dstack0.20.14 (0.20.16 for user-managed SSH public keys support) or newer- A host with access to the
dstackserver and fleets instances (HTTP and SSH egress traffic, respectively), which is accessible todstackusers (ingress SSH traffic)
There are pre-built x86-64 Linux binaries on the GitHub Releases page and Docker images on the Docker Hub.
If you prefer to build from source, see scripts/build.sh for a build command.
dstack-sshproxy is configured via command-line arguments and/or environment variables. Command-line arguments have higher priority than environment variables.
See dstack-proxy --help for a list of configuration settings and corresponding variables.
There are two mandatory settings:
-
Host private keys
Used for SSH server host authentication as described in RFC 4251 Section 4.1.
- CLI:
--host-key PATH– a path to a private key file. May be used multiple times. Each file may contain multiple concatenated keys:cat ssh_host_*_key > ssh_host_keys - environment variable:
DSTACK_SSHPROXY_HOST_KEYS– concatenated key files contents
Keys must be in the OpenSSH format. For convenience, there is
scripts/generate-host-keys.shscript which generates host keys of all default key types (rsa, ecdsa, and ed25519) usingssh-keygen -Aand prints their contents to stdout. - CLI:
-
dstackserver API tokenUsed to authenticate
dstack-sshproxyAPI calls todstackserver- CLI:
--api-token TOKEN - environment variable:
DSTACK_SSHPROXY_API_TOKEN
The
dstackserver URL is configured via--api-url/DSTACK_SSHPROXY_API_URL(defaults tohttp://localhost:3000, the default address of a locally running server if it's started with thedstack servercommand). - CLI:
To enable dstack-sshproxy integration on the dstack server side, see Server deployment guide in the dstack docs.
Before upgrading, check both dstack and dstack-sshproxy releases pages for any dstack↔dstack-sshproxy compatibility notes.
dstack-sshproxy – given there is no breaking changes in the dstack server integration – supports rolling upgrade. Be aware that dstack-sshproxy does not currently support graceful connection termination, that is, on a shutdown request (SIGTERM/SIGINIT signal) it closes all downstream and upstream TCP connections immediately, interrupting active SSH sessions, but it's still possible to implement a graceful shutdown with an external load balancer (i.e., the deployment strategy would be to stop forwarding new connections to the old replica, drain it – wait for active connections to terminate, interrupt still active connections after a reasonable timeout, and only then stop the replica).