Investigate dropping reliance on /usr/bin/ssh for docker client connections #251
Reference: coop-cloud/organising#251
Describe the current behavior
abra actually relies on /usr/bin/ssh existing which is bad for portability.
Steps to reproduce
Do anything with abra.
Describe the expected behavior
Not the worst but so far it looked like it was totally a self-reliant single binary.
Maybe we can re-use the built-in ssh lib to avoid this reliance.
Any idea how this might be fixed?
Use pkg/ssh/... to pass something to the dialer code in pkg/upstream/...
The built-in ssh lib seems to have a matching signature via https://pkg.go.dev/golang.org/x/crypto/ssh#Client.DialTCP which gives a net.Conn which we might be able to use as a drop-in replacement here! Also https://pkg.go.dev/golang.org/x/crypto/ssh#NewServerConn? Something to investigate soon.
commit: 6ef15e0a26fbe98b2394606af9c17847c8e95948 (head)
i renamed /usr/bin/ssh and tried to run abra but this is all i'm getting:
FATA[0000] error during connect: Get "http://docker.example.com/v1.24/containers/json?filters=%7B%22name%22%3A%7B%22traefik_cc_marinara_xyz%22%3Atrue%7D%7D&limit=0": exec: "ssh": executable file not found in $PATH
i think i don't understand. Doesn't ssh-agent still require openssh to be installed?
yeh it's a bit difficult to unpack but here is what i know:
759a00eeb3/pkg/upstream/commandconn/connection.go (L59) - you can do this yourself, just run ssh myserver.com docker system dial-stdio and then you can type out http requests to docker like a telnet session.
759a00eeb3/pkg/upstream/commandconn/commandconn.go which seems to be an implementation of a thing that produces something that looks and works like a net.Conn but specific to what docker expects - hence it is hard to drop this code because then we need to reimplement their weirdness (still possible I hope! this would make a lot of problems go away)
ssh on the cli, it does a few things, one is reading the ~/.ssh/config file but also if the keys require a passphrase, it asks ssh-agent (a process running in the background and part of openssh-client) to load that password
abra requires /usr/bin/ssh to exist and currently ssh-agent because we do 759a00eeb3/pkg/ssh/ssh.go (L70)
~/.ssh/config in 759a00eeb3/pkg/ssh/ssh.go (L537) and also the docker context itself in 759a00eeb3/pkg/ssh/ssh.go (L490)
ok the way i understand this is we need a net.Conn-like object for docker library to throw its api calls at and it's returned by net/ssh library that needs ssh binary to be installed. If that's right then we have 4 options?
things were easier back in ye olden days when abra was written in bash
https://docs.coopcloud.tech/abra/trouble/#ssh-connection-issues
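The point made in the thread, that the Docker API only needs something that behaves like a net.Conn, shown as an added Go example (not abra's or Docker's code): an HTTP transport with an injected dialer, so the stream could come from an in-process SSH client rather than an exec'd ssh. `ConnDialer`, `ListContainerNames` and `FakeDaemon` are hypothetical names, and the fake daemon with its canned reply is constructed so the example runs offline.

```go
package main

import (
	"bufio"
	"context"
	"encoding/json"
	"fmt"
	"net"
	"net/http"
)

// ConnDialer (hypothetical name) yields a stream to the remote Docker socket, e.g. from an in-process SSH client.
type ConnDialer func(ctx context.Context) (net.Conn, error)

// ListContainerNames sends one Docker API call over dial's conn; the URL host is a dummy and is never resolved.
func ListContainerNames(dial ConnDialer) ([]string, error) {
	tr := &http.Transport{DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
		return dial(ctx)
	}}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get("http://docker.example.com/v1.24/containers/json")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var containers []struct{ Names []string }
	err = json.NewDecoder(resp.Body).Decode(&containers)
	var names []string
	for _, c := range containers {
		names = append(names, c.Names...)
	}
	return names, err
}

// FakeDaemon is a constructed stand-in for the remote end: one canned reply on an in-memory pipe (runs offline).
func FakeDaemon(_ context.Context) (net.Conn, error) {
	client, server := net.Pipe()
	go func() {
		defer server.Close()
		if _, err := http.ReadRequest(bufio.NewReader(server)); err != nil {
			return
		}
		body := `[{"Names":["/example_app"]}]`
		fmt.Fprintf(server, "HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s", len(body), body)
	}()
	return client, nil
}

func main() { fmt.Println(ListContainerNames(FakeDaemon)) }
```

Because the transport never looks at the URL host, a dialer that fails (for example a missing key or an unreachable server) surfaces as the error returned from `ListContainerNames`, in the same place the `exec: "ssh": executable file not found` error appears today.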