Comments (22)
Hi, are there any updates on this? I'm about to roll out github actions to ~20 packages so it would be nice if I can skip the mkdir -p /root/.ssh; ssh-keyscan -t rsa github.com >> /root/.ssh/known_hosts part. Thanks!
from ssh-agent.
Does it work if we put the keys into /etc/ssh/known_hosts?
That should be the system (not user specific) file and we could get around all attempts to detect the user and/or HOME.
from ssh-agent.
Correction: That file might be /etc/ssh/ssh_known_hosts, we might need to check both.
from ssh-agent.
Right, it also works if I try /etc/ssh/ssh_known_hosts but we'd also have to check if the user is root or has write permission on that file.
from ssh-agent.
No progress, I’m afraid. This is open source, so we place the utmost reliance upon the zealous cooperation of the public.
If, however, you can provide a pull request, I’d be happy to review it!
What if we try to write to both known_hosts file locations, ignoring errors?
Would that solve it?
from ssh-agent.
I am experiencing the same issue but not when running in a container.

    name: Test
    on: [push, pull_request]
    jobs:
      build:
        name: Test ssh
        runs-on: ubuntu-latest
        steps:
          - uses: webfactory/[email protected]
            with:
              ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
          - run: ssh-keyscan -t rsa github.com >> /etc/ssh/ssh_known_hosts
          - run: ssh -T [email protected]

from ssh-agent.
It took me forever to figure out why this action doesn't work if I run the whole workflow inside a container.
The problem is that the Github Action somehow changes/sets the HOME variable inside the container so that the ~/.ssh/known_hosts file is at a wrong location.
This action puts the Github PubKeys inside ~/.ssh/known_hosts which is in the home path of the runner. But the running container normally runs as root so ssh looks for /root/.ssh/known_hosts which doesn't exist.
Copying the known_hosts to this location if the workflow is running inside Docker solves the problem. As I am a total Node noob I just played around with the dist/index.js file, but putting the following snippet after creating the known_hosts file the SSH agent also works inside docker:

    // Fragment for dist/index.js; fs, child_process and homeSsh are defined there.
    if (fs.existsSync('/.dockerenv') && child_process.execFileSync('id', ['-u']).toString().trim() === '0') {
        fs.mkdirSync('/root/.ssh', { recursive: true });
        fs.copyFileSync(`${homeSsh}/known_hosts`, '/root/.ssh/known_hosts');
    }

I'm not sure if that somehow breaks running the action in Windows because in Windows there is no id command. But that shouldn't be a problem because Github Actions currently doesn't allow running non-Linux containers. Also, I don't know if the root check is even necessary because probably all containers run as root.
Would it be possible to add this snippet to your action so Docker users can also use it? :)
I should have read this more carefully as I spent the same time trying to track this down one run after another 😄
from ssh-agent.
I am trying to use Packer:
uses: docker://hashicorp/packer:1.6.5
but it doesn't have access to the SSH keys.
Is there a way to achieve this?
from ssh-agent.
Thank you @rieschl for your suggestion and working on this, and thanks to @mwik for creating #58 for it!
The code change suggested in the opening comment here looks like some specialized edge case logic... I wonder if we could find a more general, cleaner way of dealing with this?
I understand that /etc/ssh/ssh_known_hosts might work inside a container, but not in the regular runner environment, since that file is probably read-only or could be changed only by the root user, but Actions use a dedicated runner UID.
So, what does HOME point to in the containerized action run? To my understanding, HOME is what the ~ resolves to, so why doesn't ssh pick up $HOME/.ssh/known_hosts?
from ssh-agent.
Oh, and does it make a difference inside the container when we're using os.homedir() instead of the HOME env var?
from ssh-agent.
So, what does HOME point to in the containerized action run? To my understanding, HOME is what the ~ resolves to, so why doesn't ssh pick up $HOME/.ssh/known_hosts?
That's the question. $HOME points to /github/home, but ssh nevertheless looks in /root/.ssh so figuring out why is key. #58 is only a workaround. Unfortunately it is a PITA to debug stuff in github actions. However it seems that ssh does not like changing HOME, it still uses the old value somehow. I don't think it will matter whether we use os.homedir() or HOME since it's set to the same thing.
from ssh-agent.
Come to think of it, ssh probably uses getent or something similar to get the home directory of the current user. Probably that is not changed in the container.
from ssh-agent.
After inspecting the ssh source code I can confirm that it uses the passwd entry. I also found that we can actually use os.homedir() if we unset the HOME environment variable first. So something like this should work:

    delete process.env['HOME'];
    const homeSsh = os.homedir() + '/.ssh';

I'll test this when I have an opportunity.
from ssh-agent.
@mwik please try #17 just by using @try-windows as the action version in your Docker container. It uses os.homedir(). Would be great if we'd not need to fiddle around with HOME...
from ssh-agent.
Unfortunately HOME needs to be undefined in order for os.homedir() to take it from /etc/passwd. See nodejs doc. But if you are worried about removing HOME, we can always restore it after os.homedir() has been called.
from ssh-agent.
I haven’t found good "official" documentation or even source code on this, but it seems ssh uses a getpwent system call instead of relying on $HOME, possibly for security reasons?
So, maybe we should use os.userInfo()?
https://nodejs.org/api/os.html#os_os_userinfo_options
from ssh-agent.
@mwik please give #17 another try.
Also, could you help me to fix the workflow file over there to make it run on Docker?
from ssh-agent.
Great! os.userInfo() is definitely the way to go. And yes, @try-windows works for my docker build. I'll take a look at the workflow file.
from ssh-agent.
Out of curiosity, how is the action run inside the container – is it a requirement for such containers to contain the node interpreter, or is that copied/mounted into the container?
from ssh-agent.
It works 🎉, @mwik thank you for the support!
https://github.com/webfactory/ssh-agent/runs/1893563200?check_suite_focus=true
from ssh-agent.
Out of curiosity, how is the action run inside the container – is it a requirement for such containers to contain the node interpreter, or is that copied/mounted into the container?
Very good question. Node is not installed in my build docker image, so I assume it's mounted somewhere. Strangely enough I cannot find any documentation about how it's done.
from ssh-agent.
Maybe they do some tricks like mounting a statically-linked version somewhere...
from ssh-agent.