clearml-agent icon indicating copy to clipboard operation
clearml-agent copied to clipboard

Published 20 hours ago verified publisher icon allegroai

Feature request: Allow to modify SSH forwarding for docker daemon

Open mctigger opened this issue 4 years ago • 12 comments

I usually use SSH forwarding from host to container as follows:

-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK=$SSH_AUTH_SOCK

However, this seems to conflict with the current way of mounting the .ssh directory of the host. Could you maybe add an option in the config file to overwrite this part of the docker run arguments like the one I would like to use?

mctigger avatar Feb 06 '21 21:02 mctigger

Hi, I don't really get, what you are trying. But how about to install openssh-server inside the container, change the ssh port in /etc/ssh/sshd_config, turn it on with service ssh start and connect directly to the container? of course, you have to map the ssh port to the host machine. Or you just map the port 22 to other host port like: -p 9000:22. You can add extra docker arguments in clearmlconfig in the home directory.

vinh-cao avatar Feb 15 '21 09:02 vinh-cao

@mctigger I think that in order to make it work you need :

  1. Add to the the following extra_docker_arguments 
agent.extra_docker_arguments: ["-v", "$SSH_AUTH_SOCK:$SSH_AUTH_SOCK", "-e", "SSH_AUTH_SOCK=$SSH_AUTH_SOCK", ]

Reference: https://github.com/allegroai/clearml-agent/blob/22d5892b12efa2acde304658ad0f08594b3e4ce6/docs/clearml.conf#L131

  1. Make sure the agent does not copy/mount the ~/.ssh folder into the docker (which is currently the default behavior)

WDYT ?

bmartinn avatar Feb 15 '21 15:02 bmartinn

Thank for the answer.

Regarding 2. How do I make sure that ~/.ssh is not mounted/copied?

mctigger avatar Feb 24 '21 11:02 mctigger

Also this:

docker: Error response from daemon: invalid volume specification: '$SSH_AUTH_SOCK:$SSH_AUTH_SOCK': invalid mount config for type "volume": invalid mount path: '$SSH_AUTH_SOCK' mount path must be absolute.

mctigger avatar Feb 24 '21 20:02 mctigger

Regarding 2. How do I make sure that ~/.ssh is not mounted/copied?

docker run -it <container name> bash then inside the docker ls ~/.ssh

Docker: Error response from daemon: invalid volume specification: '$SSH_AUTH_SOCK:$SSH_AUTH_SOCK':

Try replacing $SSH_AUTH_SOCK in the -v argument, with the actual value (you can get the actual value with echo $SSH_AUTH_SOCK on the host machine)

bmartinn avatar Feb 27 '21 23:02 bmartinn

What would be the correct way to make clearml not mount the .ssh dir? The forwarding seems to not work when this directory is mounted.

mctigger avatar Mar 01 '21 12:03 mctigger

@mctigger I think we should add a flag forcing the agent to mount the SSH_AUTH_SOCK. Maybe just below force_git_ssh_protocol we could add use_ssh_auth_sock: false , WDYT?

bmartinn avatar Mar 01 '21 23:03 bmartinn

Would I still have to replace $SSH_AUTH_SOCK with the actual value then? If no, then I am all for it. If I still had to replace it anyways, then I suggest to have an option to not mount .ssh instead. As you showed I can already use extra_docker_arguments to mount SSH_AUTH_SOCK.

mctigger avatar Mar 02 '21 17:03 mctigger

@mctigger, I think the idea is for the clearml-agent to do the socket mounting automatically (i.e. resolve the $SSH_AUTH_SOCK) and at the same time disable the auto .ssh mount. How does that sound?

bmartinn avatar Mar 04 '21 01:03 bmartinn

Sounds good!

mctigger avatar Mar 04 '21 09:03 mctigger

@bmartinn Is there any update on this issue? :)

mctigger avatar Jul 10 '21 15:07 mctigger

Thanks @mctigger for pinging ! I forgot to update here, the latest RC (1.0.1rc3) already contains an option to disable the SSH mount: export CLEARML_AGENT_DISABLE_SSH_MOUNT=1

The auto SSH_AUTH_SOCK check should be merged after the weekend :)

bmartinn avatar Jul 10 '21 21:07 bmartinn

Closing this as this was already released. Please reopen if required.

jkhenning avatar Mar 15 '23 13:03 jkhenning