docker-bastion/scripts/start-container

#!/bin/sh
set -eu

echo "=========================================="
echo "  docker-bastion starting"
echo "=========================================="
echo "Date:        $(date)"
echo "Hostname:    $(hostname)"
echo "OpenSSH:     $(/usr/sbin/sshd -V 2>&1 | head -1 || echo n/a)"
echo "Docker CLI:  $(docker --version 2>/dev/null || echo n/a)"
echo "=========================================="

SSH_USER="agent"
SSH_PORT="${SSH_PORT:-22}"
FORCE_COMMAND_VALUE="${FORCE_COMMAND:-}"
AUTHORIZED_KEYS_HOST="${AUTHORIZED_KEYS_HOST:-/etc/bastion/authorized_keys.host}"
AUTHORIZED_KEYS_REPO="${AUTHORIZED_KEYS_REPO:-/etc/bastion/authorized_keys.repo}"

# ---------------------------------------------------------------------------
# 1) Validate config
# ---------------------------------------------------------------------------
if [ -z "$FORCE_COMMAND_VALUE" ]; then
    echo "FATAL: FORCE_COMMAND must be set."
    echo "       e.g. FORCE_COMMAND='docker exec -it app bash'"
    echo "       or   FORCE_COMMAND='cd /workspace && ./deploy.sh'"
    exit 1
fi

# ---------------------------------------------------------------------------
# 2) Host keys — generate on first boot, persist via /etc/ssh/keys volume
# ---------------------------------------------------------------------------
echo "[1/5] Host keys..."
mkdir -p /etc/ssh/keys
chmod 700 /etc/ssh/keys
for keytype in ed25519 rsa; do
    keyfile="/etc/ssh/keys/ssh_host_${keytype}_key"
    if [ ! -f "$keyfile" ]; then
        echo "  Generating new $keytype host key"
        ssh-keygen -t "$keytype" -f "$keyfile" -N "" -q
    else
        echo "  Reusing existing $keytype host key"
    fi
    chmod 600 "$keyfile"
    [ -f "${keyfile}.pub" ] && chmod 644 "${keyfile}.pub"
done

# ---------------------------------------------------------------------------
# 3) Merge authorized_keys sources
# ---------------------------------------------------------------------------
echo "[2/5] Authorized keys..."
AUTH_FILE="/home/${SSH_USER}/.ssh/authorized_keys"
mkdir -p "$(dirname "$AUTH_FILE")"
: > "$AUTH_FILE"

added=0
for src in "$AUTHORIZED_KEYS_HOST" "$AUTHORIZED_KEYS_REPO"; do
    if [ -f "$src" ]; then
        echo "  + Merging $src"
        cat "$src" >> "$AUTH_FILE"
        # Force newline between sources (final file may not end with one).
        printf '\n' >> "$AUTH_FILE"
        added=$((added + 1))
    fi
done

if [ "$added" -eq 0 ]; then
    echo "FATAL: no authorized_keys source found."
    echo "       Mount at least one of:"
    echo "         $AUTHORIZED_KEYS_HOST   (typically ~/.ssh/authorized_keys from host)"
    echo "         $AUTHORIZED_KEYS_REPO   (typically ./docker/bastion/authorized_keys)"
    exit 1
fi

key_count=$(grep -cvE '^[[:space:]]*(#|$)' "$AUTH_FILE" 2>/dev/null || echo 0)
echo "  Loaded $key_count authorized key(s) from $added source(s)"

chown -R "${SSH_USER}:${SSH_USER}" "$(dirname "$AUTH_FILE")"
chmod 700 "$(dirname "$AUTH_FILE")"
chmod 600 "$AUTH_FILE"

# ---------------------------------------------------------------------------
# 4) ForceCommand wrapper
#
# Write the configured command to a plain file, then a small wrapper that
# exec's `sh -c "$(cat ...)"`. This way:
#   - Shell metacharacters in $FORCE_COMMAND work (&&, |, redirects, cd).
#   - The wrapper itself stays static (no escaping of user input into a
#     heredoc), and the command file is read at session start so changes
#     to $FORCE_COMMAND only need a container restart, not a rebuild.
# ---------------------------------------------------------------------------
echo "[3/5] ForceCommand..."
mkdir -p /etc/bastion
printf '%s\n' "$FORCE_COMMAND_VALUE" > /etc/bastion/force-command.cmd
chmod 0644 /etc/bastion/force-command.cmd

cat > /etc/bastion/force-command <<'WRAPPER'
#!/bin/sh
# Auto-generated by docker-bastion start-container.
# sshd invokes this script for every authenticated session.
# SSH_ORIGINAL_COMMAND is intentionally ignored — clients cannot override.
exec sh -c "$(cat /etc/bastion/force-command.cmd)"
WRAPPER
chmod 0755 /etc/bastion/force-command
echo "  $FORCE_COMMAND_VALUE"

# ---------------------------------------------------------------------------
# 5) Docker socket — if mounted, align group membership so the agent user
#    can talk to dockerd without --privileged.
# ---------------------------------------------------------------------------
echo "[4/5] Docker socket..."
if [ -S /var/run/docker.sock ]; then
    sock_gid=$(stat -c '%g' /var/run/docker.sock)
    echo "  Socket present, host gid=$sock_gid"

    grp_name=$(getent group "$sock_gid" | cut -d: -f1 || true)
    if [ -z "$grp_name" ]; then
        grp_name="dockerhost"
        addgroup -g "$sock_gid" "$grp_name" 2>/dev/null || true
        echo "  Created group $grp_name (gid=$sock_gid)"
    else
        echo "  Reusing existing group $grp_name (gid=$sock_gid)"
    fi
    addgroup "$SSH_USER" "$grp_name" 2>/dev/null || true
    echo "  Added $SSH_USER to $grp_name"
else
    echo "  WARN: /var/run/docker.sock not mounted — docker-based FORCE_COMMAND will fail."
fi

# ---------------------------------------------------------------------------
# 6) Adjust sshd_config port if non-default
# ---------------------------------------------------------------------------
if [ "$SSH_PORT" != "22" ]; then
    sed -i "s/^Port 22\$/Port ${SSH_PORT}/" /etc/ssh/sshd_config
fi

# ---------------------------------------------------------------------------
# 7) sshd config sanity check + launch
# ---------------------------------------------------------------------------
echo "[5/5] sshd config check..."
/usr/sbin/sshd -t -f /etc/ssh/sshd_config

echo "=========================================="
echo "  Listening on port ${SSH_PORT}"
echo "  User:          ${SSH_USER}"
echo "  ForceCommand:  ${FORCE_COMMAND_VALUE}"
echo "=========================================="

# -D = foreground, -e = log to stderr (so docker logs picks it up).
exec /usr/sbin/sshd -D -e
A initial docker-bastion image Minimal SSH bastion (alpine + openssh-server + docker-cli) that authenticates by key and runs exactly one preconfigured command (FORCE_COMMAND) per session. authorized_keys can be merged from both a host-mounted source and a repo-mounted source. Host keys persist via /etc/ssh/keys volume; docker socket group membership is aligned at boot. 2026-05-28 08:50:06 +00:00			`#!/bin/sh`
			`set -eu`

			`echo "=========================================="`
			`echo " docker-bastion starting"`
			`echo "=========================================="`
			`echo "Date: $(date)"`
			`echo "Hostname: $(hostname)"`
			`echo "OpenSSH: $(/usr/sbin/sshd -V 2>&1 \| head -1 \|\| echo n/a)"`
			`echo "Docker CLI: $(docker --version 2>/dev/null \|\| echo n/a)"`
			`echo "=========================================="`

			`SSH_USER="agent"`
			`SSH_PORT="${SSH_PORT:-22}"`
			`FORCE_COMMAND_VALUE="${FORCE_COMMAND:-}"`
			`AUTHORIZED_KEYS_HOST="${AUTHORIZED_KEYS_HOST:-/etc/bastion/authorized_keys.host}"`
			`AUTHORIZED_KEYS_REPO="${AUTHORIZED_KEYS_REPO:-/etc/bastion/authorized_keys.repo}"`

			`# ---------------------------------------------------------------------------`
			`# 1) Validate config`
			`# ---------------------------------------------------------------------------`
			`if [ -z "$FORCE_COMMAND_VALUE" ]; then`
			`echo "FATAL: FORCE_COMMAND must be set."`
			`echo " e.g. FORCE_COMMAND='docker exec -it app bash'"`
			`echo " or FORCE_COMMAND='cd /workspace && ./deploy.sh'"`
			`exit 1`
			`fi`

			`# ---------------------------------------------------------------------------`
			`# 2) Host keys — generate on first boot, persist via /etc/ssh/keys volume`
			`# ---------------------------------------------------------------------------`
			`echo "[1/5] Host keys..."`
			`mkdir -p /etc/ssh/keys`
			`chmod 700 /etc/ssh/keys`
			`for keytype in ed25519 rsa; do`
			`keyfile="/etc/ssh/keys/ssh_host_${keytype}_key"`
			`if [ ! -f "$keyfile" ]; then`
			`echo " Generating new $keytype host key"`
			`ssh-keygen -t "$keytype" -f "$keyfile" -N "" -q`
			`else`
			`echo " Reusing existing $keytype host key"`
			`fi`
			`chmod 600 "$keyfile"`
			`[ -f "${keyfile}.pub" ] && chmod 644 "${keyfile}.pub"`
			`done`

			`# ---------------------------------------------------------------------------`
			`# 3) Merge authorized_keys sources`
			`# ---------------------------------------------------------------------------`
			`echo "[2/5] Authorized keys..."`
			`AUTH_FILE="/home/${SSH_USER}/.ssh/authorized_keys"`
			`mkdir -p "$(dirname "$AUTH_FILE")"`
			`: > "$AUTH_FILE"`

