Podman over SSH in native mode does not use custom config ~/.ssh/config
#23831
Comments
This is a known shortcoming, you have to add the basic ssh config to a podman "system connection"

A workaround is to set up the ssh tunnel yourself (with the ssh config), and use

Thanks for your fast explanation!

Does this mean that I'd have to unpack my (possibly generated) A workaround would be to extend the

I think it should be possible for podman to parse the basics, but you would lose out on any other ssh features... The same issue exists in Lima, and is worse now when Podman Desktop can parse connections but not forwards...

It seems to be used a little inconsistently around the podman code base. Some parts are using the "SSHMode", but some are still calling i.e. not using the containers-common wrapper, but golang.org/x/crypto/ssh

I think it has been this way since Podman v2, that is before the connections... e.g. https://boot2podman.github.io/2020/07/22/machine-replacement.html

```sh
export CONTAINER_HOST=ssh://[email protected]:2222/run/user/1000/podman/podman.sock
export CONTAINER_SSHKEY=$PWD/.vagrant/machines/default/virtualbox/private_key
```

But then came Podman Machine v3, and replaced the Fedora and the VirtualBox.

ssh=native was never properly finished AFAIK, it doesn't seem to be tested either. I do agree this should work with native mode as we call the ssh binary which should read your ssh config, so yes this seems like a bug to me.

Most of the current systems seem to not be supporting i.e. like Java or JavaScript, or what have you... (interestingly, even Windows supports unix domain sockets these days)

If wanting to support the Docker syntax, then there also needs to be something added for the default path. With the docker client, the $DOCKER_HOST is coming from the environment on the remote side but with podman it is local... So
The patched version looks like this:
Instead of the default podman version:
So the parsing of the ssh config goes OK:
commit 59c8f28 (https://github.com/kevinburke/ssh_config) But the connection still fails, due to path. And it is hard to "guess" (need to read env) The remote uid (and thus systemd dir) could be anything. Something similar to this, connect to the remote server and try to find the socket path. https://docs.docker.com/engine/security/rootless/#expose-docker-api-socket-through-ssh I think with Podman, you would call
Like so:
And use this value, instead of the empty path in url (if none has been provided by the caller)
commit a928ac1 (https://pkg.go.dev/golang.org/x/crypto/ssh) Found another bug with the user being required, similar to the earlier bug with port being required... It tried to authenticate as user "", instead of the current user. The workaround was adding a Will rebase to HEAD
Parsing the basic 4 values and querying for the 5th seems to be working - even with "golang":

```console
$ podman-remote --host ssh://lima-podman version
Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM
Error: unable to connect to Podman socket: failed to connect: dial tcp: lookup lima-podman: no such host
$ ./bin/podman-remote --host ssh://lima-podman version
Client:       Podman Engine
Version:      4.9.3
API Version:  4.9.3
Go Version:   go1.22.3
Git Commit:   a928ac1438058eaed6aacc17fd03dea41df8c432
Built:        Sun Sep  1 22:29:36 2024
OS/Arch:      linux/amd64

Server:       Podman Engine
Version:      5.2.2
API Version:  5.2.2
Go Version:   go1.22.6
Built:        Wed Aug 21 02:00:00 2024
OS/Arch:      linux/amd64
```

It doesn't use any of the other features of the ssh_config, so that does need the "native" ssh... The most important one is the

* https://docs.docker.com/engine/security/protect-access/#ssh-tips

Others include using AES hardware crypto (where available), etc etc

Lima handles this automatically, when setting up the port forwarding:

```yaml
portForwards:
- guestSocket: "/run/user/{{.UID}}/podman/podman.sock"
  hostSocket: "{{.Dir}}/sock/podman.sock"
```
Thank you very much for your hard work on this. For anyone stumbling across this issue, the above-mentioned workaround with the SSH tunnel looks like so: Keep `ssh -F ssh_config -L "${PWD}/my.sock:/run/user/1000/podman/podman.sock" my-host` running, where Now

It's not only a workaround, but also an optimization that is used by Podman Desktop (and Lima)
i.e. One remaining issue is how to separate a local unix socket, versus a "remote" tunneled unix socket. It might need some kind of UUID for the host, to see if we are still on the same machine - or not.
Another (actual) workaround would be to use And let

```console
$ ssh -G lima-podman | grep -E "^(user|hostname|port|identityfile) "
user anders
hostname 127.0.0.1
port 38241
identityfile /home/anders/.lima/_config/user
```

And then feed that as input to
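The two workarounds discussed in this thread (letting `ssh -G` resolve the `Host` alias from `~/.ssh/config` and registering the result as a Podman system connection, or running a native `ssh -L` unix-socket tunnel) as one added shell example. This is editorial example code, not part of the podman code base and not posted by anyone in the thread. It assumes `ssh -G` prints one `keyword value` pair per line, that the remote rootless socket is `/run/user/1000/podman/podman.sock` (Podman cannot guess the remote uid, so the path is passed in explicitly), and that the Podman CLI has `podman system connection add --identity`; the `ssh -G` output it parses is a constructed sample modelled on the lines quoted above, not captured from a real host.

```shell
#!/bin/sh
# Added example, not podman's code: turn what ssh resolves for a Host alias
# into a Podman "system connection", or into an ssh socket tunnel.
# Assumptions: `ssh -G` prints one "keyword value" pair per line; the remote
# rootless socket lives at /run/user/1000/podman/podman.sock (Podman cannot
# guess the remote uid, so it is passed in explicitly); the Podman CLI has
# `podman system connection add --identity`.

# Constructed sample of `ssh -G lima-podman` output, modelled on the fields
# quoted in the thread plus a second, unexpanded default identity (not
# captured from a real host).
SAMPLE_SSH_G='user anders
hostname 127.0.0.1
port 38241
identityfile /home/anders/.lima/_config/user
identityfile ~/.ssh/id_ed25519'

REMOTE_SOCK=/run/user/1000/podman/podman.sock

# ssh_g_to_url SOCKET_PATH: read `ssh -G` output on stdin and print the
# ssh://user@hostname:port/socket destination Podman expects.  Fails (exit 1)
# if user, hostname or port is missing, rather than handing Podman an empty
# user or port (the thread describes it trying to authenticate as user "").
ssh_g_to_url() {
  awk -v sock="$1" '
    $1 == "user"     { user = $2 }
    $1 == "hostname" { host = $2 }
    $1 == "port"     { port = $2 }
    END {
      if (user == "" || host == "" || port == "") exit 1
      printf "ssh://%s@%s:%s%s\n", user, host, port, sock
    }'
}

# ssh_g_identity [HOME_DIR]: print the first identityfile from `ssh -G`
# output on stdin, expanding a leading ~ (ssh -G prints it unexpanded).
ssh_g_identity() {
  awk -v home="${1:-$HOME}" '
    $1 == "identityfile" { f = $2; sub(/^~/, home, f); print f; exit }'
}

# connection_add_cmd NAME URL IDENTITY: the command that registers a named
# connection, so later `podman --connection NAME ...` needs no ssh config.
connection_add_cmd() {
  printf 'podman system connection add --identity %s %s %s\n' "$3" "$1" "$2"
}

# tunnel_cmd HOST LOCAL_SOCK REMOTE_SOCK: the other workaround from the thread,
# a native ssh (which does read ~/.ssh/config) forwarding the remote unix
# socket to a local one; add -F to point at a custom config file.
tunnel_cmd() {
  printf 'ssh -N -L %s:%s %s\n' "$2" "$3" "$1"
}

# Demonstration on the constructed sample.  Against a real host, replace the
# printf with:  ssh -G lima-podman | ssh_g_to_url "$REMOTE_SOCK"
url=$(printf '%s\n' "$SAMPLE_SSH_G" | ssh_g_to_url "$REMOTE_SOCK")
ident=$(printf '%s\n' "$SAMPLE_SSH_G" | ssh_g_identity)
connection_add_cmd lima-podman "$url" "$ident"
echo "# or, tunnel the socket and use --url unix://$PWD/podman.sock:"
tunnel_cmd lima-podman "$PWD/podman.sock" "$REMOTE_SOCK"
```

Only the four basic values are carried over, which is exactly the limitation noted above: anything else in the ssh config (ControlMaster, ciphers, ProxyJump) is lost unless the native `ssh` binary is the one making the connection, as it is in the tunnel variant.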
Docker supports `~/.ssh/config` but not custom SSH config files (docker/cli#1301). Podman does not support `~/.ssh/config` but might partially do so soon (containers/podman#23831).
A friendly reminder that this issue had no activity for 30 days.
Issue Description

Connecting to a remote Podman socket over native SSH (e.g., `podman --host ssh://my-host --ssh native ps`) fails, despite the local `~/.ssh/config` file containing an entry for `Host my-host` (i.e., `ssh my-host` succeeds).

Steps to reproduce the issue
Set up:
Run a test VM locally using Vagrant:
Set up SSH access to the VM:
Set up Podman on the VM (with Docker API), running an example container:
Test:
Local Docker can connect to the remote Podman service, showing 1 container:
But local Podman cannot connect to remote Podman – see error below:
Tear down:
Remove Vagrant resources:
Undo changes to `~/.ssh/config`.

Describe the results you received
Describe the results you expected
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
–
Additional information
Possibly related: `podman` tries to lookup hostname which is used for ssh connection. #21113