From aaa1fb9f68399d0614d6959a4d5c9a9175be71b4 Mon Sep 17 00:00:00 2001
From: Mike Crowe
Date: Sat, 29 Jan 2022 22:59:55 -0500
Subject: [PATCH 1/3] Better SSH socket support via ssh-agent

---
 rootfs/etc/profile.d/ssh-agent.sh | 53 +++++++++++++++++++++++--------
 rootfs/templates/wrapper | 17 ++++++++--
 2 files changed, 55 insertions(+), 15 deletions(-)

diff --git a/rootfs/etc/profile.d/ssh-agent.sh b/rootfs/etc/profile.d/ssh-agent.sh
index 7927d1ffe..4f2968c8f 100755
--- a/rootfs/etc/profile.d/ssh-agent.sh
+++ b/rootfs/etc/profile.d/ssh-agent.sh
@@ -1,11 +1,41 @@
 export SSH_KEY="${SSH_KEY:-/localhost/.ssh/id_rsa}"
 
-# Attempt Re-use existing agent if one exists
-if [ -f "${SSH_AGENT_CONFIG}" ]; then
- echo "* Found SSH agent config"
- . "${SSH_AGENT_CONFIG}"
+if [ "$SSH_AUTH_SOCK_HOST" != "" ]; then
+ export SSH_AUTH_SOCK="/var/tmp/ssh-geouser"
+ sudo socat UNIX-LISTEN:$SSH_AUTH_SOCK,fork,user=geouser,group=geouser,mode=777 UNIX-CONNECT:$SSH_AUTH_SOCK_HOST &
+ echo "Looks like we have a host ssh-agent socket at $SSH_AUTH_SOCK_HOST. Mapping to user socket at $SSH_AUTH_SOCK"
 fi
 
+function _load_sshagent_env() {
+ [[ -r "${SSH_AGENT_CONFIG}" ]] && eval "$(<${SSH_AGENT_CONFIG})" >/dev/null
+}
+
+function _launch_sshagent() {
+ (umask 066; ssh-agent > "${SSH_AGENT_CONFIG}")
+}
+
+function _ensure_sshagent_dead() {
+ killall ssh-agent &> /dev/null
+ rm -f "${SSH_AGENT_CONFIG}"
+}
+
+function _ensure_valid_sshagent_env() {
+ ssh-add -l &>/dev/null
+ if [[ $? -gt 1 ]]; then
+ # Could not open a connection to your authentication agent.
+
+ _load_sshagent_env
+ ssh-add -l &>/dev/null
+ if [[ $? -gt 1 ]]; then
+ # Start agent and store agent connection info.
+ _ensure_sshagent_dead
+ _launch_sshagent
+ fi
+ fi
+ _load_sshagent_env
+ return
+}
+
 trap ctrl_c INT
 function ctrl_c() {
 
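Review bot: `mode=777` on the `sudo socat UNIX-LISTEN:...` line makes the relayed agent socket connectable by every uid inside the container, so any process that gets in can sign with the host's keys; `user=geouser,group=geouser` already sets the owner, and `mode=600` is enough if the login shell runs as geouser (which the use of sudo suggests). `$SSH_AUTH_SOCK` and `$SSH_AUTH_SOCK_HOST` are unquoted inside the socat addresses, and because this is a profile.d snippet every new login shell starts another listener on the same fixed path `/var/tmp/ssh-geouser`, which fails with address-in-use once the first socket exists. socat is also backgrounded while `_ensure_valid_sshagent_env` (called later in the file, outside this hunk) runs `ssh-add -l` right away; if the relay is not listening yet the status exceeds 1, the function runs `killall ssh-agent` and launches a local agent whose env then replaces the relayed `SSH_AUTH_SOCK`. `_ensure_sshagent_dead` also terminates every agent owned by this uid, not just the one recorded in `${SSH_AGENT_CONFIG}`; killing the pid from that file would be narrower. I would guard the launch with `if [ ! -S "$SSH_AUTH_SOCK" ]; then`, change the line to `sudo socat UNIX-LISTEN:"$SSH_AUTH_SOCK",fork,user=geouser,group=geouser,mode=600 UNIX-CONNECT:"$SSH_AUTH_SOCK_HOST" &`, and wait briefly for `[ -S "$SSH_AUTH_SOCK" ]` before the agent check.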
@@ -14,18 +44,15 @@ function ctrl_c() {
 rm -f "${SSH_AUTH_SOCK}"
 }
 
-# Otherwise launch a new agent
-if [ -z "${SSH_AUTH_SOCK}" ] || ! [ -e "${SSH_AUTH_SOCK}" ]; then
- ssh-agent | grep -v '^echo' >"${SSH_AGENT_CONFIG}"
- . "${SSH_AGENT_CONFIG}"
+_ensure_valid_sshagent_env
 
- # Add keys (if any) to the agent
- if [ -n "${SSH_KEY}" ] && [ -f "${SSH_KEY}" ]; then
- echo "Add your local private SSH key to the key chain. Hit ^C to skip."
- ssh-add "${SSH_KEY}"
- fi
+# Add keys (if any) to the agent
+if [ -n "${SSH_KEY}" ] && [ -f "${SSH_KEY}" ]; then
+ echo "Add your local private SSH key to the key chain. Hit ^C to skip."
+ ssh-add "${SSH_KEY}"
 fi
 
 # Clean up
 trap - INT
 unset -f ctrl_c
+
diff --git a/rootfs/templates/wrapper b/rootfs/templates/wrapper
index e5bfb9577..8110b8a49 100755
--- a/rootfs/templates/wrapper
+++ b/rootfs/templates/wrapper
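Review bot: `ssh-add "${SSH_KEY}"` now runs unconditionally, whereas before it ran only in the branch that had just launched a fresh agent; with `SSH_AUTH_SOCK_HOST` set this loads the private key at `${SSH_KEY}` into the host's agent through the relay, with no lifetime, where it stays after the container exits. The `ctrl_c` trap (its definition begins outside this hunk) runs `rm -f "${SSH_AUTH_SOCK}"`, which after this change can delete the socat relay socket when the user presses ^C to skip the key prompt, leaving the host mapping dead for the rest of the session. I would skip the add when the host agent is in use, e.g. `if [ -z "$SSH_AUTH_SOCK_HOST" ] && [ -n "${SSH_KEY}" ] && [ -f "${SSH_KEY}" ]; then`, or at least bound it with `ssh-add -t 8h "${SSH_KEY}"`, and have the trap remove the socket only when this script launched the agent.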
@@ -61,15 +61,28 @@ function use() {
 
 if [ -n "$SSH_AUTH_SOCK" ]; then
 if [ "${OS}" == 'Linux' ]; then
+ if [ "${SSH_AUTH_SOCK:0:4}" == "/tmp" ]; then
+ echo "The ssh-agent socket at ${SSH_AUTH_SOCK} is in your /tmp folder and does not map to Docker"
+ echo "Start your ssh-agent with 'TMPDIR=/var/tmp ssh-agent'"
+ echo "or something like this in your ~/.bashrc script:"
+ echo '(umask 066; ssh-agent -a $(mktemp -d -t ssh-XXXXXXXXXX --tmpdir=/var/tmp)/agent.$$ > "${SSH_AGENT_ENV}")'
+ else
 # Bind-mount SSH agent socket into container (linux only)
- DOCKER_ARGS+=(--volume "$SSH_AUTH_SOCK:$SSH_AUTH_SOCK"
- --env SSH_AUTH_SOCK
+ local HOST_SOCK_DIR="$(dirname $SSH_AUTH_SOCK)"
+ local HOST_SOCK_NAME="$(basename $SSH_AUTH_SOCK)"
+ local DOCKER_SSH_FOLDER="/var/tmp"
+ local DOCKER_SSH_HOST_DIR="$DOCKER_SSH_FOLDER/host"
+ local DOCKER_SSH_HOST_SOCKET="$DOCKER_SSH_HOST_DIR/$HOST_SOCK_NAME"
+ DOCKER_ARGS+=(--volume="$HOST_SOCK_DIR:$DOCKER_SSH_HOST_DIR"
+ --env SSH_AUTH_SOCK_HOST="$DOCKER_SSH_HOST_SOCKET"
 --env SSH_CLIENT
 --env SSH_CONNECTION
 --env SSH_TTY
 --env USER
 --env USER_ID
 --env GROUP_ID)
+ echo "# Binding your SSH_AUTH_SOCK of $SSH_AUTH_SOCK to $DOCKER_SSH_HOST_SOCKET"
+ fi
 elif [ "${OS}" == 'Darwin' ] && [ "${GEODESIC_MAC_FORWARD_SOCKET}" == 'true' ]; then
 # Bind-mount SSH-agent socket (available in docker-for mac Edge 2.2 release)
 # Note that the file/socket /run/host-services/ssh-auth.sock does not exist

From 27789eb7c7bd2cfc7edb8ca28eea5be026499627 Mon Sep 17 00:00:00 2001
From: Mike Crowe
Date: Sat, 29 Jan 2022 23:19:48 -0500
Subject: [PATCH 2/3] Add socat to the base debian image

---
 os/debian/Dockerfile.debian | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/os/debian/Dockerfile.debian b/os/debian/Dockerfile.debian
index 6753659af..16ce5a1b8 100644
--- a/os/debian/Dockerfile.debian
+++ b/os/debian/Dockerfile.debian
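Review bot: `--volume="$HOST_SOCK_DIR:$DOCKER_SSH_HOST_DIR"` bind-mounts the whole directory that holds the agent socket rather than the socket itself, so any other sockets or files beside it on the host (a keyring or runtime directory, or all of `/var/tmp` if the socket was placed directly there) become readable and writable inside the container. `$(dirname $SSH_AUTH_SOCK)` and `$(basename $SSH_AUTH_SOCK)` are unquoted, and `local VAR="$(...)"` hides the command's exit status. The `${SSH_AUTH_SOCK:0:4} == "/tmp"` test also matches paths such as `/tmpfs/...`; `case "$SSH_AUTH_SOCK" in /tmp/*)` is exact. I would mount read-only and quote the expansions: `HOST_SOCK_DIR="$(dirname -- "$SSH_AUTH_SOCK")"`, `HOST_SOCK_NAME="$(basename -- "$SSH_AUTH_SOCK")"`, `DOCKER_ARGS+=(--volume="$HOST_SOCK_DIR:$DOCKER_SSH_HOST_DIR:ro"` — connecting to a unix socket should not need a writable mount, though that is worth confirming with the Docker versions in use. `use()` begins and ends outside this hunk.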
@@ -33,7 +33,7 @@ RUN apt-get update && apt-get install -y apt-utils
 
 # Install the packages that are needed to build python3
 RUN apt-get update && apt-get install -y build-essential zlib1g-dev libncurses5-dev libgdbm-dev \
- libnss3-dev libssl-dev libsqlite3-dev libreadline-dev libffi-dev curl libbz2-dev
+ libnss3-dev libssl-dev libsqlite3-dev libreadline-dev libffi-dev curl libbz2-dev socat
 
 # Download the Python source code
 RUN curl -1sLfO https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tar.xz && \

From dbb19cbab7d830d3c9a7b7f8f942930eafbacb70 Mon Sep 17 00:00:00 2001
From: Mike Crowe
Date: Sat, 29 Jan 2022 23:40:35 -0500
Subject: [PATCH 3/3] Adding reference to socat instructions

---
 rootfs/etc/profile.d/ssh-agent.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rootfs/etc/profile.d/ssh-agent.sh b/rootfs/etc/profile.d/ssh-agent.sh
index 4f2968c8f..9f60234f9 100755
--- a/rootfs/etc/profile.d/ssh-agent.sh
+++ b/rootfs/etc/profile.d/ssh-agent.sh
@@ -1,6 +1,7 @@
 export SSH_KEY="${SSH_KEY:-/localhost/.ssh/id_rsa}"
 
 if [ "$SSH_AUTH_SOCK_HOST" != "" ]; then
+ # https://gist.github.com/d11wtq/8699521?permalink_comment_id=3878388#gistcomment-3878388
 export SSH_AUTH_SOCK="/var/tmp/ssh-geouser"
 sudo socat UNIX-LISTEN:$SSH_AUTH_SOCK,fork,user=geouser,group=geouser,mode=777 UNIX-CONNECT:$SSH_AUTH_SOCK_HOST &
 echo "Looks like we have a host ssh-agent socket at $SSH_AUTH_SOCK_HOST. Mapping to user socket at $SSH_AUTH_SOCK"
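Review bot: `socat` is appended to the apt-get line under the comment `# Install the packages that are needed to build python3`, but it is a runtime dependency of `rootfs/etc/profile.d/ssh-agent.sh`, not a Python build input. If that build-dependency set is ever purged or slimmed after the Python build (not visible in this hunk), the relay in ssh-agent.sh silently stops working. I would install it in its own step next to the image's other runtime tools, `RUN apt-get update && apt-get install -y socat`, or at least change the comment to `# Install the packages needed to build python3, plus socat (runtime dependency of profile.d/ssh-agent.sh)`.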