Skip to content

Commit

Permalink
Expose SSH authorization using client session
Browse files Browse the repository at this point in the history
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
  • Loading branch information
tonistiigi committed Apr 22, 2017
1 parent d13de2e commit a175773
Show file tree
Hide file tree
Showing 8 changed files with 683 additions and 16 deletions.
29 changes: 21 additions & 8 deletions builder/dockerfile/builder.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@ package dockerfile

import (
"bytes"
"errors"
"fmt"
"io"
"io/ioutil"
Expand All @@ -21,9 +20,10 @@ import (
"github.com/docker/docker/builder"
"github.com/docker/docker/builder/dockerfile/parser"
"github.com/docker/docker/client/session"
"github.com/docker/docker/client/session/ssh"
"github.com/docker/docker/image"
"github.com/docker/docker/pkg/stringid"
perrors "github.com/pkg/errors"
"github.com/pkg/errors"
"golang.org/x/net/context"
)

Expand Down Expand Up @@ -72,6 +72,7 @@ type Builder struct {
fsCache *FSCache
sessionGetter SessionGetter
auth AuthConfigProvider
sshAuthSock string

dockerfile *parser.Node
runConfig *container.Config // runconfig for cmd, run, entrypoint etc.
Expand Down Expand Up @@ -119,14 +120,14 @@ func NewBuildManager(b builder.Backend, sg SessionGetter) (*BuildManager, error)

tmpdir, err := ioutil.TempDir("", "fscache")
if err != nil {
return nil, perrors.Wrap(err, "failed to create tmp directory")
return nil, errors.Wrap(err, "failed to create tmp directory")
}

fsCache, err := NewFSCache(FSCacheOpt{
Backend: &tmpCacheBackend{tmpdir},
})
if err != nil {
return nil, perrors.Wrap(err, "failed to create fscache")
return nil, errors.Wrap(err, "failed to create fscache")
}
bm.fsCache = fsCache
fsCache.RegisterTransport(ClientSessionTransportName, NewClientSessionTransport())
Expand Down Expand Up @@ -292,7 +293,7 @@ func (b *Builder) build(stdout io.Writer, stderr io.Writer, out io.Writer) (stri
defer cancel()
_, caller, err := b.sessionGetter.GetSession(ctx, b.options.SessionId)
if err != nil {
return "", perrors.Wrapf(err, "failed to get session for %s", b.options.SessionId)
return "", errors.Wrapf(err, "failed to get session for %s", b.options.SessionId)
}

if b.options.RemoteContext == "client-session" {
Expand All @@ -310,6 +311,18 @@ func (b *Builder) build(stdout io.Writer, stderr io.Writer, out io.Writer) (stri
}

b.auth = NewAuthConfigProvider(b.options.AuthConfigs, caller)
sshProvider, err := ssh.NewSSHAuthProvider("_main", caller)
if err != nil && errors.Cause(err) != ssh.ErrNotSupported {
return "", err
}
// TODO: lazy create
sock, release, err := sshProvider.CreateListenSocket()
if err != nil {
return "", err
}
defer release()
b.sshAuthSock = sock

logrus.Debugf("sync-time: %v", time.Since(st))
} else {
b.auth = NewAuthConfigProvider(b.options.AuthConfigs, nil)
Expand All @@ -326,7 +339,7 @@ func (b *Builder) build(stdout io.Writer, stderr io.Writer, out io.Writer) (stri
total := len(b.dockerfile.Children)
for _, n := range b.dockerfile.Children {
if err := b.checkDispatch(n, false); err != nil {
return "", perrors.Wrapf(err, "Dockerfile parse error line %d", n.StartLine)
return "", errors.Wrapf(err, "Dockerfile parse error line %d", n.StartLine)
}
}

Expand Down Expand Up @@ -367,7 +380,7 @@ func (b *Builder) build(stdout io.Writer, stderr io.Writer, out io.Writer) (stri
}
b.image, err = b.docker.SquashImage(b.image, fromID)
if err != nil {
return "", perrors.Wrap(err, "error squashing image")
return "", errors.Wrap(err, "error squashing image")
}
}

