SSH-based auth for llb.Git operations #1782
- fixes assumption that ssh git clones must be via the `git` user.
- allows passing the SSH_AUTH_SOCK from the client to GitSource
- allows passing a known_host entry for ssh

Signed-off-by: Alex Couture-Beil <alex@earthly.dev>
client/llb/source.go
Outdated
@@ -201,7 +201,7 @@ func Git(remote, ref string, opts ...GitOption) State { | |||
url := "" | |||
|
|||
for _, prefix := range []string{ | |||
"http://", "https://", "git://", "git@", |
Why?
Without this change, when I do `llb.Git("git@github.com:earthly/earthly.git", "main")` it causes the string to get trimmed into `github.com:earthly/earthly.git`, which then causes buildkit to attempt to parse the string as if it were a URL (in https://github.com/moby/buildkit/pull/1782/files#diff-dc3734c7af40d455fbd22d64b372bf572aa7314209bafc3d5f1f809203186d6eL27 ) which ultimately gives me the error: `failed to load cache key: parse https://github.com:earthly/earthly.git: invalid port ":earthly" after host`.
I wonder if there's a way we could reproduce this error via an integration test to show that this fixes the issue? I don't know enough about buildkit's integration testing to add one (but would be keen on learning with some help).
This is the reason why `AttrFullRemoteURL` was added. I believe that should be used instead to get this info.
I'll back out this change, and try using `AttrFullRemoteURL` in a follow-up PR.
Signed-off-by: Alex Couture-Beil <alex@earthly.dev>
source/gitidentifier.go
Outdated
"strings" | ||
|
||
"github.com/pkg/errors" | ||
) | ||
|
||
// sshGitRegexp is used to detect if the git repo uses ssh | ||
// e.g. git@... or otheruser@nonstandardgithost.com:my/really/strange/repo.git | ||
var sshGitRegexp, _ = regexp.Compile("[a-z0-9_]+@[^/]+:.+") |
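Review bot: on the `sshGitRegexp` line the pattern has no `^` anchor and the compile error is discarded with `_`. Unanchored, it matches any string that contains `name@host:rest` somewhere, which includes a URL carrying userinfo and a port, so it cannot on its own tell an scp-style remote from an HTTP one. The class `[a-z0-9_]+` also excludes user names with uppercase letters, dots or hyphens. Suggest `regexp.MustCompile` so a bad pattern fails at init, an anchored pattern, and a table test covering both forms named in the comment above the variable.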
Not sure if these changes are related to the rest of the PR. The identifier logic is copied from Docker description https://github.com/moby/moby/blob/master/pkg/urlutil/urlutil.go#L21 and we need to be aware of the ambiguity concerns (e.g. `@` could be valid for HTTP as well) and maybe change docs. I'd rather handle that separately. @thaJeztah
That's correct that it's not related to mounting the ssh socket. I'll back this change out in this PR, then open a new one to tackle the issue of using a non-git username for ssh cloning.
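The two threads above describe one parsing problem: an scp-style remote fails once it is treated as a URL, and `@` alone does not mark a remote as SSH. The following Go program is an added example, not code from this PR or from buildkit; `parseTrimmed`, `classify` and the anchored pattern are hypothetical, and the sample remotes are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// The pattern from the source/gitidentifier.go hunk, as written (unanchored),
// and an anchored variant added here for comparison (assumption, not PR code).
var (
	asWritten = regexp.MustCompile(`[a-z0-9_]+@[^/]+:.+`)
	anchored  = regexp.MustCompile(`^[a-z0-9_]+@[^/]+:.+$`)
)

// parseTrimmed reproduces the reported failure: strip "git@", prepend
// "https://", then parse the result as a URL.
func parseTrimmed(remote string) error {
	_, err := url.Parse("https://" + strings.TrimPrefix(remote, "git@"))
	return err
}

// unanchoredMatches reports whether the pattern as written matches anywhere.
func unanchoredMatches(remote string) bool { return asWritten.MatchString(remote) }

// classify (hypothetical helper) returns the transport for a remote: the URL
// scheme when one is present, "ssh" for scp-style user@host:path, else "unknown".
func classify(remote string) string {
	if strings.Contains(remote, "://") {
		u, err := url.Parse(remote)
		if err != nil || u.Scheme == "" {
			return "invalid"
		}
		return u.Scheme
	}
	if anchored.MatchString(remote) {
		return "ssh"
	}
	return "unknown"
}

func main() {
	fmt.Println(parseTrimmed("git@github.com:earthly/earthly.git"))
	for _, r := range []string{ // constructed sample remotes
		"git@github.com:earthly/earthly.git",
		"https://user@example.com:8443/repo.git",
	} {
		fmt.Println(r, classify(r), unanchoredMatches(r))
	}
}
```

Checking for a scheme before applying the scp-style pattern is what keeps the HTTPS remote with userinfo from being classified as SSH.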
client/llb/source.go
Outdated
|
||
func MountSSHSock() GitOption { | ||
return gitOptionFunc(func(gi *GitInfo) { | ||
gi.MountSSHSock = true |
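Review bot: the exported `MountSSHSock` option has no doc comment in this hunk. Since setting `gi.MountSSHSock = true` makes the client's SSH agent socket available to the git operation, the comment should say which socket is mounted, for which remotes it takes effect, and what the caller must have configured on the client side for it to work.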
This should be the ssh id, not a bool. If identifier is SSH based it should be set automatically.
Great point, changed this to a string which is now passed from the client.
> If identifier is SSH based it should be set automatically.

That part does not look addressed yet.
I missed that part, I'm working on implementing it as well as an ssh keyscan for when no keys are supplied.
- back out changes to changing the git url
- fix gid
- ignore global ssh config option when specifying known hosts

Signed-off-by: Alex Couture-Beil <alex@earthly.dev>
Signed-off-by: Alex Couture-Beil <alex@earthly.dev>
As discussed in slack, please follow-up with PRs that make the auth default on ssh URL and fix the URL parsing issue you discovered.
This PR implements ssh-based authentication for git operations and fixes #1564.
It provides the ability to make use of the ssh forwarding from the client, and introduces the ability to specify known_host entries.
Here's an example client to illustrate how to use the new Git source options: