rke/hosts/tunnel.go

package hosts

import (
	"context"
	"fmt"
	"io/ioutil"
	"net"
	"os"
	"path/filepath"

	"github.com/docker/docker/client"
	"github.com/rancher/rke/docker"
	"github.com/rancher/rke/log"
	"github.com/rancher/rke/metadata"
	"github.com/rancher/rke/util"
	"github.com/sirupsen/logrus"
	"golang.org/x/crypto/ssh"
	"golang.org/x/crypto/ssh/agent"
)

func (h *Host) TunnelUp(ctx context.Context, dialerFactory DialerFactory, clusterPrefixPath string, clusterVersion string) error {
	if h.DClient != nil {
		return nil
	}
	log.Infof(ctx, "[dialer] Setup tunnel for host [%s]", h.Address)
	httpClient, err := h.newHTTPClient(dialerFactory)
	if err != nil {
		return fmt.Errorf("Can't establish dialer connection: %v", err)
	}
	// set Docker client
	logrus.Debugf("Connecting to Docker API for host [%s]", h.Address)
	h.DClient, err = client.NewClientWithOpts(
		client.WithAPIVersionNegotiation(),
		client.WithHTTPClient(httpClient))
	if err != nil {
		return fmt.Errorf("Can't initiate NewClient: %v", err)
	}
	if err := checkDockerVersion(ctx, h, clusterVersion); err != nil {
		return err
	}
	h.SetPrefixPath(clusterPrefixPath)
	return nil
}

func (h *Host) TunnelUpLocal(ctx context.Context, clusterVersion string) error {
	var err error
	if h.DClient != nil {
		return nil
	}
	// set Docker client
	logrus.Debugf("Connecting to Docker API for host [%s]", h.Address)
	h.DClient, err = client.NewEnvClient()
	if err != nil {
		return fmt.Errorf("Can't initiate NewClient: %v", err)
	}
	return checkDockerVersion(ctx, h, clusterVersion)
}

func checkDockerVersion(ctx context.Context, h *Host, clusterVersion string) error {
	info, err := h.DClient.Info(ctx)
	if err != nil {
		return fmt.Errorf("Can't retrieve Docker Info: %v", err)
	}
	logrus.Debugf("Docker Info found for host [%s]: %#v", h.Address, info)
	h.DockerInfo = info
	if h.IgnoreDockerVersion {
		return nil
	}
	K8sSemVer, err := util.StrToSemVer(clusterVersion)
	if err != nil {
		return fmt.Errorf("Error while parsing cluster version [%s]: %v", clusterVersion, err)
	}
	K8sVersion := fmt.Sprintf("%d.%d", K8sSemVer.Major, K8sSemVer.Minor)
	isvalid, err := docker.IsSupportedDockerVersion(info, K8sVersion)
	if err != nil {
		return fmt.Errorf("Error while determining supported Docker version [%s]: %v", info.ServerVersion, err)
	}

	if !isvalid {
		return fmt.Errorf("Unsupported Docker version found [%s] on host [%s], supported versions are %v", info.ServerVersion, h.Address, metadata.K8sVersionToDockerVersions[K8sVersion])
	}
	return nil
}

func parsePrivateKey(keyBuff string) (ssh.Signer, error) {
	return ssh.ParsePrivateKey([]byte(keyBuff))
}

func getSSHConfig(username, sshPrivateKeyString string, sshCertificateString string, useAgentAuth bool) (*ssh.ClientConfig, error) {
	config := &ssh.ClientConfig{
		User:            username,
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
	}

