feat: Support dockerPrivateKey to specify path to SSH key
#674
Conversation
|
Hey @martinezpl, thanks a lot for the proposal here. I think in this particular case we could skip the integration test as it has a bit more complicated setup - otherwise we should create a repo owned by serverless to host that package to install. As for the errors - it seems like they're only happening for this PR, do you have any idea if any change introduced might be causing it? |
|
Hi @pgrzesik!
I don't see the code-related reason here? As for the test, I invited you to that private repo so you can fork it to /serverless and substitute the key if you wish. This also serves as the only test for dockerSsh currently. Otherwise, I guess it's pretty safe to assume it's gonna work if dockerizePip tests pass, as we're just appending docker commands there. |
|
Thanks @martinezpl - I'm not sure what is happening then - I'll dive into that probably next week as I'm pretty busy with other things, sorry about the delay |
|
Please merge this! |
|
Hey @martinezpl - I believe I've fixed the CI issue, could you please rebase your branch against current |
|
@pgrzesik permission denied error persists |
|
Thanks @martinezpl - I'll look into what might be causing this 😬 |
| // Mount necessary ssh files to work with private repos | ||
| dockerCmd.push( | ||
| '-v', | ||
| `${process.env.HOME}/.ssh/id_rsa:/root/.ssh/id_rsa:z`, |
There was a problem hiding this comment.
Could you check if that change to os.homedir() could be causing these issues with permissions on runner? AFAIK it still takes the result from process.env.HOME but nothing else in this PR looks like the cause of this problem and all other PRs are passing without problems 😕
|
@pgrzesik so turns out the new test is blocking all the tests. Perhaps it's some sort of a security measure related to the SSH connection to an external repo? |
|
Hello @martinezpl - thanks for investigating - it looks like it might be the case. In that situation, I think we should skip adding such test - could we have a simpler test that just validates proper resolution of the command when custom key is involved? |
There was a problem hiding this comment.
Thanks @martinezpl - let's keep it this way - thanks a lot for your contribution 👍
pgrzesik
changed the title
dockerPrivateKey option to specify path to mounted SSH keydockerPrivateKey to specify path to SSH key
Problem
The SSH key that is being mounted to a dockerized pip is hardcoded as
~/.ssh/id_rsa. This key format is considered legacy and there's no way to use a different key. Moreover, to get the user's home directory,homeenv var is being used, which does not cover 100% of cases.Solution
Compared to previously proposed solution of mounting the whole .ssh directory , adding an option to specify the path is a lightweight approach that shouldn't be problematic.
process.env.HOMEis switched torequire('os').homedir()to increase system compatibility.The test I came up with is using a read-only deploy key to download a simple pip package from a private repo created for this purpose. Perhaps such repo should exist in /serverless profile?
Solves: #488, #617
Potentially helps: #560, #272
-edit
Some permission denied errors popped up in the second test run, not sure why?