CHE-14398: Copy SSH keys with proper permissions

[vinokurig]

What does this PR do?

The OpenSSH daemon requires 600 file mode access permissions for private keys.
Mounted keys have 640 permissions despite setting DefaultMode to 600.
As a workaround add an init container and set a command that copies the SSH keys to mounted to all workspace pod containers and manually set them needed permissions.

What issues does this PR fix or reference?

#14398

Release Notes

Docs PR

[che-bot]

✅ E2E Happy path tests succeed 🎉

See Details

• Jenkins job

• logs and configs

• Happy path tests DevFile

• image: maxura/che-server:15167

Tested with Eclipse Che Single User on K8S (minikube v1.1.1)

[vzhukovs]

LGTM, didn't test it, though

[che-bot]

E2E tests of Eclipse Che Multiuser on OCP has failed:

• Build details
• Test report
• docker image: eclipseche/che-server:15167
  https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.
  Use command "ci-test" to rerun the test.

[vinokurig]

ci-test

[che-bot]

E2E tests of Eclipse Che Multiuser on OCP has failed:

• Build details
• Test report
• docker image: eclipseche/che-server:15167
  https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.
  Use command "ci-test" to rerun the test.

[che-bot]

❌ E2E Happy path tests failed ❗

See Details

• Jenkins job

• test report

• logs and configs

• Happy path tests DevFile

• image: maxura/che-server:15167

Tested with Eclipse Che Single User on K8S (minikube v1.1.1)

⚠️ https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

ℹ️ Use comment "crw-ci-test" to rerun happy path E2E test.

[vinokurig]

crw-ci-test

[che-bot]

❌ E2E Happy path tests failed ❗

See Details

• Jenkins job

• test report

• logs and configs

• Happy path tests DevFile

• image: maxura/che-server:15167

Tested with Eclipse Che Single User on K8S (minikube v1.1.1)

⚠️ https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

ℹ️ Use comment "crw-ci-test" to rerun happy path E2E test.

[che-bot]

E2E tests of Eclipse Che Multiuser on OCP has been successful:

• Build details
• Test report
• docker image: eclipseche/che-server:15167

[vinokurig]

crw-ci-test

[che-bot]

❌ E2E Happy path tests failed ❗

See Details

• Jenkins job

• test report

• logs and configs

• Happy path tests DevFile

• image: maxura/che-server:15167

Tested with Eclipse Che Single User on K8S (minikube v1.1.1)

⚠️ https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

ℹ️ Use comment "crw-ci-test" to rerun happy path E2E test.

[vinokurig]

crw-ci-test

[che-bot]

❌ E2E Happy path tests failed ❗

See Details

• Jenkins job

• test report

• logs and configs

• Happy path tests DevFile

• image: maxura/che-server:15167

Tested with Eclipse Che Single User on K8S (minikube v1.1.1)

⚠️ https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

ℹ️ Use comment "crw-ci-test" to rerun happy path E2E test.

[amisevsk]

I'm leaning towards -1 on this PR, do we really need to add yet another init container to pods? If we do have to, it should at least be handled in the same way as all other containers in workspaces and be provisioned using the existing flow. The current PR looks like a hack.

Also, has this been tested on a (non-minishift) OpenShift deployment? From what I understand, the arbitrary user ID default will mean that the key is not readable by anyone.

[amisevsk]

This is bad practice and will be a nightmare for airgap users.

[vinokurig]

Used a property

[davidwindell]

Please don't abandon this, it is the only way we can use Che on Kubernetes/Rancher because at the moment there are many issues preventing running Che as a non-root user in this environment.

[vinokurig]

crw-ci-test

[vinokurig]

@amisevsk

If we do have to, it should at least be handled in the same way as all other containers

We cannot override command in a common container, so I used init container.

Also, has this been tested on a (non-minishift) OpenShift deployment?

no

From what I understand, the arbitrary user ID default will mean that the key is not readable by anyone.

Do you mean the case when the workspace is shared?