			`added=0`
			`for src in "$AUTHORIZED_KEYS_HOST" "$AUTHORIZED_KEYS_REPO"; do`
			`if [ -f "$src" ]; then`
			`echo " + Merging $src"`
			`cat "$src" >> "$AUTH_FILE"`
			`# Force newline between sources (final file may not end with one).`
			`printf '\n' >> "$AUTH_FILE"`
			`added=$((added + 1))`
			`fi`
			`done`

			`if [ "$added" -eq 0 ]; then`
			`echo "FATAL: no authorized_keys source found."`
			`echo " Mount at least one of:"`
			`echo " $AUTHORIZED_KEYS_HOST (typically ~/.ssh/authorized_keys from host)"`
			`echo " $AUTHORIZED_KEYS_REPO (typically ./docker/bastion/authorized_keys)"`
			`exit 1`
			`fi`

			`key_count=$(grep -cvE '^[[:space:]]*(#\|$)' "$AUTH_FILE" 2>/dev/null \|\| echo 0)`
			`echo " Loaded $key_count authorized key(s) from $added source(s)"`

			`chown -R "${SSH_USER}:${SSH_USER}" "$(dirname "$AUTH_FILE")"`
			`chmod 700 "$(dirname "$AUTH_FILE")"`
			`chmod 600 "$AUTH_FILE"`

			`# ---------------------------------------------------------------------------`
			`# 4) ForceCommand wrapper`
			`#`
			`# Write the configured command to a plain file, then a small wrapper that`
			# exec's `sh -c "$(cat ...)"`. This way:
			`# - Shell metacharacters in $FORCE_COMMAND work (&&, \|, redirects, cd).`
			`# - The wrapper itself stays static (no escaping of user input into a`
			`# heredoc), and the command file is read at session start so changes`
			`# to $FORCE_COMMAND only need a container restart, not a rebuild.`
			`# ---------------------------------------------------------------------------`
			`echo "[3/5] ForceCommand..."`
			`mkdir -p /etc/bastion`
			`printf '%s\n' "$FORCE_COMMAND_VALUE" > /etc/bastion/force-command.cmd`
			`chmod 0644 /etc/bastion/force-command.cmd`

			`cat > /etc/bastion/force-command <<'WRAPPER'`
			`#!/bin/sh`
			`# Auto-generated by docker-bastion start-container.`
			`# sshd invokes this script for every authenticated session.`
			`# SSH_ORIGINAL_COMMAND is intentionally ignored — clients cannot override.`
			`exec sh -c "$(cat /etc/bastion/force-command.cmd)"`
			`WRAPPER`
			`chmod 0755 /etc/bastion/force-command`
			`echo " $FORCE_COMMAND_VALUE"`

			`# ---------------------------------------------------------------------------`
			`# 5) Docker socket — if mounted, align group membership so the agent user`
			`# can talk to dockerd without --privileged.`
			`# ---------------------------------------------------------------------------`
			`echo "[4/5] Docker socket..."`
			`if [ -S /var/run/docker.sock ]; then`
			`sock_gid=$(stat -c '%g' /var/run/docker.sock)`
			`echo " Socket present, host gid=$sock_gid"`

			`grp_name=$(getent group "$sock_gid" \| cut -d: -f1 \|\| true)`
			`if [ -z "$grp_name" ]; then`
			`grp_name="dockerhost"`
			`addgroup -g "$sock_gid" "$grp_name" 2>/dev/null \|\| true`
			`echo " Created group $grp_name (gid=$sock_gid)"`
			`else`
			`echo " Reusing existing group $grp_name (gid=$sock_gid)"`
			`fi`
			`addgroup "$SSH_USER" "$grp_name" 2>/dev/null \|\| true`
			`echo " Added $SSH_USER to $grp_name"`
			`else`
			`echo " WARN: /var/run/docker.sock not mounted — docker-based FORCE_COMMAND will fail."`
			`fi`

			`# ---------------------------------------------------------------------------`
			`# 6) Adjust sshd_config port if non-default`
			`# ---------------------------------------------------------------------------`
			`if [ "$SSH_PORT" != "22" ]; then`
			`sed -i "s/^Port 22\$/Port ${SSH_PORT}/" /etc/ssh/sshd_config`
			`fi`

			`# ---------------------------------------------------------------------------`
			`# 7) sshd config sanity check + launch`
			`# ---------------------------------------------------------------------------`
			`echo "[5/5] sshd config check..."`
			`/usr/sbin/sshd -t -f /etc/ssh/sshd_config`

			`echo "=========================================="`
			`echo " Listening on port ${SSH_PORT}"`
			`echo " User: ${SSH_USER}"`
			`echo " ForceCommand: ${FORCE_COMMAND_VALUE}"`
			`echo "=========================================="`

			`# -D = foreground, -e = log to stderr (so docker logs picks it up).`
			`exec /usr/sbin/sshd -D -e`