Enable SSH access to an EnterMedia Docker Instance

If you'd like to remotely access your EnterMedia database in a secure way, SSH is the best way to do it. This page documents the process to create an SSH user, generate the keys, and open the firewall using our convenient scripts.

Enable the SSH script

EnterMedia instances include most of the scripts needed to make this happen, although the script that enables SSH access to the instance is not included by default for security purposes. Once the Docker instance has been built, EMDB will look for bash scripts under the /media/instance/services/ folder on the host machine.

This script has to be run inside the container; you can get a root shell inside the container with the bash.sh script under /media/emsites/INSTANCE/NODE_NUMBER/.

Download the following add-on script into the /media/services/ folder. The script will create a default client user, enable SSH access by generating a key pair, create a /client/ folder, and start the SSHD daemon when the instance starts.

wget https://raw.githubusercontent.com/entermedia-community/entermediadb-docker/master/scripts/entermedia-sshd.sh

Change the permissions to make this executable with chmod, and then run it:

chmod +x entermedia-sshd.sh
./entermedia-sshd.sh

Restart the EnterMedia Instance

Restart the Docker container. We strongly recommend using the restart.sh or stop.sh/start.sh scripts located under the /media/emsites/INSTANCE/NODENUMBER/ folder.

After restarting the EnterMedia instance, a public key (client.pub) and a private key (client.pk) will be created under:

/media/INSTANCE/services/client/.ssh/
NOTE: This folder is a shared folder between the Host machine and the EnterMedia Docker Container.

Enable external traffic to the Instance

You will need to route traffic from an external port directly to port 22 on the instance. Follow our Firewall rules documentation, download the firewall script and customize it with the following rules:

# Route traffic arriving on port 2299 to the instance's port 22

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2299 -j DNAT --to-destination 172.18.0.99:22

Customize the iptables rule with the container's internal IP address (172.18.0.99) and the external port (2299) you want to route to internal port 22.

NOTE: Depending on your environment you may need to comment out the Docker restart command at the end of this script!
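The rule above hard-codes one container address and one external port. The following script is an added example (not part of the EnterMedia firewall script) that builds the same DNAT rule from variables, validates the address and port first, and optionally limits the rule to an administrator network with -s so the forwarded SSH port is not reachable from everywhere. CONTAINER_IP, EXT_PORT and ADMIN_CIDR are assumed values; the real container address comes from docker inspect on your host.

```shell
#!/bin/sh
# Added example, not one of the EnterMedia scripts.
# Builds (and, only when asked, applies) the PREROUTING DNAT rule that
# forwards an external TCP port to port 22 of the container.

# validate_port PORT: succeed only for an integer in 1..65535
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# validate_ipv4 ADDR: four dotted octets, each 0..255
validate_ipv4() {
    addr=$1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
}

# build_dnat_rule CONTAINER_IP EXT_PORT [ADMIN_CIDR]
# Prints the iptables command. With ADMIN_CIDR the rule only matches
# connections coming from that network.
build_dnat_rule() {
    validate_ipv4 "$1" || { echo "bad container ip: $1" >&2; return 1; }
    validate_port "$2"  || { echo "bad port: $2" >&2; return 1; }
    src=""
    [ -n "$3" ] && src=" -s $3"
    echo "iptables -t nat -A PREROUTING${src} -p tcp -m tcp --dport $2 -j DNAT --to-destination $1:22"
}

# apply_dnat_rule CONTAINER_IP EXT_PORT [ADMIN_CIDR]
# Runs the rule as root; skipped if an identical rule already exists
# (iptables -C checks for it), so re-running the script does not duplicate it.
apply_dnat_rule() {
    rule=$(build_dnat_rule "$@") || return 1
    check=$(echo "$rule" | sed 's/ -A PREROUTING/ -C PREROUTING/')
    if $check 2>/dev/null; then
        echo "rule already present"
    else
        $rule
    fi
}

# Usage on the host (assumed values):
#   CONTAINER_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' CONTAINER_NAME)
#   build_dnat_rule "$CONTAINER_IP" 2299 203.0.113.0/24   # print it
#   apply_dnat_rule "$CONTAINER_IP" 2299 203.0.113.0/24   # apply it (root)
```

Printing the rule before applying it lets you diff it against what the firewall script already contains; the -s restriction is optional but is the single cheapest way to keep the forwarded port off the public Internet.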
SSH to the Container

Move client.pk to the machine that will access this instance over SSH.

Depending on your environment, it may be easier to open the client.pk file and copy/paste its contents into a file on the other system than to use scp or rsync. Make sure you set the correct permissions on the key file!

ssh -i /PATH_TO_KEY/PRIVATE_KEY.PK client@instance.entermediadb.net -p 2299
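Whichever way the key is moved, the permissions step is the one people skip: OpenSSH refuses to use a private key that is group- or world-readable. The following shell functions are an added example (not part of the EnterMedia scripts) that install client.pk with owner-only permissions, verify the result, and build the connection command from the same pieces used above. The host name, port and key path are assumptions taken from this page; adjust them to your instance.

```shell
#!/bin/sh
# Added example, not one of the EnterMedia scripts.
# Installs a copied client.pk so that it is never world-readable and
# builds the ssh command for the forwarded port.

# key_mode FILE: print the octal permission bits (GNU stat, then BSD stat)
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_ok FILE: succeed only if the key is 0600 or 0400
key_ok() {
    mode=$(key_mode "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1 has mode $mode; expected 600" >&2; return 1 ;;
    esac
}

# install_client_key SRC DEST: copy the key into place with owner-only
# permissions. The subshell keeps umask 077 from leaking into the caller,
# so the file is created 0600 from the start rather than tightened later.
install_client_key() {
    src=$1; dest=$2
    [ -f "$src" ] || { echo "no such key: $src" >&2; return 1; }
    (
        umask 077
        mkdir -p "$(dirname "$dest")"
        cp "$src" "$dest"
        chmod 600 "$dest"
    ) || return 1
    key_ok "$dest"
}

# ssh_command KEY HOST PORT: the connection command. IdentitiesOnly=yes
# stops ssh-agent from offering unrelated keys before the client key.
ssh_command() {
    echo "ssh -i $1 -o IdentitiesOnly=yes -p $3 client@$2"
}

# Usage (assumed paths; the host and port come from this page):
#   install_client_key /tmp/client.pk "$HOME/.ssh/entermedia_client.pk"
#   $(ssh_command "$HOME/.ssh/entermedia_client.pk" instance.entermediadb.net 2299)
```

If install_client_key reports a wrong mode, the copy itself succeeded but something (a permissive umask, a Windows share, a clipboard-based transfer) produced a readable file; fix it with chmod 600 before connecting, or ssh will ignore the key and fall back to other authentication.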