connhelper: use ssh multiplexing #2132
SGTM, but IIRC we intentionally avoided having socket files, for security purpose
That's why we are using stdio instead of ssh -L
return nil | ||
} | ||
} | ||
args := []string{"-o", "ControlMaster=auto", "-o", "ControlPath=" + config.Dir() + "/%r@%h:%p"} |
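Review bot: the ControlPath template config.Dir() + "/%r@%h:%p" embeds the remote user, host and port verbatim, so the expanded socket path grows with the hostname and can exceed the 108-byte UNIX socket path limit raised later in this thread. OpenSSH's %C token (a fixed-length hash of local host, remote host, port and user) keeps the expanded length predictable and keeps the remote target out of the socket name; consider "ControlPath=" + config.Dir() + "/%C".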
What happens if .ssh/config already has this?
It overwrites afaik. This is the main reason I left a way to opt-out. If we want to be conservative about it, one way would be to use a different helper prefix.
return nil | ||
} | ||
} | ||
if err := os.MkdirAll(config.Dir(), 0700); err != nil { |
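Review bot: os.MkdirAll(config.Dir(), 0700) applies the mode only when it creates the directory; a ~/.docker that already exists as 0755 keeps that mode, so the 0600 socket ends up in a directory other local users can list. Consider a dedicated subdirectory for the sockets created with 0700 plus an explicit check (os.Stat, then Mode().Perm()&0077 == 0) before the master is started, failing closed when the check does not hold.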
Probably we should create a new directory, because when ~/.docker already exists with other permission bits, we can't guarantee the sockets are created under a directory with 0700. On my Macintosh, ~/.docker was somehow created with 0755.
But it is more likely to hit UNIX_PATH_MAX (108)... 😢
Probably we can let commandconn change the working directory to avoid the 108 limit.
The socket itself is created with 0600. This mkdir is to avoid the case where .docker does not exist.
@justincormack PTAL?
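As an added example (not code from this PR or from docker/cli), one way to address the two concerns discussed above: a dedicated socket directory that is created 0700 and then verified rather than assumed, and a ControlPath built from OpenSSH's fixed-length %C token with an early check against the 108-byte limit. The "ssh-mux" subdirectory name and the headroom constant are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// unixPathMax is sizeof(sun_path) on Linux (108 bytes incl. the NUL), the limit from the thread.
const unixPathMax = 108

// ensureMuxDir creates base/ssh-mux ("ssh-mux" is an assumed name) with mode 0700 and verifies it:
// os.MkdirAll never changes the mode of an existing directory, so only a fresh subdirectory
// plus an explicit check keeps the control sockets out of reach of other local users.
func ensureMuxDir(base string) (string, error) {
	dir := filepath.Join(base, "ssh-mux")
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return "", err
	}
	fi, err := os.Lstat(dir) // Lstat so a symlink planted at this path does not pass
	if err != nil {
		return "", err
	}
	if !fi.IsDir() {
		return "", fmt.Errorf("%s is not a directory", dir)
	}
	if perm := fi.Mode().Perm(); perm&0o077 != 0 {
		return "", fmt.Errorf("%s has mode %04o, want 0700", dir, perm)
	}
	return dir, nil
}

// controlPathTemplate builds a ControlPath under dir from OpenSSH's %C token (a 40-hex-char
// hash of local host, remote host, port and user), so the expanded path has a fixed length
// whatever the hostname, and rejects a dir for which that length cannot fit in sun_path.
// The headroom (assumed value) covers the temporary PID-suffixed name OpenSSH binds first.
func controlPathTemplate(dir string) (string, error) {
	const hashLen, nul, headroom = 40, 1, 8
	if need := len(dir) + 1 + hashLen + nul + headroom; need > unixPathMax {
		return "", fmt.Errorf("ControlPath under %s needs %d bytes, limit %d", dir, need, unixPathMax)
	}
	return filepath.Join(dir, "%C"), nil
}

func main() {
	dir, err := ensureMuxDir(filepath.Join(os.TempDir(), "docker-cli-example"))
	if err != nil {
		fmt.Println("refusing to start ssh master:", err)
		return
	}
	fmt.Println(controlPathTemplate(dir))
}
```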
} | ||
args := []string{"-o", "ControlMaster=auto", "-o", "ControlPath=" + config.Dir() + "/%r@%h:%p"} | ||
if v := os.Getenv("DOCKER_SSH_MUX_PERSIST"); v != "" { | ||
args = append(args, "-o", "ControlPersist="+v) |
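Review bot: the DOCKER_SSH_MUX_PERSIST value is spliced into -o ControlPersist= without validation, so a typo surfaces as an opaque ssh error rather than a CLI message, and since ControlPersist keeps a background ssh master (and its authenticated session) alive after the docker command exits, the documentation entry requested in this review should say so. Consider accepting only yes, no or an ssh time-format value and rejecting anything else before ssh is spawned.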
Is there any reason not to have a Docker config option for this as well?
If you would ever set them they would probably be more dependent on the actual DOCKER_HOST value, not a global client config. I'm not even sure we want to document these; it should be very advanced usage if you want to set them.
ping @justincormack pal ^
ping @tonistiigi
@AkihiroSuda ^ looking good for you, or still concerns / changes needed?
@@ -53,3 +56,19 @@ func GetCommandConnectionHelper(cmd string, flags ...string) (*ConnectionHelper, | |||
Host: "http://docker", | |||
}, nil | |||
} | |||
|
|||
func multiplexingArgs() []string { | |||
if v := os.Getenv("DOCKER_SSH_NO_MUX"); v != "" { |
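Review bot: DOCKER_SSH_NO_MUX is only tested for being non-empty, so DOCKER_SSH_NO_MUX=0 or DOCKER_SSH_NO_MUX=false also disables multiplexing; either document that any non-empty value opts out, or parse it with strconv.ParseBool so the opt-out behaves the way users expect and consistently with DOCKER_SSH_MUX_PERSIST.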
can you document the new environment variables in https://github.com/docker/cli/blob/master/docs/reference/commandline/cli.md#environment-variables ?
Signed-off-by: Tonis Tiigi <[email protected]>
Signed-off-by: Tonis Tiigi <[email protected]>
LGTM
Add multiplexing to ssh connection helper so commands that do multiple requests share the connection. Environment variables for opting out and controlling the persist time for even better connection sharing.
Before:
After:
@AkihiroSuda @cpuguy83 @tiborvass
Signed-off-by: Tonis Tiigi [email protected]