sshforward: implement ssh socket forwarding #608
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tonistiigi
force-pushed
the
ssh-forwarding
branch
from
2618dcd to
56ef9fc
Compare
AkihiroSuda
reviewed
Sep 7, 2018
session/sshforward/ssh.proto
Outdated
|
|
||
| service SSH { | ||
| rpc CheckAgent(CheckAgentRequest) returns (CheckAgentResponse); | ||
| rpc ForwardAgent(stream BytesMessage) returns (stream BytesMessage); |
tonistiigi
force-pushed
the
ssh-forwarding
branch
2 times, most recently
from
5a557bd to
1b7f365
Compare
AkihiroSuda
reviewed
Sep 7, 2018
session/sshforward/ssh.go
Outdated
| // DefaultID is the default ssh ID | ||
| const DefaultID = "default" | ||
|
|
||
| const KeySSHID = "buildkitd.ssh.id" |
AkihiroSuda
reviewed
Sep 7, 2018
| return nil, err | ||
| } | ||
| if conf.ID == "" { | ||
| conf.ID = "default" |
AkihiroSuda
approved these changes
Sep 7, 2018
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
tonistiigi
force-pushed
the
ssh-forwarding
branch
from
1b7f365 to
68502db
Compare
tiborvass
reviewed
Sep 10, 2018
| } | ||
|
|
||
| s := &server{l: l} | ||
| go s.run(agent) |
There was a problem hiding this comment.
An error on a single connection shouldn't fail the build. If it causes process to exit then that will become the error.
tiborvass
reviewed
Sep 10, 2018
| }) | ||
| } | ||
|
|
||
| var SSHOptional = sshOptionFunc(func(si *SSHInfo) { |
There was a problem hiding this comment.
why make this writable?
tiborvass
reviewed
Sep 10, 2018
| func NewSSHAgentProvider(confs []AgentConfig) (session.Attachable, error) { | ||
| m := map[string]source{} | ||
| for _, conf := range confs { | ||
| if len(conf.Paths) == 0 || len(conf.Paths) == 1 && conf.Paths[0] == "" { |
There was a problem hiding this comment.
why have the OR condition if you error out for the same condition further below? nevermind I understand now.
tiborvass
reviewed
Sep 10, 2018
| } | ||
| fi, err := os.Stat(p) | ||
| if err != nil { | ||
| return source{}, errors.Wrapf(err, "failed to stat %s", p) |
There was a problem hiding this comment.
unnecessary wrapping, PathError already has similar message such as stat /my/path: No such file or directory
tiborvass
reviewed
Sep 10, 2018
| return errors.Errorf("removing keys not allowed by buildkit") | ||
| } | ||
|
|
||
| func (a *readOnlyAgent) Lock(_ []byte) error { |
There was a problem hiding this comment.
Might as well protect Unlock too, no?
There was a problem hiding this comment.
It is hard to unlock unexpectedly to the user, what the other cases are protecting from.
