
On OS X user always has to enter passphrase for protected SSH key

Open udondan opened this issue 8 years ago • 7 comments

Silo forwards the SSH socket into the container. Docker for Mac currently does not support mounting sockets into a container. Therefore the user's SSH key (which gets mounted) is used. If this key is protected by a passphrase, the user will always have to unlock the key on every Silo call.

The original problem is described here:

There is an experimental workaround we might want to look into, as it seems the problem is not going to be addressed anytime soon on Docker side: https://github.com/uber-common/docker-ssh-agent-forward

udondan · Jul 12 '17 13:07

ssh-add does not help?

dMopp · Jul 20 '17 10:07

We're doing an ssh-add, and that's where the passphrase is requested. Since the Silo container is not persistent, the authentication agent won't know about the previously added key when the container is started again. Therefore you need to enter the passphrase every time ansible/ansible-playbook is invoked.

udondan · Jul 24 '17 07:07

Using the docker-ssh-agent-forward workaround has been working pretty well for me, esp. since I'm using gpg-agent with ssh-support mode. Once I've set up the forward, I use this ~/.ansible-silo file:

silo_ssh_key_forwarding() {
  local forwarding_status
  # Prefer the pinata (docker-ssh-agent-forward) socket when its container is running
  if command -v pinata-ssh-mount >/dev/null 2>&1; then
    forwarding_status=$(docker inspect -f '{{.State.Running}}' pinata-sshd 2>/dev/null)
    if [[ "${forwarding_status}" == 'true' ]]; then
      pinata-ssh-mount
      return
    fi
  fi

  # Original silo_ssh_key_forwarding(): mount the directory holding SSH_AUTH_SOCK
  # (and, when the socket path is a symlink, the directory of its target as well)
  local auth_sock_link_dir auth_sock_dir auth_sock_target return=""

  if [[ -n "${SSH_AUTH_SOCK}" ]]; then
    if [[ -L "${SSH_AUTH_SOCK}" ]]; then
      auth_sock_target="$(readlink "${SSH_AUTH_SOCK}")"
      # readlink may return a path relative to the link's own directory
      [[ "${auth_sock_target}" == /* ]] || auth_sock_target="$(dirname "${SSH_AUTH_SOCK}")/${auth_sock_target}"
      auth_sock_link_dir="$(cd "$(dirname "${auth_sock_target}")" && pwd -P)"
      return+="--volume \"${auth_sock_link_dir}\":\"${auth_sock_link_dir}\" "
    fi
    auth_sock_dir="$(dirname "${SSH_AUTH_SOCK}")"
    return+="--volume \"${auth_sock_dir}\":\"${auth_sock_dir}\" "
    return+="--env SSH_AUTH_SOCK"
  fi
  echo "${return}"
}

woneill · Sep 14 '17 14:09
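As an added example (not code from this thread or from the ansible-silo project), here is a self-contained variant of the socket-directory resolution used in the function above, generalised to handle relative symlink targets, plus a probe of the `ssh-add -l` exit codes that tells whether an agent is actually reachable before Silo falls back to mounting the private key file (the fallback that causes the per-call passphrase prompt described at the top of the issue). The function names `resolve_link_dir`, `agent_mount_opts` and `agent_state` are this example's own.

```shell
#!/usr/bin/env bash
# Added example; not ansible-silo code. Builds the docker options that forward an
# SSH agent socket into a container and probes whether an agent is reachable.

# resolve_link_dir LINK -> absolute physical directory that contains the link's target.
# A relative target is resolved against the directory the link itself lives in.
resolve_link_dir() {
  local link="$1" target
  target="$(readlink "${link}")" || return 1
  case "${target}" in
    /*) ;;                                          # absolute target: use as-is
    *)  target="$(dirname "${link}")/${target}" ;;  # relative: anchor at the link's dir
  esac
  (cd "$(dirname "${target}")" && pwd -P)
}

# agent_mount_opts SOCKET_PATH -> docker run options on one line, or an empty string
# when no socket path is given. Mounts the target directory (for a symlinked socket)
# and the socket's own directory, and exports SSH_AUTH_SOCK into the container.
agent_mount_opts() {
  local sock="$1" opts="" link_dir sock_dir
  [[ -n "${sock}" ]] || { echo ""; return 0; }
  if [[ -L "${sock}" ]]; then
    link_dir="$(resolve_link_dir "${sock}")" || return 1
    opts+="--volume \"${link_dir}\":\"${link_dir}\" "
  fi
  sock_dir="$(cd "$(dirname "${sock}")" && pwd -P)"
  opts+="--volume \"${sock_dir}\":\"${sock_dir}\" "
  opts+="--env SSH_AUTH_SOCK=${sock}"
  echo "${opts}"
}

# agent_state -> "keys", "empty" or "unreachable", derived from the documented
# ssh-add -l exit codes: 0 identities listed, 1 agent has no identities,
# 2 (or anything else) the agent could not be contacted.
agent_state() {
  ssh-add -l >/dev/null 2>&1
  case $? in
    0) echo keys ;;
    1) echo empty ;;
    *) echo unreachable ;;
  esac
}

# Usage (real run): decide whether agent forwarding is even worth attempting.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  case "$(agent_state)" in
    keys)        agent_mount_opts "${SSH_AUTH_SOCK}" ;;
    empty)       echo "agent reachable but holds no identities; run ssh-add first" >&2 ;;
    unreachable) echo "no agent at SSH_AUTH_SOCK; Silo would mount the key file instead" >&2 ;;
  esac
fi
```

Run `agent_state` before invoking Silo: "keys" means the forwarded agent will answer signing requests without a prompt, "empty" means the passphrase is needed once for `ssh-add` on the host, and "unreachable" means the socket was not forwarded at all and the mounted key file is what will be used.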

@woneill I've been using your function for a while, and pinata works reliably for me and my team.

May I use your function as is to include in the next Silo release? Or if you like, send a PR so you're credited appropriately for the contribution.

udondan · Jun 06 '18 08:06

Awesome! Feel free to use the function as-is since I likely found it elsewhere and wouldn't want to claim credit inappropriately.

I'm interested in seeing how you suggest new users set up pinata. That's been a stumbling block for me when encouraging people to use docker in general.

woneill · Jun 06 '18 20:06

Thanks @woneill, documentation for this is pending but I just added the function.

BTW, I am using a fork from Uber as the original is not working for me: https://github.com/uber-common/docker-ssh-agent-forward

udondan · Jun 08 '18 13:06

2.2.0 just got released with your function. Thanks again. 😸

udondan · Jun 08 '18 14:06