Missing access permissions to ~/.ssh/ folder on executing deployer/deployer package #1337

Closed
ohader opened this issue Dec 17, 2018 · 5 comments

ohader commented Dec 17, 2018

Describe the bug

Using Composer package deployer/deployer within DDEV docker container fails due to missing access permissions on /home/~.ssh/deployer_* (which is used as ControlPath when establishing SSH connections to remote servers).

The corresponding error message looks like:

  The command "if [ -h ~/site//release ]; then echo 'true'; fi" failed.

  Exit Code: -1 (Unknown error)

  Host Name: example-host-name.anyhost.it

  ================
  bind: Permission denied
  unix_listener: cannot bind to path: /home/.ssh/deployer_example_user@example-host-name.anyhost.it.yd0q8pFtSkojDfQY

To Reproduce

Steps to reproduce the behavior:

  1. install package using composer require --dev deployer/deployer:^6.3
  2. create file deploy.php in project root directory containing minimal scenario

```php
<?php
namespace Deployer;

// Remote host and the SSH user used to connect to it
host('example-host-name.anyhost.it')
    ->user('example_user');

// Minimal task: run one remote command over SSH and dump its output
task('deploy', function() {
    $result = run('ls -la');
    var_dump($result);
});
```

  3. execute process using vendor/bin/dep deploy
  4. see the error message unix_listener: cannot bind to path: /home/.ssh/deployer_*

Expected behavior
Probably(!) the /home/.ssh directory should be writable for internal container users.

Screenshots

none

Version and configuration information

  • Host: macOS 10.14.2 (Mojave)
  • Docker: engine 18.09.0, commit 4d60db4
  • DDEV: 1.4.1

```
Client: Docker Engine - Community
 Version:           18.09.0
 API version:       1.39
 Go version:        go1.10.4
 Git commit:        4d60db4
 Built:             Wed Nov  7 00:47:43 2018
 OS/Arch:           darwin/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.0
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.4
  Git commit:       4d60db4
  Built:            Wed Nov  7 00:55:00 2018
  OS/Arch:          linux/amd64
  Experimental:     false
```

```
db drud/ddev-dbserver:v1.4.0
dba drud/phpmyadmin:v1.4.0
router drud/ddev-router:v1.4.0
commit v1.4.1
cli v1.4.1
web drud/ddev-webserver:v1.4.0
ddev-ssh-agent drud/ddev-ssh-agent:v1.4.0
domain ddev.local
```

ohader (Author) commented Dec 17, 2018

Deployer is executing remote commands like this

```sh
ssh -A \
  -o ControlMaster=auto \
  -o ControlPersist=60 \
  -o ControlPath=~/.ssh/deployer_example_user@example-host-name.anyhost.it.yd0q8pFtSkojDfQY \
  example_user@example-host-name.anyhost.it  'bash -s; printf "[exit_code:%s]" $?;'
```

A workaround in order to avoid using ControlPath is to disable SSH multiplexing using the following in the deploy.php file (however, disabling multiplexing might have other side effects - thus, it's really just a workaround):

```php
host('example-host-name.anyhost.it')
    ->multiplexing(false)
    ->user('example_user');
```

rfay (Member) commented Dec 17, 2018

I have to confess I've never seen usages like this, and have never heard of a client needing to write to .ssh. I'd have second thoughts about using a tool like that.

However, all you need to solve it is a post-start hook that does something like sudo chown -R $UID /root/.ssh. Let us know if that fixes it.

The web container doesn't do anything with /root/.ssh except put the config there.
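
The failure discussed above comes down to who owns the directory that holds the ControlPath socket. As an added example (not code from DDEV, Deployer or this thread), this POSIX shell check classifies a candidate directory and falls back to a fresh private one; the function names, the ssh-mux prefix and the host in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: vet the directory that will hold an OpenSSH ControlPath socket.
# ssh_config(5) recommends a directory that is not writable by other users;
# this check is stricter and expects no group/other bits at all (mode 0700).

# control_dir_status DIR [UID]
# Prints one of: missing | wrong-owner | too-open | ok
# UID defaults to the current user; the second argument exists for testing.
control_dir_status() {
    dir=$1
    want=${2:-$(id -u)}
    [ -d "$dir" ] || { echo missing; return 0; }
    # POSIX "ls -ldn": field 1 is the mode string, field 3 the numeric owner.
    # Characters 5-10 of the mode string are the group and other bits.
    info=$(ls -ldn "$dir" | awk '{ print substr($1, 5, 6), $3 }')
    bits=${info% *}
    owner=${info#* }
    if [ "$owner" != "$want" ]; then
        echo wrong-owner    # the case the chown in this thread addresses
    elif [ "$bits" != "------" ]; then
        echo too-open       # group or other can access the directory
    else
        echo ok
    fi
}

# pick_control_dir PREFERRED
# Prints PREFERRED when it passes the check, otherwise the path of a new
# private directory (mktemp -d creates it with mode 0700).
pick_control_dir() {
    preferred=$1
    if [ "$(control_dir_status "$preferred")" = ok ]; then
        echo "$preferred"
    else
        mktemp -d "${TMPDIR:-/tmp}/ssh-mux.XXXXXX"
    fi
}

# Usage (constructed host name). %C is OpenSSH's hashed connection token and
# keeps the socket path short:
#   dir=$(pick_control_dir "$HOME/.ssh")
#   ssh -o ControlMaster=auto -o ControlPersist=60 \
#       -o ControlPath="$dir/%C" example_user@host.example
```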

ohader (Author) commented Dec 17, 2018

Thanks for your feedback, changing ownership inside the container is fine and your feedback that nothing else is using /home/.ssh is great.

SSH multiplexing is described here in more detail (Deployer just makes use of this OpenSSH feature):
https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing

This issue can be closed. Maybe it helps others facing similar scenarios.

rfay (Member) commented Dec 17, 2018

I think it won't be too long before we'll have a properly named and permissioned user inside the web container, and then this wouldn't have been an issue. I think it's fine to leave this open and we'll sneak in at least setting permissions on /root/.ssh in the start script.

rfay added a commit to rfay/ddev that referenced this issue Jan 7, 2019
rfay added a commit to rfay/ddev that referenced this issue Jan 8, 2019
@rfay rfay closed this as completed in baa15bf Jan 9, 2019
baschny commented Oct 16, 2020

> Thanks for your feedback, changing ownership inside the container is fine and your feedback that nothing else is using /home/.ssh is great.
>
> SSH multiplexing is described here in more detail (Deployer just makes use of this OpenSSH feature):
> https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing
>
> This issue can be closed. Maybe it helps others facing similar scenarios.

I indeed had this problem today (unrelated to ddev, but using deployer on GitHub Actions) and your answer helped me, thanks @ohader ! 👍
