test-kitchen / test-kitchen

Test Kitchen is an integration tool for developing and testing infrastructure code and software on isolated target platforms

Support independent SSH gateway and instances keys #1226

Open aogail opened 7 years ago

aogail commented 7 years ago

Description

I am using kitchen-vagrant with a libvirt box to provision Test Kitchen VMs on a remote KVM hypervisor. To do this, I used the SSH gateway support that was added in #1091.

It appears that there is no way to configure the SSH key used to log in to the gateway. Kitchen::Transport::Ssh::Connection#establish_connection_via_gateway() passes the same options hash to the Net::SSH::Gateway and to the tunneled connection to the VM. The options hash sets the SSH key to the Vagrant insecure key.

I confirmed that the error is caused by trying to use the Vagrant insecure key to log in to the hypervisor by monkey patching the Connection class in my .kitchen.yml. With this change, Test Kitchen successfully connects to the VM.

require 'kitchen/transport/ssh'

GATEWAY_KEYS = ["#{ENV['HOME']}/.ssh/id_rsa"]

class Kitchen::Transport::Ssh::Connection
  # Replace this method in TK core with a version that uses the logged in user's key to access the SSH gateway.
  def establish_connection_via_gateway(opts)
    retry_connection(opts) do
      Net::SSH::Gateway.new(ssh_gateway, ssh_gateway_username, options.merge(keys: GATEWAY_KEYS))
        .ssh(hostname, username, options)
    end
  end
end

Before I start working on a PR to add a configuration setting for the key to use when connecting to the SSH gateway, I thought I would double check: Is there a way to tell TK which key to use for the SSH gateway that I have missed?

Kitchen Version

Tell us which version of test-kitchen you are using (kitchen --version).

Test Kitchen version 1.16.0

Ruby Version

If you are not using test-kitchen via ChefDK, please provide the output of ruby --version.

ruby 2.3.1p112 (2016-04-26 revision 54768) [x86_64-darwin15]

Platform Version

Mac OS 10.11.6

Replication Case

Configure TK to create the VM on a remote hypervisor (e.g., using vagrant-libvirt) where the hypervisor system does not trust the Vagrant insecure key.

Kitchen Output

Output from when TK tries to log in to the VM after Vagrant sets it up. This repeats every three seconds:

D      [SSH] opening connection to vagrant@192.168.121.133<{:user_known_hosts_file=>"/dev/null", :paranoid=>false, :port=>"22", :compression=>false, :compression_level=>0, :keepalive=>true, :keepalive_interval=>60, :timeout=>15, :keys_only=>true, :keys=>["/Users/bjansen/.vagrant.d/insecure_private_key"], :auth_methods=>["publickey"], :logger=>#<Logger:0x007fb7cc318db0 @progname=nil, @level=4, @default_formatter=#<Logger::Formatter:0x007fb7cc318d88 @datetime_format=nil>, @formatter=nil, @logdev=#<Logger::LogDevice:0x007fb7cc318cc0 @shift_size=nil, @shift_age=nil, @filename=nil, @dev=#<IO:<STDERR>>, @mon_owner=nil, @mon_count=0, @mon_mutex=#<Thread::Mutex:0x007fb7cc318c48>>>, :password_prompt=>#<Net::SSH::Prompt:0x007fb7cc318c20>, :user=>"bjansen"}> via bjansen@ord12-v-sec-vm-14.sss.pp1.oraclecloud.com
D      [SSH] connection failed (#<Net::SSH::AuthenticationFailed: Authentication failed for user bjansen@ord12-v-sec-vm-14.sss.pp1.oraclecloud.com>)
       Waiting for SSH service on 192.168.121.133:22, retrying in 3 seconds

Kitchen Diagnose

https://gist.github.com/aogail/dbe77deeabcdfedefd282764128034fd

aidda commented 7 years ago

I had the same issue today! I just destroy the kitchen and create it again.

dfairhurst commented 7 years ago

I have this issue as well. Please can you explain how you monkey patch the connection class? Where do I put the code, and how do I reference it in my .kitchen.yml?

aogail commented 7 years ago

@dfairhurst You put that block of code directly in your .kitchen.yml, inside ERB tags, like this:

<%
# Hack to fix a bug in TK. TK supports using an SSH gateway in its SSH transport, but appears not to support configuring
# separate keys for the gateway and the destination.
require 'kitchen/transport/ssh'

GATEWAY_KEYS = ["#{ENV['HOME']}/.ssh/id_rsa"]

class Kitchen::Transport::Ssh::Connection
  # Replace this method in TK core with a version that uses the logged in user's key to access the SSH gateway.
  def establish_connection_via_gateway(opts)
    retry_connection(opts) do
      Net::SSH::Gateway.new(ssh_gateway, ssh_gateway_username, options.merge(keys: GATEWAY_KEYS))
        .ssh(hostname, username, options)
    end
  end
end
%>

driver:
  # etc.

cheeseplus commented 7 years ago

There really isn't any way at present to configure these separately based on how the code was written, but a PR would be welcome.
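
A sketch of how the single options hash could be split into gateway and instance options, added here as an example; it is not code from this thread or from Test Kitchen. The `split_ssh_options` helper and its `gateway_keys` argument are hypothetical names. It also drops the `paranoid` and `user_known_hosts_file` overrides visible in the debug output above from the gateway hop, on the assumption that the gateway is a long-lived host whose host key should be checked with net-ssh's own defaults.

```ruby
# Added illustration; not Test Kitchen code. split_ssh_options and the
# gateway_keys argument are hypothetical names.
INSECURE_KEY = File.join(".vagrant.d", "insecure_private_key")

# Options that relax host key checking for throwaway VMs; they should not
# carry over to a long-lived gateway host (assumption of this example).
VM_ONLY_OPTIONS = %i[paranoid user_known_hosts_file].freeze

# Returns [gateway_options, instance_options] derived from the single hash
# that the transport currently hands to both connections.
def split_ssh_options(options, gateway_keys: nil)
  instance_opts = options.dup
  # No separate key configured: same hash for both hops (current behaviour).
  return [options.dup, instance_opts] if gateway_keys.nil? || gateway_keys.empty?

  keys = gateway_keys.map { |k| File.expand_path(k) }
  bad = keys.select { |k| k.end_with?(INSECURE_KEY) }
  raise ArgumentError, "insecure key offered to gateway: #{bad.join(', ')}" unless bad.empty?

  # Gateway hop: user's own key only, publickey auth, host key checks restored.
  gateway_opts = options.reject { |name, _| VM_ONLY_OPTIONS.include?(name) }
  gateway_opts = gateway_opts.merge(keys: keys, keys_only: true, auth_methods: ["publickey"])
  [gateway_opts, instance_opts]
end

# Constructed sample, shaped like the options hash in the debug output above.
SAMPLE_OPTIONS = {
  user_known_hosts_file: "/dev/null",
  paranoid: false,
  port: "22",
  keys_only: true,
  keys: ["/Users/example/.vagrant.d/insecure_private_key"],
  auth_methods: ["publickey"],
}.freeze

if __FILE__ == $PROGRAM_NAME
  # Constructed gateway key path for the demonstration.
  gw, vm = split_ssh_options(SAMPLE_OPTIONS, gateway_keys: ["/Users/example/.ssh/id_rsa"])
  puts "gateway:  #{gw.inspect}"
  puts "instance: #{vm.inspect}"
end
```
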