SSH access to running containers using standalone SSH client

I would like to use VS Code remote development via SSH but cannot find a way to SSH using the standalone client. balena ssh works but I cannot see how to incorporate the container service name if I use a regular ssh client.

1 Like

Hi bowenm187,

The SSH server on a balena device listens on TCP port 22222, so you can use “plain” SSH with a command like ssh -p 22222 root@<device_ip_address>. While development images have passwordless root access enabled, production images require an SSH key to be added to the config.json file. Complete details are here: https://www.balena.io/docs/learn/manage/ssh-access/.

A couple of caveats: Generally speaking, it’s not good to edit files in a temporary container. We recommend adding a persistent volume via your docker-compose.yml or Dockerfile and modifying files there so your edits survive service and device restarts.

We’re very interested in the developer experience, and we’d love to hear how you make out. Feel free to report back and let us know.

John

Thanks for the quick response John,
Accessing the balenaos host is no problem. However I want to access a container running on this. So effectively I need the “plain” ssh version of “balena ssh mydevice.local main”

Hi @bowenm187,

For this, you need to add a second command to your SSH command that takes you inside the container, something like ssh -t -p 22222 root@device-ip "balena-engine exec -it <container_name> /bin/sh". Note that the container name is unlikely to match what you see in the balenaCloud dashboard. Log into the device HostOS and run balena ps to get the valid container name.

With all this said, this will work using plain SSH, but may not work without some tweaking of your VS Code extension settings.

John

1 Like
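
The two steps from the answer above (look up the real container name on the host OS, then exec into it) can be combined in one wrapper. This is an added example, not part of the original posts or of the balena CLI; the function names are hypothetical, and it assumes container names follow the pattern `<service>_<imageId>_<releaseId>` with an optional suffix and that `balena-engine ps` accepts Docker's `--format` flag.

```shell
#!/bin/sh
# Added example: resolve a balena service name to its container name, then
# open a shell in it through the host OS SSH server on port 22222.

# pick_container SERVICE: container names on stdin, one per line.
# Assumes names look like <service>_<imageId>_<releaseId>[_<suffix>].
pick_container() {
  awk -v svc="$1" '
    index($0, svc "_") == 1 {
      rest = substr($0, length(svc) + 2)
      # Accept only the numeric id pattern, so "main" does not match
      # "main_backup_..." and nothing unexpected reaches the remote shell.
      if ($0 ~ /^[A-Za-z0-9_.-]+$/ && rest ~ /^[0-9]+_[0-9]+(_[A-Za-z0-9]+)?$/) {
        n++; name = $0
      }
    }
    END { if (n == 1) print name; else exit 1 }'
}

# container_shell DEVICE_IP SERVICE [COMMAND]
container_shell() {
  name=$(ssh -p 22222 "root@$1" "balena-engine ps --format '{{.Names}}'" \
         | pick_container "$2") || {
    echo "no unique running container for service '$2'" >&2
    return 1
  }
  ssh -t -p 22222 "root@$1" "balena-engine exec -it $name ${3:-/bin/sh}"
}
```

Source the file and run `container_shell <device_ip_address> main`; the lookup fails closed when zero or several containers match the service name.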

Hi,

I also love the quick turn-around I get when using Visual Studio Code Remote - SSH. It is invaluable when I work with libraries accessing features of my Raspberry Pi which I cannot install and test on my local machine.

Rebuilding the image is too slow and even with livepush, I don’t get the same turnaround time.
With VS Remote SSH I can also debug directly in container which afaict has no equivalent in the Balena toolbox.

In order to use VS Remote SSH, I apply the following changes to my Dockerfile and the startup script.

Dockerfile:

RUN apt-get update \
 && apt-get install -y openssh-server \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*

RUN mkdir /var/run/sshd \
 && echo 'root:balena' | chpasswd \
 && sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config \
 && sed -i 's/UsePAM yes/UsePAM no/' /etc/ssh/sshd_config

...

COPY start.sh .
CMD ./start.sh

The above will install openssh in the container and configure it for password-based access.

My startup script looks for example like this:

start.sh:

#!/bin/bash

# Start sshd if START_SSHD env variable is set
# This allows for remote access via PyCharm and ssh
if [[ "$START_SSHD" == "1" ]]; then
  /usr/sbin/sshd -p 22 &
fi

python3 main.py

If I now set the device variable START_SSHD to 1, sshd starts on port 22 and I can connect to the container using the device local IP address and the username/password root/balena.

Note: For this to work, the service needs to share the host network.

docker-compose.yml

version: '2'
services:
  my-service:
    build: ./my-service
    network_mode: host

Obviously, this has security implications and it is not a good idea to have enabled in a production setup. For development and experiments, however, it provides so much value that I find myself adding it almost all the time.

Hope this is helpful for someone. I am also curious to hear, whether there is another way to get the same experience without installing and starting sshd on the container.

cc @mpous - wdyt?

3 Likes
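
A key-only variant of the START_SSHD startup script above, for setups where the fixed root/balena password on a host-networked service is not acceptable. This is an added example, not code from the original post: `SSH_PUBKEY` is a hypothetical device variable holding one public key line, the `--run` argument is an assumption of this sketch, and it assumes the `chpasswd` and `PermitRootLogin yes` lines are dropped from the Dockerfile.

```shell
#!/bin/sh
# Added example: key-only variant of the START_SSHD startup logic.
# SSH_PUBKEY is a hypothetical device variable holding one public key line.

# install_key HOME_DIR KEY_LINE: validate the key line, then write
# authorized_keys with the owner-only permissions sshd's StrictModes expects.
install_key() {
  nl='
'
  case "$2" in
    *"$nl"*) echo "refusing: more than one line" >&2; return 1 ;;
    ssh-ed25519\ ?*|ssh-rsa\ ?*|ecdsa-sha2-nistp???\ ?*) ;;
    *) echo "refusing: not a public key line" >&2; return 1 ;;
  esac
  mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh" || return 1
  printf '%s\n' "$2" > "$1/.ssh/authorized_keys" \
    && chmod 600 "$1/.ssh/authorized_keys"
}

# Start sshd only when START_SSHD=1 and a valid key was supplied.
start_sshd_if_enabled() {
  [ "${START_SSHD:-}" = "1" ] || return 0
  install_key /root "${SSH_PUBKEY:-}" || return 1
  mkdir -p /var/run/sshd
  # -o on the command line takes precedence over /etc/ssh/sshd_config.
  /usr/sbin/sshd -p 22 -o PasswordAuthentication=no \
    -o PermitRootLogin=prohibit-password
}

# Container entry point: only acts when invoked as "./start.sh --run".
if [ "${1:-}" = "--run" ]; then
  start_sshd_if_enabled || echo "sshd not started" >&2
  exec python3 main.py
fi
```

With this variant the Dockerfile would use `CMD ./start.sh --run`, and a missing or malformed key leaves sshd off while the application still starts.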

Thanks for the feedback @bowenm187 @hardy and for sharing your current solution. For additional visibility, I have created a feature request in the balena CLI repository as well: ssh: Should support Visual Studio Code remote development using SSH · Issue #2466 · balena-io/balena-cli · GitHub

Running an ssh server in each service container works for sure and the START_SSHD variable is handy to that end; however, ideally we would be able to use the balenaOS host OS ssh server. FYI, I think that the ssh-uuid proof of concept implementation comes very close to meeting the requirements, except that currently it uses the balenaCloud proxy backend (device UUID instead of a local IP address) and thus would be too slow for use with Visual Studio Code. I have also created a ssh-uuid issue (Should support local IP address as alternative to UUID (Visual Studio Code over SSH) · Issue #2 · pdcastro/ssh-uuid · GitHub), although ultimately the objective is to get the feature added to the balena CLI so that VS Code would be configured to use ‘balena ssh’.

1 Like

Awesome, I am looking forward to this feature landing via the Balena CLI.

I am a bit intrigued on how this is going to work, since if I understood you correctly you want this to work w/o having an actual sshd running in the service container. sshd runs on the host only and you basically ssh into the host. From there you are somehow “emulating” ssh into the service containers (docker exec like).

From the ssh-uuid issue:

  • Being named balena ssh, it suggests the provision of ssh's functionality, while being incompatible with basic ssh command line usage.

Exactly, I have been caught by this as well. Being named ‘ssh’ one expects a certain kind of functionality. Would be great to close this gap.

–Hardy