new feature: docker -H ssh://host #33566
This commit allows connecting to a Unix socket listening on a remote daemon via an OpenSSH connection. e.g. `docker -H ssh://host` or `docker -H ssh://me@host:22/var/run/docker.sock`. The feature is purely implemented on the client side. No need to configure the daemon. Signed-off-by: Akihiro Suda <[email protected]>
|
cc-ing those who have commented on #32161 @vdemeester @n4ss @diogomonica @thaJeztah @justincormack @friism @nathanleclaire @tonistiigi @jhowardmsft @arianitu @rca @stevvooe @chungers
| case "fd": | ||
| return addr, nil | ||
| case "ssh": // unix over ssh (can be specified for `docker -H` but not for `dockerd -H`) | ||
| usr, err := whoami() |
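Review bot: on the `case "ssh":` line, the comment says the scheme is accepted for `docker -H` but not for `dockerd -H`, yet nothing in the visible lines enforces that distinction. If the daemon shares this parsing path, add an explicit rejection of `ssh://` on the daemon side with a test for it, and make sure `err` from `whoami()` is checked before `usr` is used, since the hunk ends before any error handling is visible.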
Why not let ssh(1) handle this? This calls into /etc/passwd parsing on macOS that doesn't work for regular users. It also overrides any user set in the ssh config.
|
Given that Windows will soon have native openssh support, it seems weird to special case it now?
|
@justincormack
design discussion held at docker/go-connections#39. Comments are welcome at docker/go-connections#39
|
What do you think about implementing a "connection helpers" interface like we do for credentials.
```json
{
  "ssh": "~/.docker/ssh_connection_helper",
  "weird": "~/my_weird_connection_helper"
}
```
Where
|
@cpuguy83 SGTM, I'll try to update this PR.
|
Temporarily closing. Further discussion should be at #31871
|
Implemented @cpuguy83 's proposal: docker/cli#889 |
- What I did
Implemented `docker -H ssh://host`, which allows connecting to a Unix socket listening on a remote daemon via an OpenSSH connection.
Replaces #32161 (which used Go-native SSH rather than `os/exec` even on Unix, and hence didn't support `~/.ssh/config`)
Closes #31871
Motivations:
`ssh-keygen` vs a bunch of openssl blah -blah -blah -blah ..., Improve usability for TLS usage and setup #6817)
The feature is purely implemented on the client side.
No need to configure the daemon.
- How I did it
on Unix: By `os/exec`-uting `ssh -L local.sock:/var/run/docker.sock`. So it should even work with `~/.ssh/config`.
on Windows: using pageant + Go-native ssh (golang.org/x/crypto/ssh)
- How to verify it
No need to configure the daemon. Even no need to replace the daemon built from this PR. I confirmed this PR works well with vanilla 17.05.0-ce daemon.
You just need to create a SSH user account that can access `/var/run/docker.sock`
On Windows client, you need to register your key to `pageant.exe`. No need to install `ssh.exe`.
The argument can be also:
`ssh://me@host:22/var/run/docker.sock`
`ssh://host` (using `$USER` as the user name)
- Description for the changelog
Now docker client can connect to a Unix socket listening on a remote daemon via an OpenSSH connection
- A picture of a cute animal (not mandatory but encouraged)
TODO
Signed-off-by: Akihiro Suda [email protected]
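The Unix approach described above (`ssh -L local.sock:/var/run/docker.sock`), as an added example that is not code from this PR: it maps the two `-H` forms listed in the description to an `ssh` argument list and passes the user and port only when the URL gives them, which is the point raised in the review comment about `~/.ssh/config`. The function name `sshForwardArgs` and the local socket path are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sshForwardArgs turns a `docker -H ssh://...` value into arguments for
// `ssh -L <localSock>:<remoteSock>`. Hypothetical helper for illustration,
// not the PR's implementation.
func sshForwardArgs(host, localSock string) ([]string, error) {
	u, err := url.Parse(host)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "ssh" {
		return nil, fmt.Errorf("expected ssh:// scheme, got %q", u.Scheme)
	}
	// A host that starts with '-' would be read by ssh(1) as an option.
	if u.Hostname() == "" || strings.HasPrefix(u.Hostname(), "-") {
		return nil, fmt.Errorf("invalid host %q", u.Hostname())
	}
	if _, hasPw := u.User.Password(); hasPw {
		return nil, fmt.Errorf("password in URL is not supported")
	}
	remoteSock := u.Path
	if remoteSock == "" {
		remoteSock = "/var/run/docker.sock" // default socket named on this page
	}
	// -N: run no remote command, only forward the socket.
	args := []string{"-N", "-L", localSock + ":" + remoteSock}
	// Pass -l / -p only when the URL states them, so User and Port from
	// ~/.ssh/config still apply to a plain ssh://host.
	if name := u.User.Username(); name != "" {
		args = append(args, "-l", name)
	}
	if p := u.Port(); p != "" {
		args = append(args, "-p", p)
	}
	return append(args, "--", u.Hostname()), nil
}

func main() {
	for _, h := range []string{"ssh://host", "ssh://me@host:22/var/run/docker.sock"} {
		args, err := sshForwardArgs(h, "/tmp/docker-fwd.sock") // constructed local path
		fmt.Println(h, "=>", args, err)
	}
}
```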