Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Feature request: change ssh user on agent

See original GitHub issue

I have a git repository whose’s SSH credentials do not begin with the usual ssh://git@.... Instead, it is ssh://root@git..... It seems like the agent’s behavior to clone repositories using SSH credentials is hardcoded to use git@.....

More specifically, doing git clone ssh://git@git.myorg.net/repo/repo.git results in permision denied, whereas doing git clone ssh://root@git.myorg.net/repo/repo.git works just fine.

Can you please add a way to modify the SSH user for the agent?

Thanks.

Issue Analytics

  • State:open
  • Created 3 years ago
  • Comments:5 (5 by maintainers)

github_iconTop GitHub Comments

1reaction
sgassecommented, Jul 27, 2021

OK I found two workarounds, both rather hacky. If you need a solution, you can use it, but I personally would prefer a cleaner way.

Both rely on having a ~/.ssh/config file like the one below:

Host git.mycompany.com
  HostName 123.123.123.123
  IdentityFile ~/.ssh/id_rsa
  IdentitiesOnly yes
  User git
  Port 2022

One gotcha is that you need to spell out the domain as in the ssh url. People often use abbreviations like Host gitserver and then state the domain as HostName. However in this case, you need the full domain as in the url as Host and the IP of the server (might work with DNS, have not tested) as HostName.

You can test it outside of the docker container by running e.g. git clone ssh://git.mycompany.com:2022/myuser/repo.git. This should work outside of the container.

For making this available in the docker container, we have two options.

Option 1: Own config/key with root, mount it manually The docker containers executed by the clearML agent run as root. Without any changes, ssh will complain about a bad owner of the config file, even when file permissions are 600. To circumvent this, you can own the config and key as root. Outside of the docker container:

sudo chown root:root ~/.ssh/config && sudo chown root:root ~/.ssh/id_rsa

Though now you will get an error (when running the clearML agent with --foreground) because your user can no longer copy the whole .ssh folder:

Failed creating temporary copy of ~/.ssh for git credential

So in your clearml.conf, you need to mount the credentials manually:

agent: {
    ...
    extra_docker_arguments: ["-v", "/home/datapipelineuser/.ssh:/root/.ssh"]
    ...
}

Option 2: Own the ssh credentials in the container Instead of owning the credentials outside and mounting them manually, you can add a command to own the credentials in the container. Adding

agent: {
    ...
    extra_docker_shell_script: ["chown -R root:root /root/.ssh"]
    ...
}

to your clearml.conf should do the trick. I prefer the second solution, but overall, the best would be if we could either have a user set when creating the task or overriding the user even when a ssh:// domain is given.

1reaction
sgassecommented, Jul 26, 2021

Sry if I misunderstand - I am still new to ClearML 🙂 . Though is the commit you referenced @bmartinn really addressing the issue that @milongo mentioned?

If I see correctly, the referenced commit rewrites how https git repo urls are translated into ssh repo urls. But the issue raised by you @milongo is about ‘userless’ ssh clone links, right?

At least we have the issue that running ClearML in our git repo creates links like:

ssh://my_server_url:<ssh_port>/<user>/<repo>.git

and we do not want to fix them all by hand. Alternative solutions could be changing what repo url is written when a Task is initialized, but solving this ‘agent-side’ would be better.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Feature Request: SSH agent forward key settings #1508
I would like to request an option on the host to enable Agent forwarding by default with the key already added to it....
Read more >
ssh-agent - How to configure, forwarding, protocol
The ssh-agent is a helper program that keeps track of user's identity keys and their passphrases. The agent can then use the keys...
Read more >
Feature request: Make the SSH agent work with any vault
Currently, the 1Password SSH agent only works with keys in the Personal or Private vaults. It would be great to expand this feature...
Read more >
SSH agent restriction - OpenSSH
Most interactions with the agent are through the ssh-add tool for adding, deleting and listing keys and ssh, which can use keys held...
Read more >
SSH Essentials: Working with SSH Servers, Clients, and Keys
To authenticate using SSH keys, a user must have an SSH key pair on their local computer. On the remote server, the public...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Feature request: Allow to modify SSH forwarding for docker daemon

Next page

Node metrics not showing