Vendor load-singlesshagent.sh script #409
Conversation
There was a problem hiding this comment.
@danielhollas Thanks! Fully agree to move the sshagent script here. Just to sure that you didn't change any code in this script correct? Other changes are all good to me.
I did actually, sorry for not making that clear. I removed the spurious error message (point 2. in the OP), see the third commit. Also in the last commit a made a small bugfix, substituting |
| @@ -32,7 +32,7 @@ load_singlesshagent() { | |||
| [ "$VERBOSE" == "true" ] && echo "- no existing environment to source" >&2 | |||
| fi | |||
|
|
|||
| SSH_ADD_OUTPUT=`ssh-add -l` | |||
| SSH_ADD_OUTPUT=`ssh-add -l 2> /dev/null` | |||
There was a problem hiding this comment.
@unkcpz here's the small change to get rid of spurious errors.. Note that it is okay to redirect error to dev/null here since we check the return value of this ssh-add command below.
Is this means the original downloaded script should not work properly. I'll have a test to see how sshagent is actually working, I guess it is related to when ssh key phrase is not empty. |
|
@danielhollas thanks for the change. I read some detailed introductions on ssh-agent, along with the script. I think maybe the correct solution is to
Can you give this a try? Or if you don't mind I can add commits to test it. |
|
@unkcpz feel free to add commits with your proposed changes. Thanks! |
unkcpz
force-pushed
the
vendor-ssh-script
branch
from
0a15973
to
ded39f9
Compare
|
@unkcpz I am wondering: I think we still need the |
|
Hi @danielhollas, thanks for bringing this up. I was testing exactly what you mentioned as well before lunch.
This is true. However, the docker pull ghcr.io/aiidalab/full-stack:sha-7a773b3
docker run --rm -it -p 8888:8888 ghcr.io/aiidalab/sha-7a773b3Open the terminal (either from I personally don't know why this |
stack/base/load-singlesshagent.sh
Outdated
| then | ||
| [ "$VERBOSE" == "true" ] && echo " - ssh-agent found (${SSH_AGENT_PID}), no keys (I might want to add keys here)" >&2 | ||
| # Maybe the user wants to do it by himself? | ||
| #ssh-add |
There was a problem hiding this comment.
@unkcpz I would prefer to uncomment this instead of adding it separately.
There was a problem hiding this comment.
For us, I think yes. Is this you commented out or it was there already?
There was a problem hiding this comment.
For this use case, I don't know if automatically calling ssh-add works since the user needs to provide the passphrase.
I see, then I think maybe calling it outside explicitly as I did in the last commit is a proper solution.
|
I found this comment from @yakutovicha in #254 (review)
For this use case, I don't know if automatically calling We need more info from @yakutovicha to see how this is actually being used before we can continue here. |
unkcpz
force-pushed
the
vendor-ssh-script
branch
from
06a2b0b
to
ded39f9
Compare
|
@yakutovicha can you please clarify what is the current workload for private keys? Do we support private keys that require a passphrase? And if so how does the user provide the passphrase to get the key to ssh-agent? |
|
My two cents, see the reply for questions below.
The private key file can be uploaded by the Otherwise, only the
No, I don't think so. But I think it would be a problem, user who has the private key with a passphrase means they generate it without using widget and has security concern about it so it is their duty to add the key to the ssh-agent and they can do it manually in terminal. Then it comes to the question, if we don't support passphrase, do we still need The The In summary, we need |
|
@danielhollas I add two comments for what I think it is the proper way to deal with the agent and |
There was a problem hiding this comment.
@unkcpz thank you for looking into this and a detailed write up! See my comments, I agree with your plan about ssh-add
| if [[ ! -f /home/${NB_USER}/.ssh/id_rsa ]]; then | ||
| # Generate ssh key that works with `paramiko` | ||
| # See: https://aiida.readthedocs.io/projects/aiida-core/en/latest/get_started/computers.html#remote-computer-requirements | ||
| ssh-keygen -f /home/${NB_USER}/.ssh/id_rsa -t rsa -b 4096 -m PEM -N '' | ||
| fi | ||
|
|
||
| # Start the ssh-agent. | ||
| eval `ssh-agent` |
There was a problem hiding this comment.
Based on the discussion, I think we should source the load-singlesshagent.sh script here. Otherwise I don't think the ssh-agent will be running when the container starts, since .bashrc is not evaluated AFAIK.
There was a problem hiding this comment.
Ha! I think the one of the ssh-agent mentioned in aiidalab/aiidalab-mfa-cscs#6 is from here!
I agree to source the load-singlesshagent.sh here. It avoids the duplicate ssh-agent I think.
There was a problem hiding this comment.
Yeah, interesting. That would mean that it is started somewhere else before we get to this script. Maybe the Jupyter image that we use already starts it somewhere. In any case, source the script here is the right thing to do I think.
unkcpz
force-pushed
the
vendor-ssh-script
branch
3 times, most recently
from
1ca249f
to
a2d9261
Compare
unkcpz
force-pushed
the
vendor-ssh-script
branch
2 times, most recently
from
e5a05cd
to
e27b168
Compare
stack/base/load-singlesshagent.sh
Outdated
| [ "$VERBOSE" == "true" ] && echo "- no existing environment to source" >&2 | ||
| fi | ||
|
|
||
| SSH_ADD_OUTPUT=`ssh-add -l` |
There was a problem hiding this comment.
The error here should not be redirect, to /dev/null, it will cause the exit_code not properly get and the expected condition not triggered (2 is expected to trigger the launch of ssh-agent).
There was a problem hiding this comment.
Huh, that is really strange, are you sure? I am only redirecting stderr, that should AFAIK not change the exit code.
There was a problem hiding this comment.
I am not sure 😛 if I don’t remove it the ssh-agent create clause is not hit. I’ll play more to figure out why. But overall everything works fine no matter if the output is redirected or not.
There was a problem hiding this comment.
I changed it back to ssh-add -l 2> /dev/null and it still works fine. The problem I encountered is not because of this line but the other redirected probably.
Then this PR is ready, please have another look. @danielhollas
|
@danielhollas should all work as expected now. I also added a test to check the ssh-agent is started properly. |
unkcpz
force-pushed
the
vendor-ssh-script
branch
from
e27b168
to
dad0f82
Compare
|
This is looking great, thanks @unkcpz for adding the tests! I didn't have a chance to test this but I trust that you did. Feel free to merge. |
Couple changes here:
load_singlesshagent.shscript in this repo, rather than downloading it from a super-weird readthedocs URL.ssh-agentis not yet running. (see third commit)aiidalabCLI app.