
[Docs] Simpler option for docker ssh config (no passthrough) #25479

Open
lonix1 opened this issue Jun 24, 2023 · 8 comments
Labels
type/docs This PR mainly updates/creates documentation type/feature Completely new functionality. Can only be merged if feature freeze is not active. type/proposal The new feature has not been accepted yet but needs to be discussed first.

Comments

@lonix1
Contributor

lonix1 commented Jun 24, 2023

Feature Description

There are many issues with the ssh passthrough/tunnelling approach and docs. I decided to follow the advice of @wxiaoguang to try something simpler: opening another port for gitea's ssh server so tunnelling is unnecessary.

But that approach is not documented at all. I've spent just as long on this problem as on passthrough. I am fairly good at linux and ssh (and comfortable with gitea settings too), so the problem is not me - there are very complex settings for this, and there seem to be some weird corner cases (maybe bugs too), so the average user will struggle.

PLEASE, document this approach, and promote it as the default instead of ssh tunnelling/passthrough. At the very least, can someone post a link to a working example, to save others (and me!) from wasting time on this.

I suggest a good place for this is another section in the "Installation with Docker" page, before the ssh passthrough section.

Screenshots

No response

@lonix1 lonix1 added type/feature Completely new functionality. Can only be merged if feature freeze is not active. type/proposal The new feature has not been accepted yet but needs to be discussed first. labels Jun 24, 2023
@wxiaoguang wxiaoguang added this to the 1.21.0 milestone Jun 24, 2023
@lonix1 lonix1 changed the title [Docs] Simpler option for ssh config (no passthrough) [Docs] Simpler option for docker ssh config (no passthrough) Jun 24, 2023
@wxiaoguang wxiaoguang added the type/docs This PR mainly updates/creates documentation label Jun 24, 2023
@krokosik

Could you share this approach?

@lonix1
Contributor Author

lonix1 commented Sep 14, 2023

It was a while ago so I don't remember how I did it. But I suppose you'll need to open another port on your server (allow it through your firewall) and update gitea's config file accordingly. I recall there was more to it than that though - it unfortunately wasn't documented properly.
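
The dedicated-port setup discussed in this thread, as an added example that is not taken from the thread, the linked gist or the Gitea docs: a Compose file that publishes the container's SSH server on its own host port and makes Gitea advertise that port. The host port 2222, the hostname git.example.com, the bind address 192.0.2.10 and the ./gitea data path are assumptions.

```yaml
# Added example: Gitea in Docker with SSH on its own host port (no passthrough).
# Assumed values: host port 2222, hostname git.example.com, data dir ./gitea.
services:
  gitea:
    image: gitea/gitea:latest        # pin a release tag in real deployments
    container_name: gitea
    restart: unless-stopped
    environment:
      - USER_UID=1000
      - USER_GID=1000
      # GITEA__section__KEY variables are written into app.ini at start.
      # SSH_DOMAIN and SSH_PORT in [server] only control the clone URL that
      # Gitea displays, e.g. ssh://git@git.example.com:2222/owner/repo.git
      - GITEA__server__SSH_DOMAIN=git.example.com
      - GITEA__server__SSH_PORT=2222
    volumes:
      - ./gitea:/data
    ports:
      - "3000:3000"                  # web UI
      # host 2222 -> container 22; the host's own sshd keeps port 22.
      # The host side must equal SSH_PORT above, otherwise the clone URLs
      # shown in the UI point at a port nothing listens on.
      - "2222:22"
      # Docker publishes ports through its own iptables rules, so on a host
      # managed with ufw this port can be reachable without a ufw allow rule.
      # To limit exposure, bind to one address instead (address constructed):
      # - "192.0.2.10:2222:22"
```

After `docker compose up -d`, a connection with `ssh -p 2222 git@git.example.com` should be answered by the SSH server inside the container rather than by the host's sshd.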

@lunny lunny modified the milestones: 1.21.0, 1.22.0 Sep 21, 2023
@bst27

bst27 commented Nov 19, 2023

@wkrasnicki I created an example over there: https://gist.github.com/bst27/1b5d43317e50183320e0e094d1e4f7fc

@techknowlogick
Member

Closing as the docs do have exposing a port for ssh as the first example.

@lonix1
Contributor Author

lonix1 commented Nov 20, 2023

@techknowlogick @wxiaoguang With respect, this shouldn't be closed. This was a very complex and painful issue.

The problem is the docs promote passthrough and most users will try it and fail miserably, not just because it's hard, but as I recall, because the docs are wrong and because of this issue.

The docs should state that passthrough is an option, but highly recommend not to use it (and use a normal port). And, that should be done only once someone can confirm that passthrough actually works - because it does not.

@florianbeisel

Adding my two cents here:

Passthrough is indeed a viable option which I use in a rootless docker environment. But the documentation is lacking. I will try to document my steps today(ish) and try to document a working setup.

@bst27

bst27 commented Jan 5, 2024

> Adding my two cents here:
>
> Passthrough is indeed a viable option which I use in a rootless docker environment. But the documentation is lacking. I will try to document my steps today(ish) and try to document a working setup.

Maybe you want to have a look at my example setup I shared above:

https://gist.github.com/bst27/1b5d43317e50183320e0e094d1e4f7fc

@florianbeisel

> Maybe you want to have a look at my example setup I shared above:
>
> https://gist.github.com/bst27/1b5d43317e50183320e0e094d1e4f7fc

Sorry for the misunderstanding. I wanted really badly to keep port 22. I already have a working setup with rootless docker and SSH passthrough. I just need to retrace my steps what I did exactly and document it.

In short what I did:

  • add the GID that is associated with docker.sock to the system groups so we can reference it
  • add the git user to said group (in my case it's called rootless-docker)
  • use a systemd service to fix the permissions on /run/user/UID
  • create the wrapper script for the git user's shell
  • create another wrapper for use with AuthorizedKeysCommand so that we can supply the path to the docker.sock

This is just from the top of my head, so caveat emptor.

@lunny lunny modified the milestones: 1.22.0, 1.23.0 Mar 4, 2024
@lunny lunny removed this from the 1.23.0 milestone Aug 20, 2024