Investigate dropping reliance on /usr/bin/ssh for docker client connections #251

New Issue

decentral1se · 2021-11-18T20:24:57Z

decentral1se commented

2021-11-18 20:24:57 +00:00

Describe the current behavior

abra actually relies on /usr/bin/ssh existing which is bad for portability.

Steps to reproduce

Do anything with abra.

Describe the expected behavior

Not the worst but so far it looked it was totally a self-reliant single binary.

Maybe we can re-use the built-in ssh lib to avoid this reliance.

Any idea how this might be fixed?

Use pkg/ssh/... to pass something to the dialer code in pkg/upstream/....

## Describe the current behavior `abra` actually relies on `/usr/bin/ssh` existing which is bad for portability. ## Steps to reproduce Do anything with `abra`. ## Describe the expected behavior Not the worst but so far it looked it was totally a self-reliant single binary. Maybe we can re-use the built-in ssh lib to avoid this reliance. ## Any idea how this might be fixed? Use `pkg/ssh/...` to pass something to the dialer code in `pkg/upstream/...`.

decentral1se added this to the (deleted) milestone 2021-11-18 20:24:58 +00:00

decentral1se added the

bug

abra

labels 2021-11-18 20:24:58 +00:00

decentral1se added this to the Beta release (software) project 2021-11-18 20:25:30 +00:00

decentral1se referenced this issue from toolshed/docs.coopcloud.tech

2021-11-18 20:27:19 +00:00

Demystifying abra + ssh logic #27

decentral1se commented

2021-11-18 20:30:07 +00:00

The built-in ssh lib seems to have a matching signature via https://pkg.go.dev/golang.org/x/crypto/ssh#Client.DialTCP which gives a net.Conn which we might be able to use as a drop-in replacement here! Also https://pkg.go.dev/golang.org/x/crypto/ssh#NewServerConn? Something to investigate soon.

The built-in ssh lib seems to have a matching signature via https://pkg.go.dev/golang.org/x/crypto/ssh#Client.DialTCP which gives a `net.Conn` which we might be able to use as a drop-in replacement here! Also https://pkg.go.dev/golang.org/x/crypto/ssh#NewServerConn? Something to investigate soon.

decentral1se referenced this issue

2021-11-22 17:41:39 +00:00

Blocked on "ssh: handshake failed:" for server add flow #250

knoflook self-assigned this 2021-11-24 11:31:50 +00:00

knoflook commented

2021-11-24 12:37:40 +00:00

commit: 6ef15e0a26fbe98b2394606af9c17847c8e95948 (head)
i renamed /usr/bin/ssh and tried to run abra but this is all i'm getting:
FATA[0000] error during connect: Get "http://docker.example.com/v1.24/containers/json?filters=%7B%22name%22%3A%7B%22traefik_cc_marinara_xyz%22%3Atrue%7D%7D&limit=0": exec: "ssh": executable file not found in $PATH

i think i don't understand. Doesn't ssh-agent still require openssh to be installed?

commit: 6ef15e0a26fbe98b2394606af9c17847c8e95948 (head) i renamed /usr/bin/ssh and tried to run abra but this is all i'm getting: `FATA[0000] error during connect: Get "http://docker.example.com/v1.24/containers/json?filters=%7B%22name%22%3A%7B%22traefik_cc_marinara_xyz%22%3Atrue%7D%7D&limit=0": exec: "ssh": executable file not found in $PATH ` i think i don't understand. Doesn't ssh-agent still require openssh to be installed?

