Custom SSH Credentials
I can’t rely on an ssh agent to provide a private key. Sometimes I need to provide a password, sometimes I need to manually load the key file. But the docker-py code only connects with this in SSHHTTPAdapter:

```python
self.ssh_client.connect(
    parsed.hostname, parsed.port, parsed.username,
)
```
There is no flexibility here. How am I supposed to connect with a custom key or password? I thought I might hack my way in by reassigning APIClient._custom_adapter to my own subclass of SSHHTTPAdapter, but then I realized the APIClient.__init__ is a huge mess that does way too much. That method would always raise an exception so I would also have to totally reimplement that method in a subclass. This is too much maintenance overhead for my deployment script that I would like to keep as simple as possible.
It should be exposed in SSHHTTPAdapter. I might even recommend doing both of these:
- Add optional key and password parameters to SSHHTTPAdapter so you don’t have to write your own subclass of it just to use custom credentials
- Add optional ssh_client parameter to SSHHTTPAdapter to be used instead of instantiating one in __init__.
It should also be exposed somehow in APIClient.__init__, for example:
1. Expose password and private key with…
   a. Explicit parameters (a bit messy considering this is not an SSH specific class)
   b. General purpose configuration object (dict or better yet custom configuration class)
2. Enable programmer to provide their own SSHClient to APIClient. This is not ideal for the same reason as 1a.
3. Enable programmer to provide their own instance of a BaseHTTPAdapter to be used as self._custom_adapter. I think this is the best solution but there are some open questions. Like what’s the best way to handle all the usages of base_url when it is no longer required to establish a connection.
I’m happy to take the lead on this and submit a PR, but I would like to get some feedback first.
Issue Analytics
- State:
- Created 4 years ago
- Reactions:4
- Comments:10
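A sketch of the first proposal in the issue (optional key and password parameters), added here as an illustration; it is not docker-py code and not the issue author's. `ssh_connect_kwargs` and `connect_with_credentials` are hypothetical names, the keyword arguments are those of paramiko's `SSHClient.connect`, and rejecting a password embedded in the URL is a design choice of this sketch.

```python
from urllib.parse import urlparse


def ssh_connect_kwargs(base_url, password=None, key_filename=None):
    """Build keyword arguments for paramiko's SSHClient.connect().

    Hypothetical helper for illustration; not part of docker-py.
    """
    parsed = urlparse(base_url)
    if parsed.scheme != "ssh":
        raise ValueError("expected an ssh:// URL")
    if not parsed.hostname:
        raise ValueError("URL has no host")
    if parsed.password is not None:
        # Design choice of this sketch: URLs end up in logs and shell
        # history, so secrets are only accepted as explicit parameters.
        raise ValueError("pass the password as a parameter, not in the URL")

    # With no credentials this is the same host/port/username triple
    # that the quoted connect() call passes (port defaults to 22 here).
    kwargs = {
        "hostname": parsed.hostname,
        "port": parsed.port or 22,
        "username": parsed.username,
    }
    if key_filename is not None:
        kwargs["key_filename"] = key_filename
    if password is not None:
        # paramiko also uses this value to decrypt the private key
        # when no separate passphrase is given.
        kwargs["password"] = password
    if password is not None or key_filename is not None:
        # Offer only what the caller supplied: skip the SSH agent and
        # the automatic search for keys under ~/.ssh.
        kwargs["allow_agent"] = False
        kwargs["look_for_keys"] = False
    return kwargs


def connect_with_credentials(ssh_client, base_url, **credentials):
    """Connect any object with a paramiko-compatible connect() method."""
    ssh_client.connect(**ssh_connect_kwargs(base_url, **credentials))
    return ssh_client


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    print(ssh_connect_kwargs("ssh://deploy@build.example.test:2222",
                             key_filename="/home/deploy/.ssh/id_ed25519"))
```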
Top GitHub Comments
Hey, thanks for your reply, but there are some issues with your recommendations.
What does this mean?
Password in URL
This is not right. I get the following exception:
Also as you can see in the source I quoted in my original comment, there is no way that the password would be used for the ssh connection, even if the url were valid.
Setting a Custom Adapter
So regardless of whether you want to use a password or a custom key file, you would definitely need to provide a custom Adapter class. And your recommended code to do so does not work because it will try to connect to a host called “bogus” on line two. If you leave out base_url, it changes it to http+unix and tries to connect to the local docker daemon. If there is no local docker daemon, it fails here.
There’s no way to instantiate an APIClient without it trying to connect to a docker daemon. This is what I was talking about with __init__ doing too much and was the whole reason why I made this ticket.
A better design would be that APIClient does not even try to connect unless you explicitly call a method that needs a connection. There needs to be a way to provide a custom adapter or at least ssh credentials. APIClient.__init__ should really be broken up into several methods and SSHHTTPAdapter needs some changes too.
Does SSH work at all?
I actually tried using a hostname that my ssh agent can provide a key for and I got a valid SSH connection. But then I saw this error whenever I tried to do anything. It looks like it’s treating the ssh connection like it can make GET requests directly over that connection which doesn’t seem right.
Got the same issue here. I am using this SDK, but I had to shift to the CLI option since it was not clear to me whether authenticating with SSH credentials was an option for the SDK.
The answer provided by @cmcga1125 helps, but a slightly more elaborated step-by-step would really be super nice! 😃