[che-bot]

❌ E2E Happy path tests failed ❗

See Details

• Jenkins job

• test report

• logs and configs

• Happy path tests DevFile

• image: maxura/che-server:15167

Tested with Eclipse Che Single User on K8S (minikube v1.1.1)

⚠️ https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

ℹ️ Use comment "crw-ci-test" to rerun happy path E2E test.

[che-bot]

❌ E2E Happy path tests failed ❗

See Details

• Jenkins job

• test report

• logs and configs

• Happy path tests DevFile

• image: maxura/che-server:15167

Tested with Eclipse Che Single User on K8S (minikube v1.1.1)

⚠️ https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

ℹ️ Use comment "crw-ci-test" to rerun happy path E2E test.

[che-bot]

E2E tests of Eclipse Che Multiuser on OCP has been successful:

• Build details
• Test report
• docker image: eclipseche/che-server:15167

[amisevsk]

If we do have to, it should at least be handled in the same way as all other containers

We cannot override command in a common container, so I used init container.

Using an init container is fine, but hard-coding it in this way is not, IMO. To be clear, this will break offline/airgap.

From what I understand, the arbitrary user ID default will mean that the key is not readable by anyone.

Do you mean the case when the workspace is shared?

I haven't looked into this deeply and checked whether it causes issues, but containers running on OpenShift a) do not have root privileges, and b) start with a semi-randomly assigned user ID. Will the init container copy the ssh keys in with the correct owner?

[vinokurig]

@amisevsk

Using an init container is fine, but hard-coding it in this way is not, IMO. To be clear, this will break offline/airgap.

I have reworked it to use a property

I haven't looked into this deeply and checked whether it causes issues, but containers running on OpenShift a) do not have root privileges, and b) start with a semi-randomly assigned user ID. Will the init container copy the ssh keys in with the correct owner?

Basically this workaround is designed to work only when the che assembly is set up to have a root user @davidwindell Am I correct?

[l0rd]

@vinokurig @vparfonov I am in agreement with @amisevsk here. This look like a hack whereas we had a solution for @davidwindell problem and potentially for any permission related problem: Add a wsmaster property to specify workspaces default security context · Issue #15138 · eclipse/che.

[vparfonov]

@amisevsk, sorry but I don't follow what problem we will have in case offline/airgap, @vinokurig replace hard coded image id with property that already in use. (see commit)

@l0rd so should we close this PR and wait on proper fixes from #15138?

BTW issue #15138 has P2 priority

[l0rd]

@vparfonov I think that it makes more sense to work on #15138 yes! I made it P1

[davidwindell]

If you do abandon, this please note that it means we won't be able to use Che at all until #14330 is fixed also.

[l0rd]

If you do abandon, this please note that it means we won't be able to use Che at all until #14330 is fixed also.

@davidwindell but #15138 would fix this as well right? You will be able to run containers as root user or any user id you would like and that should fix the permissions problem.

[vinokurig]

@l0rd #15138 will not fix the problem with SSH keys, we still would need to copy them.

[l0rd]

@l0rd #15138 will not fix the problem with SSH keys, we still would need to copy them.

It doesn't look like we will need the copy, mounting should be enough kubernetes/kubernetes#81089 (comment)

[vinokurig]

@l0rd

It doesn't look like we will need the copy, mounting should be enough kubernetes/kubernetes#81089 (comment)

I don't understand why mounting should be enough. I have setup my minikube with:

CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP: 0
CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER: 0

and it worked as usual (the mounted key still has 640 permissions instead of 600)
BTW, from kubernetes/kubernetes#81089 (comment)

So in this scenario (which is not uncommon I would guess), there is little to no use for the defaultMode

[amisevsk]

@vparfonov

sorry but I don't follow what problem we will have in case offline/airgap, @vinokurig replace hard coded image id with property that already in use. (see commit)

I hadn't seen this commit and it hadn't been mentioned when I made my second comment -- apologies. While that removes the hard blocker for merging, IMO this PR is still a hack. Either way, I won't block merging if it's a hard requirement for some.

[vinokurig]

Is not actual any more