Support for SSH connection

[matejvasek]

Summary

This allows for connection via SSH by setting DOCKER_HOST.

Documentation

• Should this change be documented?
  • Yes, see #___
  • No

Related

Resolves #1259

[matejvasek]

@dmikusa-pivotal please try this out.

You might need to turn off SELinux in the podman VM. Also you will need to set --docker-host flag (e.g. --docker-host=unix:///var/run/docker.sock).

[matejvasek]

Work is still in progress. There are no prompts for password/passphrase.

[matejvasek]

Why is CI using go 1.14?

[codecov]

Codecov Report

Merging #1282 (224e0a4) into main (fc9cb50) will increase coverage by 0.35%.
The diff coverage is 91.43%.

@@            Coverage Diff             @@
##             main    #1282      +/-   ##
==========================================
+ Coverage   80.11%   80.46%   +0.35%     
==========================================
  Files         143      144       +1     
  Lines        8760     9039     +279     
==========================================
+ Hits         7017     7272     +255     
- Misses       1285     1301      +16     
- Partials      458      466       +8     

Flag	Coverage Δ
os_linux	79.08% <91.43%> (+0.36%)	⬆️
os_macos	73.63% <0.36%> (-2.34%)	⬇️
os_windows	80.29% <89.29%> (+0.29%)	⬆️
unit	80.46% <91.43%> (+0.35%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

[matejvasek]

How should we name these envvars?

[aemengo]

Are these the same ones that Docker uses? If so, we should keep them

[matejvasek]

No they are not used by docker. It's my addition. With docker you need to put identity at default location with default name or add it to ssh-agent, you cannot specify identity file AFAIK.

[matejvasek]

@dmikusa-pivotal please try this out.

[matejvasek]

Also it would be great if somebody tried this on Windows.

[matejvasek]

@joshuawhite929 please try this out.

[dmikusa]

Sorry for the delay. It is working for me.

I checked out your code, make build and used ./out/pack to do a pack build. I had DOCKER_HOST set to ssh://user@my-vm:port. It didn't require setting --docker-host.

Looks good!

[aemengo]

(fearfully) attempting to validate on Windows here. But not really sure how these VMs are set up to be able to communicate over SSH.

@dmikusa-pivotal, do you have some sort of ssh proxy forwarding traffic from 22 to a Docker daemon listening on a port? Maybe we can look at your setup together to speed this along.

[aemengo]

Are these the same ones that Docker uses? If so, we should keep them

[dmikusa]

@aemengo

@dmikusa-pivotal, do you have some sort of ssh proxy forwarding traffic from 22 to a Docker daemon listening on a port? Maybe we can look at your setup together to speed this along.

You need a VM with two things to make this work:

1. OpenSSH installed. Basically, you should be able to ssh into the VM. For a Linux VM, just install your distro's openssh server package.
2. Docker Daemon running. You can use the Docker instructions for installing Docker community. If you can docker version on the remote VM as the user you're planning to connect with over ssh then you should be set (you may also need to add the user you're connecting with to the docker group so it can access the daemon without needing sudo).

There's nothing specific you have to do to Docker to make it support this. It's basically functionality in the docker client & now pack to run docker commands remotely.

Hope that helps!

[aemengo]

@dmikusa-pivotal Thanks for the help. I followed your instructions but am still having trouble using an ssh connection on a windows machine. I am able to use the ssh client directly.

Please let me know if I'm doing something wrong. Happy to look at this with someone.

PS> $env:DOCKER_HOST="ssh://[email protected]"
PS> $env:DOCKER_HOST_SSH_IDENTITY="C:\Users\aemengo\Desktop\rdp\id_ed25519"
PS> pack build aemengo/hello -p ..\hello -B cnbs/sample-builder:dotnet-framework-1809
ERROR: failed to build: failed to fetch builder image 'index.docker.io/cnbs/sample-builder:dotnet-framework-1809': error during connect: Post "http://example.com%2F/v1.38/images/create?fromImage=cnbs%2Fsample-builder&tag=dotnet-framework-1809": ssh: rejected: connect failed (open failed)

[dmikusa]

@aemengo - FYI, I only tested with password-less login. I'm not sure if it works if you have to login over ssh.

Are you able to ssh [email protected] without any additional prompts? Password most notably, but also make sure you've trusted the host key.

Also, can you docker images and see images from the remote docker? Docker should also work over ssh. If that works but pack doesn't, then it would be something specific with pack that's failing.

[matejvasek]

There should already be implemented prompt for password and for temporary trusting the server.

[matejvasek]

So ssh "ssh://[email protected]" -i "C:\Users\aemengo\Desktop\rdp\id_ed25519" does work?
Is aemengo user in docker group?

[matejvasek]

@aemengo Does something like:
ssh -NL localhost:2374:/var/run/docker.sock "ssh://[email protected]" -i "C:\Users\aemengo\Desktop\rdp\id_ed25519"
work?

