@scollier
Last active August 29, 2015 13:57
If you choose to use a password, this is adapted from the start.sh at: https://github.com/jbfink/docker-wordpress/blob/master/start.sh
# let's create a user to ssh into
SSH_USERPASS=$(pwgen -c -n -1 8)      # 8-char random password; pwgen has to be installed in the image
mkdir /home/user
useradd -G sudo -d /home/user user    # "sudo" is the Debian/Ubuntu group; on Fedora/CentOS the equivalent is wheel
chown user /home/user
echo user:$SSH_USERPASS | chpasswd
echo ssh user password: $SSH_USERPASS # this goes to the container log (docker logs), readable by anyone with host access
As part of that, you could also go ahead and add the user to the wheel group for sudo.
Then for port (pick your port):
sudo sed -i 's/#Port 22/Port 900/g' /etc/ssh/sshd_config   # only matches the commented-out default; verify with grep '^Port' /etc/ssh/sshd_config
This could also be left at the default, and just change the mapping with the docker run: docker run -p $NEW_PORT:22 (host port first, then the container port)
Disable root login
sudo sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
OR disable password auth
sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config   # if the line is commented out (#PasswordAuthentication yes) this leaves it commented; check the effective value with sshd -T | grep passwordauthentication
You could then just copy your pubkey over with the ADD in the Dockerfile.
So the flow would be: pick what you want from the above, put it in a small start_ssh.sh script, ADD it in the Dockerfile, RUN chmod on it, and then RUN the script.
You mentioned the security of the host; who knows how secure the host will be? Not that this is total security either...
Then the only thing left would be moving the zone files and config files to an external volume, which would require changing the startup script to point to the new location of named.conf. An example run:
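Here is what that start_ssh.sh could look like, as an added example rather than the gist's own script: it takes the key-based branch (no pwgen password in the log), and does the sshd_config edits through a function that works whether the directive is commented out or not, so the result can be checked on a copy of the file. START_SSH, SSH_PORT and the /tmp/id_rsa.pub path are assumptions for the entrypoint step.

```shell
#!/bin/sh
# start_ssh.sh: added example, not the gist's own script. Applies the changes
# above to the sshd_config passed as $1, so the edits can be checked on a copy
# before the container applies them to /etc/ssh/sshd_config.
set -e

# set_sshd_option FILE KEY VALUE
# Rewrites the directive whether it is commented out or live, and appends it
# when the file has no such line. The gist's sed only matches the commented
# default ("#Port 22"), so on a config that already sets the key it silently
# changes nothing.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -q -E "^#?[[:space:]]*$key[[:space:]]" "$file"; then
        sed -i -E "s|^#?[[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE PORT: the three sshd changes from the note.
harden_sshd_config() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
}

# get_sshd_option FILE KEY: effective (uncommented) value, for checking.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# create_ssh_user NAME PUBKEY: key-only login instead of the pwgen password,
# which otherwise ends up in `docker logs`. Needs root; PUBKEY is the file
# the Dockerfile ADD copied in.
create_ssh_user() {
    name=$1; pubkey=$2
    useradd -m -G wheel "$name"   # wheel (Fedora/CentOS) or sudo (Debian/Ubuntu)
    install -d -m 700 -o "$name" -g "$name" "/home/$name/.ssh"
    install -m 600 -o "$name" -g "$name" "$pubkey" "/home/$name/.ssh/authorized_keys"
}

# Container entrypoint path, taken only when START_SSH=1 (assumed variable).
if [ "${START_SSH:-0}" = 1 ]; then
    harden_sshd_config /etc/ssh/sshd_config "${SSH_PORT:-900}"
    create_ssh_user user /tmp/id_rsa.pub
    exec /usr/sbin/sshd -D
fi
```

Running it as `START_SSH=1 ./start_ssh.sh` from the Dockerfile CMD does the user setup and then execs sshd; without that variable it only defines the functions, so you can source it and test harden_sshd_config on a copied sshd_config first.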
docker run -p 53:53 -p $SSH_PORT:$SSH_PORT -h DNS1 -v /mnt/docker/config/dns:/mnt/dns/ -d dns/server1
Again, this is not a blocker, just want to get your thoughts and see if it's worth it.