(If you want the solution, scroll down to the end.)

I recently took it upon myself to figure out a lightweight solution for a few Docker-utilizing services I manage. Upon creating a new instance in Google Cloud Platform, I noticed the support for Container-Optimized OS (which for the sake of length will be referenced as cos). It seemed pretty cool, so I spun up an instance and got to work.

One of my services requires the default SSH (22) port to be open, whereas cos default exposes its SSH on 22. My first thought was that it’d be pretty easy to sudo vi /etc/ssh/sshd_config and add Port 2222 to the end.

…reboot… yup, nothing.

The documentation on cos’ filesystem says that /etc is stateless. Basically, it’s mounted from a read-only image and then binded over with keys. My changes wouldn’t be kept.

Secondly, we’d have to create iptables rule to allow our custom SSH port, 2222, seeing as per the firewall documentation only 22 is exposed by default. The same documentation recommends to have a service at boot.

My solution was to use cloud-config to, at boot, allow our custom port, unload the default ssh daemon and create our own service with the custom port.


- path: /etc/systemd/system/sshd-correct.service
  permissions: 0644
  owner: root
  content: |
    Description=OpenSSH server daemon except unfucked from Google
    After=syslog.target sshd.service network.target auditd.service

    ExecStartPre=/usr/bin/ssh-keygen -A
    ExecStart=/usr/sbin/sshd -D -e -p 2222
    ExecReload=/bin/kill -HUP $MAINPID


- systemctl daemon-reload
- systemctl stop sshd.service
- systemctl start sshd-correct.service

- iptables -w -A INPUT -p tcp --dport 2222 -j ACCEPT

In your VM Instance’s details, hit edit and go to Custom metadata. From there, you can copy and paste the above. A restart away, and tada: custom port!

Metadata edit screenshot