Improve compatibility with jenkins docker-plugin #63

Merged
merged 8 commits into from
Mar 1, 2021

Contributor

@GunArm GunArm commented Sep 4, 2020

Fixes issue #62

Barrett Lewis added 4 commits September 4, 2020 15:17
this is more consistent with how the linux script
outputs ssh activity via non-detached sshd
even if you do want to run an arbitrary command, making
environment variables available is probably good or
at least doesn't hurt. Especially if that command happens
to be some uncaught variant of sshd
Contributor Author

GunArm commented Sep 4, 2020

The same tests fail when I run ./make.ps1 test locally on the current master branch. Are the windows tests currently not working?

@GunArm GunArm marked this pull request as ready for review September 4, 2020 23:09
@GunArm GunArm requested a review from a team as a code owner September 4, 2020 23:09
Contributor Author

GunArm commented Sep 4, 2020

Here's the output of the windows container showing the added logging changes, at the top and bottom, with rsa pubkey provided as first param

PS C:\docker_testing\ssh-key-temp> docker logs lucid_torvalds
setup-sshd.ps1 param: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtdWWavvGzQt+GlTV4azrwqlU/PmdaD0VAYTgbkoiCNkYo2M37OZDBF7YM7BQ8Q081rfJiOZjSitzKg0qnDGwzpDCEobVDhPG3zGm+zy5RWDCM8ZXjkZhB/0witP5rQ0MdtI6BoYf99ydqiH8Ex3pp4Vgbds8jZoqW1SkKzb0G+owbDeYUKH4l8hMDayEjhv8ZNhTVY3P/+Rv0Y5p8USNL7NtUGdPM70j3BRQmBfkM8XBofGvbTK3FSzO+AFh1Z72+MwhGm2qCrf+LMh2MnF+sIPT2ZWvHKKRpoqIms9oAAiuQzRRy7a0uj/p4il1fkbat/Mq+IQnwkNdZKktpURoj'
Authorizing ssh pubkey found in params.

Windows IP Configuration


Ethernet adapter vEthernet (Ethernet):

   Connection-specific DNS Suffix  . : lan.xyz.com
   Link-local IPv6 Address . . . . . : fe80::39f6:ee57:8ee:b354%17
   IPv4 Address. . . . . . . . . . . : 172.28.164.122
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 172.28.160.1

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             5ec1fd15d5f9:0         LISTENING
  TCP    0.0.0.0:135            5ec1fd15d5f9:0         LISTENING
  TCP    0.0.0.0:49164          5ec1fd15d5f9:0         LISTENING
  TCP    0.0.0.0:49165          5ec1fd15d5f9:0         LISTENING
  TCP    0.0.0.0:49166          5ec1fd15d5f9:0         LISTENING
  TCP    172.28.161.174:49162   13.88.145.64:https     TIME_WAIT
  TCP    172.28.164.122:49168   13.88.145.64:https     TIME_WAIT
  TCP    [::]:22                5ec1fd15d5f9:0         LISTENING
  TCP    [::]:135               5ec1fd15d5f9:0         LISTENING
  TCP    [::]:49164             5ec1fd15d5f9:0         LISTENING
  TCP    [::]:49165             5ec1fd15d5f9:0         LISTENING
  TCP    [::]:49166             5ec1fd15d5f9:0         LISTENING
  UDP    0.0.0.0:5353           *:*
  UDP    0.0.0.0:5355           *:*
  UDP    [::]:5353              *:*
  UDP    [::]:5355              *:*
5660 2020-09-04 01:05:56.422 Server listening on :: port 22.
5660 2020-09-04 01:05:56.422 Server listening on 0.0.0.0 port 22.
7740 2020-09-04 01:05:57.380 error: kex_exchange_identification: Connection closed by remote host
10768 2020-09-04 01:05:57.380 error: kex_exchange_identification: Connection closed by remote host
9580 2020-09-04 01:05:57.426 WARNING: could not open __PROGRAMDATA__\\ssh/moduli (No such file or directory), using fixed modulus
9580 2020-09-04 01:05:57.595 Received disconnect from 10.6.0.5 port 58116:11: Closed due to user request. [preauth]
9580 2020-09-04 01:05:57.595 Disconnected from 10.6.0.5 port 58116 [preauth]
10284 2020-09-04 01:05:57.724 WARNING: could not open __PROGRAMDATA__\\ssh/moduli (No such file or directory), using fixed modulus
10284 2020-09-04 01:05:57.912 Accepted publickey for jenkins from 10.6.0.5 port 58120 ssh2: RSA SHA256:AZKaUux7uTIWvFrSv6eXNKtW0Wz9y8cHxAKya35dh+g

Here it is catching the default docker-plugin /usr/sbin/sshd -D -p 22 command and ignoring it, rather than halting on error.

PS C:\docker_testing\ssh-key-temp> docker logs hardcore_faraday
setup-sshd.ps1 param: '/usr/sbin/sshd'
Ignoring provided (linux) sshd command.

Windows IP Configuration


Ethernet adapter vEthernet (Ethernet):

   Connection-specific DNS Suffix  . : lan.xyz.com
   Link-local IPv6 Address . . . . . : fe80::5d83:eea5:cb70:c08e%17
   IPv4 Address. . . . . . . . . . . : 172.28.171.136
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 172.28.160.1

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             11971dd9823f:0         LISTENING
  TCP    0.0.0.0:135            11971dd9823f:0         LISTENING
  TCP    0.0.0.0:49152          11971dd9823f:0         LISTENING
  TCP    0.0.0.0:49153          11971dd9823f:0         LISTENING
  TCP    0.0.0.0:49154          11971dd9823f:0         LISTENING
  TCP    172.28.171.136:49156   13.88.145.64:https     TIME_WAIT
  TCP    [::]:22                11971dd9823f:0         LISTENING
  TCP    [::]:135               11971dd9823f:0         LISTENING
  TCP    [::]:49152             11971dd9823f:0         LISTENING
  TCP    [::]:49153             11971dd9823f:0         LISTENING
  TCP    [::]:49154             11971dd9823f:0         LISTENING
  UDP    0.0.0.0:5353           *:*
  UDP    0.0.0.0:5355           *:*
  UDP    [::]:5353              *:*
  UDP    [::]:5355              *:*
12248 2020-09-04 01:10:18.520 Server listening on :: port 22.
12248 2020-09-04 01:10:18.520 Server listening on 0.0.0.0 port 22.
9540 2020-09-04 01:10:19.309 error: kex_exchange_identification: Connection closed by remote host
7812 2020-09-04 01:10:19.323 error: kex_exchange_identification: Connection closed by remote host
9384 2020-09-04 01:10:19.363 WARNING: could not open __PROGRAMDATA__\\ssh/moduli (No such file or directory), using fixed modulus
9384 2020-09-04 01:10:19.529 Received disconnect from 10.6.0.5 port 38590:11: Closed due to user request. [preauth]
9384 2020-09-04 01:10:19.529 Disconnected from 10.6.0.5 port 38590 [preauth]
3040 2020-09-04 01:10:19.629 WARNING: could not open __PROGRAMDATA__\\ssh/moduli (No such file or directory), using fixed modulus
3040 2020-09-04 01:10:19.845 Received disconnect from 10.6.0.5 port 38594:11: Closed due to user request. [preauth]
3040 2020-09-04 01:10:19.845 Disconnected from authenticating user jenkins 10.6.0.5 port 38594 [preauth]

@GunArm GunArm changed the title Fixes #62 Improve compatibility with jenkins docker-plugin Sep 4, 2020
@slide slide self-assigned this Sep 4, 2020
Member

slide commented Sep 4, 2020

I've been meaning to look at the tests but haven't had a chance to do so yet.

Member

slide commented Sep 4, 2020

Close and reopen to rebuild after merging in a pester fix

@slide slide closed this Sep 4, 2020
@slide slide reopened this Sep 4, 2020
Member

slide commented Sep 5, 2020

I think this looks pretty good overall. I will do some testing locally as well.

Member

slide commented Sep 8, 2020

Do you think you could add a test around these changes?

Contributor Author

GunArm commented Sep 9, 2020

Last commit fixes linux test which supplied args quoted, while the code (and jenkins-plugin) provide it unquoted. For consistency I made it support both ways and a test for each, although the second test isn't super useful.

Notably after looking at the code for docker-plugin, there are other forms of this command, the port can be changed, and additional params can get added if using the Inject Credentials setting. This code only deals with the literal form of the default command or it would get too complicated and add risk. I considered removing the linux condition entirely, but kept it because ignoring the param sshd command and running the script sshd command ensures the sshd output goes to the docker logs (with -e flag).

The linux tests pass now, the failure was an intermittent (startup time?) failure on a previously existing test.

Contributor Author

GunArm commented Sep 9, 2020

I am open to any requests for style fixes or squashing

Member

@oleg-nenashev oleg-nenashev left a comment

I have tested JDK8 and JDK11 ubuntu images with the patch, they work well. CI is unstable in this repo unfortunately, will try to get it fixed

Contributor Author

GunArm commented Mar 1, 2021

Is there anything preventing this from being merged? Conflicts? Complications? Needed discussion?

Contributor Author

GunArm commented Mar 1, 2021

If desired, I could also incorporate the change from PR #68 into my branch so that there is not a merge conflict between them. The only reason I didn't in the first place is to make this PR less complicated to review. But since it's been many months, maybe having them in a single branch to merge would make things easier?

@slide slide merged commit 825b242 into jenkinsci:master Mar 1, 2021

afischer211 commented Mar 4, 2021

Hello, the line
"elif [[ "$@" == "/usr/sbin/sshd -D -p 22" ]]; then"
in PR#63 does not match in Bash/Linux.

I think, a better solution is using the operator "=~" for regexp-matching:
"elif [[ "$@" =~ /usr/sbin/sshd\ -D\ -p\ 22.* ]]; then"

Here all calls with additional parameters match, but you must mask out the spaces in the (un-quoted!) search-pattern.
See also at Stackoverflow...

Contributor Author

GunArm commented Mar 4, 2021

Hm. You are saying it doesn't match at all, as in the string is not detected?

My memory is fuzzy because this was back in September, I can do some testing to refresh. But I was pretty sure I had tested this many ways, including edge casey ways which were not actually likely to occur.
The literal string match should work as that is (or was?) exactly what was produced by the default docker-plugin configuration, but I see you are recommending to improve it by a regex match with a wildcard at the end, implying to me the argument you are receiving has more at the end of it. I'm curious why/what that is. Are you testing through docker-plugin or starting containers manually or running the unit tests? Can you show the actual full argument your setup is producing?

Something which is mentioned above is that there are other arguments docker-plugin can produce if you have something other than the default settings, but trying to support all of those is too much complexity for this stop gap fix. I'm curious if the reason you have additional characters after the command is because you don't have the default configuration?

Edit: also note that immediately after that condition you paste, we have to shift the arguments by a number of tokens, which is 4 unless the string arrives quoted and then it is 1. So if you have more arguments that are part of this command those would have to be counted/shifted as well, which is where I decided the diminishing returns of complexity were too much. I didn't want this to dominate the rest of the script. Not averse to providing additional changes if it's not too much

Can you provide more info on your setup?

@afischer211

Hello, the reason for my investigation is, that the last line of the entrypoint script is not executed. I use the docker-plugin inside jenkins for starting up slave-containers (connected by ssh). Because I want to receive the extended output of ssh with the option -e, I hope on the new version of this script by one of the last pull requests.
But I must detect, the entrypoint script does not match for the given params of the docker-plugin. They are:
"/usr/sbin/sshd -D -p 22 -o AuthorizedKeysCommand=**** -o AuthorizedKeysCommandUser=****"
So my enhancement with regexp matches and works like expected (shifting out all arguments until the first -o...), the original version does not match and execute the command in the else-branch (without the -e option).
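
The matching problem discussed in the last comments, as an added example that is not part of this thread or the project's entrypoint script: it compares the arguments token by token with POSIX `[ ]` and `case` instead of the bash `==` or `=~` tests quoted above, so the default command still matches when extra `-o` options follow it, while `-p 2222` or a command that merely contains the sshd string does not. The helper name `sshd_prefix_len` and the sample option values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; sshd_prefix_len is a hypothetical helper, not the project's code.
# Prints how many leading arguments make up the docker-plugin sshd command:
#   4 = unquoted tokens, 1 = whole command quoted as one argument, 0 = no match.
sshd_prefix_len() {
    default_cmd='/usr/sbin/sshd -D -p 22'

    # Quoted form: one argument holding the command, alone or followed by
    # a space and further options.
    if [ "$#" -ge 1 ]; then
        case "$1" in
            "$default_cmd" | "$default_cmd "*)
                echo 1
                return 0
                ;;
        esac
    fi

    # Unquoted form: compare token by token, so "-p 2222" is not mistaken
    # for "-p 22" the way an unanchored pattern ending in "22.*" would be.
    if [ "$#" -ge 4 ] && [ "$1" = "/usr/sbin/sshd" ] && [ "$2" = "-D" ] \
        && [ "$3" = "-p" ] && [ "$4" = "22" ]; then
        echo 4
        return 0
    fi

    echo 0
}

# Constructed inputs modelled on the argument forms quoted in the thread.
sshd_prefix_len /usr/sbin/sshd -D -p 22
sshd_prefix_len '/usr/sbin/sshd -D -p 22'
sshd_prefix_len /usr/sbin/sshd -D -p 22 -o AuthorizedKeysCommand=PLACEHOLDER
sshd_prefix_len /usr/sbin/sshd -D -p 2222
```

A caller would `shift` by the printed count; in the quoted form any trailing options sit inside that single argument and are dropped with it unless they are split out first.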
