Hostkeys not added for the user code runs as #12

Closed
vitch opened this issue Apr 30, 2015 · 11 comments

Comments

@vitch

vitch commented Apr 30, 2015

When I create a node dokku app the code runs as a user u2079 (but the name of the user seems to vary with each deployment). When node calls a script which tries to git push it doesn't work because the user in question hasn't accepted the host keys.

@vitch
Author

vitch commented Jun 1, 2015

Coming back to this a while later it looks like the issues are possibly related to changes in buildstep to support apps running as non-root user.

Looking at the code for this plugin (and dokku-hostkeys-plugin) it doesn't seem to take this into account in the pre-build script.

I'm not sure but #8 and #10 may be down to the same thing?

@michaelshobbs
Collaborator

I think the assumption here is that the build phase is run as root and thus you want these keys setup for the root user.

https://github.com/progrium/dokku/blob/0bfa25f73e8a44dd32fb6ff8443b632ea055b827/plugins/00_dokku-standard/commands#L26

@vitch
Author

vitch commented Jun 1, 2015

My use case for adding the keys is so that my application code can access git repositories from GitHub.

Do you think this is a valid use case or an abuse of this plugin?

@michaelshobbs
Collaborator

Meaning your app, at runtime, attempts to access GH repos via SSH?

@vitch
Author

vitch commented Jun 1, 2015

Yes.

It is granted read access to some private repositories (via adding its public key generated via dokku-deployment-keys to a member of a team).

It needs this access so it can clone those repositories. Does that make sense?

@cedricziel
Owner

That's what I created those for in the first place - hostkeys for pure trusted connections to specific hosts (which you need for ssh) and deployment-keys for the key management.

@michaelshobbs
Collaborator

Actually this should work. The plugin places the keys in /app/.ssh and depending on your version of buildstep, herokuish or /start will chown the app path for you.

herokuish:
https://github.com/gliderlabs/herokuish/blob/1d75eba54272ad81a31f1463fdfc5222885569e0/include/procfile.bash#L69

buildstep:
https://github.com/progrium/buildstep/blob/16e3f3c2fbd221a14efb3d13fe04eca5e1d68d4e/builder/builder#L31-L35

@vitch
Author

vitch commented Jun 2, 2015

The plugin seems to put the keys in /etc/ssh/ssh_known_hosts and adds this as the UserKnownHostsFile to the global:

https://github.com/cedricziel/dokku-hostkeys-plugin/blob/master/pre-build#L46

I guess it should be putting it in /app/.ssh and adding that path instead?

I am just trying to reproduce the issue on a fresh VM with the latest versions of dokku and all plugins and I'll update the ticket when I've had a chance to do so...

@michaelshobbs
Collaborator

Sorry, I was looking at the deployment keys plugin as you were mentioning the app attempting to access private github repos. Now re-reading your original issue I see what you're talking about.

This plugin seems to create the known hosts file with the correct perms. I'm interested to hear what you find. Maybe it's an issue with the top-level config file?

@vitch
Author

vitch commented Jun 2, 2015

Everything seems to be working fine now!

Embarrassingly I think the main problem was on my side... I misunderstood how hostkeys:app:add worked and thought it was like hostkeys:app:autoadd in that it accepted the hostname.

Since the key hadn't been added properly then it was prompting to add the real hostkey which got me looking at why that was failing.

Sorry for the noise and thanks for the help and the plugin!

@vitch vitch closed this as completed Jun 2, 2015
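
The mix-up described in the comment above (passing a bare hostname where a full host key entry is expected) can be caught before the value reaches a known hosts file. The following is an added example, not code from the thread or from the plugin; the function name `classify_hostkey_arg`, the host `git.example.com` and the all-zero Ed25519 key are constructed for illustration.

```shell
#!/bin/sh
# Added example: tell a bare hostname apart from a full known_hosts entry
# ("host keytype base64blob") and reject entries whose blob is corrupt.

# Constructed sample: Ed25519 wire-format blob with an all-zero public key.
A10="AAAAAAAAAA"
SAMPLE_KEY="AAAAC3NzaC1lZDI1NTE5AAAAIAAA${A10}${A10}${A10}${A10}"

# Prints one of: entry | hostname | invalid
classify_hostkey_arg() {
    host= type= blob=
    read -r host type blob _comment <<EOF
$1
EOF
    # A single token is only a hostname: something to scan, not a key to add.
    if [ -n "$host" ] && [ -z "$type" ]; then
        case $host in
            *[!A-Za-z0-9.-]*) echo invalid ;;
            *) echo hostname ;;
        esac
        return
    fi
    [ -n "$blob" ] || { echo invalid; return; }
    case $type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo invalid; return ;;
    esac
    # The blob is SSH wire format: a 4-byte length, then the key type name.
    # That embedded name must match the text field, or the entry is damaged.
    embedded=$(printf '%s' "$blob" | base64 -d 2>/dev/null \
        | head -c $((4 + ${#type})) | tail -c "${#type}")
    if [ "$embedded" = "$type" ]; then echo entry; else echo invalid; fi
}

# Stand-alone demonstration on the constructed inputs.
for arg in "git.example.com" "git.example.com ssh-ed25519 $SAMPLE_KEY"; do
    printf '%s -> %s\n' "${arg%% *}" "$(classify_hostkey_arg "$arg")"
done
```

A result of `hostname` means the value still has to be resolved to a key and its fingerprint verified out of band; only `entry` is in a form that can be written to a known hosts file.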
@michaelshobbs
Collaborator

👍