	// Kind of a double check now.
	if useAgentAuth {
		if sshAgentSock := os.Getenv("SSH_AUTH_SOCK"); sshAgentSock != "" {
			sshAgent, err := net.Dial("unix", sshAgentSock)
			if err != nil {
				return config, fmt.Errorf("Cannot connect to SSH Auth socket %q: %s", sshAgentSock, err)
			}

			config.Auth = append(config.Auth, ssh.PublicKeysCallback(agent.NewClient(sshAgent).Signers))

			logrus.Debugf("using %q SSH_AUTH_SOCK", sshAgentSock)
			return config, nil
		}
	}

	signer, err := parsePrivateKey(sshPrivateKeyString)
	if err != nil {
		return config, err
	}

	if len(sshCertificateString) > 0 {
		key, _, _, _, err := ssh.ParseAuthorizedKey([]byte(sshCertificateString))
		if err != nil {
			return config, fmt.Errorf("Unable to parse SSH certificate: %v", err)
		}

		if _, ok := key.(*ssh.Certificate); !ok {
			return config, fmt.Errorf("Unable to cast public key to SSH Certificate")
		}
		signer, err = ssh.NewCertSigner(key.(*ssh.Certificate), signer)
		if err != nil {
			return config, err
		}
	}

	config.Auth = append(config.Auth, ssh.PublicKeys(signer))

	return config, nil
}

func privateKeyPath(sshKeyPath string) (string, error) {
	if sshKeyPath[:2] == "~/" {
		sshKeyPath = filepath.Join(userHome(), sshKeyPath[2:])
	}
	buff, err := ioutil.ReadFile(sshKeyPath)
	if err != nil {
		return "", fmt.Errorf("Error while reading SSH key file: %v", err)
	}
	return string(buff), nil
}

func certificatePath(sshCertPath string) (string, error) {
	if sshCertPath[:2] == "~/" {
		sshCertPath = filepath.Join(userHome(), sshCertPath[2:])
	}
	buff, err := ioutil.ReadFile(sshCertPath)
	if err != nil {
		return "", fmt.Errorf("Error while reading SSH certificate file: %v", err)
	}
	return string(buff), nil
}

func userHome() string {
	if home := os.Getenv("HOME"); home != "" {
		return home
	}
	homeDrive := os.Getenv("HOMEDRIVE")
	homePath := os.Getenv("HOMEPATH")
	if homeDrive != "" && homePath != "" {
		return homeDrive + homePath
	}
	return os.Getenv("USERPROFILE")
}
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00			`package hosts`

			`import (`
			`"context"`
			`"fmt"`
			`"io/ioutil"`
add win_ params for prefix path, env, args and binds Problem: When building a hybrid cluster with windows nodes there is only a single set of overrides you can use per service. This limits configuring the node as service args and prefix_path sometimes need to be specific for the different OS. Solution: Add support for `win_` prefixed parameters for cluster level `path_prefix` and service level `extra_args`, `extra_env` and `extra_binds`. Params will work as before, passing in the non `win_` prefixed params, IF you set the `win_` prefixed params it willy only use those meaning you will need to duplicate the params in both config sections of your rke cluster yaml. 2020-07-21 20:35:36 +00:00			`"net"`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00			`"os"`
			`"path/filepath"`

			`"github.com/docker/docker/client"`
			`"github.com/rancher/rke/docker"`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`"github.com/rancher/rke/log"`
add win_ params for prefix path, env, args and binds Problem: When building a hybrid cluster with windows nodes there is only a single set of overrides you can use per service. This limits configuring the node as service args and prefix_path sometimes need to be specific for the different OS. Solution: Add support for `win_` prefixed parameters for cluster level `path_prefix` and service level `extra_args`, `extra_env` and `extra_binds`. Params will work as before, passing in the non `win_` prefixed params, IF you set the `win_` prefixed params it willy only use those meaning you will need to duplicate the params in both config sections of your rke cluster yaml. 2020-07-21 20:35:36 +00:00			`"github.com/rancher/rke/metadata"`
Use clusterversion to check supported Docker versions 2018-10-04 08:54:04 +00:00			`"github.com/rancher/rke/util"`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00			`"github.com/sirupsen/logrus"`
			`"golang.org/x/crypto/ssh"`
Use SSH Agent This defaults to using the SSH Agent or a passwordless key file. It also refactors the Dialer methods a bit to simplify and decouple the host object from the dialer. 2018-02-26 21:27:51 +00:00			`"golang.org/x/crypto/ssh/agent"`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00			`)`

