@dmikusa-pivotal please try this out.

You might need to turn off SELinux in the podman VM. Also you will need to set --docker-host flag (e.g. --docker-host=unix:///var/run/docker.sock).

Work is still in progress. There are no prompts for password/passphrase.

Why is CI using go 1.14?

Codecov Report

Merging #1282 (224e0a4) into main (fc9cb50) will increase coverage by 0.35%.
The diff coverage is 91.43%.

@@            Coverage Diff             @@
##             main    #1282      +/-   ##
==========================================
+ Coverage   80.11%   80.46%   +0.35%     
==========================================
  Files         143      144       +1     
  Lines        8760     9039     +279     
==========================================
+ Hits         7017     7272     +255     
- Misses       1285     1301      +16     
- Partials      458      466       +8     

Flags with carried forward coverage won't be shown. Click here to find out more.

@dmikusa-pivotal please try this out.

Also it would be great if somebody tried this on Windows.

@joshuawhite929 please try this out.

Sorry for the delay. It is working for me.

I checked out your code, make build and used ./out/pack to do a pack build. I had DOCKER_HOST set to ssh://user@my-vm:port. It didn't require setting --docker-host.

Looks good!

@aemengo

@dmikusa-pivotal, do you have some sort of ssh proxy forwarding traffic from 22 to a Docker daemon listening on a port? Maybe we can look at your setup together to speed this along.

You need a VM with two things to make this work:

1. OpenSSH installed. Basically, you should be able to ssh into the VM. For a Linux VM, just install your distro's openssh server package.
2. Docker Daemon running. You can use the Docker instructions for installing Docker community. If you can docker version on the remote VM as the user you're planning to connect with over ssh then you should be set (you may also need to add the user you're connecting with to the docker group so it can access the daemon without needing sudo).

There's nothing specific you have to do to Docker to make it support this. It's basically functionality in the docker client & now pack to run docker commands remotely.

Hope that helps!

@dmikusa-pivotal Thanks for the help. I followed your instructions but am still having trouble using an ssh connection on a windows machine. I am able to use the ssh client directly.

Please let me know if I'm doing something wrong. Happy to look at this with someone.

PS> $env:DOCKER_HOST="ssh://[email protected]"
PS> $env:DOCKER_HOST_SSH_IDENTITY="C:\Users\aemengo\Desktop\rdp\id_ed25519"
PS> pack build aemengo/hello -p ..\hello -B cnbs/sample-builder:dotnet-framework-1809
ERROR: failed to build: failed to fetch builder image 'index.docker.io/cnbs/sample-builder:dotnet-framework-1809': error during connect: Post "http://example.com%2F/v1.38/images/create?fromImage=cnbs%2Fsample-builder&tag=dotnet-framework-1809": ssh: rejected: connect failed (open failed)

@aemengo - FYI, I only tested with password-less login. I'm not sure if it works if you have to login over ssh.

Are you able to ssh [email protected] without any additional prompts? Password most notably, but also make sure you've trusted the host key.

Also, can you docker images and see images from the remote docker? Docker should also work over ssh. If that works but pack doesn't, then it would be something specific with pack that's failing.

There should already be implemented prompt for password and for temporary trusting the server.

So ssh "ssh://[email protected]" -i "C:\Users\aemengo\Desktop\rdp\id_ed25519" does work?
Is aemengo user in docker group?

@aemengo Does something like:
ssh -NL localhost:2374:/var/run/docker.sock "ssh://[email protected]" -i "C:\Users\aemengo\Desktop\rdp\id_ed25519"
work?

also what Daniel said: try whether docker CLI works with DOCKER_HOST="ssh://[email protected]"

@aemengo could you please try Windows again, I did some changes.

@dmikusa-pivotal I did some changes could you please re-test it?

How can I rerun Codecov?

@aemengo @jromero PTAL

@matejvasek Don't know your magic, but things seems to be working well on my windows machine 👍🏾
Please give me a few more to finish reviewing.

@matejvasek Don't know your magic, but things seems to be working well on my windows machine 👍🏾 Please give me a few more to finish reviewing.

I allowed use of standard docker system dial-stdio mechanism if the commands happens to be in the remote machine. If it's not it will use tunneling. I mean I call https://pkg.go.dev/github.com/docker/cli/cli/connhelper#GetConnectionHelper if it should work in given machine.

I allowed use of standard docker system dial-stdio mechanism if the commands happens to be in the remote machine. If it's not it will use tunneling.

I could also do it other way around: use tunneling if possible (i.e. with everything but npipe) and use docker system dial-stdio as the fallback.

Nice work on buildpack ssh support @matejvasek

This is wildly impressive work, @matejvasek . I am a bit nervous about the future upkeep for this, so I would definitely rather the ssh_dialers functionality comes through an imported function from podman; if they'd consider exposing the required api and we could use that, I think it would definitely make it a lot safer for us to import it.

@jromero wrt host key callbck

Where are these keys persisted?

We are not persisting it anywhere yet. I could print instruction what line should be appended to ~/.ssh/known_hosts to persist trust.

What/How do we handle non-interactive scenarios?

You can forward output of the yes utility to input of pack command: yes | pack build ....
Or you can add the host key into ~/.ssh/know_hosts somehow else.

This is wildly impressive work, @matejvasek . I am a bit nervous about the future upkeep for this, so I would definitely rather the ssh_dialers functionality comes through an imported function from podman; if they'd consider exposing the required api and we could use that, I think it would definitely make it a lot safer for us to import it.

@dfreilich I totally agree this is not best place to keep it. Initial I created separate repo: https://github.com/matejvasek/sshdialer.
Especially because this code might be useful in another projects. But then I would be responsible for maintaining it.

So latter I moved it here, one of the reasons was that I really liked your GithubActions. You even have custom runner for Windows with Linux containerization which I found really useful.

I could talk to people from https://github.com/containers about it. But I am afraid I won't be able to run WIndows tests in CI there.

@jromero @dfreilich PTAL

I am going to squash review requested fixups.