Expand Down Expand Up @@ -459,7 +472,7 @@ type tmpCacheBackend struct {
func (tcb *tmpCacheBackend) Get(id string) (string, error) {
d := filepath.Join(tcb.root, id)
if err := os.MkdirAll(d, 0700); err != nil {
return "", perrors.Wrapf(err, "failed to create tmp dir for %s", d)
return "", errors.Wrapf(err, "failed to create tmp dir for %s", d)
}
return d, nil
}
Expand Down
14 changes: 14 additions & 0 deletions builder/dockerfile/internals.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ import (
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/backend"
"github.com/docker/docker/api/types/container"
"github.com/docker/docker/api/types/mount"
"github.com/docker/docker/api/types/strslice"
"github.com/docker/docker/builder"
"github.com/docker/docker/builder/dockerfile/parser"
Expand Down Expand Up @@ -539,8 +540,21 @@ func (b *Builder) create() (string, error) {
ExtraHosts: b.options.ExtraHosts,
}

sockPath := "/run/.ssh_auth_sock"

if b.sshAuthSock != "" {
m := mount.Mount{
Type: mount.TypeBind,
Source: b.sshAuthSock,
Target: sockPath,
}
hostConfig.Mounts = []mount.Mount{m}
}

config := *b.runConfig

b.runConfig.Env = append(b.runConfig.Env, "SSH_AUTH_SOCK="+sockPath)

// Create the container
c, err := b.docker.ContainerCreate(types.ContainerCreateConfig{
Config: b.runConfig,
Expand Down
14 changes: 14 additions & 0 deletions cli/command/image/build.go
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ import (
"github.com/docker/docker/client/session/authsession"
"github.com/docker/docker/client/session/fssession"
"github.com/docker/docker/client/session/grpctransport"
"github.com/docker/docker/client/session/ssh"
"github.com/docker/docker/opts"
"github.com/docker/docker/pkg/archive"
"github.com/docker/docker/pkg/fileutils"
Expand Down Expand Up @@ -79,6 +80,7 @@ type buildOptions struct {
networkMode string
squash bool
stream bool
enableSSH bool
}

// NewBuildCommand creates a new `docker build` command
Expand Down Expand Up @@ -131,6 +133,8 @@ func NewBuildCommand(dockerCli *command.DockerCli) *cobra.Command {
flags.SetAnnotation("network", "version", []string{"1.25"})
flags.Var(&options.extraHosts, "add-host", "Add a custom host-to-IP mapping (host:ip)")

flags.BoolVar(&options.enableSSH, "ssh", false, "Expose ssh-agent to the builder")

command.AddTrustVerificationFlags(flags)

flags.BoolVar(&options.squash, "squash", false, "Squash newly built layers into a single new layer")
Expand Down Expand Up @@ -443,11 +447,21 @@ func runBuild(dockerCli *command.DockerCli, options buildOptions) error {
var authConfigs map[string]types.AuthConfig
if grpcSession == nil {
authConfigs, _ = dockerCli.GetAllCredentials()
if options.enableSSH {
return errors.Errorf("SSH can't be enabled in this daemon")
}
} else {
authHandler := authsession.NewAuthconfigHandler("_main", &authCfgProvider{dockerCli}, func(registry string) {
progressOutput.WriteProgress(progress.Progress{Action: "Authenticating to " + registry, LastUpdate: true})
})
grpcSession.Allow(authHandler)
if options.enableSSH {
sshHandler, err := ssh.NewSSHHandler("_main", ssh.SSHOpt{})
if err != nil {
return err
}
grpcSession.Allow(sshHandler)
}
}

if grpcSession != nil {
Expand Down
3 changes: 3 additions & 0 deletions client/session/ssh/generate.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
package ssh

//go:generate protoc --gogoslick_out=. wire.proto
Loading

0 comments on commit a175773

Please sign in to comment.