support SSH connection

[AkihiroSuda]

Signed-off-by: Akihiro Suda suda.akihiro@lab.ntt.co.jp

- What I did

Added support for SSH connection. e.g. docker -H ssh://me@server

- How I did it

Followed @tonistiigi 's suggestion: #889 (comment)

The cli should accept ssh://me@server for DOCKER_HOST and -H. Using that would execute ssh with the passed config.
The ssh command would call a hidden command on the docker CLI binary on the remote side. For example, docker dial-stdio.
This command will make a connection to the local DOCKER_HOST variable (almost always the default local socket) and forward that connection on the commands stdio.
Even though this command is supposed to run locally to the dockerd binary, we think that it is an invalid configuration for this feature to remove the local docker binary so we can rely on it always being present.

- How to verify it

docker -H ssh://me@server run -it --rm busybox

- Description for the changelog

support SSH connection

- A picture of a cute animal (not mandatory but encouraged)

https://commons.wikimedia.org/wiki/File:Manchot_Ad%C3%A9lie_juv%C3%A9nile.jpg

Vendor: moby/moby#36630 (merged)

---

Tests (currently tested manually):

• echo hello | ./docker -H ssh://10.2.54.48 run -i --rm busybox cat; echo world
• ./docker -H ssh://10.2.54.48 run --rm busybox echo hello; echo world
• ./docker -H ssh://10.2.54.48 run -i --rm busybox echo hello; echo world

[cpuguy83]

Design LGTM! cc @tonistiigi for design as well.
Tested this out and it works pretty well.

I did notice that this:

echo hello | ./docker-dev -H ssh://docker@$ip run -i --rm busybox cat

Doesn't echo anything to my term when using the ssh connector.
But a normal interactive container works fine. Image pull also works well.

[AkihiroSuda]

@cpuguy83
Thank you for testing.

The issue can be mitigated by increasing this timeout, which is the equivalent of socat -t and nc -q: https://github.com/docker/cli/pull/1014/files#diff-065a55b1c9d14a6817c97ca733652920R17

However, increasing this value introduces extra sleep.

I'll try to find a more robust way

[vdemeester]

Design LGTM too, this is cool 😻

[tonistiigi]

Overall design LGTM. I don't understand the timeout logic on handling EOF though.

[tonistiigi]

It may be confusing to use dockerCli here. I'd just use os pkg.

[tonistiigi]

is this wip?

[tonistiigi]

Just Host. We can also leave a sane default here if WithHost is not called. So connection helper case doesn't need to call it at all (or even better if connectionhelper just returns the client options directly instead of a struct).

[tonistiigi]

I think we should just add WithDialer instead of overriding client and remove WithHijackDialer. Using it would create a new client with a transport pointing to the current dialer and set it to hijack as well.

[tonistiigi]

I think this would be slightly better as a Dialer() func(ctx) (net.Conn, error) . Otherwise, it seems like a method that calls to the remote side. We could also solve this by breaking up NewClientWithOpts so that we always get access to dialer in cli before creating the client and store the dialer so we can reuse it.

[tonistiigi]

I'm not sure I understand this timeout. Why isn't the close of connection handled cleanly? This could be just a connection timeout but then it should be much bigger (20 sec) and increasing it shouldn't have any downsides when timeout isn't reached.

[tonistiigi]

These might be better handled with a wrapper around conn. But I guess I don't understand the need for the current timeout atm.

[cpuguy83]

Any update here?

[AkihiroSuda]

Sorry still stuck at the stream connection issue #1014 (comment)

Will try to look into this again ASAP

[cpuguy83]

No worries I just thought this was already merged and realized it wasn't!

[codecov-io]

Codecov Report

Merging #1014 into master will decrease coverage by 0.28%.
The diff coverage is 34.46%.

@@            Coverage Diff            @@
##           master   #1014      +/-   ##
=========================================
- Coverage   54.29%     54%   -0.29%     
=========================================
  Files         268     272       +4     
  Lines       17843   18068     +225     
=========================================
+ Hits         9687    9758      +71     
- Misses       7546    7694     +148     
- Partials      610     616       +6

[sandys]

Thanks for your reply. Will it not accept parameters passed through command line ? This is very convenient for portability (when using through different laptops, etc). Secondly we have more -o options that we pass.

…

On Mon, 20 Aug, 2018, 09:15 Akihiro Suda, ***@***.***> wrote: @sandys <https://github.com/sandys> ~/.ssh/config should work Host foo Hostname gcp.red.com PKCS11Provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1014 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAEsU0WZDcoIQ79_eUWMRCJMA12QJgdTks5uSjDWgaJpZM4TdNDQ> .

[AkihiroSuda]

Currently no, could you open a github issue?

Secondly we have more -o options that we pass.

Any option that cannot be configured via ~/.ssh/config?

[BretFisher]

From ops and sysadmins everywhere, we thank you for this fantastic and unexpected feature. I'm hoping this will seriously cut down the number of times I see people opening dockerd TCP w/o TLS and just opt for SSH endpoints for remote mgmt. 👍 😂

[overmike]

is this possible to use in docker golang client rather than cli? just like docker-py understand the ssh:// DOCKER_HOST

[cpuguy83]

@overmike No, none of the client helpers will set this up for you. Nothing is stopping someone from doing this themselves with the client, though. client.NewClient accepts an http client, which you can setup on your own.

The CLI is using a helper subcommand (hidden from --help) to assist in wiring up std i/o with the remote.

[overmike]

@cpuguy83 , thanks for your feedback. It clarifies I need to add connhelper code in our golang client.

I think you meant "docker system dial-stdio" for the hidden subcommand. And seems like docker-py 3.6.0 is going to support ssh DOCKER_HOST.

[bullno1]

How does it handle authentication? Does it support signed SSH certificate? What about revocation?

[cpuguy83]

It just shells out to the ssh bin. You can add whatever options for the host to your ssh config. I think there is another pr to support passing ssh opts through an environment var as well.

[zmilonas]

You can actually get a unparsedHost here which is not parseable - has no schema.
Like 127.0.0.1:2364

[AkihiroSuda]

GetConnectionHelper returns nil without error when no helper is registered for the scheme.

[zmilonas]

I think, this is actually unrelated to what I'm talking about. Just a line below you check for err from url.Parse() and since there is a possibility the passed daemonURL is in 127.0.0.1:2345 format url.Parse() will rightfully return an error per its specification - no protocol scheme. I am not sure where should the scheme be added - here or higher in the call stack but this line in particular introduced a regression in the newest stable release of docker engine - 18.09.0

[thaJeztah]

@zmilonas looks like you mean the issue that was addressed by #1443 ?

[zmilonas]

Well it might have been addressed but is not fixed 😅 I will file a new issue shortly then.

[thaJeztah]

It's fixed on master, which is what this repository is tracking.

A backport PR is open to include it in the 18.09 codebase

[zmilonas]

Can we expect it to end up in some kind of 18.09.01 release then?

[thaJeztah]

Yes, that's what the backport is for. In the meantime you could either modify your configuration (use tcp://<IP|host>:<port>), or download the static binaries for Docker 18.06 (or "nightly", which has the latest changes from "master") https://download.docker.com/linux/static/