Use clusterversion to check supported Docker versions 2018-10-04 08:54:04 +00:00			`func (h *Host) TunnelUp(ctx context.Context, dialerFactory DialerFactory, clusterPrefixPath string, clusterVersion string) error {`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00			`if h.DClient != nil {`
			`return nil`
			`}`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`log.Infof(ctx, "[dialer] Setup tunnel for host [%s]", h.Address)`
Add Dialer Factory 2017-12-16 03:38:15 +00:00			`httpClient, err := h.newHTTPClient(dialerFactory)`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00			`if err != nil {`
Add Dialer Factory 2017-12-16 03:38:15 +00:00			`return fmt.Errorf("Can't establish dialer connection: %v", err)`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00			`}`
			`// set Docker client`
			`logrus.Debugf("Connecting to Docker API for host [%s]", h.Address)`
Handle etcd changing its public IP address 2019-08-19 22:53:51 +00:00			`h.DClient, err = client.NewClientWithOpts(`
use docker client with api negotiation 2021-05-27 18:20:11 +00:00			`client.WithAPIVersionNegotiation(),`
Handle etcd changing its public IP address 2019-08-19 22:53:51 +00:00			`client.WithHTTPClient(httpClient))`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00			`if err != nil {`
			`return fmt.Errorf("Can't initiate NewClient: %v", err)`
			`}`
Use clusterversion to check supported Docker versions 2018-10-04 08:54:04 +00:00			`if err := checkDockerVersion(ctx, h, clusterVersion); err != nil {`
Fix reconcile for ros prefix 2018-06-25 22:50:45 +00:00			`return err`
			`}`
add win_ params for prefix path, env, args and binds Problem: When building a hybrid cluster with windows nodes there is only a single set of overrides you can use per service. This limits configuring the node as service args and prefix_path sometimes need to be specific for the different OS. Solution: Add support for `win_` prefixed parameters for cluster level `path_prefix` and service level `extra_args`, `extra_env` and `extra_binds`. Params will work as before, passing in the non `win_` prefixed params, IF you set the `win_` prefixed params it willy only use those meaning you will need to duplicate the params in both config sections of your rke cluster yaml. 2020-07-21 20:35:36 +00:00			`h.SetPrefixPath(clusterPrefixPath)`
Fix reconcile for ros prefix 2018-06-25 22:50:45 +00:00			`return nil`
Add local option to deploy/remove kubernetes on local machine Remove insecure port from kube-api Use cluster.yml config Pass config dir to cluster up/remove 2017-12-22 01:01:53 +00:00			`}`

Use clusterversion to check supported Docker versions 2018-10-04 08:54:04 +00:00			`func (h *Host) TunnelUpLocal(ctx context.Context, clusterVersion string) error {`
Add local option to deploy/remove kubernetes on local machine Remove insecure port from kube-api Use cluster.yml config Pass config dir to cluster up/remove 2017-12-22 01:01:53 +00:00			`var err error`
			`if h.DClient != nil {`
			`return nil`
			`}`
			`// set Docker client`
			`logrus.Debugf("Connecting to Docker API for host [%s]", h.Address)`
			`h.DClient, err = client.NewEnvClient()`
			`if err != nil {`
			`return fmt.Errorf("Can't initiate NewClient: %v", err)`
			`}`
Use clusterversion to check supported Docker versions 2018-10-04 08:54:04 +00:00			`return checkDockerVersion(ctx, h, clusterVersion)`
Add local option to deploy/remove kubernetes on local machine Remove insecure port from kube-api Use cluster.yml config Pass config dir to cluster up/remove 2017-12-22 01:01:53 +00:00			`}`

