Use user identify from $LIMA_HOME/_config/user #83
Conversation
pkg/sshutil/sshutil.go
Outdated
| return nil | ||
| } else { | ||
| // Check that private key exists and then try to read public key | ||
| if _, err := os.Stat(privateKeyPath); err == nil { |
There was a problem hiding this comment.
Return err if !error.Is(err, os.ErrNorExist)
There was a problem hiding this comment.
DefaultPubKeys doesn't return any errors; it just ignores key files it cannot read. So not sure what to do here.
In the end the user would be told to run ssh-keygen when DefaultPubKeys returns an empty list, so not sure that aborting on the first error is really helpful.
pkg/sshutil/sshutil.go
Outdated
| @@ -83,5 +124,12 @@ func SSHArgs(instDir string) ([]string, error) { | |||
| "-o", "Compression=no", | |||
| "-o", "BatchMode=yes", | |||
| } | |||
| configDir, err := store.LimaConfigDir() | |||
| if err == nil { | |||
There was a problem hiding this comment.
Return err if !error.Is(err, os.ErrNorExist)
pkg/sshutil/sshutil.go
Outdated
| configDir, err := store.LimaConfigDir() | ||
| if err == nil { | ||
| privateKeyPath := filepath.Join(configDir, "user") | ||
| if _, err := os.Stat(privateKeyPath); err == nil { |
There was a problem hiding this comment.
Return err if !error.Is(err, os.ErrNorExist)
pkg/store/store.go
Outdated
| @@ -29,6 +29,20 @@ func LimaDir() (string, error) { | |||
| return dir, nil | |||
| } | |||
|
|
|||
| // LimaConfigDir returns the path of the config directory, $LIMA_HOME/_config. | |||
| // It will create the directory if it doesn't yet exist. | |||
There was a problem hiding this comment.
I’m not sure this function should make the dir.
There was a problem hiding this comment.
Yeah, it is inconsistent with what LimaDir does, but I was thinking about letting that one create the directory too. Would that simplify the calling code?
pkg/store/store.go
Outdated
| if err != nil { | ||
| return "", err | ||
| } | ||
| configDir := filepath.Join(limaDir, "_config") |
There was a problem hiding this comment.
“_config” should be a constant.
There was a problem hiding this comment.
Yes, I was tempted to put it into store/filenames, but that package claims it only defines names for the instance directories. So where should _config be defined? New package?
jandubois
force-pushed
the
ssh-key
branch
2 times, most recently
from
b8c126b
to
6242841
Compare
|
@AkihiroSuda I believe I've addresses all issues you pointed out. Can you please confirm? But I'm wondering now if the Should |
|
Sorry, I refactored By tightening the error handling I've also reduced the logic nesting level a bit, as it was getting out of hand. I've also gone ahead and added other file and directory names to the I believe I'm done with it now (unless you have more feedback). |
jandubois
force-pushed
the
ssh-key
branch
3 times, most recently
from
0eb0b94
to
e329055
Compare
By default lima uses the public keys from ~/.ssh/*.pub This change makes it try $LIME_HOME/_config/user.pub first and only fall back on the ~/.ssh/*.pub keys when that one does not exist. It will create the key under $LIMA_HOME/_config if there aren't any public keys under ~/.ssh. Signed-off-by: Jan Dubois <jan.dubois@suse.com>
|
@AkihiroSuda The latest CI failure is different, but I've seen a lot of errors like this before: Any idea why that is happening? You would think the connection between gha and ghcr should be pretty solid... |
|
I guess macOS instances might be running on a different infra that isn't optimal for ghcr? |
| if err := os.MkdirAll(configDir, 0700); err != nil { | ||
| return nil, errors.Wrapf(err, "could not create %q directory", configDir) | ||
| } | ||
| keygenCmd := exec.Command("ssh-keygen", "-t", "ed25519", "-q", "-N", "", "-f", |
There was a problem hiding this comment.
We should lock the directory. I can open a follow-up PR.
pkg/sshutil/sshutil.go
Outdated
| args := []string{ | ||
| "-i", privateKeyPath, |
There was a problem hiding this comment.
Question: would it be possible to let ssh read both ~/.lima/_config keys and ~/.ssh keys?
Otherwise this will break existing instances.
There was a problem hiding this comment.
Question: would it be possible to let ssh read both
~/.lima/_configkeys and~/.sshkeys?
Yes, you can specify multiple -i options, and the identities will be tried in sequence. I think the server may be limiting the number of attempts to 3, so it could still fail if the user added multiple keys after creating the instance. But that is already a problem with the current implementation, so doesn't change anything. Just another reason to have a lima-specific identity, and always specify that one first.
There was a problem hiding this comment.
Question: would it be possible to let ssh read both
~/.lima/_configkeys and~/.sshkeys?
I've pushed the change in a separate commit for easier review; lmk if you want me to squash it!
Otherwise instances created with the previous release of lima would become inaccessible by the `limactl shell` command. Signed-off-by: Jan Dubois <jan.dubois@suse.com>
By default lima uses the public keys from
~/.ssh/*.pub.This change makes it try
$LIME_HOME/_config/user.pubfirst and only fall back on the~/.ssh/*.pubkeys when that one does not exist. It will create the key under$LIMA_HOME/_configif there aren't any public keys under~/.ssh.Fixes #78