tiborvass
reviewed
Sep 10, 2018
session/sshforward/ssh.go
Outdated
| id = DefaultID | ||
| } | ||
|
|
||
| go s.run(ctx, l, id) |
tiborvass
reviewed
Sep 10, 2018
| return err | ||
| } | ||
|
|
||
| go Copy(ctx, conn, stream) |
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
tonistiigi
force-pushed
the
ssh-forwarding
branch
from
68502db to
1604b1b
Compare
|
Can we merge? |
|
Any ETA of Dockerfile frontend for this? ^^ |
|
@AkihiroSuda I'll work on the release/test stages for the experimental dockerfiles in next days so we can run them with travis and can probably do it after that. If you have cycles feel free to submit it yourself. The UI should be the same as the secrets with extra mount type and should automatically set up the environment variable if it is unset. |
AkihiroSuda
added a commit
to AkihiroSuda/cli
that referenced
this pull request
Oct 5, 2018
…D=$SSH_AUTH_SOCK`) Unlike `docker build --secret`, `docker build --ssh` allows the build container to use SSH keys with passphrases. $ eval $(ssh-agent) $ ssh-add ~/.ssh/id_rsa (Input your passphrase here) $ docker build --ssh default=$SSH_AUTH_SOCK ... This feature requires the daemon with `CapExecMountSSH` build capability (moby/moby#37973) . Currently, the official Dockerfile frontend does not provide the syntax for using the SSH forwarder. However, the experimental `RUN --mount=type=ssh` syntax can be enabled by using the Dockerfile frontend image built with the `BUILDTAGS="dfrunmount dfssh"`, via the `# syntax =` "shebang". The Dockerfile for the Dockerfile frontend is available at github.com/moby/buildkit/frontend/dockerfile/cmd/dockerfile-frontend) The pre-built image is also available as `tonistiigi/dockerfile:ssh20181002` . An example Dockerfile with `RUN --mount=type=ssh`: # syntax = tonistiigi/dockerfile:ssh20181002 FROM alpine RUN apk add --no-cache openssh-client RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan gitlab.com >> ~/.ssh/known_hosts RUN --mount=type=ssh ssh git@gitlab.com | tee /hello # "Welcome to GitLab, @GITLAB_USERNAME_ASSOCIATED_WITH_SSHKEY" should be printed here More info available at moby/buildkit#608, moby/buildkit#655 Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
AkihiroSuda
added a commit
to AkihiroSuda/cli
that referenced
this pull request
Oct 5, 2018
…D=$SSH_AUTH_SOCK`) Unlike `docker build --secret`, `docker build --ssh` allows the build container to use SSH keys with passphrases. $ eval $(ssh-agent) $ ssh-add ~/.ssh/id_rsa (Input your passphrase here) $ docker build --ssh default=$SSH_AUTH_SOCK ... This feature requires the daemon with `CapExecMountSSH` build capability (moby/moby#37973) . Currently, the official Dockerfile frontend does not provide the syntax for using the SSH forwarder. However, the experimental `RUN --mount=type=ssh` syntax can be enabled by using the Dockerfile frontend image built with the `BUILDTAGS="dfrunmount dfssh"`, via the `# syntax =` "shebang". The Dockerfile for the Dockerfile frontend is available at github.com/moby/buildkit/frontend/dockerfile/cmd/dockerfile-frontend) The pre-built image is also available as `tonistiigi/dockerfile:ssh20181002` . An example Dockerfile with `RUN --mount=type=ssh`: # syntax = tonistiigi/dockerfile:ssh20181002 FROM alpine RUN apk add --no-cache openssh-client RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan gitlab.com >> ~/.ssh/known_hosts RUN --mount=type=ssh ssh git@gitlab.com | tee /hello # "Welcome to GitLab, @GITLAB_USERNAME_ASSOCIATED_WITH_SSHKEY" should be printed here More info available at moby/buildkit#608, moby/buildkit#655 Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
docker-jenkins
pushed a commit
to docker-archive/docker-ce
that referenced
this pull request
Oct 10, 2018
