dockerSsh option fails to mount non-RSA keys into container #488

jacksgt opened this issue Mar 9, 2020 · 1 comment
jacksgt commented Mar 9, 2020

As per the README, "The dockerSsh option will mount your $HOME/.ssh/id_rsa and $HOME/.ssh/known_hosts as a volume in the docker container".

However, other paths and key formats are also used for SSH keys (e.g. specific SSH keys for specific sites, ecdsa or ed25519, etc.).

If no RSA SSH key is present, I get the following error:

```
Serverless: Using download cache directory /home/jack/.cache/serverless-python-requirements/downloadCacheslspyc
Serverless: Running docker run --rm -v /home/jack/.cache/serverless-python-requirements/413378d9b4915169d34e398a2e96757e42a01b4a91c532d04d36d297c6041eb2_slspyc\:/var/task\:z -v /home/jack/.ssh/id_rsa\:/root/.ssh/id_rsa\:z -v /home/jack/.ssh/known_hosts\:/root/.ssh/known_hosts\:z -v /tmp/ssh-4OmyoDvmZaPi/agent.1416\:/tmp/ssh_sock\:z -e SSH_AUTH_SOCK\=/tmp/ssh_sock -v /home/jack/.cache/serverless-python-requirements/downloadCacheslspyc\:/var/useDownloadCache\:z lambci/lambda\:build-python3.6 /bin/sh -c 'chown -R 0\\:0 /var/useDownloadCache && python3.6 -m pip install -t /var/task/ -r /var/task/requirements.txt --cache-dir /var/useDownloadCache && chown -R 1000\\:1000 /var/task && chown -R 1000\\:1000 /var/useDownloadCache && find /var/task -name \\*.so -exec strip \\{\\} \\;'...

  Error --------------------------------------------------

  Error: STDOUT: Obtaining repo from ssh@example.com/repo.git@v0.0.3 (from -r /var/task/requirements.txt (line 1))
    Cloning ssh@example.com:repo.git (to revision v0.0.3) to ./src/repo
    Running command git clone -q ssh@example.com:repo.git /var/task/src/repo
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Permissions 0755 for '/root/.ssh/id_rsa' are too open.
    It is required that your private key files are NOT accessible by others.
    This private key will be ignored.
    Load key "/root/.ssh/id_rsa": bad permissions
    Permission denied (publickey).
    fatal: Could not read from remote repository.
```

Even if no RSA key is present, the plugin still tries to mount ~/.ssh/id_rsa into the container.
Docker then subsequently creates this path (as a directory), but with standard permissions (hence the above error message).
In the end, the SSH private key (which is in ~/.ssh/id_ed25519) is not present in the container, thus the "permission denied" error for the private repository occurs.
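
The failure described in this issue can be caught before `docker run` is invoked. The following is an added example, not code from the plugin or from the fix commit: `sshMountArgs`, `KEY_NAMES` and the returned `problems` list are hypothetical names, and the `/root/.ssh` target and `:z` suffix are copied from the command line in the log above.

```javascript
const fs = require('fs');
const path = require('path');

// Common default identity file names (assumption: extend the list as needed).
const KEY_NAMES = ['id_rsa', 'id_ecdsa', 'id_ed25519'];

// Hypothetical helper: build `docker run` bind-mount arguments only for SSH
// files that really exist in sshDir, and report anything ssh would reject.
function sshMountArgs(sshDir) {
  const args = [];
  const problems = [];
  for (const name of [...KEY_NAMES, 'known_hosts']) {
    const src = path.join(sshDir, name);
    let st;
    try {
      // lstat: symlinks are reported below rather than followed.
      st = fs.lstatSync(src);
    } catch (err) {
      // Absent file: skip it, so Docker never creates the path as a directory.
      if (err.code === 'ENOENT') continue;
      throw err;
    }
    if (!st.isFile()) {
      // For example a directory left behind by an earlier mount of a missing path.
      problems.push(`${src}: not a regular file`);
      continue;
    }
    const isKey = name !== 'known_hosts';
    if (isKey && (st.mode & 0o077) !== 0) {
      // ssh ignores private keys that group or others can access.
      const mode = (st.mode & 0o777).toString(8);
      problems.push(`${src}: mode ${mode} is accessible by group/others`);
      continue;
    }
    args.push('-v', `${src}:/root/.ssh/${name}:z`);
  }
  return { args, problems };
}
```

A caller would append `args` to the `docker run` command and surface `problems` to the user instead of letting the clone fail inside the container.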

jacksgt added a commit to jacksgt/serverless-python-requirements that referenced this issue Mar 9, 2020
This enables the user to use any key file format (RSA, ED25519, ...).
Additionally, it allows more complex workflows (such as different SSH keys for
specific sites, such as Github or Bitbucket), since the .ssh/config
file is also mounted into the container.

Fixes serverless#488
jacksgt added a commit to jacksgt/serverless-python-requirements that referenced this issue Mar 30, 2020
jacksgt added a commit to jacksgt/serverless-python-requirements that referenced this issue Apr 23, 2020
jacksgt added a commit to jacksgt/serverless-python-requirements that referenced this issue Sep 20, 2020
jeanbmar commented Mar 3, 2022

Here is a workaround if you need to use a private repo:

```yaml
pythonRequirements:
    dockerizePip: true
    dockerImage: mlupin/docker-lambda:python3.9-build
    dockerSsh: true
    dockerRunCmdExtraArgs:
      - '-e'
      - 'GIT_SSH_COMMAND="cp ~/.ssh/id_rsa ~/id_rsa && chmod 600 ~/id_rsa && ssh -i ~/id_rsa"'
```
