
dockerSsh option fails to mount non-RSA keys into container

Open jacksgt opened this issue 5 years ago • 1 comments

As per the README, "The dockerSsh option will mount your $HOME/.ssh/id_rsa and $HOME/.ssh/known_hosts as a volume in the docker container".

However, other paths and key formats are also used for SSH keys (e.g. site-specific SSH keys, ecdsa or ed25519, etc.).

If no RSA SSH key is present, I get the following error:

Serverless: Using download cache directory /home/jack/.cache/serverless-python-requirements/downloadCacheslspyc
Serverless: Running docker run --rm -v /home/jack/.cache/serverless-python-requirements/413378d9b4915169d34e398a2e96757e42a01b4a91c532d04d36d297c6041eb2_slspyc\:/var/task\:z -v /home/jack/.ssh/id_rsa\:/root/.ssh/id_rsa\:z -v /home/jack/.ssh/known_hosts\:/root/.ssh/known_hosts\:z -v /tmp/ssh-4OmyoDvmZaPi/agent.1416\:/tmp/ssh_sock\:z -e SSH_AUTH_SOCK\=/tmp/ssh_sock -v /home/jack/.cache/serverless-python-requirements/downloadCacheslspyc\:/var/useDownloadCache\:z lambci/lambda\:build-python3.6 /bin/sh -c 'chown -R 0\\:0 /var/useDownloadCache && python3.6 -m pip install -t /var/task/ -r /var/task/requirements.txt --cache-dir /var/useDownloadCache && chown -R 1000\\:1000 /var/task && chown -R 1000\\:1000 /var/useDownloadCache && find /var/task -name \\*.so -exec strip \\{\\} \\;'...
 
  Error --------------------------------------------------
 
  Error: STDOUT: Obtaining repo from [email protected]/[email protected] (from -r /var/task/requirements.txt (line 1))
    Cloning [email protected]:repo.git (to revision v0.0.3) to ./src/repo  
    Running command git clone -q [email protected]:repo.git /var/task/src/repo
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Permissions 0755 for '/root/.ssh/id_rsa' are too open.
    It is required that your private key files are NOT accessible by others.
    This private key will be ignored.
    Load key "/root/.ssh/id_rsa": bad permissions
    Permission denied (publickey).
    fatal: Could not read from remote repository.

Even if no RSA key is present, the plugin still tries to mount ~/.ssh/id_rsa into the container. Docker then creates this path (as a directory), but with standard permissions (hence the above error message). In the end, the SSH private key (which is in ~/.ssh/id_ed25519) is not present in the container, thus the "permission denied" error for the private repository occurs.

jacksgt avatar Mar 09 '20 08:03 jacksgt
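An added example, not code from the issue or from the plugin, of how a build script could pick the key before handing Docker the bind mount: only an existing regular file is mounted (so Docker never has to create a directory in its place), and a key whose mode ssh would reject as "too open" is refused up front. The candidate key names, the exit codes and the `ls -l` based mode check are my own choices; the `/root/.ssh` target and `:z` label follow the plugin's `docker run` line above.

```shell
#!/bin/sh
# Resolve the SSH private key to mount into the build container.
# Candidate names are tried in order; the first regular file wins, so a
# directory that Docker created at ~/.ssh/id_rsa is skipped, not mounted.
# Prints the docker "-v" argument for the key. Exit 1 if no key exists,
# exit 2 if the key is readable by group/other (ssh ignores such keys).
ssh_key_mount() {
  dir="${1:-$HOME/.ssh}"
  for name in id_ed25519 id_ecdsa id_rsa; do
    key="$dir/$name"
    [ -f "$key" ] || continue
    # Characters 5-10 of `ls -l` output are the group/other permission bits.
    mode=$(ls -ld "$key" | cut -c5-10)
    if [ "$mode" != "------" ]; then
      echo "refusing $key: mode $(ls -ld "$key" | cut -c1-10) is too open" >&2
      return 2
    fi
    printf -- '-v %s:/root/.ssh/%s:z\n' "$key" "$name"
    return 0
  done
  echo "no id_ed25519/id_ecdsa/id_rsa found in $dir" >&2
  return 1
}
```

Usage: `docker run --rm $(ssh_key_mount) ...` fails the build with a clear message instead of the misleading "bad permissions" error when no key is available.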

Here is a workaround if you need to use a private repo:

pythonRequirements:
    dockerizePip: true
    dockerImage: mlupin/docker-lambda:python3.9-build
    dockerSsh: true
    dockerRunCmdExtraArgs:
      - '-e'
      - 'GIT_SSH_COMMAND="cp ~/.ssh/id_rsa ~/id_rsa && chmod 600 ~/id_rsa && ssh -i ~/id_rsa"'

jeanbmar avatar Mar 03 '22 11:03 jeanbmar