knoflook removed their assignment 2021-11-24 12:52:56 +00:00

decentral1se commented

2021-11-24 12:55:16 +00:00

yeh its a bit difficult to unpack but here is what i know:

the docker cli code shells out via the /usr/bin/ssh command to make connections to remote servers so it can speak to the remote docker daemon. we've had to copy/pasta that over to 759a00eeb3/pkg/upstream/commandconn/connection.go (L59) - you can do this yourself, just run ssh myserver.com docker system dial-stdio and then you can type out http requests to docker like a telnet session.
that implementation uses 759a00eeb3/pkg/upstream/commandconn/commandconn.go which seems to be an implementation of a thing that produces something that looks and works like a net.Conn but specific to what docker expects - hence it is hard to drop this code because then we need to reimplement their weirdness (still possible I hope! this would make a lot of problems go away)
when you run ssh on the cli, it does a few things, one is reading the ~/.ssh/config file but also if the keys require a passphrase, it asks ssh-agent (a process running in the background and part of openssh-client) to load that password)
sooooo, abra requires /usr/bin/ssh to exist and currently ssh-agent because we do 759a00eeb3/pkg/ssh/ssh.go (L70)
we also try to read the ~/.ssh/config in 759a00eeb3/pkg/ssh/ssh.go (L537) and also also the docker context itself in 759a00eeb3/pkg/ssh/ssh.go (L490)
if you can get your head into this, we can try to simplify it 🙏

yeh its a bit difficult to unpack but here is what i know: - the docker cli code shells out via the /usr/bin/ssh command to make connections to remote servers so it can speak to the remote docker daemon. we've had to copy/pasta that over to https://git.coopcloud.tech/coop-cloud/abra/src/commit/759a00eeb3aa5fb30b9e4b9424440494b0aa86e7/pkg/upstream/commandconn/connection.go#L59 - you can do this yourself, just run `ssh myserver.com docker system dial-stdio` and then you can type out http requests to docker like a telnet session. - that implementation uses https://git.coopcloud.tech/coop-cloud/abra/src/commit/759a00eeb3aa5fb30b9e4b9424440494b0aa86e7/pkg/upstream/commandconn/commandconn.go which seems to be an implementation of a thing that produces something that looks and works like a `net.Conn` but specific to what docker expects - hence it is hard to drop this code because then we need to reimplement their weirdness (still possible I hope! this would make a lot of problems go away) - when you run `ssh` on the cli, it does a few things, one is reading the `~/.ssh/config` file but also if the keys require a passphrase, it asks `ssh-agent` (a process running in the background and part of `openssh-client`) to load that password) - sooooo, `abra` requires `/usr/bin/ssh` to exist and currently `ssh-agent` because we do https://git.coopcloud.tech/coop-cloud/abra/src/commit/759a00eeb3aa5fb30b9e4b9424440494b0aa86e7/pkg/ssh/ssh.go#L70 - we also try to read the `~/.ssh/config` in https://git.coopcloud.tech/coop-cloud/abra/src/commit/759a00eeb3aa5fb30b9e4b9424440494b0aa86e7/pkg/ssh/ssh.go#L537 and also also the docker context itself in https://git.coopcloud.tech/coop-cloud/abra/src/commit/759a00eeb3aa5fb30b9e4b9424440494b0aa86e7/pkg/ssh/ssh.go#L490 - if you can get your head into this, we can try to simplify it 🙏

knoflook commented

2021-11-25 11:38:18 +00:00

ok the way i understand this is we need a net.Conn-like object for docker library to throw its api calls at and it's returned by net/ssh library that needs ssh binary to be installed. If that's right then we have 4 options?

don't care, most people have ssh installed on their systems
bundle openssh with abra (cursed)
find a library that will return the same thing and use it
take code from an ssh client written in go and put it in abra (have an ssh client built in)

things were easier back in ye olden days when abra was written in bash

ok the way i understand this is we need a `net.Conn`-like object for docker library to throw its api calls at and it's returned by net/ssh library that needs ssh binary to be installed. If that's right then we have 4 options? - don't care, most people have ssh installed on their systems - bundle openssh with abra (cursed) - find a library that will return the same thing and use it - take code from an ssh client written in go and put it in abra (have an ssh client built in) things were easier back in ye olden days when abra was written in bash

decentral1se removed the

bug

label 2021-12-21 23:14:13 +00:00

decentral1se added the

documentation

label 2021-12-31 15:28:47 +00:00

decentral1se commented

2022-02-09 17:46:28 +00:00

https://docs.coopcloud.tech/abra/trouble/#ssh-connection-issues

decentral1se closed this issue

2022-02-09 17:46:28 +00:00

Sign in to join this conversation.