SwissDataScienceCenter · Panaetius · Feb 13, 2023 · Jan 10, 2023 · Jan 12, 2023 · Jan 17, 2023
diff --git a/docker/generic/Dockerfile b/docker/generic/Dockerfile
@@ -14,7 +14,7 @@ USER root
 SHELL [ "/bin/bash", "-c", "-o", "pipefail" ]
 
 ENV NB_UID 1000
-ENV NB_GID 1000
+ENV NB_GID 100
 ENV VENV_DIR /srv/venv
 ENV HOME /home/${NB_USER}
 ENV SHELL bash
@@ -55,7 +55,7 @@ ENV PATH ${CONDA_PATH}/bin:$PATH
 # inject the renku-jupyter stack
 COPY --from=renku_base /opt/conda /opt/conda
 COPY --from=renku_base /entrypoint.sh /entrypoint.sh
-COPY --from=renku_base --chown=1000:1000 \
+COPY --from=renku_base --chown=1000:100 \
     /home/jovyan/ /home/${NB_USER}/
 
 WORKDIR $HOME

diff --git a/docker/py/Dockerfile b/docker/py/Dockerfile
@@ -25,7 +25,8 @@ RUN apt-get update && apt-get install -yq --no-install-recommends \
     nano \
     netcat \
     unzip \
-    vim && \
+    vim \
+    openssh-server && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* && \
     ln -s /usr/lib/x86_64-linux-musl/libc.so /lib/libc.musl-x86_64.so.1 && \
@@ -34,9 +35,19 @@ RUN apt-get update && apt-get install -yq --no-install-recommends \
     /tmp/git-lfs-3.3.0/install.sh && \
     rm -rf /tmp/git-lfs*
 
-# Add a new group with id 1000 and arbitrary name
-# Note: this is to standardize groups between the R and jupyter images
-RUN groupadd -g 1000 jovyan
+# Setup ssh keys
+RUN mkdir -p /opt/ssh/sshd_config.d /opt/ssh/ssh_host_keys /opt/ssh/pid && \
+    ssh-keygen -q -N "" -t dsa -f /opt/ssh/ssh_host_keys/ssh_host_dsa_key && \
+    ssh-keygen -q -N "" -t rsa -b 4096 -f /opt/ssh/ssh_host_keys/ssh_host_rsa_key && \
+    ssh-keygen -q -N "" -t ecdsa -f /opt/ssh/ssh_host_keys/ssh_host_ecdsa_key && \
+    ssh-keygen -q -N "" -t ed25519 -f /opt/ssh/ssh_host_keys/ssh_host_ed25519_key
+
+
+COPY sshd_config /opt/ssh/sshd_config
+
+RUN chown -R 0:100 /opt/ssh/ && \
+    chmod -R u=rwX,g=rX,o= /opt/ssh && \
+    chmod -R u=rwX,g=rwX,o= /opt/ssh/pid
 
 # switch to the notebook user
 USER $NB_USER
@@ -56,6 +67,11 @@ RUN conda install gxx_linux-64 && \
     conda config --system --set channel_priority flexible && \
     conda clean --all -f -y
 
+# setup sshd
+RUN mkdir -p "$HOME/.ssh" && \
+    touch "$HOME/.ssh/authorized_keys" && \
+    chmod u=rw,g=,o= "$HOME/.ssh/authorized_keys"
+
 # install renku-python
 ENV RENKU_DISABLE_VERSION_CHECK 1
 
@@ -68,15 +84,20 @@ RUN mkdir -p "$HOME/.renku/bin" && \
     source "$HOME/.renku/venv/bin/activate" && \
     pip install --no-cache-dir -r /tmp/renku-requirements.txt && \
     deactivate && \
-    ln -s "$HOME/.renku/venv/bin/renku" "$HOME/.renku/bin/renku"
+    ln -s "$HOME/.renku/venv/bin/renku" "$HOME/.renku/bin/renku" && \
+    echo $'if (tty -s); then\n\
+    source ~/.renku/venv/bin/activate\n\
+    export PATH=/opt/conda/bin:$PATH\n\
+fi\n\
+'>> "/home/${NB_USER}/.bashrc"
 
 # configure git
 COPY git-config.bashrc /home/$NB_USER/
 RUN cat "/home/$NB_USER/git-config.bashrc" >> "/home/$NB_USER/.bashrc" && rm "/home/$NB_USER/git-config.bashrc"
 
 # configure powerline
-COPY --chown=1000:1000 powerline.bashrc /tmp/powerline.bashrc
-COPY --chown=1000:1000 powerline.config /home/${NB_USER}/.config/powerline-shell/config.json
+COPY --chown=1000:100 powerline.bashrc /tmp/powerline.bashrc
+COPY --chown=1000:100 powerline.config /home/${NB_USER}/.config/powerline-shell/config.json
 
 RUN cat /tmp/powerline.bashrc >> ~/.bashrc && rm /tmp/powerline.bashrc
 

diff --git a/docker/py/entrypoint.sh b/docker/py/entrypoint.sh
@@ -34,5 +34,16 @@ if [ -f "./post-init.sh" ]; then
     . ./post-init.sh
 fi
 
+# inject ssh public keys if any exist
+if [ -f "./.ssh/authorized_keys" ]; then
+    echo >> ~/.ssh/authorized_keys
+    cat ./.ssh/authorized_keys >> ~/.ssh/authorized_keys
+    echo >> ~/.ssh/authorized_keys
+    chmod 600 ~/.ssh/authorized_keys
+fi
+
+# Start the SHH daemon in the background
+/usr/sbin/sshd -f /opt/ssh/sshd_config -E /tmp/sshd.log
+
 # run the command
 $@
diff --git a/docker/py/sshd_config b/docker/py/sshd_config
@@ -0,0 +1,21 @@
+Include /opt/ssh/sshd_config.d/*.conf
+Port 2022
+
+HostKey /opt/ssh/ssh_host_keys/ssh_host_dsa_key
+HostKey /opt/ssh/ssh_host_keys/ssh_host_rsa_key
+HostKey /opt/ssh/ssh_host_keys/ssh_host_ecdsa_key
+HostKey /opt/ssh/ssh_host_keys/ssh_host_ed25519_key
+
+ChallengeResponseAuthentication no
+
+UsePAM no
+
+X11Forwarding yes
+PrintMotd no
+PidFile /opt/ssh/pid/sshd.pid
+
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+AuthorizedKeysFile .ssh/authorized_keys
diff --git a/docker/r/Dockerfile b/docker/r/Dockerfile
@@ -12,7 +12,7 @@ USER root
 
 ENV NB_USER rstudio
 ENV NB_UID 1000
-ENV NB_GID 1000
+ENV NB_GID 100
 ENV VENV_DIR /srv/venv
 ENV HOME /home/${NB_USER}
 ENV SHELL bash
@@ -84,7 +84,7 @@ COPY --from=renku_base /entrypoint.sh /entrypoint.sh
 # set permissions of the R library directory to be editable by NB_USER
 COPY fix-permissions.sh /usr/local/bin
 RUN fix-permissions.sh /usr/local/lib/R && \
-    chown 1000:1000 /opt/conda && \
+    chown 1000:100 /opt/conda && \
     usermod -a -G users rstudio && \
     # this hack lets some of the setup from the base renku image work here
     ln -s /home/${NB_USER} /home/jovyan && \