SSH access with a Docker service

I have a Docker service I need to setup for SSH access in order to be able to migrate data to a disk via scp. I am getting the following error when I attempt to connect via the ssh command ssh -v [redacted]@ssh.oregon.render.com:

debug1: Authentication succeeded (publickey).
Authenticated to ssh.oregon.render.com ([34.83.8.109]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: filesystem full
debug1: channel 0: free: client-session, nchannels 1
Connection to ssh.oregon.render.com closed by remote host.
Connection to ssh.oregon.render.com closed.
Transferred: sent 2760, received 1448 bytes, in 2.0 seconds
Bytes per second: sent 1401.1, received 735.1
debug1: Exit status -1

I have the following Dockerfile:

FROM python:3.9.12-slim-bullseye

# Set environment variables
ENV PYTHONDONTWRITEBYTECODE 1
ENV PYTHONUNBUFFERED 1

# Set work directory
WORKDIR /code

# Install OS security updates and deps for Weazyprint (libpango-1.0-0 libpangoft2-1.0-0)
# The git dep is for pip checkouts from git repos (payflowpro)
# The openssh-server is so render.com can support SSH connections for scp disk access
RUN apt-get update && apt-get -y upgrade &&  \
    apt-get -y install libpango-1.0-0 libpangoft2-1.0-0 git openssh-server && \
    apt-get clean && rm -rf /var/lib/apt/lists/*

# create directory for the app user
# RUN mkdir -p /home/app

# create the app user
RUN addgroup --system app && adduser --ingroup app --home /home/app --shell /bin/sh app

# create the appropriate directories
ENV HOME=/home/app
ENV APP_HOME=/home/app/web
RUN mkdir $APP_HOME
# Setup empty ~/.ssh directory
RUN mkdir $HOME/.ssh
WORKDIR $APP_HOME

# Install dependencies
COPY ./Pipfile .
COPY ./Pipfile.lock .
RUN pip install --upgrade pip setuptools wheel &&  \
    pip install pipenv &&  \
    pipenv install --ignore-pipfile

# copy project
COPY . $APP_HOME

# chown all the files to the app user
RUN chown -R app:app $APP_HOME && chown -R app:app $HOME/.ssh && chmod o+rwx $HOME/.ssh

# change to the app user
USER app

# Verify write access to the .ssh folder
RUN touch $HOME/.ssh/foobar.txt

# Collect static files
RUN export DJANGO_SETTINGS_MODULE=globalfingerprints.settings.render &&  \
    pipenv run ./manage.py collectstatic --no-input

I know ~/.ssh has write access because I can see the foobar.txt file created by the Dockerfile after switching to the user. I can also see a file that I think Render puts in there via the web shell access. Is there something else I am missing to allow a Docker service to have SSH access?

We have reached out to the user through DM to get their service id so we can investigate further.

Thank you I sent the details you requested. Happy to share the solution here once we get it worked out. There must be something I am missing. :slight_smile:

With the help Render support I was able to get this working. I changed this line

RUN chown -R app:app $APP_HOME && chown -R app:app $HOME/.ssh && chmod o+rwx $HOME/.ssh

to

RUN chown -R app:app $APP_HOME && chown -R app:app $HOME/.ssh && chmod 700 $HOME/.ssh

The chmod 700 $HOME/.ssh change was the key part that got it working.

1 Like