Add option to disable bundled sshd service in Docker init-container script

Description:

Currently, the official GitLab Omnibus Docker image (init-container script) unconditionally configures and enables the bundled sshd service:

# sshd loads the keys from /etc/gitlab, but the GitLab backend looks for keys
# from within /etc/ssh
ln -fs /etc/gitlab/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key
ln -fs /etc/gitlab/ssh_host_rsa_key.pub /etc/ssh/ssh_host_rsa_key.pub

if [[ ! -f /etc/gitlab/ssh_host_ecdsa_key ]]; then
    echo "Generating ssh_host_ecdsa_key..."
    ssh-keygen -f /etc/gitlab/ssh_host_ecdsa_key -N '' -t ecdsa
    chmod 0600 /etc/gitlab/ssh_host_ecdsa_key
fi
ln -fs /etc/gitlab/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key
ln -fs /etc/gitlab/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub

if [[ ! -f /etc/gitlab/ssh_host_ed25519_key ]]; then
    echo "Generating ssh_host_ed25519_key..."
    ssh-keygen -f /etc/gitlab/ssh_host_ed25519_key -N '' -t ed25519
    chmod 0600 /etc/gitlab/ssh_host_ed25519_key
fi
ln -fs /etc/gitlab/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key
ln -fs /etc/gitlab/ssh_host_ed25519_key.pub /etc/ssh/ssh_host_ed25519_key.pub

# Remove all services, the reconfigure will create them
echo "Preparing services..."
rm -f /opt/gitlab/service/*
ln -s /opt/gitlab/sv/sshd /opt/gitlab/service
ln -sf /opt/gitlab/embedded/bin/sv /opt/gitlab/init/sshd
mkdir -p /var/run/sshd
mkdir -p /var/log/gitlab/sshd
mkdir -p /var/log/gitlab/reconfigure

This logic always generates the SSH host keys, creates the /etc/ssh symlinks, and registers the sshd service, whether or not the bundled daemon is needed.

With the introduction of the new gitlab-sshd service, there are scenarios where users may want to disable the bundled OpenSSH daemon entirely and only run gitlab-sshd.

Problem:

  • No way to skip sshd initialization in the container.
  • Wasted resources and potential conflicts when using gitlab-sshd instead of the legacy OpenSSH-based sshd.

Proposed solution:

Introduce an environment variable in the Docker image (e.g. DISABLE_SSHD=true or ENABLE_SSHD=false) that makes the init script skip:

  1. Host key generation
  2. /etc/ssh symlinks pointing at the keys in /etc/gitlab
  3. Service symlink creation for /opt/gitlab/sv/sshd

Example logic change in init-container:

if [[ "${ENABLE_SSHD}" != "false" ]]; then
    # existing sshd setup code here
fi
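A fuller form of that gate, as an added example rather than code from the GitLab wrapper script: the bundled-sshd setup from the description is wrapped in a function that returns early when ENABLE_SSHD is false, so no host keys, /etc/ssh links or service symlink are created, and the default stays enabled. The ROOT prefix argument (for running it outside the image) and the generation of the RSA key when missing are assumptions; the excerpt above only links the RSA key.

```shell
#!/bin/sh
# Added example, not GitLab's own code: bundled sshd setup gated on ENABLE_SSHD.
# ROOT is an assumed path prefix so the function can run outside the image;
# in the container it would be "" (the real /etc/gitlab, /etc/ssh, /opt/gitlab).

sshd_enabled() {
    # Default remains enabled for backwards compatibility; only an explicit
    # false/no/0 (any case) disables the bundled OpenSSH daemon.
    case "$(printf '%s' "${ENABLE_SSHD:-true}" | tr '[:upper:]' '[:lower:]')" in
        false|no|0) return 1 ;;
        *)          return 0 ;;
    esac
}

ensure_host_key() {
    # $1 = key type, $2 = private key path under /etc/gitlab.
    # Generate only when missing (idempotent across restarts), then link the
    # pair into /etc/ssh where the GitLab backend looks for it.
    type="$1"; key="$2"; name="$(basename "$key")"
    if [ ! -f "$key" ]; then
        echo "Generating ${name}..."
        ssh-keygen -f "$key" -N '' -t "$type"
        chmod 0600 "$key"
    fi
    ln -fs "$key"     "${ROOT}/etc/ssh/${name}"
    ln -fs "$key.pub" "${ROOT}/etc/ssh/${name}.pub"
}

setup_sshd() {
    ROOT="${1:-}"
    if ! sshd_enabled; then
        # Nothing is generated, linked or registered: gitlab-sshd is expected
        # to be the only SSH listener in this configuration.
        echo "ENABLE_SSHD=${ENABLE_SSHD}: skipping bundled sshd setup"
        return 0
    fi
    mkdir -p "${ROOT}/etc/gitlab" "${ROOT}/etc/ssh"
    # RSA generation is assumed here; the excerpt in the description only links it.
    ensure_host_key rsa     "${ROOT}/etc/gitlab/ssh_host_rsa_key"
    ensure_host_key ecdsa   "${ROOT}/etc/gitlab/ssh_host_ecdsa_key"
    ensure_host_key ed25519 "${ROOT}/etc/gitlab/ssh_host_ed25519_key"
    # Register the runit service and its control link, plus runtime dirs.
    mkdir -p "${ROOT}/opt/gitlab/service" "${ROOT}/opt/gitlab/init" \
             "${ROOT}/var/run/sshd" "${ROOT}/var/log/gitlab/sshd"
    ln -sf "${ROOT}/opt/gitlab/sv/sshd"         "${ROOT}/opt/gitlab/service/sshd"
    ln -sf "${ROOT}/opt/gitlab/embedded/bin/sv" "${ROOT}/opt/gitlab/init/sshd"
}
```

In the container the call would simply be `setup_sshd` with no argument, placed where the existing sshd block sits today.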

Benefits:

  • Allows users to switch fully to gitlab-sshd without extra patching.
  • Keeps current default behavior for backwards compatibility.
  • Reduces the attack surface when the bundled OpenSSH sshd is not needed.

Edited by Michael Kazakov