Installation
ContainerSSH can be deployed outside of a container. On our downloads page we provide binaries for Linux, Windows, and macOS. We also provide DEB, RPM and APK (Alpine Linux) packages.
Before running ContainerSSH you will need to create a config.yaml file that tells ContainerSSH where to find the SSH host key and the authentication server. The minimum configuration file looks like this:
ssh:
  hostkeys:
    - /path/to/your/host.key
auth:
  password:
    method: webhook
    webhook:
      url: http://your-auth-server/
Tip
You can generate a new host key using openssl genrsa. Please don't use ssh-keygen as it generates OpenSSH-specific keys.
Tip
Details about the authentication server are described in the Authentication section.
ContainerSSH can then be started by running:
./containerssh --config /path/to/your/config.yaml
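A pre-flight check for the standalone host key file that follows the tip above, as an added example (not part of ContainerSSH or its documentation). The function name check_hostkey and its return codes are this example's own; it rejects OpenSSH-format keys, files that group or others can access, and, when openssl is installed, keys that openssl cannot parse.

```sh
#!/bin/sh
# Added example: pre-flight check for a ContainerSSH host key file.
# check_hostkey and its return codes are this example's own convention:
#   0 ok                      1 missing or unreadable
#   2 OpenSSH-format key      3 not a PEM private key
#   4 group/other can access  5 openssl cannot parse the key
check_hostkey() {
    key=$1
    [ -f "$key" ] && [ -r "$key" ] || return 1

    # The first line of a PEM file names the key format.
    first_line=$(head -n 1 "$key")
    case $first_line in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            return 2 ;;  # the format ssh-keygen writes, which the tip says to avoid
        "-----BEGIN PRIVATE KEY-----" | "-----BEGIN "*" PRIVATE KEY-----")
            ;;           # PKCS#8 or traditional PEM, as openssl writes it
        *)
            return 3 ;;
    esac

    # Characters 5-10 of the ls mode string are the group and other bits;
    # a private host key should be accessible to its owner only.
    perms=$(ls -ldL "$key" | cut -c5-10)
    [ "$perms" = "------" ] || return 4

    # Parse the key when openssl is installed. The empty passphrase makes an
    # encrypted key fail here instead of prompting.
    if command -v openssl >/dev/null 2>&1; then
        openssl pkey -in "$key" -noout -passin pass: 2>/dev/null || return 5
    fi
    return 0
}

# Usage: sh check_hostkey.sh /path/to/your/host.key
if [ "$#" -eq 1 ]; then
    rc=0
    check_hostkey "$1" || rc=$?
    echo "$1: check_hostkey returned $rc"
fi
```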
When deploying in Docker you must first prepare a configuration file that tells ContainerSSH where to find the SSH host key and the authentication server. The minimum configuration file looks like this:
ssh:
  hostkeys:
    - /var/run/secrets/host.key
auth:
  password:
    method: webhook
    webhook:
      url: http://your-auth-server/
Tip
You can generate a new host key using openssl genrsa
Tip
Details about the authentication server are described in the Authentication section.
You can then run ContainerSSH with the following command line:
docker run -d \
    -v /srv/containerssh/config.yaml:/etc/containerssh/config.yaml \
    -v /srv/containerssh/host.key:/var/run/secrets/host.key \
    -p 2222:2222 \
    containerssh/containerssh:0.4
When running ContainerSSH inside a Kubernetes cluster you must first create a Secret that contains the host key.
openssl genrsa | kubectl create secret generic containerssh-hostkey --from-file=host.key=/dev/stdin
Next, you can create a ConfigMap to hold the ContainerSSH configuration:
( cat << EOF
ssh:
  hostkeys:
    - /etc/containerssh/host.key
auth:
  password:
    method: webhook
    webhook:
      url: http://your-auth-server/
EOF
) | kubectl create configmap containerssh-config --from-file=config.yaml=/dev/stdin
Tip
Details about the authentication server are described in the Authentication section.
Then you can create a deployment to run ContainerSSH:
( cat << EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: containerssh
  labels:
    app: containerssh
spec:
  replicas: 1
  selector:
    matchLabels:
      app: containerssh
  template:
    metadata:
      labels:
        app: containerssh
    spec:
      containers:
      - name: containerssh
        image: containerssh/containerssh:0.4
        ports:
        - containerPort: 2222
        volumeMounts:
        - name: hostkey
          mountPath: /etc/containerssh/host.key
          subPath: host.key
          readOnly: true
        - name: config
          mountPath: /etc/containerssh/config.yaml
          subPath: config.yaml
          readOnly: true
      volumes:
      - name: hostkey
        secret:
          secretName: containerssh-hostkey
      - name: config
        configMap:
          name: containerssh-config
EOF
) | kubectl apply -f -
Finally, you can create a service to expose the SSH port. You can customize this to create a loadbalancer or nodeport to make SSH publicly available. See kubectl expose --help for details.
kubectl expose deployment containerssh \
    --port=2222 --target-port=2222 \
    --name=containerssh
Note
This still does not configure ContainerSSH to use Kubernetes as a container backend. This is described in detail in the Kubernetes backend section.