I am new to docker, and have been playing with the docker image in hub.docker.com

I want to add ssh service to the container. I could apt-get install the package (after apt-get update), but I don't know how to start it. Normally (not in this container), we could start the service via a regular command of `service ssh start`. But I don't know how to do this in the container without interfering with the ENTRYPOINT and CMD mechanisms.

The dockerfile comes with a docker-entrypoint.sh (see source code here) that pretty much expects to have a line for CMD

CMD ["mysqld"]

I have read some related SO articles, such as these:

but they are not directly applicable here due to the interplay of ENTRYPOINT and CMD in the docker file.

leeyuiwah
  • 1
    Why do you need to do this? For opening an sql client connected to the server? – lifeisfoo Oct 10 '17 at 16:31
  • Yes I want sql client to come in through port 22. And then the packets would be forwarded to port 3306. – leeyuiwah Oct 10 '17 at 17:30
  • if you publish the server port using the `docker run -p` options, you can connect to mysql from your host os – lifeisfoo Oct 10 '17 at 19:13
  • I want to open up only port 22 (ssh) but not port 3306 (mysql) to remote machines. Is it possible to achieve that? In other words, I want to be able to start a sshd inside the container. – leeyuiwah Oct 10 '17 at 19:53

1 Answer

What you want to do is not best practice; what you should do is use a user-defined Docker network (here is the documentation).

In your case you would for example:

1. Create a network

docker network create --driver bridge database_network

2. Start the mariadb container

docker run --network=database_network -itd --name=mariadb mariadb

3. Start the ssh container

Here we are using krlmlr/debian-ssh for the example, feel free to use any other image

docker run --network=database_network -itd --name=ssh -p 22:22 -e SSH_KEY="$(cat ~/.ssh/id_rsa.pub)" krlmlr/debian-ssh:wheezy

Then when you connect via port 22 you can connect to the database using mariadb as the hostname, so instead of let's say localhost:3306 you will use mariadb:3306 within the ssh tunnel.

This will even allow you to set up multiple containers with different ssh keys across different ports if your server can handle the load of that many containers.

To answer the question on which would be more efficient between: A) Run one container with both mysqld and sshd in it; and B) Run two containers, one for mysqld and one for sshd

The difference in resource usage would be minimal because running ssh within the official mariadb image would require using supervisor or s6 which would be one more process than running the two containers individually. Which means depending on the size of the ssh image, the amount of memory usage may as well be the same. In terms of CPU usage I'm of the opinion that the case would be the same and may actually favor scenario B.

Clive Makamara
  • That is a very interesting idea. I am going to try it. However, I do have a question. What would be the resource implication? Comparing two approaches: A) Run one container with both mysqld and sshd in it; and B) Run two containers one for mysqld and one for sshd (i.e. your suggestion), would B be more resource intensive? Are there any good pointers to some empirical studies on that? Thanks! – leeyuiwah Oct 11 '17 at 22:00
  • 1
    I've updated my answer to try and answer that. It is pure conjecture though so maybe more research on this would be good, but I think I'm mostly correct – Clive Makamara Oct 12 '17 at 09:06
  • Inspired by your answer, now I have another related question. It is about how to architect multiple sub-systems all using MariaDB. Should each of them have their own container running a MariaDB, or should they share one common container for MariaDB? Can you take a look at https://stackoverflow.com/q/46694888 and give me your opinion? Again, ideally there is empirical evidence on the architectural decision (or how to trade off between the two options). Thanks a lot! – leeyuiwah Oct 12 '17 at 12:51
  • Yes I just tried out your suggestion and it works. Thanks a lot! – leeyuiwah Oct 12 '17 at 18:24
  • 1
    Sure thing I'll look into it now, glad my answer was able to help you – Clive Makamara Oct 13 '17 at 17:54
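
A check for the layout described in the answer above (port 22 published, 3306 reachable only on `database_network`), as an added example that is not part of the original question or answer. It parses the output of `docker ps --format '{{.Names}}\t{{.Ports}}'`; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): check that only sshd is
# reachable from outside the Docker host, as the two-container layout intends.
# Input: "<name><TAB><ports>" lines, the format printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'

# Emit "<name> <host_ip> <host_port> <container_port>" per published mapping.
published_ports() {
    awk -F '\t' '{
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            # A bare "3306/tcp" is not published; "host->container" is.
            if (maps[i] !~ /->/) continue
            split(maps[i], side, "->")
            cport = side[2]; sub(/\/.*/, "", cport)     # drop "/tcp"
            hport = side[1]; sub(/.*:/, "", hport)      # text after last ":"
            hip = side[1];   sub(/:[^:]*$/, "", hip)    # text before last ":"
            print $1, hip, hport, cport
        }
    }'
}

# Policy: nothing may publish 3306 on a non-loopback address; any other
# published port except 22 gets a warning. Exit status is 1 on FAIL.
audit() {
    published_ports | awk '
        $2 ~ /^127\./ || $2 == "[::1]" { next }   # loopback only: not remote
        $4 == 3306 { print "FAIL " $1 " publishes 3306 on " $2; bad = 1; next }
        $4 != 22   { print "WARN " $1 " publishes " $4 " on " $2 }
        END { exit bad + 0 }'
}

# Constructed sample input (not real output from any host).
sample_intended() {   # layout from the answer: 22 published, 3306 internal
    printf 'ssh\t0.0.0.0:22->22/tcp, :::22->22/tcp\nmariadb\t3306/tcp\n'
}
sample_exposed() {    # same containers, but mariadb started with -p 3306:3306
    printf 'ssh\t0.0.0.0:22->22/tcp\nmariadb\t0.0.0.0:3306->3306/tcp\n'
}

sample_intended | audit && echo "intended layout: ok"
sample_exposed  | audit || echo "exposed layout: policy violated"
```

On a real host, pipe `docker ps --format '{{.Names}}\t{{.Ports}}'` into `audit` instead of the sample functions.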