blog/output/posts/ssh-git-repo-docker.html

<!DOCTYPE html>
<html lang="en-us">
<head>
	<meta charset="utf-8">
	<meta name="generator" content="Hugo 0.92.0" />
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<link rel="stylesheet" href="/assets/css/theme.css">
	<link rel="alternate" href="/rss.xml" type="application/rss+xml" title="Pleasant Programmer">
	<script type="text/javascript" src="//use.typekit.net/iwm5axp.js"></script>
	<script type="text/javascript">try{Typekit.load();}catch(e){}</script>
	<title>SSH Access to Git Repository in Docker - Pleasant Programmer</title>
</head>

<body>
	<header id="header" role="banner">
		<div id="thomas">
			<img src="/assets/img/thomas.gif" alt="DJ THOMAS IN DA HAUS">
			<img src="/assets/img/thomas.png" alt="Pleasant Programmer">
		</div>
		<h1 class="site-title"><a href="/">Pleasant Programmer</a></h1>
		<nav id="menu" role="navigation">
			<ul>
				<li><a href="/pages/projects.html">projects</a></li>
				<li><a href="/posts.html">archives</a></li>
				<li><a href="/tags.html">tags</a></li>
				<li><a href="/rss.xml">rss</a></li>
			</ul>
		</nav>
	</header>
	<div id="container">


<main id="content" role="main">
<article itemscope itemtype="http://schema.org/BlogPosting">
	<h1 class="p-name entry-title" itemprop="headline name">
		<a href="/posts/ssh-git-repo-docker.html">SSH Access to Git Repository in Docker</a></h1>
	<small>
		<span class="dateline">Posted: <time itemprop="datePublished" datetime="2022-01-23">2022-01-23</time></span>
		| More posts about
		
		<a class="tag p-category" href="/tags/sysadmin.html" rel="tag">
			sysadmin
		</a>
		
	</small>
	<div class="e-content entry-content" itemprop="entry-text">
		<p>With the likes of <a href="https://gogs.io/">Gogs</a> and <a href="https://gitea.io">Gitea</a>,
self-hosting a personal git service has become quite common. It&rsquo;s also not
unlikely that the software is run via docker but this brings a problem with
regards to SSH access.</p>
<p>Ideally, the git service container just exposes port 22 but this would conflict
with the host&rsquo;s own SSH service. One solution would be to just use different
ports for the git SSH and host SSH and that&rsquo;s perfectly fine. But we can also
just have the host SSH service forward the request to the git service itself
using the <code>command</code> option in <code>authorized_keys</code>. And as we&rsquo;ll find out later,
the git service itself is using this functionality.</p>
<h2 id="how-git-over-ssh-works">How git over SSH works</h2>
<p>When you do a <code>git push</code>, what actually happens is it runs <code>git-send-pack</code> which
runs <code>git-receive-pack &lt;directory&gt;</code> on the remote using SSH. The actual
communication then just simply happens via stdin/stdout. Conversely, doing a
<code>git pull</code> just runs <code>git-fetch-pack</code> and the somewhat confusingly named
<code>git-upload-pack</code> on the remote.</p>
<p>So far so good, but did you notice that when cloning via SSH, the remote is
typically <code>git@github.com:org/repo</code>? If everyone SSHs in as the <code>git</code> user, how
does the git service know which user is which? And how does it prevent users
from accessing each other&rsquo;s repositories?</p>
<p>One typically thinks of <code>authorized_keys</code> as just a list of allowed SSH keys but
it can do <a href="https://linux.die.net/man/8/sshd">much more than that</a>. Of particular
interest is the <code>command</code> directive which gets run instead of the user supplied
command. The original command is passed in as an environment variable
<code>SSH_ORIGINAL_COMMAND</code> which can be used to check if we allow it to be run or
not.</p>
<p>So with an <code>authorized_keys</code> file like so:</p>
<div class="highlight"><pre tabindex="0" style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-text" data-lang="text">command=&#34;verify-user user-1&#34; ssh-rsa ...
command=&#34;verify-user user-1&#34; ssh-ed25519 ...
command=&#34;verify-user user-2&#34; ssh-rsa ...
command=&#34;verify-user user-3&#34; ssh-rsa ...
</code></pre></div><p>Each key is tied to a particular user by virtue of <code>command</code>. And <code>verify-user</code>
can check the <code>SSH_ORIGINAL_COMMAND</code> if the particular user is allowed access to
the particular repository. You can also implement additional restrictions like
pull-only or push-only permissions with this setup. This is how both Gogs and
Gitea work.</p>
<h2 id="forwarding-git-ssh-to-docker">Forwarding git SSH to Docker</h2>
<p>When running Gogs on the host, it&rsquo;s typically run as the <code>git</code> user and when an
SSH key is added or removed, it simply rewrites <code>~git/.ssh/authorized_keys</code>.
Thus it just works with the host SSH service without problems. When running
inside docker, one thing we can do is bind mount the host&rsquo;s <code>~git/.ssh</code> folder
into the docker container so that the host can authorize the SSH connections.</p>
<p>The problem lies with the <code>command</code> which only exists inside the docker
container itself. So any user trying to connect can authenticate successfully
but will get a <code>command not found</code> error. For the Gogs docker image, the command
looks like <code>/app/gogs/gogs serv key-1</code>. So we can just make <code>/app/gogs/gogs</code>
available on the host and forward the command to the docker container.</p>
<p><a href="https://docs.gitea.io/en-us/install-with-docker/#ssh-container-passthrough">Most</a>
<a href="http://www.ateijelo.com/blog/2016/07/09/share-port-22-between-docker-gogs-ssh-and-local-system">instructions</a>
I&rsquo;ve seen with regards to this involves using <code>ssh</code> to connect to the internal
docker SSH service but this just seems overly complicated to me. If you
remember, at it&rsquo;s core git really only communicates over stdin/stdout and SSH is
just a means to get that.</p>
<p>If all we need is for our shim <code>/app/gogs/gogs</code> to be able to run a command
inside the docker container with stdin/stdout attached, then we can actually
just do that with <code>docker exec</code>. So it can be something like this:</p>
<div class="highlight"><pre tabindex="0" style="color:#e5e5e5;background-color:#000;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell"><span style="color:#0f0;font-weight:bold">#!/usr/bin/env bash
</span><span style="color:#0f0;font-weight:bold"></span>
<span style="color:#007f7f"># Requires the following in sudoers</span>
<span style="color:#007f7f"># git ALL=(ALL) NOPASSWD: /app/gogs/gogs</span>
<span style="color:#007f7f"># Defaults:git env_keep=SSH_ORIGINAL_COMMAND</span>