…D=$SSH_AUTH_SOCK`) Unlike `docker build --secret`, `docker build --ssh` allows the build container to use SSH keys with passphrases. $ eval $(ssh-agent) $ ssh-add ~/.ssh/id_rsa (Input your passphrase here) $ docker build --ssh default=$SSH_AUTH_SOCK ... This feature requires the daemon with `CapExecMountSSH` build capability (moby/moby#37973) . Currently, the official Dockerfile frontend does not provide the syntax for using the SSH forwarder. However, the experimental `RUN --mount=type=ssh` syntax can be enabled by using the Dockerfile frontend image built with the `BUILDTAGS="dfrunmount dfssh"`, via the `# syntax =` "shebang". The Dockerfile for the Dockerfile frontend is available at github.com/moby/buildkit/frontend/dockerfile/cmd/dockerfile-frontend) The pre-built image is also available as `tonistiigi/dockerfile:ssh20181002` . An example Dockerfile with `RUN --mount=type=ssh`: # syntax = tonistiigi/dockerfile:ssh20181002 FROM alpine RUN apk add --no-cache openssh-client RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan gitlab.com >> ~/.ssh/known_hosts RUN --mount=type=ssh ssh git@gitlab.com | tee /hello # "Welcome to GitLab, @GITLAB_USERNAME_ASSOCIATED_WITH_SSHKEY" should be printed here More info available at moby/buildkit#608, moby/buildkit#655 Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> Upstream-commit: db7399a016bed833205a17129ed80fad4d15e48d Component: cli
thaJeztah
pushed a commit
to thaJeztah/cli
that referenced
this pull request
Oct 11, 2018
…D=$SSH_AUTH_SOCK`) Unlike `docker build --secret`, `docker build --ssh` allows the build container to use SSH keys with passphrases. $ eval $(ssh-agent) $ ssh-add ~/.ssh/id_rsa (Input your passphrase here) $ docker build --ssh default=$SSH_AUTH_SOCK ... This feature requires the daemon with `CapExecMountSSH` build capability (moby/moby#37973) . Currently, the official Dockerfile frontend does not provide the syntax for using the SSH forwarder. However, the experimental `RUN --mount=type=ssh` syntax can be enabled by using the Dockerfile frontend image built with the `BUILDTAGS="dfrunmount dfssh"`, via the `# syntax =` "shebang". The Dockerfile for the Dockerfile frontend is available at github.com/moby/buildkit/frontend/dockerfile/cmd/dockerfile-frontend) The pre-built image is also available as `tonistiigi/dockerfile:ssh20181002` . An example Dockerfile with `RUN --mount=type=ssh`: # syntax = tonistiigi/dockerfile:ssh20181002 FROM alpine RUN apk add --no-cache openssh-client RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan gitlab.com >> ~/.ssh/known_hosts RUN --mount=type=ssh ssh git@gitlab.com | tee /hello # "Welcome to GitLab, @GITLAB_USERNAME_ASSOCIATED_WITH_SSHKEY" should be printed here More info available at moby/buildkit#608, moby/buildkit#655 Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> (cherry picked from commit db7399a) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah
pushed a commit
to thaJeztah/cli
that referenced
this pull request
Oct 11, 2018
…D=$SSH_AUTH_SOCK`) Unlike `docker build --secret`, `docker build --ssh` allows the build container to use SSH keys with passphrases. $ eval $(ssh-agent) $ ssh-add ~/.ssh/id_rsa (Input your passphrase here) $ docker build --ssh default=$SSH_AUTH_SOCK ... This feature requires the daemon with `CapExecMountSSH` build capability (moby/moby#37973) . Currently, the official Dockerfile frontend does not provide the syntax for using the SSH forwarder. However, the experimental `RUN --mount=type=ssh` syntax can be enabled by using the Dockerfile frontend image built with the `BUILDTAGS="dfrunmount dfssh"`, via the `# syntax =` "shebang". The Dockerfile for the Dockerfile frontend is available at github.com/moby/buildkit/frontend/dockerfile/cmd/dockerfile-frontend) The pre-built image is also available as `tonistiigi/dockerfile:ssh20181002` . An example Dockerfile with `RUN --mount=type=ssh`: # syntax = tonistiigi/dockerfile:ssh20181002 FROM alpine RUN apk add --no-cache openssh-client RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan gitlab.com >> ~/.ssh/known_hosts RUN --mount=type=ssh ssh git@gitlab.com | tee /hello # "Welcome to GitLab, @GITLAB_USERNAME_ASSOCIATED_WITH_SSHKEY" should be printed here More info available at moby/buildkit#608, moby/buildkit#655 Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> (cherry picked from commit db7399a) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah
pushed a commit
to thaJeztah/cli
that referenced
this pull request
Oct 11, 2018
