Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

connhelper: use ssh multiplexing #2132

Merged
merged 2 commits into from
Jan 9, 2020
Merged

connhelper: use ssh multiplexing #2132

merged 2 commits into from
Jan 9, 2020

Conversation

tonistiigi
Copy link
Member

Add multiplexing to ssh connection helper so commands that do multiple requests share the connection. Environment variables for opting out and controlling the persist time for even better connection sharing.

Before:

 # time docker run alpine true
docker run alpine true  0.04s user 0.03s system 1% cpu 4.373 total
 # time docker build . 2>/dev/null
docker build . 2> /dev/null  0.05s user 0.03s system 3% cpu 2.312 total

After

 # time docker run alpine true
docker run alpine true  0.04s user 0.03s system 2% cpu 2.376 total
 # time docker build . 2>/dev/null
docker build . 2> /dev/null  0.04s user 0.03s system 5% cpu 1.295 total

@AkihiroSuda @cpuguy83 @tiborvass

Signed-off-by: Tonis Tiigi tonistiigi@gmail.com

@AkihiroSuda
Copy link
Collaborator

SGTM, but IIRC we intentionally avoided having socket files, for security purpose

@AkihiroSuda
Copy link
Collaborator

AkihiroSuda commented Oct 10, 2019
edited
Loading

That's why we are using stdio instead of ssh -L

AkihiroSuda
AkihiroSuda reviewed Oct 10, 2019
View reviewed changes
cli/connhelper/connhelper.go
return nil
}
}
args := []string{"-o", "ControlMaster=auto", "-o", "ControlPath=" + config.Dir() + "/%r@%h:%p"}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens if .ssh/config already has this?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It overwrites afaik. This is the main reason I left a way to opt-out. If we want to be conservative about it, one way would be to use a different helper prefix.

AkihiroSuda
AkihiroSuda reviewed Oct 11, 2019
View reviewed changes
cli/connhelper/connhelper.go
return nil
}
}
if err := os.MkdirAll(config.Dir(), 0700); err != nil {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably we should create a new directory, because when ~/.docker already exists with other permission bits, we can't guarantee the sockets are created under a directory with 0700.
On my Macintosh, ~/.docker was somehow created with 0755.

But it is more likely to hit UNIX_PATH_MAX (108)... 😢

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably we can let commandconn change working directory for avoiding 108 limit

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The socket itself is created with 0600. This mkdir is to avoid the case where .docker does not exist.

@AkihiroSuda
Copy link
Collaborator

@justincormack PTAL?

justincormack
justincormack reviewed Oct 29, 2019
View reviewed changes
cli/connhelper/connhelper.go
}
args := []string{"-o", "ControlMaster=auto", "-o", "ControlPath=" + config.Dir() + "/%r@%h:%p"}
if v := os.Getenv("DOCKER_SSH_MUX_PERSIST"); v != "" {
args = append(args, "-o", "ControlPersist="+v)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any reason not to have a Docker config option for this as well?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you would ever set them they would probably be more dependent on the actual DOCKER_HOST value, not a global client config. I'm not even sure we even want to document these, it should be very advanced usage if you want to set them.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ping @justincormack pal ^

@AkihiroSuda
Copy link
Collaborator

ping @tonistiigi

@thaJeztah
Copy link
Member

@AkihiroSuda ^ looking good for you, or still concerns / changes needed?

thaJeztah
thaJeztah requested changes Jan 9, 2020
View reviewed changes
cli/connhelper/connhelper.go
@@ -53,3 +56,19 @@ func GetCommandConnectionHelper(cmd string, flags ...string) (*ConnectionHelper,
Host: "http://docker",
}, nil
}

func multiplexingArgs() []string {
if v := os.Getenv("DOCKER_SSH_NO_MUX"); v != "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you document the new environment variables in https://github.com/docker/cli/blob/master/docs/reference/commandline/cli.md#environment-variables ?

@tonistiigi
connhelper: add ssh multiplexing
c04dd6e 
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
@tonistiigi
docs: document ssh multiplexing env
4ecbef4 
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
thaJeztah
thaJeztah approved these changes Jan 9, 2020
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@thaJeztah thaJeztah merged commit a4f6016 into docker:master Jan 9, 2020
@thaJeztah thaJeztah mentioned this pull request Jan 15, 2020
Closed
@thaJeztah thaJeztah mentioned this pull request Jan 30, 2020
Merged
@thaJeztah thaJeztah modified the milestones: 19.03.6, next Feb 5, 2020
@silvin-lubecki silvin-lubecki mentioned this pull request Feb 13, 2020
Open
@thaJeztah thaJeztah mentioned this pull request Dec 5, 2022
Merged
@ndeloof ndeloof mentioned this pull request Dec 6, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

@thaJeztah thaJeztah thaJeztah approved these changes

@justincormack justincormack justincormack approved these changes

Assignees
No one assigned
Labels
impact/changelog status/2-code-review
Projects
None yet
Milestone
20.10.0
Development

Successfully merging this pull request may close these issues.
5 participants
@tonistiigi @AkihiroSuda @thaJeztah @justincormack @GordonTheTurtle