canonical / jhack

Chock-full of Juju hackery.
Apache License 2.0

Permission denied to load pubkey #46

Closed Maharacha closed 1 year ago

Maharacha commented 1 year ago

Using the snap, I got permission denied for operations that need ssh access to the instances. Adding this plug to snapcraft and running sudo snap connect jhack:ssh-read snapd fixed it. Why do I have this problem and not others? Because I run LXC? Anyway, I don't know much about Snap or whether this is a good solution, but at least I can use this amazing tool now :smiley:

$ jhack imatrix view
load pubkey "/home/joakim/.ssh/id_rsa": Permission denied
Load key "/home/joakim/.ssh/id_rsa": Permission denied
ubuntu@192.168.211.45: Permission denied (publickey).
Traceback (most recent call last):
  File "/snap/jhack/x1/lib/python3.8/site-packages/jhack/helpers.py", line 226, in fetch_file
    raw = check_output(cmd.split())
  File "/usr/lib/python3.8/subprocess.py", line 415, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "/usr/lib/python3.8/subprocess.py", line 516, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['juju', 'ssh', 'ubuntu/0', 'cat', '/var/lib/juju/agents/unit-ubuntu-0/charm/metadata.yaml']' returned non-zero exit status 255.

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/snap/jhack/x1/bin/jhack", line 8, in <module>
    sys.exit(main())
  File "/snap/jhack/x1/lib/python3.8/site-packages/jhack/main.py", line 152, in main
    app()
  File "/snap/jhack/x1/lib/python3.8/site-packages/typer/main.py", line 214, in __call__
    return get_command(self)(*args, **kwargs)
  File "/snap/jhack/x1/lib/python3.8/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
  File "/snap/jhack/x1/lib/python3.8/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
  File "/snap/jhack/x1/lib/python3.8/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/snap/jhack/x1/lib/python3.8/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/snap/jhack/x1/lib/python3.8/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/snap/jhack/x1/lib/python3.8/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
  File "/snap/jhack/x1/lib/python3.8/site-packages/typer/main.py", line 500, in wrapper
    return callback(**use_params)  # type: ignore
  File "/snap/jhack/x1/lib/python3.8/site-packages/jhack/utils/integrate.py", line 366, in show
    mtrx = IntegrationMatrix(apps=apps, model=model, color=color)
  File "/snap/jhack/x1/lib/python3.8/site-packages/jhack/utils/integrate.py", line 78, in __init__
    self._endpoints = _gather_endpoints(model, apps)
  File "/snap/jhack/x1/lib/python3.8/site-packages/jhack/utils/integrate.py", line 54, in _gather_endpoints
    metadata = fetch_file(unit, "metadata.yaml", model=model)
  File "/snap/jhack/x1/lib/python3.8/site-packages/jhack/helpers.py", line 228, in fetch_file
    raise RuntimeError(
RuntimeError: Failed to fetch metadata.yaml from ubuntu-0.

PietroPasotti commented 1 year ago

Fantastic! Thanks for figuring out a fix :) And yeah, I think juju ssh needs to proxy through lxc and it uses the ssh-read interface to get access to your keys

PietroPasotti commented 1 year ago

I guess you also needed to add ssh-read to your apps.jhack.plugs spec in snapcraft.yaml?

apps:
  jhack:
    command: bin/jhack
    plugs:
      - network
      - network-bind
      - dot-local-share-juju
      - dot-config-jhack
      - ssh-read

Maharacha commented 1 year ago

> I guess you also needed to add ssh-read to your apps.jhack.plugs spec in snapcraft.yaml?
>
> apps:
>   jhack:
>     command: bin/jhack
>     plugs:
>       - network
>       - network-bind
>       - dot-local-share-juju
>       - dot-config-jhack
>       - ssh-read

Nope, I did not. I did exactly as in the commit. Why it worked anyway and what the implications are I don't know..

PietroPasotti commented 1 year ago

ok, found something: there seems to be an ssh-keys interface: https://snapcraft.io/docs/ssh-keys-interface

which is what the juju snap itself uses. So it should be enough to add ssh-keys to the app definition:

apps:
  jhack:
    command: bin/jhack
    plugs:
      - network
      - network-bind
      - dot-local-share-juju
      - dot-config-jhack
      - ssh-keys

and the command should work even without adding the personal-files plug as you did. Could you try and verify? That'd spare me asking for a new manual-review plug

Maharacha commented 1 year ago

- ssh-keys works super! Good find!

PietroPasotti commented 1 year ago

Cool, I'll include it in the next batch of changes
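
The stderr in the first comment mixes two different denials: the local ssh client failing to read the key file (snap confinement) and the remote host rejecting the login as a result. The following is an added example, not jhack's own code, that separates the two; `classify_ssh_failure` and its return keys are hypothetical names, and the hint assumes the snap declares the `ssh-keys` plug as settled in this thread.

```python
import re

# The ssh client could not open a key file on the local machine.
LOCAL_KEY_DENIED = re.compile(r'^load (?:pub)?key "([^"]+)": Permission denied$', re.I)
# The remote sshd rejected every authentication method that was offered.
REMOTE_AUTH_DENIED = re.compile(r'^(\S+@\S+): Permission denied \(([^)]*)\)\.$')


def classify_ssh_failure(stderr, snap_name=None):
    """Split a failed ssh run into local key-read errors and remote rejection.

    snap_name is the value of $SNAP_NAME when running inside a snap, else None.
    """
    unreadable, target = [], None
    for raw in stderr.splitlines():
        line = raw.strip()
        local = LOCAL_KEY_DENIED.match(line)
        remote = REMOTE_AUTH_DENIED.match(line)
        if local and local.group(1) not in unreadable:
            unreadable.append(local.group(1))
        elif remote:
            target = remote.group(1)

    if unreadable:
        # The remote rejection is a consequence: no key could be offered.
        cause = "local-key-unreadable"
    elif target:
        cause = "remote-auth-rejected"
    else:
        cause = "unknown"

    hint = None
    if cause == "local-key-unreadable" and snap_name:
        # Assumption: the snap declares an ssh-keys plug that is not yet connected.
        hint = f"snap connect {snap_name}:ssh-keys"
    return {"cause": cause, "keys": unreadable, "target": target, "hint": hint}


# stderr lines taken from the log in the first comment of this issue.
ISSUE_STDERR = '''load pubkey "/home/joakim/.ssh/id_rsa": Permission denied
Load key "/home/joakim/.ssh/id_rsa": Permission denied
ubuntu@192.168.211.45: Permission denied (publickey).
'''

if __name__ == "__main__":
    print(classify_ssh_failure(ISSUE_STDERR, snap_name="jhack"))
```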