dockerpy fails with ssh if remote machine was not added to hosts #2398

Open
ssbarnea opened this issue Aug 6, 2019 · 4 comments

ssbarnea commented Aug 6, 2019

This could be avoided by doing `ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())` beforehand, as mentioned in onyxfish/relay#11 (comment)

INTERNALERROR>   File "/root/rdo/ansible-role-container-registry/.tox/molecule/lib/python3.6/site-packages/docker/client.py", line 40, in __init__
INTERNALERROR>     self.api = APIClient(*args, **kwargs)
INTERNALERROR>   File "/root/rdo/ansible-role-container-registry/.tox/molecule/lib/python3.6/site-packages/docker/api/client.py", line 166, in __init__
INTERNALERROR>     base_url, timeout, pool_connections=num_pools
INTERNALERROR>   File "/root/rdo/ansible-role-container-registry/.tox/molecule/lib/python3.6/site-packages/docker/transport/sshconn.py", line 84, in __init__
INTERNALERROR>     self._connect()
INTERNALERROR>   File "/root/rdo/ansible-role-container-registry/.tox/molecule/lib/python3.6/site-packages/docker/transport/sshconn.py", line 94, in _connect
INTERNALERROR>     parsed.hostname, parsed.port, parsed.username,
INTERNALERROR>   File "/root/rdo/ansible-role-container-registry/.tox/molecule/lib/python3.6/site-packages/paramiko/client.py", line 416, in connect
INTERNALERROR>     self, server_hostkey_name, server_key
INTERNALERROR>   File "/root/rdo/ansible-role-container-registry/.tox/molecule/lib/python3.6/site-packages/paramiko/client.py", line 824, in missing_host_key
INTERNALERROR>     "Server {!r} not found in known_hosts".format(hostname)
INTERNALERROR> paramiko.ssh_exception.SSHException: Server 'n0' not found in known_hosts
heavenlwf added a commit to heavenlwf/docker-py that referenced this issue Sep 12, 2019
Signed-off-by: heavenlwf <heavenlwf@gmail.com>
cmcga1125 commented Feb 21, 2020

@ssbarnea and anyone else who, like me, finds this issue:
this actually works, you just get a warning stating that you don't have a match in your known_hosts file. See the code here indicating it's just a warning, not a real error :)
https://github.com/docker/docker-py/blob/master/docker/transport/sshconn.py#L109

Example connection function:

import docker

def dockerClient(SSHAddress, SSHUser):
    # Connect to the remote Docker daemon over SSH
    client = docker.DockerClient(
        base_url = f'ssh://{SSHUser}@{SSHAddress}',
        version = 'auto',
        timeout = 3600
        )
    return client

@VelorumS

In docker-py 4.1.0 it was still an exception.

madrover commented Jan 26, 2023

Still same issue on 6.0.1.
Actually, this works on 5.0.3 but #2932 broke it. Ideally this should be a configurable behavior.

milas (Contributor) commented Jan 26, 2023

> Actually, this works on 5.0.3 but #2932 broke it.

Yes, the default policy was changed with 6.x for security, see the "Upgrade Notes" in the changelog:

> Native Python SSH client (used by default / `use_ssh_client=False`) will now
> reject unknown host keys with `paramiko.ssh_exception.SSHException`

> Ideally this should be a configurable behavior.

Agreed. I would be happy to accept/review a PR here. For reference, here's the SSH init code:

self._create_paramiko_client(base_url)

It's worth mentioning that there are 2x supported implementations (Python-native via Paramiko, or shelling out to the host SSH binary), so we'll need to account for that.

Also, the connection gets created by APIClient, so it needs to be plumbed up through there:

credstore_env=None, use_ssh_client=False,

The design/coupling here means it might be a bit tricky. I think it's reasonable to overload the use_ssh_client param on APIClient's ctor to accept an object in addition to a bool to allow passing in a concrete client implementation. A new param on SSHHTTPAdapter is probably inevitable, but should be mutually exclusive with shell_out=True.

That would allow consumers to create a paramiko.SSHClient and completely control its configuration for advanced use cases, while still allowing a sane/secure configuration out-of-the-box.
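
A pre-flight check for the `not found in known_hosts` failure discussed in this thread, as an added example that is not part of the issue or of docker-py: it looks a Docker host up in known_hosts text (plain and hashed entries) and compares the stored key with a fingerprint obtained out of band, so the entry is provisioned and verified rather than auto-accepted. The function names, the hosts `n1`/`n2`, the address and the key blob are constructed for illustration.

```python
import base64
import hashlib
import hmac

def host_matches(field, name):
    """Match a known_hosts host field (comma list or |1|salt|hash) against name."""
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(digest, base64.b64decode(digest_b64))
    return name in field.split(",")  # wildcard/negated patterns are not handled

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def preflight(known_hosts_text, host, pinned_fp, port=22):
    """Return 'ok', 'unknown' (host has no entry) or 'mismatch'."""
    # Non-default ports are stored as "[host]:port", also inside hashed entries.
    name = host if port == 22 else f"[{host}]:{port}"
    seen = set()
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        if host_matches(fields[0], name):
            seen.add(fingerprint(fields[2]))
    if not seen:
        return "unknown"
    return "ok" if pinned_fp in seen else "mismatch"

# Constructed sample data: the key blob is placeholder bytes, not a real key.
SAMPLE_KEY = base64.b64encode(b"constructed key blob for the example").decode()
_salt = b"constructed-salt-20b"
_hash = hmac.new(_salt, b"[n1]:2222", hashlib.sha1).digest()
SAMPLE_KNOWN_HOSTS = (
    f"n0,10.0.0.5 ssh-ed25519 {SAMPLE_KEY}\n"
    f"|1|{base64.b64encode(_salt).decode()}|{base64.b64encode(_hash).decode()}"
    f" ssh-ed25519 {SAMPLE_KEY}\n"
)

if __name__ == "__main__":
    pinned = fingerprint(SAMPLE_KEY)  # in practice, obtained out of band
    for host, port in [("n0", 22), ("n1", 2222), ("n2", 22)]:
        print(host, port, preflight(SAMPLE_KNOWN_HOSTS, host, pinned, port))
```

An `unknown` result corresponds to the case where the native client in 6.x raises `SSHException`; a `mismatch` means the stored key differs from the pinned one and the entry should be investigated before connecting.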
