(If you want the solution, scroll down to the end.)
I recently took it upon myself to figure out a lightweight solution for a few Docker-utilizing services I manage. Upon creating a new instance in Google Cloud Platform, I noticed the support for Container-Optimized OS (which for the sake of length will be referenced as cos). It seemed pretty cool, so I spun up an instance and got to work.
One of my services needs port 22 for itself, but cos exposes its own SSH daemon on 22 by default, so sshd had to move. My first thought was that it'd be pretty easy to `sudo vi /etc/ssh/sshd_config` and add `Port 2222` to the end.
…reboot… yup, nothing.
The documentation on cos' filesystem says that /etc is stateless: it is backed by the read-only image with a non-persistent writable layer mounted over it (which is also where the SSH host keys end up), so anything written there, my sshd_config edit included, is gone after a reboot.
Secondly, we'd need an iptables rule to allow our custom SSH port, 2222, since per the firewall documentation the host firewall only exposes 22 by default. The same documentation recommends adding such rules from something that runs at boot. Note that this host firewall is separate from the GCP VPC firewall: the network's own rules must allow tcp:2222 too, because the default network only opens tcp:22 for SSH.
My solution was to use cloud-config to, at boot, allow our custom port, stop the default ssh daemon and start our own sshd service on the custom port.

```yaml
#cloud-config
write_files:
  - path: /etc/systemd/system/sshd-correct.service
    permissions: "0644"
    owner: root
    content: |
      [Unit]
      Description=OpenSSH server daemon except custom port from Google
      After=syslog.target sshd.service network.target auditd.service

      [Service]
      # /etc is stateless, so make sure host keys exist before sshd starts
      ExecStartPre=/usr/bin/ssh-keygen -A
      ExecStart=/usr/sbin/sshd -D -e -p 2222
      ExecReload=/bin/kill -HUP $MAINPID

      [Install]
      WantedBy=multi-user.target

runcmd:
  - systemctl daemon-reload
  - systemctl stop sshd.service
  - systemctl start sshd-correct.service

bootcmd:
  # the host firewall only allows 22 by default; open the new port
  - iptables -w -A INPUT -p tcp --dport 2222 -j ACCEPT
```
In your VM instance's details, hit Edit and go to Custom metadata. Add a key named `user-data` and paste the above as its value.
A restart away, and tada: custom port!
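The cloud-config above is hard-wired to 2222. The script below is an added example, not code from the original post: it renders the same cloud-config for any port, refuses ports that cannot work (non-numeric, out of range, or 22 itself, which the stock cos sshd already owns), and checks the rendered text for the pieces the procedure depends on before you paste it into metadata. The unit name sshd-custom-port.service and the function names are my own choices.

```sh
#!/bin/sh
# Added example (not code from the original post): render the cloud-config
# for an arbitrary SSH port and sanity-check the result before pasting it
# into the instance's user-data metadata. The unit name
# sshd-custom-port.service and the function names are my own choices.
set -eu

# is_valid_port PORT: digits only, 1..65535, and not 22, which the stock
# cos sshd already owns (moving off it is the whole point).
is_valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ] || [ "$1" -eq 22 ]; then
    return 1
  fi
  return 0
}

# render_cloud_config PORT: print a cloud-config that opens PORT in the host
# firewall, stops the stock sshd and starts a second sshd listening on PORT.
render_cloud_config() {
  port="$1"
  if ! is_valid_port "$port"; then
    echo "render_cloud_config: refusing port '$port'" >&2
    return 1
  fi
  cat <<EOF
#cloud-config
write_files:
  - path: /etc/systemd/system/sshd-custom-port.service
    permissions: "0644"
    owner: root
    content: |
      [Unit]
      Description=OpenSSH server daemon on port ${port}
      After=network.target auditd.service sshd.service

      [Service]
      # /etc is stateless on cos, so (re)generate missing host keys first
      ExecStartPre=/usr/bin/ssh-keygen -A
      ExecStart=/usr/sbin/sshd -D -e -p ${port}
      ExecReload=/bin/kill -HUP \$MAINPID

      [Install]
      WantedBy=multi-user.target

runcmd:
  - systemctl daemon-reload
  - systemctl stop sshd.service
  - systemctl start sshd-custom-port.service

bootcmd:
  # -w waits for the xtables lock instead of failing if another process holds it
  - iptables -w -A INPUT -p tcp --dport ${port} -j ACCEPT
EOF
}

# check_cloud_config TEXT PORT: succeed only if TEXT carries every piece the
# procedure depends on; print the first missing piece to stderr otherwise.
check_cloud_config() {
  cfg="$1"
  port="$2"
  printf '%s\n' "$cfg" | head -n 1 | grep -qx '#cloud-config' \
    || { echo "missing #cloud-config header" >&2; return 1; }
  printf '%s\n' "$cfg" | grep -q -- "--dport ${port} -j ACCEPT" \
    || { echo "no host-firewall rule for ${port}" >&2; return 1; }
  printf '%s\n' "$cfg" | grep -q -- "/usr/sbin/sshd -D -e -p ${port}\$" \
    || { echo "sshd is not started on ${port}" >&2; return 1; }
  printf '%s\n' "$cfg" | grep -q 'systemctl stop sshd.service' \
    || { echo "stock sshd is never stopped" >&2; return 1; }
  return 0
}

# Render, check, and emit the config for the port given as the first
# argument (2222 when run without one).
main() {
  port="${1:-2222}"
  cfg=$(render_cloud_config "$port")
  check_cloud_config "$cfg" "$port"
  printf '%s\n' "$cfg"
}

main "$@"
```

Run it as `sh render-cloud-config.sh 2222 > user-data.yaml`, then either paste the file's contents into Custom metadata under the key `user-data` or push it with `gcloud compute instances add-metadata INSTANCE --metadata-from-file user-data=user-data.yaml`. Open the port on the VPC side as well (for example `gcloud compute firewall-rules create allow-ssh-2222 --allow tcp:2222 --source-ranges YOUR_IP/32`), since the iptables rule in the config only covers the host firewall. After the restart, confirm the move from the machine with `sudo ss -tlnp | grep sshd` (only the new port should be listed) and from outside with `gcloud compute ssh INSTANCE --ssh-flag="-p 2222"`.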