robur-coop / unipi

Serving content from a git repository via HTTPS (including let's encrypt provisioning) as MirageOS unikernel

Difficult to setup Unipy #21

Closed Tim-ats-d closed 1 year ago

Tim-ats-d commented 1 year ago

Hi, I'm trying to set up unipi to serve content pulled from a sourcehut repo. I followed the instructions in the section "Securing the git access with ssh" of this blog post https://hannes.robur.coop/Posts/DnsServer:

$ ssh-keyscan git.sr.ht > /tmp/git-server-public-keys
$ ssh-keygen -l -E sha256 -f /tmp/git-server-public-keys | grep RSA
2048 SHA256:rvz/I0S1T/9If9+/CU0HDTF8AV4MPu5Gkkxsb7vUTH4 git.sr.ht (RSA)
$ awa_gen_key
seed is UhVhqxpkI7xsr5DbP8eRKw3SwC+PFMahXZ3jFOqe
ssh-rsa ... awa@awa.local
# ^ Sample values

And I have associated the public key generated by awa (ssh-rsa ...) with my sr.ht account (it is possible to have several public keys associated so I did not create another account).

On my unikernel side, I have the following config.ml:

open Mirage

let remote =
  let doc = Key.Arg.info [ "remote" ] in
  Key.(create "remote" Arg.(required string doc))

let ssh_key =
  let doc = Key.Arg.info [ "ssh-key" ] in
  Key.(create "ssh-key" Arg.(opt (some string) None doc))

let ssh_authenticator =
  let doc = Key.Arg.info ~doc:"SSH host key authenticator." [ "ssh-authenticator" ] in
  Key.(create "ssh_authenticator" Arg.(opt (some string) None doc))

let keys =
  Key.[ v remote; v ssh_key; v ssh_authenticator ]

let main =
  foreign
    ~packages:[ package "git-kv" ]
    ~keys "Unikernel.Main"
    (git_client @-> pclock @-> stackv4v6 @-> time @-> job)

let stack = generic_stackv4v6 default_network

let git_client =
  let dns = generic_dns_client stack in
  let git = git_happy_eyeballs stack dns (generic_happy_eyeballs stack dns) in
  let tcp = tcpv4v6_of_stackv4v6 stack in
  merge_git_clients (git_tcp tcp git)
    (git_ssh ~key:ssh_key ~authenticator:ssh_authenticator tcp git)

let () =
  register "main" [ main $ git_client $ default_posix_clock $ stack $ default_time ]

and unikernel.ml:

module Main
  (_ : sig end)
  (Pclock : Mirage_clock.PCLOCK)
  (Stack : Tcpip.Stack.V4V6)
  (Time : Mirage_time.S) =
struct
  module Store = Git_kv.Make (Pclock)
  open Lwt.Infix

  let start git_ctx _clock stack _default_time =
    Git_kv.connect git_ctx (Key_gen.remote ()) >>= fun store ->
    ...
end

I configure the unikernel as follows:

unikernel mirage configure -t unix --remote "git@git.sr.ht:~tim-ats-d/Quotes#master" --ssh-key "rsa:UhVhqxpkI7xsr5DbP8eRKw3SwC+PFMahXZ3jFOqe" --ssh-authenticator "SHA256:rvz/I0S1T/9If9+/CU0HDTF8AV4MPu5Gkkxsb7vUTH4"

but every time I run it I get this message:

$ dist/main
2023-02-17 14:39:34 +01:00: INF [tcpip-stack-socket] Dual IPv4 and IPv6 socket stack: connect
2023-02-17 14:39:35 +01:00: INF [awa.client] negotiated: kex curve25519-sha256 host key alg rsa-sha2-256
enc ctos chacha20-poly1305@openssh.com stoc chacha20-poly1305@openssh.com
mac ctos none stoc none
compression ctos none stoc none
2023-02-17 14:39:36 +01:00: APP [awa.authenticator] authenticating server fingerprint SHA256:rvz/I0S1T/9If9+/CU0HDTF8AV4MPu5Gkkxsb7vUTH4
2023-02-17 14:39:36 +01:00: APP [awa.authenticator] host fingerprint verification successful!
2023-02-17 14:39:36 +01:00: INF [awa.client] verified kexdh_reply!
2023-02-17 14:39:38 +01:00: INF [dns_client_mirage] end of file reading from resolver
2023-02-17 14:39:38 +01:00: ERR [git-fetch] The Git peer is not reachable.
Fatal error: exception Invalid_argument("error fetching: No connection found")
Raised at Stdlib.invalid_arg in file "stdlib.ml", line 30, characters 20-45
Called from Git_kv.connect.(fun) in file "duniverse/git-kv/src/git_kv.ml", line 107, characters 11-23
Called from Lwt.Sequential_composition.bind.create_result_promise_and_callback_if_deferred.callback in file "duniverse/lwt/src/core/lwt.ml", line 1849, characters 23-26
Re-raised at Lwt.Miscellaneous.poll in file "duniverse/lwt/src/core/lwt.ml", line 3077, characters 20-29
Called from Unix_os__Main.run in file "duniverse/mirage-unix/lib/main.ml", line 5, characters 8-18
Called from Dune__exe__Main.run in file "main.ml", line 3, characters 12-30
Called from Dune__exe__Main in file "main.ml", line 234, characters 5-10

Do you have any idea how to solve this problem?
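The `--ssh-authenticator "SHA256:..."` value above pins the server's host key: the awa authenticator computes the fingerprint of the key the server presents during the key exchange and refuses the session unless it equals the pinned value, which is what the `ssh-keyscan` / `ssh-keygen -l -E sha256` steps at the top of the post prepare. The following is an added example (not code from unipi, awa-ssh or the poster) that reimplements that fingerprint check in Python over a known_hosts-style line, so the procedure can be checked offline. The host name `git.example.invalid`, the key bytes and the resulting line are constructed sample data, not a real server's key.

```python
"""Pin an SSH host key fingerprint the way the awa authenticator does:
compute OpenSSH's SHA256 fingerprint of the host key blob and compare it
to the expected value before trusting the server."""
import base64
import hashlib
import struct

# Constructed sample: arbitrary 32 bytes standing in for an ed25519 host
# key. This is not a real server's key.
SAMPLE_KEY_BYTES = bytes(range(32))


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed string in SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def build_host_key_line(host: str, key_type: str, key_bytes: bytes) -> str:
    """Build a 'host type base64blob' line in the shape ssh-keyscan prints.

    For ssh-ed25519 the blob is string(key type) || string(32 key bytes).
    """
    blob = ssh_string(key_type.encode()) + ssh_string(key_bytes)
    return f"{host} {key_type} {base64.b64encode(blob).decode()}"


def read_ssh_string(buf: bytes, offset: int):
    """Decode one SSH wire-format string; reject truncated input."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    end = start + length
    if end > len(buf):
        raise ValueError("truncated SSH string")
    return buf[start:end], end


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(blob)) with '=' padding
    removed, prefixed with 'SHA256:' (what ssh-keygen -l -E sha256 shows)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_host_key_line(line: str):
    """Parse 'host type base64blob' and check that the key type declared on
    the line is the one encoded inside the blob."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("malformed host key line")
    host, declared_type, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    blob_type, _ = read_ssh_string(blob, 0)
    if blob_type.decode() != declared_type:
        raise ValueError("key type in blob does not match declared type")
    return host, declared_type, blob


def host_key_matches(line: str, pinned_fingerprint: str) -> bool:
    """True only if the full fingerprint of the key on `line` equals the
    pinned value; a prefix match is not enough."""
    _, _, blob = parse_host_key_line(line)
    return fingerprint_sha256(blob) == pinned_fingerprint


if __name__ == "__main__":
    sample = build_host_key_line("git.example.invalid", "ssh-ed25519", SAMPLE_KEY_BYTES)
    print(sample)
    print(fingerprint_sha256(parse_host_key_line(sample)[2]))
```

Pinning works at the fingerprint level: the unikernel does not need the whole key, only the `SHA256:` string, but the value must be recorded from a trusted channel (for example the hosting provider's published host keys) rather than from the first connection, otherwise the check only confirms that the server is the same one seen the first time.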

dinosaure commented 1 year ago

Can you re-run the unikernel with -l debug to be more explicit about what is going on? It seems that the unikernel cannot find a solution to clone the Git repository.

Tim-ats-d commented 1 year ago

Here it is:

2023-02-17 15:00:10 +01:00: DBG [awa.client] <<< (Msg_disconnect
 (DISCONNECT_PROTOCOL_ERROR "Too many authentication failures" ""))
2023-02-17 15:00:10 +01:00: DBG [awa.client] unexpected (Msg_disconnect
 (DISCONNECT_PROTOCOL_ERROR "Too many authentication failures" ""))
2023-02-17 15:00:10 +01:00: DBG [mimic] Try to instantiate mimic-happy-eyeballs.
2023-02-17 15:00:10 +01:00: DBG [mimic] Try to instantiate mimic-happy-eyeballs.
2023-02-17 15:00:10 +01:00: DBG [mimic] Try to instantiate git-mirage-ssh-authenticator.
2023-02-17 15:00:10 +01:00: DBG [mimic] Try to instantiate git-mirage-ssh-key.
2023-02-17 15:00:10 +01:00: DBG [mimic] Try to instantiate git-http-headers.
2023-02-17 15:00:10 +01:00: DBG [mimic] Try to instantiate git-ssh-user.
2023-02-17 15:00:10 +01:00: DBG [mimic] Try to instantiate git-hostname.
2023-02-17 15:00:10 +01:00: DBG [mimic] Try to instantiate git-path.
2023-02-17 15:00:10 +01:00: DBG [mimic] Try to instantiate git-scheme.
2023-02-17 15:00:10 +01:00: DBG [mimic] Try to instantiate git-capabilities.
2023-02-17 15:00:10 +01:00: DBG [mimic] Try to instantiate git-transmission.
2023-02-17 15:00:10 +01:00: DBG [mimic] Try to instantiate ssh-endpoint.
2023-02-17 15:00:10 +01:00: ERR [git-fetch] The Git peer is not reachable.
Fatal error: exception Invalid_argument("error fetching: No connection found")
Raised at Stdlib.invalid_arg in file "stdlib.ml", line 30, characters 20-45
Called from Git_kv.connect.(fun) in file "duniverse/git-kv/src/git_kv.ml", line 107, characters 11-23
Called from Lwt.Sequential_composition.bind.create_result_promise_and_callback_if_deferred.callback in file "duniverse/lwt/src/core/lwt.ml", line 1849, characters 23-26
Re-raised at Lwt.Miscellaneous.poll in file "duniverse/lwt/src/core/lwt.ml", line 3077, characters 20-29
Called from Unix_os__Main.run in file "duniverse/mirage-unix/lib/main.ml", line 5, characters 8-18
Called from Dune__exe__Main.run in file "main.ml", line 3, characters 12-30
Called from Dune__exe__Main in file "main.ml", line 234, characters 5-10

hannesm commented 1 year ago

Thanks for trying unipi. So, from your log:

2023-02-17 14:39:36 +01:00: INF [awa.client] verified kexdh_reply!

It seems the DNS resolution and ssh session setup worked nicely (server fingerprint verified successfully).

But from your other log, it looks like the authentication failed. Could you maybe try with "awa_gen_key --keytype ed25519"?

hannesm commented 1 year ago

From your extended log, some more lines would be useful (it starts with debug messages about authentication failure).

Also, we should adjust the log level of authentication failures in awa-ssh.... and report the failure

Tim-ats-d commented 1 year ago

But from your other log, it looks like the authentication failed. Could you maybe try with "awa_gen_key --keytype ed25519"?

Thank you very much, I tried this and it works well :slightly_smiling_face: