Docker Community Forums


SSH to gitolite from client to container on server


#1

Expected behaviour:
SSH to gitolite container works.

Actual behaviour:
SSH reports “Connection refused”

To reproduce:
Create and instantiate a container for image “desiato/gitolite:latest”
try to connect from client with ssh -p 2222 -vvvv git@gitolite info

Environment
Client:
otto@adelie:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.5 LTS
Release: 16.04
Codename: xenial

Docker Host:
user@magellan:/docker$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.1 LTS
Release: 18.04
Codename: bionic

Background:
I installed the image according to the (minimal) instructions, but am not able to connect from the client. As far as I can tell, SSH is having problems connecting. I can’t eliminate Gitolite, but I suspect it’s not being called. I’ve tried two different images, but have the same issue with both.

My questions:
Is there Docker functionality preventing the connection? Have I missed setting an option?
Why does the netstat command below only list an IPV6-format address?
Why is there no entry like /Home/{someuser}/.ssh/authorizedKeys? I suspect Gitolite bends things, but that’s what helps it work.

Best regards
Otto

Detailed Information:

certificate on the client:
otto@adelie: ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQE(snip)d0YZ/wfR1w== ssh certificate for (site)
certificate on the docker host (works for a SSH connection)
user@magellan: ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQE(snip)d0YZ/wfR1w== ssh certificate for (site)

Docker-compose.yml
user@magellan:/docker/docker-compose.yml

version: '3'
services:

  (snip) mariadb, phpmyadmin, nginx-proxy, etc.

  gitolite:
    image: "desiato/gitolite:latest"
    domainname: schreibke.home
    container_name: gitolite
    restart: always
    privileged: true
    env_file:
      - /docker/env
      - /docker/gitolite/env
    ports:
      - "2222:22"
    volumes:
#      - /docker/gitolite/keys:/etc/ssh/keys
      - /docker/gitolite/keys/id_rsa.pub:/admin.pub
      - /docker/gitolite/repos:/var/lib/git
    environment:
      - PK_PATH=/admin.pub

Logs:
user@magellan:docker logs gitolite

Server listening on 0.0.0.0 port 2222.
Server listening on :: port 2222.

Docker tasks
user@magellan:docker ps

CONTAINER ID        IMAGE                            COMMAND                  CREATED             STATUS         PORTS                                                                                                                       NAMES
8561228000b4        desiato/gitolite:latest          "/bin/sh -c start"       4 hours ago         Up 4 hours          2222/tcp, 0.0.0.0:2222->22/tcp                                                                                              gitolite
(more...)

Connection attempt:
otto@adelie:~$ ssh -p 2222 -vvvv git@gitolite info
OpenSSH_7.2p2 Ubuntu-4ubuntu2.6, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving “gitolite” port 2222
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to gitolite [192.168.0.2] port 2222.
debug1: connect to address 192.168.0.2 port 2222: Connection refused
ssh: connect to host gitolite port 2222: Connection refused

Connection test on the Docker host:
user@magellan:/docker$ nc -vz gitolite 2222
nc: connect to gitolite port 2222 (tcp) failed: Connection refused

Listening ports on the Docker host:
user@magellan:/docker$ sudo netstat -plnt

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name 
(more...)
tcp6       0      0 :::2222                 :::*                    LISTEN      32170/docker-proxy  
(more)

SSH config in the gitolite container. Uncommented lines only.
user@magellan:/docker$ docker exec -t gitolite cat /etc/ssh/sshd_config
(uncommented lines)
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
UsePAM yes
PrintMotd no # pam does that
Subsystem sftp /usr/lib/ssh/sftp-server

AuthorizedKeys files
user@magellan:/docker$ docker exec -t gitolite find / -name authorized_keys
/var/lib/git/.ssh/authorized_keys
/var/lib/gitolite/.ssh/authorized_keys

/var/lib/git/.ssh/authorized_keys contents
user@magellan:/docker$ docker exec -t gitolite cat /var/lib/git/.ssh/authorized_keys
# gitolite start
command="/usr/lib/gitolite/gitolite-shell otto",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQE(snip)d0YZ/wfR1w== ssh certificate for (site)
# gitolite end

/var/lib/gitolite/.ssh/authorized_keys contents
user@magellan:/docker$ docker exec -t gitolite cat /var/lib/gitolite/.ssh/authorized_keys
# gitolite start
command="/usr/lib/gitolite/gitolite-shell admin",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQE(snip)td0YZ/wfR1w== ssh certificate for (site)
# gitolite end
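An added diagnostic (editor's example, not code from the post or from the desiato/gitolite image). The docker ps line above publishes host port 2222 to container port 22 (0.0.0.0:2222->22/tcp), while the container log reports sshd listening on port 2222, so a forwarded connection reaches a container port that nothing listens on, which the client sees as "Connection refused". The script below assumes only POSIX sh and sed, parses those two strings, and prints the compose ports: entry that would align them. The sample inputs are constructed from the values shown in the post.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post: compare the container-side
# port of a Docker published-port mapping against the port sshd reports
# listening on inside the container. Sample inputs below are constructed from
# the docker ps and docker logs output shown in the post.

# Extract the container-side port from a docker ps PORTS entry such as
# "0.0.0.0:2222->22/tcp" (prints "22").
container_port() {
    printf '%s\n' "$1" | sed -n 's/.*->\([0-9][0-9]*\)\/tcp.*/\1/p'
}

# Extract the host-side port from the same entry (prints "2222").
host_port() {
    printf '%s\n' "$1" | sed -n 's/.*:\([0-9][0-9]*\)->.*/\1/p'
}

# Extract the port from an sshd startup line such as
# "Server listening on 0.0.0.0 port 2222." (prints "2222").
sshd_port() {
    printf '%s\n' "$1" | sed -n 's/.*Server listening on .* port \([0-9][0-9]*\)\..*/\1/p'
}

# Return 0 when the mapping targets the port sshd listens on, 1 when it does
# not (printing the compose "ports:" entry that would fix it), 2 on bad input.
check_mapping() {
    mapping="$1"
    logline="$2"
    cport=$(container_port "$mapping")
    hport=$(host_port "$mapping")
    sport=$(sshd_port "$logline")
    if [ -z "$cport" ] || [ -z "$hport" ] || [ -z "$sport" ]; then
        echo "could not parse mapping or sshd log line" >&2
        return 2
    fi
    if [ "$cport" = "$sport" ]; then
        echo "ok: host $hport -> container $cport, sshd listens on $sport"
        return 0
    fi
    echo "mismatch: host $hport is forwarded to container port $cport, but sshd listens on $sport"
    echo "fix: ports: - \"$hport:$sport\""
    return 1
}

# Constructed sample inputs, taken from the docker ps / docker logs output above.
SAMPLE_MAPPING='0.0.0.0:2222->22/tcp'
SAMPLE_LOG='Server listening on 0.0.0.0 port 2222.'

status=0
check_mapping "$SAMPLE_MAPPING" "$SAMPLE_LOG" || status=$?
# status is 1 for the values in the post (mismatch), 0 once the mapping is "2222:2222"
```

The tcp6 :::2222 entry from netstat is docker-proxy's dual-stack wildcard listener, which on Linux also accepts IPv4 connections, so it does not by itself explain the refusal. After changing the compose mapping to "2222:2222" and recreating the container, docker port gitolite should show 2222/tcp -> 0.0.0.0:2222, and the ssh -vvvv attempt should get past the TCP connect to the key exchange.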