GOGS_CONTAINER=git-gogs-1

<span style="color:#fff;font-weight:bold">if</span> [[ $EUID -ne <span style="color:#ff0;font-weight:bold">0</span> ]]; <span style="color:#fff;font-weight:bold">then</span>
  <span style="color:#fff;font-weight:bold">exec</span> sudo <span style="color:#0ff;font-weight:bold">&#34;</span>$0<span style="color:#0ff;font-weight:bold">&#34;</span> <span style="color:#0ff;font-weight:bold">&#34;</span>$@<span style="color:#0ff;font-weight:bold">&#34;</span>
<span style="color:#fff;font-weight:bold">fi</span>

<span style="color:#fff;font-weight:bold">if</span> [ <span style="color:#0ff;font-weight:bold">&#34;</span>$1<span style="color:#0ff;font-weight:bold">&#34;</span> != <span style="color:#0ff;font-weight:bold">&#34;serv&#34;</span> ]; <span style="color:#fff;font-weight:bold">then</span>
  <span style="color:#fff;font-weight:bold">exit</span> <span style="color:#ff0;font-weight:bold">1</span>
<span style="color:#fff;font-weight:bold">fi</span>

<span style="color:#fff;font-weight:bold">exec</span> docker <span style="color:#fff;font-weight:bold">exec</span> -i -u git -e <span style="color:#0ff;font-weight:bold">&#34;SSH_ORIGINAL_COMMAND=</span>$SSH_ORIGINAL_COMMAND<span style="color:#0ff;font-weight:bold">&#34;</span> <span style="color:#0ff;font-weight:bold">&#34;</span>$GOGS_CONTAINER<span style="color:#0ff;font-weight:bold">&#34;</span> /app/gogs/gogs <span style="color:#0ff;font-weight:bold">&#34;</span>$@<span style="color:#0ff;font-weight:bold">&#34;</span>
</code></pre></div><p>So for git SSH access to Gogs running in docker, the necessary steps here are:</p>
<ol>
<li>Have a <code>git</code> user on the host</li>
<li>Bind mount <code>~git/.ssh</code> to <code>/data/git/.ssh</code> in the Gogs container</li>
<li>Add the shim script to <code>/app/gogs/gogs</code> (make sure it&rsquo;s owned by root and
is chmod-ed <code>0755</code>)</li>
<li>Add the listed sudoers rules</li>
</ol>

	</div>
	<aside class="postpromonav">
		<nav>
			<ul class="pager clearfix">
				
				<li class="previous">
					<a href="/posts/android-multisim.html" rel="prev" title="Android Multisim Pre-5.1">&larr; Previous post</a>
				</li>
				
				
			</ul>
		</nav>
	</aside>
	<section class="comments">
		<script
	data-isso="https://isso.pleasantprogrammer.com/"
	data-isso-require-author="true"
	data-isso-vote="false"
	src="https://isso.pleasantprogrammer.com/js/embed.min.js">
</script>
<section id="isso-thread"></section>

	</section>
</article>
</main>


	<footer id="footer" role="contentinfo">
		<p>
		<a rel="license" href="http://creativecommons.org/licenses/by-sa/3.0/deed.en_US">
			<img alt="CC-BY-SA" style="border-width:0" src="https://licensebuttons.net/l/by-sa/3.0/80x15.png">
		</a> &copy; 2022 Thomas Dy - Powered by <a href="http://gohugo.io">Hugo</a></p>
	</footer>
</div>

<script src="/assets/js/konami.js"></script>
<script>
var easter_egg = new Konami();
easter_egg.code = function() {
	var el = document.getElementById('thomas');
	if(el.className == "whoa") {
		el.className = "";
	}
	else {
		el.className = "whoa";
	}
	document.body.scrollTop = document.documentElement.scrollTop = 0;
}
easter_egg.load();



</script>



</body>
</html>