(If you want the solution, scroll down to the end.)

I recently took it upon myself to figure out a lightweight solution for a few Docker-utilizing services I manage. Upon creating a new instance in Google Cloud Platform, I noticed the support for Container-Optimized OS (which for the sake of length will be referenced as cos). It seemed pretty cool, so I spun up an instance and got to work.

One of my services requires the default SSH (22) port to be open, whereas cos default exposes its SSH on 22. My first thought was that it'd be pretty easy to sudo vi /etc/ssh/sshd_config and add Port 2222 to the end.

...reboot... yup, nothing.

The documentation on cos' filesystem says that /etc is stateless. Basically, it's mounted from a read-only image and then binded over with keys. My changes wouldn't be kept.

Secondly, we'd have to create an iptables rule to allow our custom SSH port, 2222, seeing as per the firewall documentation only 22 is exposed by default. The same documentation recommends to have a service at boot.

My solution was to use cloud-config to on boot allow our custom port, unload the default ssh daemon and create our own service with the custom port.

#cloud-config

write_files:
- path: /etc/systemd/system/sshd-correct.service
  permissions: 0644
  owner: root
  content: |
    [Unit]
    Description=OpenSSH server daemon except custom port from Google
    After=syslog.target sshd.service network.target auditd.service

    [Service]
    ExecStartPre=/usr/bin/ssh-keygen -A
    ExecStart=/usr/sbin/sshd -D -e -p 2222
    ExecReload=/bin/kill -HUP $MAINPID

    [Install]
    WantedBy=multi-user.target

runcmd:
- systemctl daemon-reload
- systemctl stop sshd.service
- systemctl start sshd-correct.service

bootcmd:
- iptables -w -A INPUT -p tcp --dport 2222 -j ACCEPT

In your VM Instance's details, hit edit and go to Custom metadata. From there, you can copy and paste the above. Use the key name meta-data. A restart away, and tada: custom port!