…D=$SSH_AUTH_SOCK`) Unlike `docker build --secret`, `docker build --ssh` allows the build container to use SSH keys with passphrases. $ eval $(ssh-agent) $ ssh-add ~/.ssh/id_rsa (Input your passphrase here) $ docker build --ssh default=$SSH_AUTH_SOCK ... This feature requires the daemon with `CapExecMountSSH` build capability (moby/moby#37973) . Currently, the official Dockerfile frontend does not provide the syntax for using the SSH forwarder. However, the experimental `RUN --mount=type=ssh` syntax can be enabled by using the Dockerfile frontend image built with the `BUILDTAGS="dfrunmount dfssh"`, via the `# syntax =` "shebang". The Dockerfile for the Dockerfile frontend is available at github.com/moby/buildkit/frontend/dockerfile/cmd/dockerfile-frontend) The pre-built image is also available as `tonistiigi/dockerfile:ssh20181002` . An example Dockerfile with `RUN --mount=type=ssh`: # syntax = tonistiigi/dockerfile:ssh20181002 FROM alpine RUN apk add --no-cache openssh-client RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan gitlab.com >> ~/.ssh/known_hosts RUN --mount=type=ssh ssh git@gitlab.com | tee /hello # "Welcome to GitLab, @GITLAB_USERNAME_ASSOCIATED_WITH_SSHKEY" should be printed here More info available at moby/buildkit#608, moby/buildkit#655 Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> (cherry picked from commit db7399a) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
lifubang
pushed a commit
to lifubang/cli
that referenced
this pull request
Oct 12, 2018
…D=$SSH_AUTH_SOCK`) Unlike `docker build --secret`, `docker build --ssh` allows the build container to use SSH keys with passphrases. $ eval $(ssh-agent) $ ssh-add ~/.ssh/id_rsa (Input your passphrase here) $ docker build --ssh default=$SSH_AUTH_SOCK ... This feature requires the daemon with `CapExecMountSSH` build capability (moby/moby#37973) . Currently, the official Dockerfile frontend does not provide the syntax for using the SSH forwarder. However, the experimental `RUN --mount=type=ssh` syntax can be enabled by using the Dockerfile frontend image built with the `BUILDTAGS="dfrunmount dfssh"`, via the `# syntax =` "shebang". The Dockerfile for the Dockerfile frontend is available at github.com/moby/buildkit/frontend/dockerfile/cmd/dockerfile-frontend) The pre-built image is also available as `tonistiigi/dockerfile:ssh20181002` . An example Dockerfile with `RUN --mount=type=ssh`: # syntax = tonistiigi/dockerfile:ssh20181002 FROM alpine RUN apk add --no-cache openssh-client RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan gitlab.com >> ~/.ssh/known_hosts RUN --mount=type=ssh ssh git@gitlab.com | tee /hello # "Welcome to GitLab, @GITLAB_USERNAME_ASSOCIATED_WITH_SSHKEY" should be printed here More info available at moby/buildkit#608, moby/buildkit#655 Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
docker-jenkins
pushed a commit
to docker-archive/docker-ce
that referenced
this pull request
Oct 12, 2018
…D=$SSH_AUTH_SOCK`) Unlike `docker build --secret`, `docker build --ssh` allows the build container to use SSH keys with passphrases. $ eval $(ssh-agent) $ ssh-add ~/.ssh/id_rsa (Input your passphrase here) $ docker build --ssh default=$SSH_AUTH_SOCK ... This feature requires the daemon with `CapExecMountSSH` build capability (moby/moby#37973) . Currently, the official Dockerfile frontend does not provide the syntax for using the SSH forwarder. However, the experimental `RUN --mount=type=ssh` syntax can be enabled by using the Dockerfile frontend image built with the `BUILDTAGS="dfrunmount dfssh"`, via the `# syntax =` "shebang". The Dockerfile for the Dockerfile frontend is available at github.com/moby/buildkit/frontend/dockerfile/cmd/dockerfile-frontend) The pre-built image is also available as `tonistiigi/dockerfile:ssh20181002` . An example Dockerfile with `RUN --mount=type=ssh`: # syntax = tonistiigi/dockerfile:ssh20181002 FROM alpine RUN apk add --no-cache openssh-client RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan gitlab.com >> ~/.ssh/known_hosts RUN --mount=type=ssh ssh git@gitlab.com | tee /hello # "Welcome to GitLab, @GITLAB_USERNAME_ASSOCIATED_WITH_SSHKEY" should be printed here More info available at moby/buildkit#608, moby/buildkit#655 Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp> (cherry picked from commit db7399a016bed833205a17129ed80fad4d15e48d) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Upstream-commit: e942084530002e5e02466b3f5941f0dc0136675e Component: cli
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add ssh agent socket forwarding support through a SSH mount type in LLB. Optional ID can be assigned on a mount to support multiple sockets.
@AkihiroSuda @tiborvass
Follow-up: expose in Dockerfile, expose to git sources