exasol / integration-test-docker-environment

A docker-based environment for integration tests with the EXASOL DB.
https://exasol.github.io/integration-test-docker-environment/
MIT License

Create public/private SSH key pair for accessing Docker Container #302

Closed ckunki closed 1 year ago

ckunki commented 1 year ago

Introduction

Currently ITDE uses docker_exec to access the Docker Container, e.g. to analyze the content of some logfiles. With version 8 and higher the format of the Docker Containers might change so that docker_exec is no longer possible. Instead ITDE will then need to use SSH access.

The current ticket therefore requests to enhance ITDE to generate a public/private SSH key pair for SSH key authentication.

Comparing the solution for Java

exasol-testcontainers for Java writes temporary private key file to files

And copies the public key into file /root/.ssh/authorized_keys inside the Docker Container containing the key type, and a space as prefix, e.g. ssh-rsa.

With $TMP being the os-specific temp folder, read from Java system property java.io.tmpdir

Reusing Containers

Like the Java framework, the Python ITDE will also try to enable reusing Docker Containers. A Container can only be reused when the content is unchanged. Hence ITDE should try to reuse SSH keys once it has created them to avoid unnecessary changes to the content of the Docker Container.

Concurrent processes

When creating the SSH key files in the host file system ITDE should prevent race conditions that could occur when multiple processes are running in parallel.

AC

  1. A suitable library for creating the SSH key pair is selected, preferably without additional dependencies
  2. ITDE uses the library to create an SSH key pair
  3. ITDE prevents race conditions when creating the SSH key file(s)

ITDE will use ilock to ensure only a single process in the current system is accessing the key file(s) concurrently.

ckunki commented 1 year ago

E.g. paramiko? @tkilias recommends https://www.fabfile.org/ e.g. due to better usability. See https://docs.fabfile.org/en/stable/api/transfer.html

ckunki commented 1 year ago

Initial implementation will use fabric based on paramiko.

ckunki commented 1 year ago

See SSH Connection with fabfile and Paramiko API for SSH Keys

For ensuring that the key files are accessed only by a single process at a time, we evaluated ilock, but since ilock's git repository doesn't contain CI tests and the last update was 3 years ago, we will prefer using ilock's base library portalocker directly.
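An added sketch of the create-once, reuse-afterwards behaviour this ticket asks for; it is not ITDE's code. It swaps in the standard library's `fcntl.flock` (POSIX only) for portalocker and the `ssh-keygen` CLI for fabric/paramiko, and the function names, file names and key directory are assumptions.

```python
import fcntl
import os
import subprocess
from pathlib import Path


def generate_with_ssh_keygen(private_path: Path) -> None:
    # Assumed generator: OpenSSH ssh-keygen writes private_path and private_path.pub.
    subprocess.run(["ssh-keygen", "-q", "-t", "rsa", "-b", "4096", "-N", "",
                    "-f", str(private_path)], check=True)


def ensure_key_pair(key_dir: Path, generate=generate_with_ssh_keygen):
    """Return (private, public, created); create the pair only if it is missing."""
    key_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    private, public = key_dir / "id_rsa", key_dir / "id_rsa.pub"  # assumed names
    lock_fd = os.open(key_dir / "keys.lock", os.O_CREAT | os.O_RDWR, 0o600)
    try:
        # Exclusive advisory lock: a second process blocks here until the
        # first has finished writing, then finds the files and reuses them.
        fcntl.flock(lock_fd, fcntl.LOCK_EX)
        created = False
        if not (private.exists() and public.exists()):
            # Half a pair can be left by an interrupted run; start clean.
            private.unlink(missing_ok=True)
            public.unlink(missing_ok=True)
            generate(private)
            os.chmod(private, 0o600)  # OpenSSH clients refuse group/world-readable keys
            created = True
        return private, public, created
    finally:
        os.close(lock_fd)  # closing the descriptor releases the lock


def authorized_keys_line(public: Path) -> str:
    """Key type, a space, then the base64 blob; the trailing comment is dropped."""
    fields = public.read_text().split()
    if len(fields) < 2 or not fields[0].startswith(("ssh-", "ecdsa-")):
        raise ValueError(f"not an OpenSSH public key: {public}")
    return f"{fields[0]} {fields[1]}"


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # stand-in for the real key dir
        first = ensure_key_pair(Path(tmp) / "itde-ssh")
        second = ensure_key_pair(Path(tmp) / "itde-ssh")
        print(first[2], second[2], authorized_keys_line(first[1])[:20])
```

Because the second call returns `created == False` and leaves the files untouched, the `authorized_keys` content inside the container stays identical across runs, which is what container reuse depends on.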