
I'm attempting to mount a single file in an azure container instance, in this case the ssh host key file as described in this docker image: https://github.com/atmoz/sftp

However from my experiments Azure Container Instances via ARM / Azure CLI seem to only support mounting folders.

If I attempt to mount as a file I suspect it's actually mounting as a folder, as the built-in bash appears to miss the fact that it already exists, and then errors when it tries to write to it.

Are there any undocumented features to mount individual files? I'm hoping not to need to resort to customising the docker image, as it would defeat my objective of using a ready-made image. :-(

Alex KeySmith
    I don't believe we support mounting a single file. Only a file share... That being said, you could reach out here to confirm with the ACI team directly https://github.com/MicrosoftFeedback/aci-issues/issues – micahmckittrick Apr 11 '19 at 21:13
  • Thanks @Micah_MSFT I've added a piece of feedback: https://github.com/MicrosoftFeedback/aci-issues/issues/30 – Alex KeySmith Apr 12 '19 at 08:44

2 Answers


You can mount files using Key Vault. If you are deploying your ACI container group using an ARM template, you can integrate it with an instance of Azure Key Vault. It is possible to mount a key vault "secret" as a single file within a directory of your choosing. Refer to the ACI ARM template reference for more details.

  • That's a nice approach thanks! I'm not in the same role now to try this out, but it sounds promising enough for me to mark this as the answer. – Alex KeySmith Sep 07 '20 at 15:59

You can do it via Azure Container Instance secrets.
Either with the Azure CLI:

az container create \
    --resource-group myResourceGroup \
    --name secret-volume-demo \
    --image mcr.microsoft.com/azuredocs/aci-helloworld \
    --secrets id_rsa.pub="<file-content>" \
    --secrets-mount-path /home/foo/.ssh/keys

or with terraform:

resource "azurerm_container_group" "aci_container" {
    name                = ""
    resource_group_name = ""
    location            = ""
    ip_address_type     = "public"
    dns_name_label      = "dns_endpoint"
    os_type             = "Linux"

    container {
        name   = "sftp"
        image  = "docker.io/atmoz/sftp:alpine-3.7"
        cpu    = "1"
        memory = "0.5"

        ports {
            port     = 22
            protocol = "TCP"
        }

        // Keep only one of the two volume blocks below: they are alternatives
        // and share the same name and mount path.

        // option 1: mount key as Azure Container Instances secret volume
        // (values in the secret map must be base64-encoded)
        volume {
            name       = "user-pub-key"
            mount_path = "/home/foo/.ssh/keys"
            secret = {
                "id_rsa.pub" = base64encode("<public-key-content>")
            }
        }

        // option 2: mount ssh public key as Azure File share volume
        // Note: This option will work for user keys to auth, but not for the host keys
        // since atmoz/sftp logic is to change files permission,
        // but Azure File share does not support this POSIX feature
        volume {
            name                 = "user-pub-key"
            mount_path           = "/home/foo/.ssh/keys"
            read_only            = true
            share_name           = "share-name"
            storage_account_name = "storage-account-name"
            storage_account_key  = "storage-account-key"
        }
    }
}

In both cases, you will have a file /home/foo/.ssh/keys/id_rsa.pub with the given content.

Dmytro Kutetskyi
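The script below is an added example, not code from the question or from either answer, and it ties the two answers together for the host-key case the question asks about: it checks the private key file before it leaves the workstation, produces the base64 value that Terraform's `secret` map and an ARM template expect, renders the ARM `volumes` entry both with an inline value and with a parameter whose value the parameters file pulls from Key Vault at deploy time, and issues the same `az container create` call the CLI answer shows. The key path `./ssh_host_ed25519_key`, the volume name `hostkey`, the mount path `/etc/ssh/keys`, the resource group `myResourceGroup`, the container name `sftp-demo` and the Key Vault ids are assumptions; the `<sub>`, `<rg>` and `<vault>` values are placeholders.

```shell
#!/bin/sh
# Added example, not code from the question or the answers: stage an SSH host
# key for an Azure Container Instances secret volume and emit the value in the
# three forms it takes (az CLI raw content, Terraform/ARM base64, ARM + Key Vault).
# Assumed names: ./ssh_host_ed25519_key, volume "hostkey", mount /etc/ssh/keys,
# resource group myResourceGroup, container sftp-demo.
set -eu

# Check a private key file before it leaves the workstation: it must be a
# regular file, readable only by its owner, and start with a PRIVATE KEY header.
check_private_key_file() {
    f="$1"
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback; both print the octal mode
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "mode $mode on $f is too open (want 600 or 400)" >&2; return 1 ;;
    esac
    head -n 1 "$f" | grep -q -- '-----BEGIN .*PRIVATE KEY-----' \
        || { echo "$f does not look like a private key" >&2; return 1; }
}

# Terraform's secret map and the ARM template want base64 without line
# wrapping; tr strips the newlines that GNU and BSD base64 insert differently.
encode_secret_file() {
    base64 < "$1" | tr -d '\n'
}

# One entry for the ARM template's "volumes" array: $1 volume name, $2 file name
# inside the mount (a secret volume is a directory with one file per key), $3 the
# base64 content or an ARM expression such as [parameters('hostKeyB64')].
render_secret_volume_json() {
    printf '{"name":"%s","secret":{"%s":"%s"}}\n' "$1" "$2" "$3"
}

# ARM parameters-file entry that resolves the value from Key Vault at deploy
# time, so the key sits in neither the template nor source control:
# $1 parameter name, $2 Key Vault resource id, $3 secret name.
render_keyvault_parameter_json() {
    printf '{"%s":{"reference":{"keyVault":{"id":"%s"},"secretName":"%s"}}}\n' \
        "$1" "$2" "$3"
}

main() {
    key="$1"
    check_private_key_file "$key"
    b64=$(encode_secret_file "$key")

    echo "ARM volume entry, inline base64 value:"
    render_secret_volume_json hostkey ssh_host_ed25519_key "$b64"
    echo "ARM volume entry with the value taken from a parameter, plus the"
    echo "parameters-file entry that fills it from Key Vault (placeholder ids):"
    render_secret_volume_json hostkey ssh_host_ed25519_key "[parameters('hostKeyB64')]"
    render_keyvault_parameter_json hostKeyB64 \
        "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault>" \
        sftp-host-key

    # The CLI takes the raw content and base64-encodes it itself. Mount at a
    # dedicated directory: a secret volume mounted at /etc/ssh would hide the
    # image's own sshd_config.
    if command -v az >/dev/null 2>&1; then
        az container create \
            --resource-group myResourceGroup \
            --name sftp-demo \
            --image docker.io/atmoz/sftp:alpine-3.7 \
            --secrets "ssh_host_ed25519_key=$(cat "$key")" \
            --secrets-mount-path /etc/ssh/keys
    else
        echo "az CLI not found; skipping deployment" >&2
    fi
}

if [ $# -gt 0 ]; then
    main "$@"
else
    echo "usage: $0 <private-key-file>" >&2
fi
```

Run it as `sh aci-secret-volume.sh ./ssh_host_ed25519_key`. Whichever form you use, the secret lands as a file named after the map key inside the mount directory, never as a file at the mount path itself, so the mount path has to be a directory the image does not already populate; that is the same reason the original question's attempt to mount a single file behaved like a folder.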