relevant ssh-agent variables not passable to _run.sh, causing difficulty with private repository authentication #11790

Closed
vputz opened this issue Mar 24, 2021 · 4 comments · Fixed by #11791

Comments

vputz commented Mar 24, 2021

❯ ./pants --version
/home/vputz/.cache/pants/setup/bootstrap-Linux-x86_64/2.3.0_py38
2.3.0

Using a private repository in a requirements.txt file of the form documented in the pants documentation, i.e.

target@ git+ssh://[email protected]:/myorg/myrepo.git@myhash

the ./pants commands fail to build requirements, because the SSH authentication is not being passed to the shell. This results in an inability to proceed; running the command with -ldebug gives the log messages

 Complete output (5 lines):
  [email protected]: Permission denied (publickey).
  fatal: Could not read from remote repository.
  Please make sure you have the correct access rights
  and the repository exists.
  ----------------------------------------

Running the generated _run.sh script within an existing user shell worked correctly.

Via conversations on Slack, the problem could be due to the SSH_AUTH_SOCK environment variable (or possibly the SSH_AGENT_PID variable) not being passed to the chrooted _run.sh script. @stuhood noted that the --subprocess-environment-env-vars flag should pass the variable, but that this flag had hard-coded limits which were recently removed. Indeed, running the command as

./pants test mytarget --subprocess-environment-env-vars=SSH_AUTH_SOCK

resulted in the exception

Exception message: 1 Exception encountered:

  ValueError: SSH_AUTH_SOCK is not in the list of variable names that are allowed to be set. Must be one of ALL_PROXY,FTP_PROXY,HTTPS_PROXY,HTTP_PROXY,LANG,LC_ALL,LC_CTYPE,NO_PROXY,REQUESTS_CA_BUNDLE,all_proxy,ftp_proxy,http_proxy,https_proxy,no_proxy.

This particular issue has been fixed, and the command can be run with

PANTS_SHA=d46197d033958ffda7d434aaf9b95148c96138d7 ./pants ... --subprocess-environment-env-vars=SSH_AUTH_SOCK

The command then completes.

So the process of accessing private repos can work by managing the SSH_AUTH_SOCK environment variable on future releases; this should perhaps be noted in the documentation on third-party requirements from source (https://www.pantsbuild.org/docs/python-third-party-dependencies#using-custom-repositories, under "Installing from Version Control and Local Files"), and it would be nice if there was a way to set this permanently in pants.toml so that the flag did not need to be passed every time.

stuhood (Member) commented Mar 24, 2021

Thank you for the report! As mentioned, #11743 landed during the 2.4.x series, and allows for passing through environment variables to allow this to work.

I've opened #11791 to backport this to 2.3.x.

stuhood linked a pull request Mar 24, 2021 that will close this issue
stuhood added a commit that referenced this issue Mar 24, 2021
Kill SETTABLE_ENV_VARS allow list.

Fixes #11790.

[ci skip-rust]
[ci skip-build-wheels]

stuhood (Member) commented Mar 24, 2021

The cherrypick has landed in the 2.3.x branch: we'll do another release candidate of 2.3.1 tomorrow most likely. This fix will also be in the 2.4.0rc0 that we'll cut in the next few days.

> So the process of accessing private repos can work by managing the SSH_AUTH_SOCK environment variable on future releases; this should perhaps be noted in the documentation on third-party requirements from source (https://www.pantsbuild.org/docs/python-third-party-dependencies#using-custom-repositories, under "Installing from Version Control and Local Files")...

@vputz : If you have time to submit an edit to the 2.4 version of the site here: https://www.pantsbuild.org/v2.4/docs/python-third-party-dependencies#using-custom-repositories (click "Suggest Edits" at the top right), that would be really awesome.

> and it would be nice if there was a way to set this permanently in pants.toml so that the flag did not need to be passed every time.

All pants options can be specified in three different places: see Setting options. In this case you'd put it in pants.toml like:

[subprocess-environment]
env_vars = [
  "SSH_AUTH_SOCK",
]
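
Why `_run.sh` authenticated from a user shell but not under Pants, as an added example (not Pants code and not code from this thread): a child started with a scrubbed environment sees `SSH_AUTH_SOCK` only when the variable is named for passthrough, which is what `env_vars` does. The helper names are hypothetical, and the scrubbing is a plain-Python stand-in for the Pants sandbox.

```python
import os
import stat
import subprocess
import sys

# Probe executed inside the child: reports what the child sees for SSH_AUTH_SOCK.
_PROBE = "import os; print(os.environ.get('SSH_AUTH_SOCK', '<unset>'))"


def scrubbed_env(parent_env, passthrough):
    """Build a child environment holding only the named variables.

    Names missing from the parent are skipped rather than set to "".
    """
    return {name: parent_env[name] for name in passthrough if name in parent_env}


def child_view(parent_env, passthrough):
    """Run a child with the scrubbed environment; return its SSH_AUTH_SOCK."""
    out = subprocess.run(
        [sys.executable, "-c", _PROBE],
        env=scrubbed_env(parent_env, passthrough),
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


def agent_socket_problem(env):
    """Return None if SSH_AUTH_SOCK names a Unix socket, else the reason."""
    path = env.get("SSH_AUTH_SOCK")
    if not path:
        return "SSH_AUTH_SOCK is not set in the parent shell"
    try:
        mode = os.stat(path).st_mode
    except OSError as exc:
        return f"cannot stat {path}: {exc.strerror}"
    if not stat.S_ISSOCK(mode):
        return f"{path} exists but is not a socket"
    return None


if __name__ == "__main__":
    # Uses the real environment of the shell this is run from.
    print("agent socket:", agent_socket_problem(os.environ) or "ok")
    print("child without passthrough:", child_view(os.environ, []))
    print("child with passthrough:   ", child_view(os.environ, ["SSH_AUTH_SOCK"]))
```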

stuhood closed this as completed Mar 24, 2021

stuhood (Member) commented Mar 25, 2021

@vputz : The fix to enable passing these environment variables is now in 2.3.1rc1: https://groups.google.com/g/pants-devel/c/Z5rSKAzz5cg/m/9WcQslWiAgAJ .. thanks again for the report!

stuhood (Member) commented Mar 26, 2021

@vputz : I've updated the v2.4 docs to make the version controlled section more prominent, and include a tip for SSH: https://www.pantsbuild.org/v2.4/docs/python-third-party-dependencies#version-control-or-local-requirements

Thanks again!
