Add "Bind IP Addresses" option to SSH Service

Problem/Justification

SSH Service (sshd) can currently only be configured to bind to specific interfaces.

This means that the sshd instance will bind to all IP Aliases/Addresses configured on that interface.

Thus there is no way to vacate port 22 on an IP Alias, which means the IP Alias can not be used for binding port 22 in an app or docker-compose.

These are the current advanced settings for the SSH service

This is the bind IP address UI from SMB service

This is what needs to be added to SSH so that apps and docker containers can bind 22 on unused IP aliases.

sshd_config can be configured to bind to a specific IP like so:

Port 22
AddressFamily any
ListenAddress 192.168.0.34
ListenAddress ::

Which then allows the other IP to be utilized.

Which would then mean that docker-compose could be used to bind port 22 to a specific IP.

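Added example, not part of the original post or of TrueNAS: a Python check that reads an sshd_config and reports whether a given IP and port is already claimed by sshd, which is the condition that decides whether a docker-compose `ports:` entry on that IP can bind. The function names are assumptions, the sample config is the one quoted in the post, and hostnames in `ListenAddress` are not handled.

```python
import ipaddress

# Constructed sample: the sshd_config lines quoted in the post above.
SAMPLE_SSHD_CONFIG = """\
Port 22
AddressFamily any
ListenAddress 192.168.0.34
ListenAddress ::
"""

def _split_listen(value):
    """Split a ListenAddress value into (ip, port or None)."""
    if value.startswith("["):                      # [addr]:port or [addr]
        host, _, rest = value[1:].partition("]")
        return ipaddress.ip_address(host), int(rest[1:]) if rest else None
    if value.count(":") == 1:                      # IPv4:port
        host, port = value.split(":")
        return ipaddress.ip_address(host), int(port)
    return ipaddress.ip_address(value), None       # bare IPv4 or IPv6

def sshd_listeners(config_text):
    """Return the set of (ip, port) sockets this sshd_config asks for."""
    ports, listens, family = [], [], "any"
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue                               # blank, comment or bare keyword
        key, value = parts[0].lower(), parts[1].split()[0]
        if key == "port":
            ports.append(int(value))
        elif key == "addressfamily":
            family = value.lower()
        elif key == "listenaddress":
            listens.append(_split_listen(value))
    ports = ports or [22]                          # sshd default port
    if not listens:                                # sshd default: all local addresses
        listens = [(ipaddress.ip_address(a), None) for a in ("0.0.0.0", "::")]
    wanted = {"inet": {4}, "inet6": {6}}.get(family, {4, 6})
    # A ListenAddress without a port is bound on every Port directive.
    return {(ip, p) for ip, port in listens if ip.version in wanted
            for p in ([port] if port else ports)}

def port_taken_by_sshd(config_text, ip, port):
    """True if binding ip:port would clash with a socket sshd requests."""
    want = ipaddress.ip_address(ip)
    # sshd sets IPV6_V6ONLY, so "::" does not cover IPv4: compare per family.
    return any(p == port and l.version == want.version and
               (l == want or l.is_unspecified or want.is_unspecified)
               for l, p in sshd_listeners(config_text))
```

This only reflects what sshd_config requests; `ss -ltn` on the host shows what is actually bound.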

@Stux can you share a bit more on your network config?
It's typically a bad practice for the TrueNAS to have multiple IPs in the same broadcast domain anyway.

Electric Eel has native docker support.

If one wishes to bind port 22 in a docker container to a host IP alias, one needs to disable ssh on that IP alias.

For example, a local gitlab implementation

services:
  web:
    image: gitlab/gitlab-ce:16.11.6-ce.0
    logging:
      options:
        max-size: "1g"
        max-file: "3"
    restart: always
    stop_grace_period: 5m
    ports:
      # bind to specific IP or all IPs... which will most likely fail since SSH already exists.
      - '${GITLAB_IP:-0.0.0.0}:80:80'
      - '${GITLAB_IP:-0.0.0.0}:443:443'
      - '${GITLAB_IP:-0.0.0.0}:22:22'

An alternative is to use macvlan/ipvlan networking, but that will force you to burn an IP address per container, and requires a host to container route to be created if you desire host<->container networking.

The feature request is related to this: