Use user identity from $LIMA_HOME/_config/user #83
Conversation
pkg/sshutil/sshutil.go
Outdated
return nil | ||
} else { | ||
// Check that private key exists and then try to read public key | ||
if _, err := os.Stat(privateKeyPath); err == nil { |
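Review bot: the `if _, err := os.Stat(privateKeyPath); err == nil` check on the last line of this hunk is a check-then-use: a separate stat followed by a later read of the public key means a permission error or a path that is not a regular file is folded into the "key absent" branch and the code silently falls through to the ~/.ssh fallback. Suggest opening/reading the key directly and treating only `errors.Is(err, os.ErrNotExist)` as "no Lima key", returning every other error to the caller.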
Return err if !errors.Is(err, os.ErrNotExist)
DefaultPubKeys doesn't return any errors; it just ignores key files it cannot read. So not sure what to do here. In the end the user would be told to run ssh-keygen when DefaultPubKeys returns an empty list, so not sure that aborting on the first error is really helpful.
pkg/sshutil/sshutil.go
Outdated
@@ -83,5 +124,12 @@ func SSHArgs(instDir string) ([]string, error) { | |||
"-o", "Compression=no", | |||
"-o", "BatchMode=yes", | |||
} | |||
configDir, err := store.LimaConfigDir() | |||
if err == nil { |
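Review bot: `configDir, err := store.LimaConfigDir()` followed by `if err == nil {` discards the error: when the config directory cannot be resolved, the Lima-specific identity is silently left out of the ssh arguments and the connection proceeds with whatever ~/.ssh keys happen to exist, which makes a configuration problem look like an authentication problem. A failure of `LimaConfigDir()` is not a "not found" condition, so suggest `if err != nil { return nil, err }` here and keeping the existence check for the key file itself.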
Return err if !errors.Is(err, os.ErrNotExist)
pkg/sshutil/sshutil.go
Outdated
configDir, err := store.LimaConfigDir() | ||
if err == nil { | ||
privateKeyPath := filepath.Join(configDir, "user") | ||
if _, err := os.Stat(privateKeyPath); err == nil { |
Return err if !errors.Is(err, os.ErrNotExist)
pkg/store/store.go
Outdated
@@ -29,6 +29,20 @@ func LimaDir() (string, error) { | |||
return dir, nil | |||
} | |||
|
|||
// LimaConfigDir returns the path of the config directory, $LIMA_HOME/_config. | |||
// It will create the directory if it doesn't yet exist. |
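Review bot: the doc comment on the last line says `LimaConfigDir` creates the directory if it doesn't exist, but this directory is where the private key `user` will live, so the creation mode needs to be 0700 and the comment should say so; `os.MkdirAll` also leaves the mode of an already existing directory untouched, so a pre-existing `_config` with looser permissions would not be tightened. Creating directories from a function whose job is to return a path also gives read-only callers such as `SSHArgs` a side effect; suggest documenting the mode and considering a separate explicit create step, as the reviewer's comment on this hunk also asks.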
I’m not sure this function should make the dir.
Yeah, it is inconsistent with what LimaDir does, but I was thinking about letting that one create the directory too. Would that simplify the calling code?
pkg/store/store.go
Outdated
if err != nil { | ||
return "", err | ||
} | ||
configDir := filepath.Join(limaDir, "_config") |
“_config” should be a constant.
Yes, I was tempted to put it into store/filenames, but that package claims it only defines names for the instance directories. So where should _config be defined? New package?
pkg/store.ConfigDir
b8c126b to 6242841
@AkihiroSuda I believe I've addressed all issues you pointed out. Can you please confirm? But I'm wondering now if the Should
Sorry, I refactored By tightening the error handling I've also reduced the logic nesting level a bit, as it was getting out of hand. I've also gone ahead and added other file and directory names to the I believe I'm done with it now (unless you have more feedback).
0eb0b94 to e329055
By default lima uses the public keys from ~/.ssh/*.pub This change makes it try $LIMA_HOME/_config/user.pub first and only fall back on the ~/.ssh/*.pub keys when that one does not exist. It will create the key under $LIMA_HOME/_config if there aren't any public keys under ~/.ssh. Signed-off-by: Jan Dubois <jan.dubois@suse.com>
@AkihiroSuda The latest CI failure is different, but I've seen a lot of errors like this before:
Any idea why that is happening? You would think the connection between gha and ghcr should be pretty solid...
I guess macOS instances might be running on a different infra that isn't optimal for ghcr?
if err := os.MkdirAll(configDir, 0700); err != nil { | ||
return nil, errors.Wrapf(err, "could not create %q directory", configDir) | ||
} | ||
keygenCmd := exec.Command("ssh-keygen", "-t", "ed25519", "-q", "-N", "", "-f", |
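Review bot: there is no mutual exclusion between the earlier "key does not exist" decision and `exec.Command("ssh-keygen", ...)` on the last line, so two `limactl` processes started at the same time can both conclude the key is missing and both run `ssh-keygen` against the same `-f` path; this is the locking gap the reviewer flags and a lock file taken before the existence check would close it. Separately, `os.MkdirAll(configDir, 0700)` does not change the mode of a directory that already exists, so an existing world-readable `_config` would receive the new private key as-is; since `-N ""` produces an unencrypted key, suggest verifying (or chmod-ing) the directory mode after `MkdirAll` and before generating.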
We should lock the directory. I can open a follow-up PR.
pkg/sshutil/sshutil.go
Outdated
args := []string{ | ||
"-i", privateKeyPath, |
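Review bot: listing `"-i", privateKeyPath` first only guarantees that the Lima key is the first file offered; ssh will still offer agent-held and default identities after it, which is what lets the server-side attempt limit discussed in this thread bite when a user has many keys. If the intent is that only the identities passed on the command line are tried, add `"-o", "IdentitiesOnly=yes"` next to the other `-o` options so that the order of the `-i` arguments fully determines what is offered; explicitly listed `-i` files are still used with that option set.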
Question: would it be possible to let ssh read both ~/.lima/_config keys and ~/.ssh keys? Otherwise this will break existing instances.
> Question: would it be possible to let ssh read both ~/.lima/_config keys and ~/.ssh keys?

Yes, you can specify multiple -i options, and the identities will be tried in sequence. I think the server may be limiting the number of attempts to 3, so it could still fail if the user added multiple keys after creating the instance. But that is already a problem with the current implementation, so doesn't change anything. Just another reason to have a lima-specific identity, and always specify that one first.
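The ordering discussed in this exchange (Lima identity first, then the ~/.ssh keys) together with the error handling the reviewers asked for on the `os.Stat` checks, written out as a self-contained Go example. This is added illustration, not code from the PR or from the lima project: the function name `identityArgs`, its `(configDir, sshDir)` signature, the constant `limaIdentityFile = "user"` and the refusal of group/world-readable private keys are all assumptions made here; the PR itself only checks for existence. It goes slightly beyond the thread by also skipping `.pub` files whose private half is missing and by reporting a "run ssh-keygen" error when no identity is usable, matching what `DefaultPubKeys` returning an empty list leads to.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// limaIdentityFile is the assumed name of the Lima-specific private key
// inside the config directory ($LIMA_HOME/_config/user in the PR).
const limaIdentityFile = "user"

// checkPrivateKey stats a private key and refuses one that is readable by
// group or others, mirroring ssh's own "UNPROTECTED PRIVATE KEY FILE" refusal
// (this permission check is an assumption of the example, not part of the PR).
// A missing file surfaces as os.ErrNotExist so callers can tell the expected
// "no key here" case apart from real failures such as EACCES.
func checkPrivateKey(path string) error {
	fi, err := os.Stat(path)
	if err != nil {
		return err // wraps os.ErrNotExist when the file is absent
	}
	if fi.Mode().Perm()&0o077 != 0 {
		return fmt.Errorf("%q is readable by others (mode %04o)", path, fi.Mode().Perm())
	}
	return nil
}

// identityArgs returns the "-i" arguments for ssh: the Lima identity first,
// then every ~/.ssh key that has a matching .pub file, so the Lima key is
// offered before any other key counts against the server's attempt limit.
// Only os.ErrNotExist is treated as "skip this key"; any other error aborts
// instead of being silently folded into the fallback path.
func identityArgs(configDir, sshDir string) ([]string, error) {
	var args []string

	limaKey := filepath.Join(configDir, limaIdentityFile)
	switch err := checkPrivateKey(limaKey); {
	case err == nil:
		args = append(args, "-i", limaKey)
	case !errors.Is(err, os.ErrNotExist):
		return nil, fmt.Errorf("lima identity: %w", err)
	}

	// filepath.Glob ignores I/O errors (a missing sshDir just yields no matches)
	// and returns sorted names, so the order of the fallback keys is stable.
	pubs, err := filepath.Glob(filepath.Join(sshDir, "*.pub"))
	if err != nil {
		return nil, err
	}
	for _, pub := range pubs {
		priv := strings.TrimSuffix(pub, ".pub")
		switch err := checkPrivateKey(priv); {
		case err == nil:
			args = append(args, "-i", priv)
		case errors.Is(err, os.ErrNotExist):
			continue // a .pub without its private half is not usable by ssh
		default:
			return nil, fmt.Errorf("ssh identity: %w", err)
		}
	}

	if len(args) == 0 {
		return nil, errors.New("no usable ssh identity found; run ssh-keygen")
	}
	return args, nil
}

func main() {
	home, err := os.UserHomeDir()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	// Assumed locations; the PR derives the config dir from $LIMA_HOME.
	args, err := identityArgs(filepath.Join(home, ".lima", "_config"), filepath.Join(home, ".ssh"))
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Println("ssh", strings.Join(args, " "), "...")
}
```

The two `switch` statements are where the reviewers' point lands: `os.ErrNotExist` is the one error that means "fall back", and everything else is returned, so a permissions problem on `$LIMA_HOME/_config/user` is reported instead of quietly degrading to the ~/.ssh keys.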
> Question: would it be possible to let ssh read both ~/.lima/_config keys and ~/.ssh keys?

I've pushed the change in a separate commit for easier review; lmk if you want me to squash it!
Otherwise instances created with the previous release of lima would become inaccessible by the `limactl shell` command. Signed-off-by: Jan Dubois <jan.dubois@suse.com>
Thanks
By default lima uses the public keys from ~/.ssh/*.pub. This change makes it try $LIMA_HOME/_config/user.pub first and only fall back on the ~/.ssh/*.pub keys when that one does not exist. It will create the key under $LIMA_HOME/_config if there aren't any public keys under ~/.ssh.

Fixes #78