2 changes: 1 addition & 1 deletion .github/workflows/image-publish.yml
Expand Up @@ -198,5 +198,5 @@ jobs:
run: |
SHORT_SHA1=$(git rev-parse --short=7 HEAD)
docker buildx build --platform linux/amd64 -f build/dockerfiles/dev.Dockerfile --push -t quay.io/che-incubator/che-code-dev:insiders -t quay.io/che-incubator/che-code-dev:next -t quay.io/che-incubator/che-code-dev:insiders-${SHORT_SHA1} .
docker buildx build --platform linux/amd64 -f build/dockerfiles/dev.sshd.Dockerfile --push -t quay.io/che-incubator/che-code-sshd:insiders -t quay.io/che-incubator/che-code-sshd:next -t quay.io/che-incubator/che-code-sshd:insiders-${SHORT_SHA1} .
docker buildx build --platform linux/amd64 -f build/dockerfiles/assembly.sshd.Dockerfile --push -t quay.io/che-incubator/che-code-sshd:insiders -t quay.io/che-incubator/che-code-sshd:next -t quay.io/che-incubator/che-code-sshd:insiders-${SHORT_SHA1} .

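--- /dev/null
+++ b/build/dockerfiles/assembly.sshd.Dockerfile
@@ -0,0 +1,47 @@
+# Copyright (c) 2025 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+# UBI 8
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10 as sshd-ubi8
+
+USER 0
+
+RUN microdnf -y install libsecret openssh-server nss_wrapper-libs \
+gzip tar which && \
+microdnf -y clean all --enablerepo='*'
+
+# UBI 9/10
+FROM registry.access.redhat.com/ubi9/nodejs-20-minimal:9.7
+
+USER 0
+
+RUN microdnf -y install libsecret openssh-server nss_wrapper-libs && \
+microdnf -y clean all --enablerepo='*'
+
+RUN mkdir -p /sshd-staging/ubi8 /sshd-staging/ubi9
+# UBI 8
+COPY --from=sshd-ubi8 /usr/sbin/sshd /usr/bin/ssh-keygen /usr/bin/tar /usr/bin/gzip /usr/bin/which /usr/lib64/libnss_wrapper.so /usr/lib64/libpam.so.0 /sshd-staging/ubi8/
+# UBI 9/10
+RUN cp /usr/sbin/sshd /usr/bin/ssh-keygen /usr/bin/tar /usr/bin/gzip /usr/bin/which /usr/lib64/libnss_wrapper.so /usr/lib64/libpam.so.0 /usr/lib64/libeconf.so.0 /usr/lib64/libcrypt.so.2 /sshd-staging/ubi9/
+
+# sshd_config is root:root 600
+RUN chmod 644 /etc/ssh/sshd_config
+RUN cp /etc/ssh/sshd_config /sshd-staging/
+
+# Add script to start and stop the service
+COPY --chown=0:0 /build/scripts/sshd.start /sshd-staging/
+
+RUN mkdir /opt/www
+COPY /build/scripts/code-sshd-page/* /opt/www/
+
+# Lock down /etc/passwd until fixed in UDI
+RUN chmod 644 /etc/passwd
+
+EXPOSE 2022 3400
+
+USER 10001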
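Review bot: Both `FROM` lines pin only a mutable tag (`ubi-minimal:8.10`, `nodejs-20-minimal:9.7`) and the `microdnf -y install` lines pin no package versions, so the sshd, ssh-keygen and library binaries staged under `/sshd-staging/` depend on whatever the registry and repos serve at build time. These are presumably the same files that `sshd.start` later runs and loads through `LD_PRELOAD`, so I would pin each base by digest, e.g. `FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10@sha256:<digest-placeholder> AS sshd-ubi8` (which also fixes the lowercase `as`). Only one `sshd_config` is staged, and it comes from the UBI 9 stage. Please confirm the UBI 8 sshd build accepts every directive in it, or stage a second copy under `/sshd-staging/ubi8/`.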
30 changes: 0 additions & 30 deletions build/dockerfiles/dev.sshd.Dockerfile

This file was deleted.

56 changes: 40 additions & 16 deletions build/scripts/sshd.start
Expand Up @@ -8,11 +8,30 @@
# SPDX-License-Identifier: EPL-2.0
#

# https://github.com/sclorg/s2i-nodejs-container/blob/master/22/root/opt/app-root/etc/generate_container_user
USER_ID=$(id -u)

export LD_PRELOAD=/sshd/libeconf.so.0:/sshd/libpam.so.0:/sshd/libcrypt.so.2
sshd_libdir=
. /etc/os-release
case $VERSION_ID in
"8"*)
sshd_libdir=/sshd/ubi8
export LD_PRELOAD=$sshd_libdir/libpam.so.0
;;
"9"*)
sshd_libdir=/sshd/ubi9
export LD_PRELOAD=$sshd_libdir/libeconf.so.0:$sshd_libdir/libpam.so.0:$sshd_libdir/libcrypt.so.2
;;
"10"*)
sshd_libdir=/sshd/ubi9
export LD_PRELOAD=$sshd_libdir/libeconf.so.0:$sshd_libdir/libpam.so.0:$sshd_libdir/libcrypt.so.2
;;
*)
sshd_libdir=/sshd/ubi9
export LD_PRELOAD=$sshd_libdir/libeconf.so.0:$sshd_libdir/libpam.so.0:$sshd_libdir/libcrypt.so.2
;;
esac

# https://github.com/sclorg/s2i-nodejs-container/blob/master/22/root/opt/app-root/etc/generate_container_user
# Configure passwd/group files for SSHD
# Random user must have a login shell and appropriate home folder
if [ x"$USER_ID" != x"0" -a x"$USER_ID" != x"1001" ]; then
Expand All @@ -22,25 +41,30 @@ if [ x"$USER_ID" != x"0" -a x"$USER_ID" != x"1001" ]; then
# Some images (eg. UDI) may contain duplicate users with different IDs
USER_NAME=$(grep ":$USER_ID:" /etc/passwd | cut -d: -f1)

cat /etc/passwd | sed \
-e "/$USER_ID/ s|/sbin/nologin|/bin/bash|" \
-e "/$USER_ID/ s|:/:|:/var/tmp/user:|" \
-e "/$USER_NAME:/{/:$USER_ID:/!d;}" \
> $NSS_WRAPPER_PASSWD
if [ -z $USER_NAME ]; then
cp /etc/passwd $NSS_WRAPPER_PASSWD
echo "$USER_ID:x:$USER_ID:$USER_ID::/var/tmp/user:/bin/bash" >> $NSS_WRAPPER_PASSWD
else
cat /etc/passwd | sed \
-e "/$USER_ID/ s|/sbin/nologin|/bin/bash|" \
-e "/$USER_ID/ s|:/:|:/var/tmp/user:|" \
-e "/$USER_NAME:/{/:$USER_ID:/!d;}" \
> $NSS_WRAPPER_PASSWD
fi

export NSS_WRAPPER_PASSWD
export NSS_WRAPPER_GROUP
export LD_PRELOAD=$LD_PRELOAD:/sshd/libnss_wrapper.so
export LD_PRELOAD=$LD_PRELOAD:$sshd_libdir/libnss_wrapper.so
fi

if [ $HOME = "/" ]; then
if [ $HOME = "/" ] || [ -z $USER_NAME ]; then
export HOME=/var/tmp/user
mkdir -p /var/tmp/user
fi

# Common tools needed to set up service
mkdir -p $HOME/bin
cp /sshd/tar /sshd/gzip /sshd/which $HOME/bin/
cp $sshd_libdir/tar $sshd_libdir/gzip $sshd_libdir/which $HOME/bin/
echo 'export PATH=$PATH:$HOME/bin' >> $HOME/.profile

# Set up environment variables injected into PID 1 (.profile & .bashrc)
Expand All @@ -53,10 +77,10 @@ mkdir /var/tmp/ssh
chmod 755 /var/tmp/ssh

# Generate SSH Host keys
/sshd/ssh-keygen -q -N "" -t dsa -f /var/tmp/ssh/ssh_host_dsa_key && \
/sshd/ssh-keygen -q -N "" -t rsa -b 4096 -f /var/tmp/ssh/ssh_host_rsa_key && \
/sshd/ssh-keygen -q -N "" -t ecdsa -f /var/tmp/ssh/ssh_host_ecdsa_key && \
/sshd/ssh-keygen -q -N "" -t ed25519 -f /var/tmp/ssh/ssh_host_ed25519_key
$sshd_libdir/ssh-keygen -q -N "" -t dsa -f /var/tmp/ssh/ssh_host_dsa_key && \
$sshd_libdir/ssh-keygen -q -N "" -t rsa -b 4096 -f /var/tmp/ssh/ssh_host_rsa_key && \
$sshd_libdir/ssh-keygen -q -N "" -t ecdsa -f /var/tmp/ssh/ssh_host_ecdsa_key && \
$sshd_libdir/ssh-keygen -q -N "" -t ed25519 -f /var/tmp/ssh/ssh_host_ed25519_key

# Ensure appropriate permissions
chmod 600 /var/tmp/ssh/ssh_host_* /sshd/sshd_config
Expand All @@ -81,7 +105,7 @@ mkdir -p $HOME/.ssh
if [ -f /etc/ssh/dwo_ssh_key.pub ]; then
cp /etc/ssh/dwo_ssh_key.pub $HOME/.ssh/authorized_keys
else
/sshd/ssh-keygen -q -N '' -t ed25519 -f /sshd/ssh_client_ed25519_key
$sshd_libdir/ssh-keygen -q -N '' -t ed25519 -f /sshd/ssh_client_ed25519_key
cp /sshd/ssh_client_ed25519_key.pub $HOME/.ssh/authorized_keys
fi

Expand All @@ -91,5 +115,5 @@ cp /sshd/sshd_config /var/tmp/ssh/
echo -n "$(whoami)" > /sshd/username

# start SSHD
exec /sshd/sshd -D -f /var/tmp/ssh/sshd_config -E /tmp/sshd.log
exec $sshd_libdir/sshd -D -f /var/tmp/ssh/sshd_config -E /tmp/sshd.log
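Review bot: The new `[ -z $USER_NAME ]` test in the `HOME` check sits outside the `if [ x"$USER_ID" != x"0" -a x"$USER_ID" != x"1001" ]` block, and in the lines shown `USER_NAME` is only assigned inside that block. For UID 0 or 1001 the unquoted test therefore collapses to `[ -z ]`, which is true, and `HOME` is forced to `/var/tmp/user` even when it was valid. I would record the synthesized-user case explicitly with `SYNTH_USER=1` next to the `echo ... >> $NSS_WRAPPER_PASSWD` line, test `if [ "$HOME" = "/" ] || [ -n "$SYNTH_USER" ]; then`, and quote `"$USER_NAME"` in the earlier `-z` test as well. Separately, the host-key chain still starts with `ssh-keygen ... -t dsa`; DSA host keys are deprecated in OpenSSH, and because the four commands are joined with `&&` a failure there would skip the RSA, ECDSA and ED25519 keys, so I would drop that line. The enclosing `if` block begins in one hunk and ends in another, with the lines between them not shown.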