
podman tries to lookup hostname which is used for ssh connection. #21113

Open
catap opened this issue Dec 31, 2023 · 11 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@catap

catap commented Dec 31, 2023

Issue Description

I have a machine whose fake name, podman.island.local, is defined inside ~/.ssh/config. This machine runs podman and I can connect to it:

√ ~ % ssh [email protected] ls /run/podman/podman.sock         
/run/podman/podman.sock
√ ~ %

When I add this machine to connection as:

√ ~ % podman system connection list | grep island                          
island                       ssh://[email protected]:22/run/podman/podman.sock                                              false
√ ~ %

and try to use it... it fails:

√ ~ % podman --log-level=trace -c island run hello-world
INFO[0000] podman filtering at log level trace          
DEBU[0000] Called run.PersistentPreRunE(podman --log-level=trace -c island run hello-world) 
DEBU[0000] Found SSH_AUTH_SOCK "/Users/catap/.gnupg/S.gpg-agent.ssh", ssh-agent signer enabled 
DEBU[0000] SSH Agent Key SHA256:YvWliM40Quk1glrOfaP9quPdddugNbOZuTGdukR8pfM ssh-rsa 
Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM
Error: unable to connect to Podman socket: failed to connect: dial tcp: lookup podman.island.local: no such host
DEBU[0005] Shutting down engines                        
? ~ %

Steps to reproduce the issue

  1. Add a connection with an impossible DNS name in ~/.ssh/config
  2. Add that machine to connections
  3. Try to run something.

Describe the results you received

It fails.

Describe the results you expected

Should work.

podman info output

It's irrelevant for this case.

I'm using `podman version 4.7.1` on macOS.

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

No

Additional environment details

Additional information

@catap catap added the kind/bug Categorizes issue or PR as related to a bug. label Dec 31, 2023
@afbjorklund
Contributor

Podman doesn't support ssh config at all; it defines "system connections" instead (e.g. for the key).

@catap
Author

catap commented Jan 2, 2024

@afbjorklund then I don't understand how I can define a connection via a hop. Usually it is called a bastion.

@afbjorklund
Contributor

afbjorklund commented Jan 2, 2024

It would need a new feature, where the command would read and apply the normal ssh configuration.

https://github.com/containers/common/tree/main/pkg/ssh

You can probably use /etc/hosts as a workaround, or configure the podman connection using the IP?

@catap
Author

catap commented Jan 2, 2024

It won't work.

The idea of a bastion is a single point of access to some protected environment. Usually I have access to it via the -J option or the ProxyJump setting in ~/.ssh/config.

This is a widely used technique to improve security and to have one place where a user should be disabled on off-boarding.

@catap
Author

catap commented Jan 2, 2024

I see you're using https://pkg.go.dev/golang.org/x/crypto/ssh at the bottom of this.

It definitely supports what I'm looking for, but someone needs to rework NewConnectionWithIdentity a bit.

Right now it expects ssh://<user>@<host>[:port]/run/podman/podman.sock?secure=True. Let's keep that as the fallback syntax and introduce a new one: ssh://<user>@<host>[:port]/unix:///run/podman/podman.sock?secure=True, where instead of unix:// someone may use tcp:// or even ssh:// to make a jump via a server.

What do you think?

@afbjorklund
Contributor

afbjorklund commented Jan 2, 2024

@catap adding support for ProxyJump is a bigger feature than just adding basic user, hostname and port (and key).

I was using this library for a quick test: http://github.com/kevinburke/ssh_config, but that would not change the ssh.

commit b86031b6c848e88ea8077fd804416a27908cb151 (rebased)

# This SSH config file can be passed to 'ssh -F'.
Host podman-machine-default
  User core
  Hostname 127.0.0.1
  Port 46529
  IdentityFile "/home/anders/.ssh/podman-machine-default"
  IdentitiesOnly yes
  StrictHostKeyChecking no

@catap
Author

catap commented Jan 2, 2024

I disagree with you because I believe that it can be implemented by reworking only one function, NewConnectionWithIdentity, into a recursive one.

The idea of the changes is quite simple. Instead of:

		// current code in containers/common: one ssh hop, then a unix
		// socket dial over it (conn is the established *ssh.Client)
		connection = Connection{URI: _url}
		connection.Client = &http.Client{
			Transport: &http.Transport{
				DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
					return ssh.DialNet(conn, "unix", _url)
				},
			}}

someone should:

  • concatenate the path and query parts of _url into a new string and re-parse it; if the resulting URI has no scheme, add unix://
  • call NewConnectionWithIdentity with the new url string :)

The next change to make it work is adding sshCon *Con to the arguments of NewConnectionWithIdentity, to route between ssh.Dial (the first hop) and ssh.NewClient (all other hops).

and that's it.
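One way the nested-URI idea in the two comments above could be unfolded into an ordered hop list before any dialing happens. This is an added example, not code from containers/common or from this thread; Hop, UnfoldURI and the host names are constructed, and the bound of 8 levels is an added safeguard so a crafted connection string cannot recurse without limit.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Hop is one level of the nested URI (an ssh jump host, or the unix/tcp endpoint).
type Hop struct {
	Scheme string
	User   string
	Host   string // host[:port] for ssh and tcp, empty for unix
	Target string // socket path for unix, host:port for tcp
}

// UnfoldURI re-parses the path+query of each ssh:// level as the next level;
// a level without a scheme is the legacy socket-path form and becomes unix://.
func UnfoldURI(raw string) ([]Hop, error) {
	var hops []Hop
	for len(hops) < 8 { // constructed bound: a crafted URI cannot recurse forever
		u, err := url.Parse(raw)
		if err != nil {
			return nil, err
		}
		switch u.Scheme {
		case "ssh":
			hops = append(hops, Hop{Scheme: "ssh", User: u.User.Username(), Host: u.Host})
			next := strings.TrimPrefix(u.Path, "/")
			if !strings.Contains(next, "://") { // legacy bare socket path
				next = "unix://" + u.Path
			}
			if u.RawQuery != "" {
				next += "?" + u.RawQuery
			}
			raw = next
		case "unix":
			return append(hops, Hop{Scheme: "unix", Target: u.Path}), nil
		case "tcp":
			return append(hops, Hop{Scheme: "tcp", Host: u.Host, Target: u.Host}), nil
		default:
			return nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
		}
	}
	return nil, fmt.Errorf("too many nested hops")
}
func main() { // constructed example: one bastion in front of the Podman host
	hops, err := UnfoldURI("ssh://core@bastion.example:22/ssh://core@inner.example:22/unix:///run/podman/podman.sock?secure=True")
	fmt.Println(hops, err)
}
```

The first element of the returned slice is the hop to open with ssh.Dial, each further ssh element with ssh.NewClient over the previous one, and the last element is what DialNet should target.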


github-actions bot commented Feb 2, 2024

A friendly reminder that this issue had no activity for 30 days.

@catap
Author

catap commented Feb 2, 2024

Just ping as well...

@rhatdan
Member

rhatdan commented Feb 3, 2024

@catap Best way to get this fixed would be to open a PR.

@catap
Author

catap commented Feb 3, 2024 via email
