webfactory / ssh-agent

GitHub Action to setup `ssh-agent` with a private key
MIT License

Load key "/root/.ssh/key: error in libcrypto #179

Open longtt2705 opened 1 year ago

longtt2705 commented 1 year ago

I am trying to install a private repository in a Dockerfile via SSH. But when the runner tried to install the package, I got the error `Load key "/root/.ssh/key-801a24afcf65bdde333b552f2805263d9fe735a5977559ff47216d0f58d02aa5": error in libcrypto`.

Here is what I have done:

// package.json

    "repo": "git+ssh://git@github.com:xxx/repo.git",

// build.yml

    name: Build & push image

    on:
      workflow_call:
        inputs:
          GITHUB_PACKAGE_REPO_NAME:
            required: true
            type: string

    jobs:
      build-push-image:
        runs-on: ubuntu-latest
        steps:
          - name: Set up SSH agent
            uses: webfactory/ssh-agent@v0.8.0
            with:
              ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}

          - name: Checkout repository
            uses: actions/checkout@v3

          - name: Collect Git and SSH config files in a directory that is part of the Docker build context
            run: |
              mkdir root-config
              cp -r ~/.gitconfig  ~/.ssh root-config/

          - name: Log in to the Github Packages
            uses: docker/login-action@xxx
            with:
              registry: ghcr.io
              username: ${{ github.actor }}
              password: ${{ secrets.GITHUB_TOKEN }}

          - name: Add VERSION_LABEL with commit short sha
            run: echo "VERSION_LABEL=`echo ${GITHUB_SHA} | cut -c1-8`" >> $GITHUB_ENV

          - name: Build and push Docker image
            uses: docker/build-push-action@v2
            with:
              context: .
              push: true
              tags: ghcr.io/xxx/${{ inputs.GITHUB_PACKAGE_REPO_NAME }}:${{ env.VERSION_LABEL }}
              ssh: |
                default=${{ env.SSH_AUTH_SOCK }}

// Dockerfile:

    FROM node:18-alpine

    USER root

    # Copy the two files in place and fix different path/locations inside the Docker image
    COPY root-config /root/
    RUN sed 's|/home/runner|/root|g' -i.bak /root/.ssh/config

    # Install Git
    RUN apk update && apk add git
    RUN apk add --no-cache openssh-client
    RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
    RUN --mount=type=ssh ssh -q -T git@github.com 2>&1 | echo "Welcome to Github"

    WORKDIR /app/

    COPY package.json ./
    COPY yarn.lock ./
    COPY tsconfig.json ./
    COPY ./ ./

    # RUN yarn add @nestjs/cli
    RUN yarn install --no-cache
    RUN yarn prisma generate
    RUN yarn build

    EXPOSE 8100

    CMD yarn start

Whenever the workflow ran into `RUN yarn install --no-cache` and tried to install `git@github.com:xxx/repo.git` via SSH, I got the error: `Load key "/root/.ssh/key-801a24afcf65bdde333b552f2805263d9fe735a5977559ff47216d0f58d02aa5`. Can you tell me where I went wrong or what I am missing?

EusGoed commented 1 year ago

Make sure you didn't switch the private and public keys!

jerbaroo commented 1 year ago

> Make sure you didn't switch the private and public keys!

We had the same issue, and it was not because of accidentally switching keys.

It was related to webfactory/ssh-agent not doing post-action cleanup, which affected subsequent runs (of a different workflow from another repo in our case).

The following was our fix:

    - run: rm $HOME/.gitconfig $HOME/.ssh/key-* || true
    - name: Add SSH private keys for submodules
      uses: webfactory/ssh-agent@v0.8.0

Possibly related to: https://github.com/webfactory/ssh-agent/issues/178 https://github.com/webfactory/ssh-agent/issues/184

fre171csiro commented 1 year ago

> > Make sure you didn't switch the private and public keys!
>
> We had the same issue, and it was not because of accidentally switching keys.
>
> It was related to webfactory/ssh-agent not doing post-action cleanup, which affected subsequent runs (of a different workflow from another repo in our case).
>
> The following was our fix:
>
>     - run: rm $HOME/.gitconfig $HOME/.ssh/key-* || true
>     - name: Add SSH private keys for submodules
>       uses: webfactory/ssh-agent@v0.8.0
>
> Possibly related to: #178 #184

Tried this without luck :-(

dk-teknologisk-lag commented 9 months ago

@mpdude It seems that the public key is saved here (the output of `ssh-add -L` gives the public keys)?: https://github.com/webfactory/ssh-agent/blob/fd34b8dee206fe74b288a5e61bc95fba2f1911eb/index.js#L69

Should that have been the private key? As it's set to permission 600, which is that for the private key part?

At least I get the same `error in libcrypto` when trying to use the key file saved using this agent.

If I cat the secret input (i.e. the private key) directly to a file and copy that to the docker, I can get ssh / git working.

I'm in no way a Linux SSH key guru, so I might have misunderstood things.

Lastly, shouldn't

        with:
          ssh: |
            default=${{ env.SSH_AUTH_SOCK }}

allow the docker instances to use ssh with the ssh-agent from the GitHub Actions runner?
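As an added example (not code from webfactory/ssh-agent or from any commenter), this check shows how to tell whether a file in the Docker build context is a public key, like the `key-*` file the comment above describes, or private key material that `COPY` would bake into an image layer. The function names and the sample file names and contents are constructed placeholders.

```shell
#!/bin/sh
# Added example: inspect key files before they are copied into a build context.

# Print "private", "public" or "unknown" for the key file at $1.
classify_key_file() {
    first_line=$(head -n 1 "$1" 2>/dev/null || true)
    case "$first_line" in
        "-----BEGIN "*"PRIVATE KEY-----"*) echo private ;;
        ssh-*|ecdsa-sha2-*|sk-*) echo public ;;
        *) echo unknown ;;
    esac
}

# Print every file under directory $1 that contains private key material.
# Returns 1 when at least one is found, so it can gate a `docker build` step.
context_has_private_key() {
    hits=$(grep -rl -e '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample context: one public-key file named like the action's
# key-* files, and one file holding a (fake) private key.
make_sample_context() {
    dir=$(mktemp -d)
    mkdir -p "$dir/.ssh"
    printf '%s\n' 'ssh-ed25519 AAAAC3CONSTRUCTED placeholder-comment' \
        > "$dir/.ssh/key-0000placeholder"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END OPENSSH PRIVATE KEY-----' > "$dir/.ssh/id_copied_from_secret"
    echo "$dir"
}

ctx=$(make_sample_context)
for f in "$ctx"/.ssh/*; do
    echo "$(basename "$f"): $(classify_key_file "$f")"
done
context_has_private_key "$ctx" >/dev/null || echo "private key material in build context"
rm -rf "$ctx"
```

A file classified as `public` can only serve as an identity hint for keys held by a reachable agent; ssh cannot load it as a private key.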

dk-teknologisk-lag commented 9 months ago

I realized that this makes the private key end up in the built docker images, which it shouldn't.

An alternative is that you should mount a folder with the private key in.

But actually I wanted to use the "host" ssh agent, so I looked at some more examples of how to get that to work and figured that I need to add:

--mount=type=ssh

in front of the git clone commands.

Now it seems to work with the ssh-agent being passed to the docker build, thanks for sharing this tool.
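The comment above reports that the agent became reachable once `--mount=type=ssh` was placed in front of the fetching commands. This added check (not part of webfactory/ssh-agent or of any commenter's setup) lists Dockerfile `RUN` steps that fetch dependencies without that mount; the command list in `FETCH_PATTERN` is an assumption, and the sample Dockerfile is constructed, modelled on the one in the original post.

```shell
#!/bin/sh
# Added example: find RUN steps that fetch dependencies without the SSH mount.

# Assumption: commands that may reach a private Git remote; extend as needed.
FETCH_PATTERN='git (clone|fetch|submodule)|yarn (install|add)|npm (ci|install)|poetry install|pip install'

# Print "<line>: <instruction>" for each flagged step in Dockerfile $1.
# Backslash-continued lines are joined first. Returns 1 if anything is flagged.
lint_ssh_mounts() {
    flagged=$(awk -v pat="$FETCH_PATTERN" '
        { if (buf == "") start = NR; buf = buf $0 }
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, " ", buf); next }
        {
            if (buf ~ /^[ \t]*RUN[ \t]/ && buf ~ pat && buf !~ /--mount=type=ssh/)
                print start ": " buf
            buf = ""
        }' "$1")
    [ -z "$flagged" ] && return 0
    printf '%s\n' "$flagged"
    return 1
}

# Constructed Dockerfile; $2 is placed in front of the install command.
write_sample() {
    cat > "$1" <<EOF
FROM node:18-alpine
RUN apk add --no-cache git openssh-client
RUN --mount=type=ssh ssh -q -T git@github.com 2>&1 | echo "Welcome to Github"
COPY package.json yarn.lock ./
RUN $2 yarn install --no-cache
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/Dockerfile.before" ""
write_sample "$tmp/Dockerfile.after" "--mount=type=ssh"
lint_ssh_mounts "$tmp/Dockerfile.before" || echo "before: steps above cannot reach the agent"
lint_ssh_mounts "$tmp/Dockerfile.after" && echo "after: every fetching step mounts the agent"
rm -rf "$tmp"
```

The mount applies per `RUN` instruction, so a step that only tests the connection with the mount does not make the agent available to a later install step.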

dhanimay commented 5 months ago

@longtt2705 did you find any resolution to this issue? I'm currently facing the same.

jpcarlino commented 3 months ago

I've the same issue. I've validated that I can clone the repo using the keys without issues but it fails inside the docker build process. In my case I'm using poetry to fetch the internal dependencies via ssh.