
Commit dde8b6d

committed
Add support for UBI 8 based images.
- Use a multi-stage image build to support different UBI based images. - Use folders within /sshd-staging/ to determine base of user container (eg. /sshd-staging/ubi8/ , /sshd-staging/ubi9/) - Place all landing page setup into sshd.init script. Signed-off-by: Roland Grunberg <rgrunber@redhat.com>
1 parent 7b9094f commit dde8b6d

5 files changed

Lines changed: 99 additions & 41 deletions


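--- a/.github/workflows/image-publish.yml
+++ b/.github/workflows/image-publish.yml
@@ -198,5 +198,5 @@ jobs:
 run: |
 SHORT_SHA1=$(git rev-parse --short=7 HEAD)
 docker buildx build --platform linux/amd64 -f build/dockerfiles/dev.Dockerfile --push -t quay.io/che-incubator/che-code-dev:insiders -t quay.io/che-incubator/che-code-dev:next -t quay.io/che-incubator/che-code-dev:insiders-${SHORT_SHA1} .
-docker buildx build --platform linux/amd64 -f build/dockerfiles/dev.sshd.Dockerfile --push -t quay.io/che-incubator/che-code-sshd:insiders -t quay.io/che-incubator/che-code-sshd:next -t quay.io/che-incubator/che-code-sshd:insiders-${SHORT_SHA1} .
+docker buildx build --platform linux/amd64 -f build/dockerfiles/assembly.sshd.Dockerfile --push -t quay.io/che-incubator/che-code-sshd:insiders -t quay.io/che-incubator/che-code-sshd:next -t quay.io/che-incubator/che-code-sshd:insiders-${SHORT_SHA1} .
 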
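--- /dev/null
+++ b/build/dockerfiles/assembly.sshd.Dockerfile
@@ -0,0 +1,47 @@
+# Copyright (c) 2025 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+# UBI 8
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10 as sshd-ubi8
+
+USER 0
+
+RUN microdnf -y install libsecret openssh-server nss_wrapper-libs \
+gzip tar which && \
+microdnf -y clean all --enablerepo='*'
+
+# UBI 9/10
+FROM registry.access.redhat.com/ubi9/nodejs-20-minimal:9.7
+
+USER 0
+
+RUN microdnf -y install libsecret openssh-server nss_wrapper-libs && \
+microdnf -y clean all --enablerepo='*'
+
+RUN mkdir -p /sshd-staging/ubi8 /sshd-staging/ubi9
+# UBI 8
+COPY --from=sshd-ubi8 /usr/sbin/sshd /usr/bin/ssh-keygen /usr/bin/tar /usr/bin/gzip /usr/bin/which /usr/lib64/libnss_wrapper.so /usr/lib64/libpam.so.0 /sshd-staging/ubi8/
+# UBI 9/10
+RUN cp /usr/sbin/sshd /usr/bin/ssh-keygen /usr/bin/tar /usr/bin/gzip /usr/bin/which /usr/lib64/libnss_wrapper.so /usr/lib64/libpam.so.0 /usr/lib64/libeconf.so.0 /usr/lib64/libcrypt.so.2 /sshd-staging/ubi9/
+
+# sshd_config is root:root 600
+RUN chmod 644 /etc/ssh/sshd_config
+RUN cp /etc/ssh/sshd_config /sshd-staging/
+
+# Add script to start and stop the service
+COPY --chown=0:0 /build/scripts/sshd.init /build/scripts/sshd.start /sshd-staging/
+
+RUN mkdir /opt/www
+COPY /build/scripts/code-sshd-page/* /opt/www/
+
+# Lock down /etc/passwd until fixed in UDI
+RUN chmod 644 /etc/passwd
+
+EXPOSE 2022 3400
+
+USER 10001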
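Review bot: Both `FROM` lines pin their base only by a mutable tag (`ubi-minimal:8.10`, `nodejs-20-minimal:9.7`), yet the `sshd`, `ssh-keygen` and shared libraries staged from them are later copied to a shared volume and executed or `LD_PRELOAD`ed in the user container, so a re-pushed tag changes those binaries without any change to this file. Pinning by digest keeps the staged binaries reproducible and reviewable, e.g. `FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10@sha256:<digest> AS sshd-ubi8` and the same for the UBI 9 base. The final stage has no name and the first uses lowercase `as`; uppercase `AS` and a name on both stages would keep them consistent. The comment `# sshd_config is root:root 600` gives the starting mode but not the reason for widening it; something like `# sshd_config ships as root:root 0600; make the staged copy readable by the non-root user` would record it, assuming that is the intent.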

build/dockerfiles/dev.sshd.Dockerfile

Lines changed: 0 additions & 30 deletions
This file was deleted.

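--- /dev/null
+++ b/build/scripts/sshd.init
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# Copyright (c) 2026 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+# copy provisioned data (from che-code-sshd) to shared volume
+cp -rp /sshd-staging/. /sshd/
+
+# wait for main container to set up sshd (will indicate username)
+while [ ! -e /sshd/username ]; do
+sleep 1s
+done
+
+# start the landing page
+pushd /opt/www/
+exec node /opt/www/server.js
+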
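Review bot: Neither `cp -rp /sshd-staging/. /sshd/` nor `pushd /opt/www/` has its exit status checked, and the wait on `/sshd/username` has no upper bound, so a failed copy (for example a shared volume that is missing or not writable) goes unnoticed while the script keeps polling or goes on to start the landing page. Failing fast would surface this: `cp -rp /sshd-staging/. /sshd/ || exit 1` and `cd /opt/www/ || exit 1` (`pushd` gains nothing directly before `exec`). A bounded wait that exits non-zero after a timeout would also let the orchestrator report a main container that never finishes its sshd setup.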

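--- a/build/scripts/sshd.start
+++ b/build/scripts/sshd.start
@@ -8,11 +8,30 @@
 # SPDX-License-Identifier: EPL-2.0
 #
 
-# https://github.com/sclorg/s2i-nodejs-container/blob/master/22/root/opt/app-root/etc/generate_container_user
 USER_ID=$(id -u)
 
-export LD_PRELOAD=/sshd/libeconf.so.0:/sshd/libpam.so.0:/sshd/libcrypt.so.2
+sshd_libdir=
+. /etc/os-release
+case $VERSION_ID in
+"8"*)
+sshd_libdir=/sshd/ubi8
+export LD_PRELOAD=$sshd_libdir/libpam.so.0
+;;
+"9"*)
+sshd_libdir=/sshd/ubi9
+export LD_PRELOAD=$sshd_libdir/libeconf.so.0:$sshd_libdir/libpam.so.0:$sshd_libdir/libcrypt.so.2
+;;
+"10"*)
+sshd_libdir=/sshd/ubi9
+export LD_PRELOAD=$sshd_libdir/libeconf.so.0:$sshd_libdir/libpam.so.0:$sshd_libdir/libcrypt.so.2
+;;
+*)
+sshd_libdir=/sshd/ubi9
+export LD_PRELOAD=$sshd_libdir/libeconf.so.0:$sshd_libdir/libpam.so.0:$sshd_libdir/libcrypt.so.2
+;;
+esac
 
+# https://github.com/sclorg/s2i-nodejs-container/blob/master/22/root/opt/app-root/etc/generate_container_user
 # Configure passwd/group files for SSHD
 # Random user must have a login shell and appropriate home folder
 if [ x"$USER_ID" != x"0" -a x"$USER_ID" != x"1001" ]; then
@@ -35,7 +54,7 @@ if [ x"$USER_ID" != x"0" -a x"$USER_ID" != x"1001" ]; then
 
 export NSS_WRAPPER_PASSWD
 export NSS_WRAPPER_GROUP
-export LD_PRELOAD=$LD_PRELOAD:/sshd/libnss_wrapper.so
+export LD_PRELOAD=$LD_PRELOAD:$sshd_libdir/libnss_wrapper.so
 fi
 
 if [ $HOME = "/" ] || [ -z $USER_NAME ]; then
@@ -45,7 +64,7 @@ fi
 
 # Common tools needed to set up service
 mkdir -p $HOME/bin
-cp /sshd/tar /sshd/gzip /sshd/which $HOME/bin/
+cp $sshd_libdir/tar $sshd_libdir/gzip $sshd_libdir/which $HOME/bin/
 echo 'export PATH=$PATH:$HOME/bin' >> $HOME/.profile
 
 # Set up environment variables injected into PID 1 (.profile & .bashrc)
@@ -58,10 +77,10 @@ mkdir /var/tmp/ssh
 chmod 755 /var/tmp/ssh
 
 # Generate SSH Host keys
-/sshd/ssh-keygen -q -N "" -t dsa -f /var/tmp/ssh/ssh_host_dsa_key && \
-/sshd/ssh-keygen -q -N "" -t rsa -b 4096 -f /var/tmp/ssh/ssh_host_rsa_key && \
-/sshd/ssh-keygen -q -N "" -t ecdsa -f /var/tmp/ssh/ssh_host_ecdsa_key && \
-/sshd/ssh-keygen -q -N "" -t ed25519 -f /var/tmp/ssh/ssh_host_ed25519_key
+$sshd_libdir/ssh-keygen -q -N "" -t dsa -f /var/tmp/ssh/ssh_host_dsa_key && \
+$sshd_libdir/ssh-keygen -q -N "" -t rsa -b 4096 -f /var/tmp/ssh/ssh_host_rsa_key && \
+$sshd_libdir/ssh-keygen -q -N "" -t ecdsa -f /var/tmp/ssh/ssh_host_ecdsa_key && \
+$sshd_libdir/ssh-keygen -q -N "" -t ed25519 -f /var/tmp/ssh/ssh_host_ed25519_key
 
 # Ensure appropriate permissions
 chmod 600 /var/tmp/ssh/ssh_host_* /sshd/sshd_config
@@ -86,7 +105,7 @@ mkdir -p $HOME/.ssh
 if [ -f /etc/ssh/dwo_ssh_key.pub ]; then
 cp /etc/ssh/dwo_ssh_key.pub $HOME/.ssh/authorized_keys
 else
-/sshd/ssh-keygen -q -N '' -t ed25519 -f /sshd/ssh_client_ed25519_key
+$sshd_libdir/ssh-keygen -q -N '' -t ed25519 -f /sshd/ssh_client_ed25519_key
 cp /sshd/ssh_client_ed25519_key.pub $HOME/.ssh/authorized_keys
 fi
 
@@ -96,5 +115,5 @@ cp /sshd/sshd_config /var/tmp/ssh/
 echo -n "$(whoami)" > /sshd/username
 
 # start SSHD
-exec /sshd/sshd -D -f /var/tmp/ssh/sshd_config -E /tmp/sshd.log
+exec $sshd_libdir/sshd -D -f /var/tmp/ssh/sshd_config -E /tmp/sshd.log
 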
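Review bot: The host-key chain in the fourth hunk still begins with `$sshd_libdir/ssh-keygen -q -N "" -t dsa -f /var/tmp/ssh/ssh_host_dsa_key`, so every workspace gets a DSA host key. DSA keys are fixed at 1024 bits and OpenSSH has not accepted them by default since 7.0, so the key adds nothing a current client will use. Because the four commands are joined with `&&`, a failure of that first command (for instance under a crypto policy that refuses DSA; not verifiable from this hunk) would also skip the RSA, ECDSA and Ed25519 keys. Dropping the DSA line so the chain starts at `-t rsa -b 4096` avoids both problems. Whether `sshd_config` lists a DSA `HostKey` is not visible here and should be checked alongside.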
