Starting sshd daemon service in docker container fails at RSA keygen on fedora 30 operating system

I have installed Fedora Linux 30. I have installed Docker version 19.03.1, build 74b1e89. I have SELinux set to enforcing.

I am trying to run an Oracle Linux based Docker image. It tries to start the sshd daemon service, but fails at RSA keygen.

I am not an expert with Linux or SELinux, but I am guessing that key generation failed due to Fedora's SELinux container policy. Can experts here help me work around this issue?

1. Docker container run output snippet

    + sed -i -e 's/#Port 22/Port 22/g' /etc/ssh/sshd_config
    + service sshd start
    Generating SSH2 RSA host key: [FAILED]

2. Snippet from container - cat /etc/init.d/sshd

    KEYGEN=/usr/bin/ssh-keygen
    SSHD=/usr/sbin/sshd
    RSA1_KEY=/etc/ssh/ssh_host_key
    # $RSA_KEY (the RSA host key path) is set elsewhere in the script; not shown in this snippet.

    do_rsa_keygen() {
    	# Only generate when the key is missing or empty (-s tests for non-zero size).
    	if [ ! -s $RSA_KEY ]; then
    		echo -n $"Generating SSH2 RSA host key: "
    		rm -f $RSA_KEY
    		# >&/dev/null discards both stdout and stderr of ssh-keygen,
    		# so the real reason for a failure never reaches the console.
    		if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
    			chmod 600 $RSA_KEY
    			chmod 644 $RSA_KEY.pub
    			if [ -x /sbin/restorecon ]; then
    			    /sbin/restorecon $RSA_KEY.pub
    			fi
    			success $"RSA key generation"
    			echo
    		else
    			failure $"RSA key generation"
    			echo
    			exit 1
    		fi
    	fi
    }

You can check the journal to find more detailed information about the issue.

I initially tried `sudo journalctl -f -b -u sshd` and `sudo journalctl -f -b -u ssh`, and tried running the container, but nothing got printed.

Then I tried `sudo journalctl -f -b -u docker`. It gave me some messages, but there isn't much info on the root cause of the issue.

    sudo journalctl -f -b -u docker
    Aug 09 12:12:28 localhost.localdomain dockerd[1945]: time="2019-08-09T12:12:28.443755124+05:30" level=debug msg="/usr/sbin/iptables, [--wait -t nat -A POSTROUTING -p tcp -s 172.18.0.2 -d 172.18.0.2 --dport 7001 -j MASQUERADE]"
    Aug 09 12:12:28 localhost.localdomain dockerd[1945]: time="2019-08-09T12:12:28.447696096+05:30" level=debug msg="EnableService 847791036cd1956c9d4e614f1935e1c3d57cc4e3d8961c53c3ff392b8622f238 START"
    Aug 09 12:12:28 localhost.localdomain dockerd[1945]: time="2019-08-09T12:12:28.447718258+05:30" level=debug msg="EnableService 847791036cd1956c9d4e614f1935e1c3d57cc4e3d8961c53c3ff392b8622f238 DONE"
    Aug 09 12:12:28 localhost.localdomain dockerd[1945]: time="2019-08-09T12:12:28.451740734+05:30" level=debug msg="bundle dir created" bundle=/var/run/docker/containerd/847791036cd1956c9d4e614f1935e1c3d57cc4e3d8961c53c3ff392b8622f238 module=libcontainerd namespace=moby root=/scratch/docker/overlay2/71b9381112502d521b4056f70fa543fc938d1bf660956040cf339007f4a7cbe2/merged
    Aug 09 12:12:28 localhost.localdomain dockerd[1945]: time="2019-08-09T12:12:28.621551062+05:30" level=debug msg="sandbox set key processing took 93.5935ms for container 847791036cd1956c9d4e614f1935e1c3d57cc4e3d8961c53c3ff392b8622f238"
    Aug 09 12:12:28 localhost.localdomain dockerd[1945]: time="2019-08-09T12:12:28.749719387+05:30" level=debug msg=event module=libcontainerd namespace=moby topic=/tasks/create
    Aug 09 12:12:28 localhost.localdomain dockerd[1945]: time="2019-08-09T12:12:28.762216205+05:30" level=debug msg=event module=libcontainerd namespace=moby topic=/tasks/start
    Aug 09 12:12:28 localhost.localdomain dockerd[1945]: time="2019-08-09T12:12:28.767977790+05:30" level=debug msg=OpenMonitorChannel
    Aug 09 12:12:28 localhost.localdomain dockerd[1945]: time="2019-08-09T12:12:28.831554250+05:30" level=debug msg=event module=libcontainerd namespace=moby topic=/tasks/exit
    Aug 09 12:12:28 localhost.localdomain dockerd[1945]: time="2019-08-09T12:12:28.859333430+05:30" level=debug msg=event module=libcontainerd namespace=moby topic=/tasks/delete
    Aug 09 12:12:28 localhost.localdomain dockerd[1945]: time="2019-08-09T12:12:28.859381230+05:30" level=info msg="ignoring event" module=libcontainerd namespace=moby topic=/tasks/delete type="*events.TaskDelete"
    Aug 09 12:12:28 localhost.localdomain dockerd[1945]: time="2019-08-09T12:12:28.859337948+05:30" level=debug msg="attach: stdout: end"
    Aug 09 12:12:28 localhost.localdomain dockerd[1945]: time="2019-08-09T12:12:28.859354169+05:30" level=debug msg="attach: stderr: end"
    Aug 09 12:12:28 localhost.localdomain dockerd[1945]: time="2019-08-09T12:12:28.859459908+05:30" level=debug msg="attach done"
    Aug 09 12:12:28 localhost.localdomain dockerd[1945]: time="2019-08-09T12:12:28.859373715+05:30" level=debug msg="CloseMonitorChannel: waiting for probe to stop"
    Aug 09 12:12:28 localhost.localdomain dockerd[1945]: time="2019-08-09T12:12:28.859521103+05:30" level=debug msg="CloseMonitorChannel done"
    Aug 09 12:12:28 localhost.localdomain dockerd[1945]: time="2019-08-09T12:12:28.859608258+05:30" level=debug msg="Stop healthcheck monitoring for container 847791036cd1956c9d4e614f1935e1c3d57cc4e3d8961c53c3ff392b8622f238 (received while idle)"
    Aug 09 12:12:28 localhost.localdomain dockerd[1945]: time="2019-08-09T12:12:28.859750306+05:30" level=debug msg="Revoking external connectivity on endpoint biplatform55 (096714552d1405b1a91a12a6770d52762055dac0cabe586a236314c129bee7b3)"

Hi @chetanpatil1984! Welcome to the community! Please have a look at the introductory posts in the #start-here category if you haven't had a chance to do so.

I'm not an expert either, but as far as I know Fedora's SELinux restrictions don't apply inside of the container (where the key generation happens), only outside of it.

Something like that can happen, for example, if you mount some directory on your Fedora system as /etc of the container system.

Can you share the exact command you use to start your container?

One more thing, why exactly do you want to run sshd inside your container?

If it's to connect to the container from outside, wouldn't it be better to connect to your host system (Fedora) with ssh, and then connect to the container?

And if it's for connecting from your host system, then Docker has a special command for it; you don't need to run sshd inside your container to do this.

A quick web search for "running sshd inside of container" produced this (as a second result, I must add):

https://jpetazzo.github.io/2014/06/23/docker-ssh-considered-evil/

I haven't read it all, but the author thinks along the same lines I did when I read your question.

It is an Oracle BI product image based on Oracle Linux. I do not have control over how it is built.

The command works on Mac OS X and Oracle Linux. But on Fedora 30, it is giving me the problem.

Below is the command:

    docker run --name biplatform55 --hostname=biplatform55 --stop-timeout=120 --init --net bi_net -p 8080:8080 -p 9704:9704 -p 7001:7001 -p 8000:8000 --cap-add=SYS_ADMIN --cap-add=SYS_RESOURCE -e RCU_DB_SCHEMA_PREFIX=CP55 bi.docker.oraclecorp.com/biplatform/5.5.0.0.0:latest /root/dev_mode
    docker run -it --name biplatform55 --hostname=biplatform55 --stop-timeout=120 --init --net bi_net -p 8080:8080 -p 9704:9704 -p 7001:7001 -p 8000:8000 --cap-add=SYS_ADMIN --cap-add=SYS_RESOURCE -e RCU_DB_SCHEMA_PREFIX=CP55 bi.docker.oraclecorp.com/biplatform/5.5.0.0.0:latest /root/dev_mode

Even in interactive mode, same issue:

    docker run -it --name biplatform55 --hostname=biplatform55 --stop-timeout=120 --init --net bi_net -p 8080:8080 -p 9704:9704 -p 7001:7001 -p 8000:8000 --cap-add=SYS_ADMIN --cap-add=SYS_RESOURCE -e RCU_DB_SCHEMA_PREFIX=CP55 bi.docker.oraclecorp.com/biplatform/5.5.0.0.0:latest /root/dev_mode
    + exec bash -c 'DEV_MODE=True /root/run.sh'
    + DEV_MODE=True
    + NO_LOG_TAIL=no_log_tail_not_declared
    + SSH_LISTEN_PORT=22
    + ERROR_DUMP_FILE=no_dump
    + ERROR_DUMP_OWNER=no_dump_owner
    + INIT_LOG_DIR=/var/log/oac-init
    + sed -i -e 's/#Port 22/Port 22/g' /etc/ssh/sshd_config
    + service sshd start
    Generating SSH2 RSA host key:                              [FAILED]

    sudo setenforce 0

Does the issue persist?

Yeah. Same issue even after disabling SELinux. :neutral_face:

It would be nice to remove `>&/dev/null` from

I'm not a container expert, but once the container is deployed, is it possible to edit the container content? Maybe edit the image before deploying a container? By injecting the modified script with a Dockerfile? Or is there a way to use /bin/bash as the entrypoint?
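The suggestion above is to stop the init script from throwing away ssh-keygen's stderr. The script below is an added example, not code from the thread or from the Oracle image: it repeats the same key-generation step with stderr kept, preceded by pre-flight checks for the usual in-container causes (missing or unwritable key directory, missing ssh-keygen). It assumes ssh-keygen is on PATH and writes into a constructed temporary directory rather than /etc/ssh.

```shell
#!/bin/sh
# Added diagnostic (not part of the thread or of the Oracle image).
# Goal: make "Generating SSH2 RSA host key: [FAILED]" come with a reason.

# Pre-flight checks that explain most in-container keygen failures.
# Prints one reason and returns 1, or prints "ok" and returns 0.
keygen_precheck() {
    dir=$(dirname "$1")
    [ -d "$dir" ] || { echo "directory $dir does not exist"; return 1; }
    [ -w "$dir" ] || { echo "directory $dir is not writable (mount, permissions or label?)"; return 1; }
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not installed"; return 1; }
    echo ok
}

# Same invocation as /etc/init.d/sshd, but stderr goes to a log file
# instead of /dev/null, so the failure message survives.
keygen_verbose() {
    key="$1"
    log="$2"
    rm -f "$key" "$key.pub"
    if ssh-keygen -q -t rsa -f "$key" -C '' -N '' 2>"$log"; then
        echo "generated $key"
    else
        echo "keygen failed: $(cat "$log")"
        return 1
    fi
}

# Stand-alone run against a constructed temp directory (assumption:
# mktemp is available, as it is on Fedora and Oracle Linux).
KEYDIR=$(mktemp -d)
if keygen_precheck "$KEYDIR/ssh_host_rsa_key"; then
    keygen_verbose "$KEYDIR/ssh_host_rsa_key" "$KEYDIR/keygen.log"
fi
```

Inside the container, point both functions at /etc/ssh/ssh_host_rsa_key to see the message the init script hides.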

-v /root/.ssh

You can see a complete example here …

@alciregi

That is the Oracle Linux image. I cannot modify it. But yeah, on top of it, I can have my custom script do what you mentioned.

Nope. Did not work, David.