So I'm not yet sure why this works, but I was struggling to get SSH to work against an IBM DataPower Gateway Docker image/container.
14cffe1113a3
Unauthorized access prohibited.
login: admin
Password: *****
Welcome to IBM DataPower Gateway console configuration.
Copyright IBM Corporation 1999-2017
Version: IDG.7.6.0.0 build 289959 on Jul 20, 2017 1:16:22 PM
Serial number: 0000001
Notice: startup config contains errors.
idg#
Whilst the configuration looked OK: -
the service would refuse to become active, instead frustratingly staying as disabled ( 0x0034000d ).
This meant that, whilst I could connect to the DataPower via the web admin interface: -
having previously enabled it: -
configure; web-mgmt 0 9090 9090;
thanks to this: -
I wasn't able to SSH into the box.
Thankfully, I could still attach to the serial terminal using docker attach: -
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
14cffe1113a3 ibmcom/datapower "/bin/drouter" 9 minutes ago Up 23 seconds 0.0.0.0:5554->5554/tcp, 0.0.0.0:8000-8010->8000-8010/tcp, 0.0.0.0:9022->9022/tcp, 0.0.0.0:9090->9090/tcp idg
docker attach 14cffe1113a3
login: admin
Password: *****
Welcome to IBM DataPower Gateway console configuration.
Copyright IBM Corporation 1999-2017
Version: IDG.7.6.0.0 build 289959 on Jul 20, 2017 1:16:22 PM
Serial number: 0000001
Notice: startup config contains errors.
idg#
I tried various things, but to no avail.
I then started wondering whether the problem might be related to the fact that I'm running the Docker container as a non-root user, and whether the underlying OS was therefore preventing me from starting a service on a port less than 1024.
For the record, this is kinda Unix 101: one cannot run any service on, say, ports 22 or 80 or 443, unless one is running as root.
It's for that reason that I always configure my web servers (IBM HTTP Server) to run on ports 8080 and 8443, because who wants to run a web server as root? Clue: NOBODY
So I changed the SSH configuration: -
configure terminal
ssh 0.0.0.0 9022
write memory
and then changed my startup script from this: -
docker run -it \
-v $PWD/config:/drouter/config \
-v $PWD/local:/drouter/local \
-e DATAPOWER_ACCEPT_LICENSE=true \
-e DATAPOWER_INTERACTIVE=true \
-p 9090:9090 \
-p 9022:22 \
-p 5554:5554 \
-p 8000-8010:8000-8010 \
--name idg \
ibmcom/datapower
to this: -
docker run -it \
-v $PWD/config:/drouter/config \
-v $PWD/local:/drouter/local \
-e DATAPOWER_ACCEPT_LICENSE=true \
-e DATAPOWER_INTERACTIVE=true \
-p 9090:9090 \
-p 9022:9022 \
-p 5554:5554 \
-p 8000-8010:8000-8010 \
--name idg \
ibmcom/datapower
In other words, I'm mapping port 9022 within the container to port 9022 within the host.
Once I did this, I was able to SSH into the box: -
ssh -p 9022 localhost
14cffe1113a3
Unauthorized access prohibited.
login: admin
Password: *****
Welcome to IBM DataPower Gateway console configuration.
Copyright IBM Corporation 1999-2017
Version: IDG.7.6.0.0 build 289959 on Jul 20, 2017 1:16:22 PM
Serial number: 0000001
Notice: startup config contains errors.
idg#
and the SSH service looks nice n' happy: -
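A check for the situation described above, as an added example that is not part of the original post: it reads the -p flags of a docker run script and lists any mapping whose container-side port falls below the privileged-port boundary. The function name privileged_mappings and the default threshold of 1024 are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): flag -p mappings whose
# container-side port is in the privileged range.
# Assumption: the threshold is 1024, the traditional Unix boundary; on Linux
# the effective value is the sysctl net.ipv4.ip_unprivileged_port_start.

# privileged_mappings [THRESHOLD] < docker-run-script
# Prints each mapping whose container port (or range start) is below THRESHOLD.
privileged_mappings() {
    threshold=${1:-1024}
    # Extract the argument that follows each -p flag.
    grep -Eo -e '-p[[:space:]]+[^[:space:]]+' |
    while read -r flag mapping; do
        mapping=${mapping%/*}      # drop a trailing /tcp or /udp
        container=${mapping##*:}   # last colon-separated field = container side
        first=${container%%-*}     # first port of a range such as 8000-8010
        case $first in
            ''|*[!0-9]*) continue ;;   # skip anything that is not a number
        esac
        if [ "$first" -lt "$threshold" ]; then
            printf '%s\n' "$mapping"
        fi
    done
}

# The two sets of -p flags from the post, joined onto one line each.
before='-p 9090:9090 -p 9022:22 -p 5554:5554 -p 8000-8010:8000-8010'
after='-p 9090:9090 -p 9022:9022 -p 5554:5554 -p 8000-8010:8000-8010'

echo "before: $(printf '%s\n' "$before" | privileged_mappings)"
echo "after:  $(printf '%s\n' "$after" | privileged_mappings)"
```

The original script is reported with 9022:22; the changed script produces no output because every container-side port is 1024 or above.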