RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1974423 - No equivalent buildah bud argument to docker build --ssh
Summary: No equivalent buildah bud argument to docker build --ssh
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: buildah
Version: 8.0
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: beta
: ---
Assignee: Jindrich Novy
QA Contact: Joy Pu
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-06-21 16:12 UTC by Alex Groom
Modified: 2022-11-08 09:29 UTC (History)
5 users (show)

Fixed In Version: buildah-1.26.1-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-11-08 09:14:53 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github containers buildah issues 2835 0 None open SSH agent socket mount support while building images 2021-06-21 16:12:46 UTC
Red Hat Product Errata RHSA-2022:7457 0 None None None 2022-11-08 09:15:31 UTC

Description Alex Groom 2021-06-21 16:12:47 UTC 
Description of problem:

I have a developer enquiry about functionality in buildah bud in comparison to docker build use of the —ssh parameter. 

The developer is currently porting their work to OpenShift 4.7 from GCP and therefore have based their toolchain around docker build. Now they are using an OpenShift BuildConfig using buildah via the RHEL8/buildah:latest image. However they currently make use of the docker build —ssh parameter to pass through ssh-agent info to help them dynamically securely git clone from a private repo inside the docker environment.

It appears buildah bud is missing an equivalent argument to docker build --ssh.

Now, yes I’m sure they could re-work their build process so all source is initially fetched from multiple repos, or alternative they could mount ssh keys into the buildah environment and populate ssh-agent via script using mounted data, but they consider the latter to be insecure in comparison to mounting the ssh-agent via socket. 

Their current workaround is to avoid builds in OpenShift and instead use GitHub actions using docker.

Version-Release number of selected component (if applicable):


How reproducible:

Always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Have discussed this via email wtih Dan Waslh and Ashely Cui, below is an extract of that email:

@Ashely: The RUN mount syntax was implemented (https://github.com/containers/buildah/pull/3177), so it shouldn't be too much of a jump to --mount type=ssh. I'm not too familiar with how ssh actually works; Is this just a matter of mounting $SSH_AUTH_SOCK or a .pem file and setting $SSH_AUTH_SOCK as the target (default  /run/buildkit/ssh_agent.${N}) inside the build container? 

@Me in reply:

In the docker case yes in essence the existing ssh-agent (SSH_AUTH_SOCK) is passed in as a parameter to docker build and this becomes the ssh-agent made available inside the docker execution to authenticate any ssh activity that occurs (in this case git):

Using a customer example that I have truncated to protect the innocent, this is the docker build invocation example:

$docker build --progress plain --ssh default=${SSH_AUTH_SOCK} -t ${IMAGE_ID} -f ./Dockerfile .

The Dockerfile itself would include some ssh setup before mounting the SSH agent socket and performing some processing:

RUN mkdir /root/.ssh/ && \ 
	ssh-keyscan -t rsa github.com > /root/.ssh/known_hosts

ENV MIX_ENV=prod

RUN --mount=type=ssh mix do deps.get --only $MIX_ENV, deps.compile

Finally to indicate the unpredictable nature of embedded execution this shows while the ssh-agent is available (mounted) some jsonnet function performs a git clone for a 
specific private repo library and tag needing ssh keys for access.

defp deps do
    [
      {:floki, ">= 0.27.0", only: :test},
      {:jason, "~> 1.0"},
      {:plug_cowboy, "~> 2.0"},
      {:telemetry_metrics, "~> 0.4"},
      {:telemetry_poller, "~> 0.4"},
      {:telemetry, git: "git:XXXX/telemetry.git", tag: "0.1.2"},
    ]
  end
Comment 1 Tom Sweeney 2021-06-22 15:37:59 UTC 
Assigning to Ashley as she's taken a look at this.

I know we've looked into adding the --ssh option in the recent past, it would be a good addition IMO.  I believe this is part of the functionality that's provided in the Docker buildkit.
Comment 2 Ashley Cui 2021-08-09 13:08:24 UTC 
The PR for this merged: https://github.com/containers/buildah/pull/3409
Comment 6 Joy Pu 2022-05-13 12:01:04 UTC 
Test with buildah-1.26.1-2.module+el8.7.0+15212+703a4fc2.x86_64 and the following cases passed. So this feature looks good. Set the bug to verified.
# bats -t tests/ssh.bats 
1..4
ok 1 bud with ssh key
ok 2 bud with ssh key secret accessed on second RUN
ok 3 bud with containerfile ssh options
ok 4 bud with ssh sock
Comment 8 errata-xmlrpc 2022-11-08 09:14:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7457
Note You need to log in before you can comment on or make changes to this bug.