This repository has been archived by the owner on Oct 19, 2022. It is now read-only.

ssh config files and/or private keys #33

Merged
merged 3 commits into from
Sep 5, 2017

Conversation

vieux
Owner

@vieux vieux commented Aug 25, 2017

close #24 #22

@vieux vieux force-pushed the private_key branch 7 times, most recently from 5de841b to 3988740 on August 25, 2017 22:05
@vieux vieux changed the title [WIP] ssh config files and/or private keys Aug 25, 2017
@vieux
Owner Author

vieux commented Aug 25, 2017

@cyli @stevvooe what's wrong with this version?

/cc @mattzuba @davidwilliamson

@vieux vieux force-pushed the private_key branch 19 times, most recently from 6204c10 to 8f251b0 on August 26, 2017 00:45
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
@stevvooe

Looks reasonable. Using a mount to get the keys in!

@marcelo-ochoa

It works perfectly, thanks for the contribution.
When will this patch be merged into the master branch?
Best regards, Marcelo.

@vieux
Owner Author

vieux commented Sep 1, 2017

@marcelo-ochoa I'll merge today, push the v1.3 image today and, if everything goes as planned, I'll update latest -> 1.3 next week.

@marcelo-ochoa

Great!!! Thanks a lot. In the meantime I'll configure my volumes using vieux/sshfs:next compiled from source.

@mattzuba

mattzuba commented Sep 1, 2017

The only question I'd have is why not mount it to /root/.ssh instead of /.ssh? /root/.ssh would allow more flexibility with an ssh config file rather than having to specify all of the -o options in the volume create command.

My use-case is probably somewhat unique, but I basically have an in-house CI/CD system modeled after Bitbucket's Pipelines with an added extension that allows me to specify mounts in the docker containers to push builds to for QA and production deployments (see example below). The simpler I can keep this, the better off we are. With the YAML config below, along with the simple change I mentioned in my issue, I can do all of the ssh settings in an ssh_config file which is mounted in /root/.ssh of this plugin along with the ssh keys. With the proposed PR, I'd likely have to add an 'options' array to the mount definition and pass those as a bunch of -o options to the volume create command.

If /root/.ssh is a security risk, I completely understand and I can work around it (maybe using -F /.ssh/config in volume create?)

image: deploy-image

pipelines:
  branches:
    stable:
      - step:
          mounts:
            - linux01
          script:
            - deploy -d /mnt/linux01/srv/www/myapp

definitions:
  mounts:
    linux01:
      type: linux
      host: linux01.mydomain.com
      path: /

@vieux
Owner Author

vieux commented Sep 1, 2017

@mattzuba how about like this?

@mattzuba

mattzuba commented Sep 1, 2017

Yup, I think that would be perfect! I already left work for the day so I can't test it out right now, but I don't see why it wouldn't work!

Dockerfile Outdated
@@ -10,6 +10,6 @@ CMD ["/go/bin/docker-volume-sshfs"]

FROM alpine
RUN apk update && apk add sshfs
RUN mkdir -p /run/docker/plugins /mnt/state /mnt/volumes
RUN mkdir -p /run/docker/plugins /mnt/state /mnt/volumes .ssh
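Review bot: the `.ssh` appended to `RUN mkdir -p /run/docker/plugins /mnt/state /mnt/volumes .ssh` is a relative path, so where it is created depends on the working directory of the `FROM alpine` stage; with no `WORKDIR` among the visible lines it resolves to `/.ssh`, which does not match the `/root/.ssh` location raised in the review comment below. Make it absolute (`/root/.ssh`, or `/.ssh` if that is the intended mount destination) so the directory the image creates and the bind-mount destination cannot drift apart.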

Should this be adjusted to be /root/.ssh instead of just .ssh?

Owner Author


I'll take a look; I'm not sure it's needed since the tests are passing right now.

Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
@marcelo-ochoa

I tested the latest commit and it works without passing the argument:
-o IdentityFile=/.ssh/id_rsa
but it still requires the plugin setting:
docker plugin set vieux/sshfs:next sshkey.source=/root/.ssh/
to work with keys stored and named using the ssh default settings.
Is there a possibility to avoid the above setting by having a default value when the plugin is installed/enabled?
Best regards, Marcelo.
PS: After installing the plugin, the mounts look like:

            "Mounts": [
                {
                    "Description": "",
                    "Destination": "/mnt/state",
                    "Name": "state",
                    "Options": [
                        "rbind"
                    ],
                    "Settable": [
                        "source"
                    ],
                    "Source": "/var/lib/docker/plugins/",
                    "Type": "bind"
                },
                {
                    "Description": "",
                    "Destination": "/root/.ssh",
                    "Name": "sshkey",
                    "Options": [
                        "rbind"
                    ],
                    "Settable": [
                        "source"
                    ],
                    "Source": "",
                    "Type": "bind"
                }
            ]

note the property "Source": "", after calling plugin set it is defined "Source": "/root/.ssh/"

@marcelo-ochoa

Well, this simple patch gives the Source property a default value :)

diff --git a/config.json b/config.json
index e396ffa..6852b4b 100644
--- a/config.json
+++ b/config.json
@@ -52,6 +52,7 @@
       "settable": [
         "source"
       ],
+      "Source": "/root/.ssh/",
       "type": "bind"
     }
   ],
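Review bot: the inserted key `"Source"` is capitalised while the neighbouring keys in this hunk (`"settable"`, `"type"`) are lower-case, so it is unlikely to be read as the mount's `source` field; if a default is wanted it should be spelled `"source": "/root/.ssh/"`. Also worth weighing before merging: a value fixed in config.json may stop `docker plugin set vieux/sshfs:next sshkey.source=...` from overriding it, which is the flexibility this thread is trying to keep.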

@vieux
Owner Author

vieux commented Sep 2, 2017 via email

@mattzuba

mattzuba commented Sep 2, 2017 via email

@marcelo-ochoa

OK, my point is to provide a two-step installation.
IMO the plugin installer should be root on the bare-metal server, which for sure has access to the /root/.ssh directory; if the plugin installer is a user other than root, what happens if they call
docker plugin set vieux/sshfs:next sshkey.source=/root/.ssh/
to gain access to the root directory?
Best regards, Marcelo.

@marcelo-ochoa

Forget the diff about the config.json file; I found that if the Source property is set in that file then it is not possible to change it at run-time with:
docker plugin set vieux/sshfs:next sshkey.source=/root/.ssh
On the other hand, if a regular user is included in the Unix docker group, they will be able to enable/disable the plugin and obviously set the above property, which could open a security hole in the docker plugin run-time by changing the directory to another one which has different private keys.
But if the server's sysadmin adds another user to the docker group, they surely trust that user ;)
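An added check, not part of the plugin or of any comment in this thread, that reads a `docker plugin inspect` mount listing like the one Marcelo pasted above and reports whether the `sshkey` bind mount points at the key directory the host administrator intended. It covers both the empty `Source` before `docker plugin set` and the concern that a docker-group member can re-point it; the JSON is constructed from the fields quoted in the thread, and `simulate_plugin_set` is a hypothetical stand-in for the real `docker plugin set` command.

```python
import json
import os

# Constructed sample of `docker plugin inspect vieux/sshfs:next` output, trimmed to the
# fields quoted in the thread; it was not captured from a real host.
INSPECT_BEFORE_SET = json.dumps([{
    "Name": "vieux/sshfs:next",
    "Enabled": False,
    "Settings": {"Mounts": [
        {"Destination": "/mnt/state", "Name": "state", "Options": ["rbind"],
         "Settable": ["source"], "Source": "/var/lib/docker/plugins/", "Type": "bind"},
        {"Destination": "/root/.ssh", "Name": "sshkey", "Options": ["rbind"],
         "Settable": ["source"], "Source": "", "Type": "bind"},
    ]},
}])


def check_sshkey_mount(inspect_json, expected_source="/root/.ssh/"):
    """Return the sshkey mount's current source, whether it is settable, and a
    list of problems; an empty list means the plugin will read private keys
    from exactly the directory the administrator expects."""
    result = {"source": None, "settable": False, "problems": []}
    plugins = json.loads(inspect_json)
    mounts = plugins[0].get("Settings", {}).get("Mounts", []) if plugins else []
    sshkey = next((m for m in mounts if m.get("Name") == "sshkey"), None)
    if sshkey is None:
        result["problems"].append("plugin declares no 'sshkey' mount")
        return result
    result["source"] = sshkey.get("Source", "")
    result["settable"] = "source" in sshkey.get("Settable", [])
    if sshkey.get("Type") != "bind":
        result["problems"].append("sshkey mount is not a bind mount")
    if not result["source"]:
        result["problems"].append("sshkey Source is empty; run "
                                  "`docker plugin set vieux/sshfs:next sshkey.source=/root/.ssh/`")
    elif os.path.normpath(result["source"]) != os.path.normpath(expected_source):
        # Anyone in the docker group can run `docker plugin set`, so a source that
        # differs from the expected one deserves a look.
        result["problems"].append(f"sshkey Source {result['source']!r} is not the "
                                  f"expected {expected_source!r}")
    return result


def simulate_plugin_set(inspect_json, source):
    """Hypothetical stand-in for `docker plugin set ... sshkey.source=<source>`:
    returns the inspect JSON with only the sshkey mount's Source changed."""
    plugins = json.loads(inspect_json)
    for m in plugins[0]["Settings"]["Mounts"]:
        if m["Name"] == "sshkey":
            m["Source"] = source
    return json.dumps(plugins)
```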

@vieux vieux mentioned this pull request Sep 4, 2017
@vieux vieux merged commit d7c3e8e into master Sep 5, 2017
@vieux vieux deleted the private_key branch September 5, 2017 21:00
@vieux vieux mentioned this pull request Sep 5, 2017