Bug 1974423

Summary: No equivalent buildah bud argument to docker build --ssh
Product: Red Hat Enterprise Linux 8 Reporter: Alex Groom <agroom>
Component: buildahAssignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA QA Contact: Joy Pu <ypu>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 8.0CC: dwalsh, pthomas, tsweeney, umohnani, ypu
Target Milestone: beta   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: buildah-1.26.1-1.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-08 09:14:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alex Groom 2021-06-21 16:12:47 UTC 
Description of problem:

I have a developer enquiry about functionality in buildah bud in comparison to docker build use of the —ssh parameter. 

The developer is currently porting their work to OpenShift 4.7 from GCP and therefore have based their toolchain around docker build. Now they are using an OpenShift BuildConfig using buildah via the RHEL8/buildah:latest image. However they currently make use of the docker build —ssh parameter to pass through ssh-agent info to help them dynamically securely git clone from a private repo inside the docker environment.

It appears buildah bud is missing an equivalent argument to docker build --ssh.

Now, yes I’m sure they could re-work their build process so all source is initially fetched from multiple repos, or alternative they could mount ssh keys into the buildah environment and populate ssh-agent via script using mounted data, but they consider the latter to be insecure in comparison to mounting the ssh-agent via socket. 

Their current workaround is to avoid builds in OpenShift and instead use GitHub actions using docker.

Version-Release number of selected component (if applicable):


How reproducible:

Always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Have discussed this via email wtih Dan Waslh and Ashely Cui, below is an extract of that email:

@Ashely: The RUN mount syntax was implemented (https://github.com/containers/buildah/pull/3177), so it shouldn't be too much of a jump to --mount type=ssh. I'm not too familiar with how ssh actually works; Is this just a matter of mounting $SSH_AUTH_SOCK or a .pem file and setting $SSH_AUTH_SOCK as the target (default  /run/buildkit/ssh_agent.${N}) inside the build container? 

@Me in reply:

In the docker case yes in essence the existing ssh-agent (SSH_AUTH_SOCK) is passed in as a parameter to docker build and this becomes the ssh-agent made available inside the docker execution to authenticate any ssh activity that occurs (in this case git):

Using a customer example that I have truncated to protect the innocent, this is the docker build invocation example:

$docker build --progress plain --ssh default=${SSH_AUTH_SOCK} -t ${IMAGE_ID} -f ./Dockerfile .

The Dockerfile itself would include some ssh setup before mounting the SSH agent socket and performing some processing:

RUN mkdir /root/.ssh/ && \ 
	ssh-keyscan -t rsa github.com > /root/.ssh/known_hosts

ENV MIX_ENV=prod

RUN --mount=type=ssh mix do deps.get --only $MIX_ENV, deps.compile

Finally to indicate the unpredictable nature of embedded execution this shows while the ssh-agent is available (mounted) some jsonnet function performs a git clone for a 
specific private repo library and tag needing ssh keys for access.

defp deps do
    [
      {:floki, ">= 0.27.0", only: :test},
      {:jason, "~> 1.0"},
      {:plug_cowboy, "~> 2.0"},
      {:telemetry_metrics, "~> 0.4"},
      {:telemetry_poller, "~> 0.4"},
      {:telemetry, git: "git:XXXX/telemetry.git", tag: "0.1.2"},
    ]
  end
Comment 1 Tom Sweeney 2021-06-22 15:37:59 UTC 
Assigning to Ashley as she's taken a look at this.

I know we've looked into adding the --ssh option in the recent past, it would be a good addition IMO.  I believe this is part of the functionality that's provided in the Docker buildkit.
Comment 2 Ashley Cui 2021-08-09 13:08:24 UTC 
The PR for this merged: https://github.com/containers/buildah/pull/3409
Comment 6 Joy Pu 2022-05-13 12:01:04 UTC 
Test with buildah-1.26.1-2.module+el8.7.0+15212+703a4fc2.x86_64 and the following cases passed. So this feature looks good. Set the bug to verified.
# bats -t tests/ssh.bats 
1..4
ok 1 bud with ssh key
ok 2 bud with ssh key secret accessed on second RUN
ok 3 bud with containerfile ssh options
ok 4 bud with ssh sock
Comment 8 errata-xmlrpc 2022-11-08 09:14:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7457