[matejvasek]

also what Daniel said: try whether docker CLI works with DOCKER_HOST="ssh://[email protected]"

[matejvasek]

@aemengo could you please try Windows again, I did some changes.

[matejvasek]

@dmikusa-pivotal I did some changes could you please re-test it?

[matejvasek]

How can I rerun Codecov?

[matejvasek]

@aemengo @jromero PTAL

[aemengo]

@matejvasek Don't know your magic, but things seems to be working well on my windows machine 👍🏾
Please give me a few more to finish reviewing.

[matejvasek]

@matejvasek Don't know your magic, but things seems to be working well on my windows machine 👍🏾 Please give me a few more to finish reviewing.

I allowed use of standard docker system dial-stdio mechanism if the commands happens to be in the remote machine. If it's not it will use tunneling. I mean I call https://pkg.go.dev/github.com/docker/cli/cli/connhelper#GetConnectionHelper if it should work in given machine.

[matejvasek]

I allowed use of standard docker system dial-stdio mechanism if the commands happens to be in the remote machine. If it's not it will use tunneling.

I could also do it other way around: use tunneling if possible (i.e. with everything but npipe) and use docker system dial-stdio as the fallback.

[aemengo]

To be honest, I'm a little afraid of introducing something that a select few maintainers are likely to debug. But it did work stellarly during my testing.

Once again, we can't thank you enough for a PR of such depth.

[n1hility]

Nice work on buildpack ssh support @matejvasek

[dfreilich]

Could we move these functions to a separate file in this directiory, maybe docker_init.go? I like keeping cmd/cmd.go simple and self-contained

[dfreilich]

This is wildly impressive work, @matejvasek . I am a bit nervous about the future upkeep for this, so I would definitely rather the ssh_dialers functionality comes through an imported function from podman; if they'd consider exposing the required api and we could use that, I think it would definitely make it a lot safer for us to import it.

[jromero]

I don't see trust being persisted. Should it be? What's the experience connecting to the same connection a second time?

[matejvasek]

It could be written into ~/.ssh/known_hosts. But I am not too eager to write into system files. I could however print hint, something like: "add this line {key record here} into your ~/.ssh/known_hosts, or "to trust the key connect to the host via ssh first". BTW standard docker CLI is not solving this at all, you must add trust by yourself.

[matejvasek]

So right now you are asked each time.

[matejvasek]

BTW standard docker CLI is not solving this at all, you must add trust by yourself.

to be more specific you will get:

~> docker image ls
error during connect: Get "http://docker.example.com/v1.24/images/json": command [ssh -l root -p 45383 -- localhost docker system dial-stdio] has exited with exit status 255, please make sure the URL is valid, and Docker 18.09 or later is installed on the remote host: stderr=ssh_askpass: exec(/usr/libexec/openssh/ssh-askpass): No such file or directory
Host key verification failed.

[matejvasek]

Also standard docker CLI does not support password authentication.
And you cannot specify identity file (and its passphrase) -- it either has to be at standard location with standard name,
or it has to be added to ssh-agent. Passphrase reading also has to be handled by ssh-agent.

[matejvasek]

@jromero wrt host key callbck

Where are these keys persisted?

We are not persisting it anywhere yet. I could print instruction what line should be appended to ~/.ssh/known_hosts to persist trust.

What/How do we handle non-interactive scenarios?

You can forward output of the yes utility to input of pack command: yes | pack build ....
Or you can add the host key into ~/.ssh/know_hosts somehow else.

[matejvasek]

This is wildly impressive work, @matejvasek . I am a bit nervous about the future upkeep for this, so I would definitely rather the ssh_dialers functionality comes through an imported function from podman; if they'd consider exposing the required api and we could use that, I think it would definitely make it a lot safer for us to import it.

@dfreilich I totally agree this is not best place to keep it. Initial I created separate repo: https://github.com/matejvasek/sshdialer.
Especially because this code might be useful in another projects. But then I would be responsible for maintaining it.

So latter I moved it here, one of the reasons was that I really liked your GithubActions. You even have custom runner for Windows with Linux containerization which I found really useful.

I could talk to people from https://github.com/containers about it. But I am afraid I won't be able to run WIndows tests in CI there.

[matejvasek]

@jromero here I added message for user with instruction how to make server trusted. Is it OK?

[matejvasek]

@jromero @dfreilich PTAL

[dfreilich]

LGTM!

I appreciate the rigorous tests, which definitely makes it a lot easier to support. At the same time, if the podman team is open to supporting this, that would be great, and I'd appreciate adding a link to an issue on their repo so we can track this integration.

@jromero , what do you think? Holding it off until your approval.

[jromero]

Minor nits.

Overall good. Excited to get this in.

Could you resolve the merge conflict? I can then give it a quick test and merge this in.

EDIT: Looks like conflict is resolved.

[matejvasek]

I am going to squash review requested fixups.