-notifier/apt-check 2>&1)
echo $UPDATES
Error message:
sshpass: Failed to run command: No such file or directory

Command in the question is wrong in multiple ways.
sshpass -p"password" \
ssh -o StrictHostKeyChecking=no user#server "/usr/lib/update-notifier/apt-check" 2>&1
For the -p option, there shouldn't be any space between the option and the value.
sshpass needs a command as argument, which is ssh in this case.
StrictHostKeyChecking=no should be following the option -o for ssh.
A space, not a : is needed between user#server and the command you are going to run remotely, i.e., /usr/lib/....

Windows Bash (WSL) - sudo: no tty present and no askpass program specified

After following this tutroial I get the following error when trying to run the commands as user or even sudo:
sudo: no tty present and no askpass program specified
The comments from Lurdan in this article state that you need to run
sudo -S <YOUR_COMMAND>
chmod 0666 /dev/tty
chmod doesn't work but sudo -S does, but surely there's another fix?

So silly, after looking further down I see a solution from Beorat:
To avoid the sudo tty issue and others, run these commands just before running do-release-upgrade:
sudo -S apt-mark hold sudo
sudo -S apt-mark hold procps
sudo -S apt-mark hold strace
If you've already upgraded, run the above commands, then manually downgrade to the Trusty packages:
sudo -S wget http://mirrors.kernel.org/ubuntu/pool/main/s/sudo/sudo_1.8.9p5-1ubuntu1.1_amd64.deb
sudo -S wget http://mirrors.kernel.org/ubuntu/pool/main/p/procps/procps_3.3.9-1ubuntu2_amd64.deb
sudo -S wget http://mirrors.kernel.org/ubuntu/pool/main/s/strace/strace_4.8-1ubuntu5_amd64.deb
sudo -S dpkg -i sudo_1.8.9p5-1ubuntu1.1_amd64.deb
sudo -S dpkg -i procps_3.3.9-1ubuntu2_amd64.deb
sudo -S dpkg -i strace_4.8-1ubuntu5_amd64.deb
More info here: https://github.com/Microsoft/BashOnWindows/issues/482

WSL uses the lxrun executable for management from Windows:
lxrun -h
Usage:
/install - Installs the subsystem
Optional arguments:
/y - Do not prompt user to accept
/uninstall - Uninstalls the subsystem
Optional arguments:
/full - Perform a full uninstall
/y - Do not prompt user to accept
/setdefaultuser - Configures the subsystem user that bash will be launched as. If the user does not exist it will be created.
Optional arguments:
username - Supply the username
/y - If username is supplied, do not prompt to create a password
/update - Updates the subsystem's package index
Given that, you can use lxrun /setdefaultuser root. Just thought I'd point out this side of it since it was required when I ran into the same issue as you after trying to upgrade to Xenial. I can confirm that running this command, then the wget / dpkg commands my issues were resolved.
The commands I used:
wget http://mirrors.kernel.org/ubuntu/pool/main/s/sudo/sudo_1.8.9p5-1ubuntu1.4_amd64.deb
wget http://mirrors.kernel.org/ubuntu/pool/main/p/procps/procps_3.3.9-1ubuntu2_amd64.deb
wget http://mirrors.kernel.org/ubuntu/pool/main/s/strace/strace_4.8-1ubuntu5_amd64.deb
dpkg -i sudo_1.8.9p5-1ubuntu1.4_amd64.deb
dpkg -i procps_3.3.9-1ubuntu2_amd64.deb
dpkg -i strace_4.8-1ubuntu5_amd64.deb
Finally, you might need to run sudo apt-get install -f in case you get The following packages have unmet dependencies [xxx] but it is not going to be installed

I got rid of the error by moving /etc/hosts to /etc/hosts.bu. After closing the shell en opening again, /etc/hosts is recreated and your computer name is added. The error is gone (for me.)

Linux script to do simple setup on new install?

When I get a new VPS there is always the same tasks that I need to do before I can begin using the VPS.
I need to change the root password.
Add more repositories.
Install some programs with apt-get
Would it be possible to create a simple script to do all these things? What type of script would I need to write?

You can write a simple bash script, or you can look into power tools like Puppet, Chef, Salt or Ansible.
Scripts are very low-level, and hard to make "idempotent" (able to be run twice). The above tools let you declare what you want, and the the tools implement it, skipping over work that has already been done.

yes... it is possible:
#!/bin/bash
script=$'
apt-get install <package-name>
apt-get install <package-name>
apt-get install <package-name>
passwd <<EOF
<your-new-password>
<your-new-password>
EOF
'
while read pass port user ip; do
sshpass -p$pass ssh -o 'StrictHostKeyChecking no' -p $port $user#$ip "$Script"
done <<___HERE
<pass> <port> <user> <ip>
<pass> <port> <user> <ip>
. . . .
<pass> <port> <user> <ip>
___HERE
first of all this makes a ssh connection to your ip. after that run commands in $script and then go to your next server.
but on all of your servers you should install sshpass:
apt-get install sshpass

What your looking for is a bash script. Shell scripting using bash is a great way to automate all of those menial tasks that you run one-by-one from the command line
Check it:
http://www.panix.com/~elflord/unix/bash-tute.html