Use clusterversion to check supported Docker versions 2018-10-04 08:54:04 +00:00			`func checkDockerVersion(ctx context.Context, h *Host, clusterVersion string) error {`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`info, err := h.DClient.Info(ctx)`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00			`if err != nil {`
			`return fmt.Errorf("Can't retrieve Docker Info: %v", err)`
			`}`
Add host to logging for Docker 2020-03-03 23:07:24 +00:00			`logrus.Debugf("Docker Info found for host [%s]: %#v", h.Address, info)`
Remove redundant if branch and make sure that docker info populated 2019-09-04 10:05:38 +00:00			`h.DockerInfo = info`
Do not parse docker version when validation is disabled When IgnoreDockerVersion is set, do not try to parse its version number Still retrieve docker info to check check fi docker is reachable closes #1502 2019-07-25 11:13:24 +00:00			`if h.IgnoreDockerVersion {`
			`return nil`
			`}`
Use clusterversion to check supported Docker versions 2018-10-04 08:54:04 +00:00			`K8sSemVer, err := util.StrToSemVer(clusterVersion)`
			`if err != nil {`
			`return fmt.Errorf("Error while parsing cluster version [%s]: %v", clusterVersion, err)`
			`}`
			`K8sVersion := fmt.Sprintf("%d.%d", K8sSemVer.Major, K8sSemVer.Minor)`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00			`isvalid, err := docker.IsSupportedDockerVersion(info, K8sVersion)`
			`if err != nil {`
			`return fmt.Errorf("Error while determining supported Docker version [%s]: %v", info.ServerVersion, err)`
			`}`

Do not parse docker version when validation is disabled When IgnoreDockerVersion is set, do not try to parse its version number Still retrieve docker info to check check fi docker is reachable closes #1502 2019-07-25 11:13:24 +00:00			`if !isvalid {`
Add host to logging for Docker 2020-03-03 23:07:24 +00:00			`return fmt.Errorf("Unsupported Docker version found [%s] on host [%s], supported versions are %v", info.ServerVersion, h.Address, metadata.K8sVersionToDockerVersions[K8sVersion])`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00			`}`
			`return nil`
			`}`

			`func parsePrivateKey(keyBuff string) (ssh.Signer, error) {`
			`return ssh.ParsePrivateKey([]byte(keyBuff))`
			`}`

Add support for SSH certificate authentication 2019-01-28 13:54:00 +00:00			`func getSSHConfig(username, sshPrivateKeyString string, sshCertificateString string, useAgentAuth bool) (*ssh.ClientConfig, error) {`
Use SSH Agent This defaults to using the SSH Agent or a passwordless key file. It also refactors the Dialer methods a bit to simplify and decouple the host object from the dialer. 2018-02-26 21:27:51 +00:00			`config := &ssh.ClientConfig{`
			`User: username,`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00			`HostKeyCallback: ssh.InsecureIgnoreHostKey(),`
			`}`

Leverage global SSHAgentAuth setting This addresses users issues in being unable to use RKE command line using SSH_AUTH_SOCK. On OSX the socket env var is set, but nothing is listening. Also, Linux users have reported issues. To address this the default mode is to not use SSH Agent Auth. A user must set it explicitly in either the config file or on the CLI. The only way to use a passphrase protected key file is with a properly configured SSH Agent and using SSH Agent Auth. 2018-03-06 00:52:43 +00:00			`// Kind of a double check now.`
			`if useAgentAuth {`
			`if sshAgentSock := os.Getenv("SSH_AUTH_SOCK"); sshAgentSock != "" {`
			`sshAgent, err := net.Dial("unix", sshAgentSock)`
			`if err != nil {`
			`return config, fmt.Errorf("Cannot connect to SSH Auth socket %q: %s", sshAgentSock, err)`
			`}`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00
Leverage global SSHAgentAuth setting This addresses users issues in being unable to use RKE command line using SSH_AUTH_SOCK. On OSX the socket env var is set, but nothing is listening. Also, Linux users have reported issues. To address this the default mode is to not use SSH Agent Auth. A user must set it explicitly in either the config file or on the CLI. The only way to use a passphrase protected key file is with a properly configured SSH Agent and using SSH Agent Auth. 2018-03-06 00:52:43 +00:00			`config.Auth = append(config.Auth, ssh.PublicKeysCallback(agent.NewClient(sshAgent).Signers))`
Use SSH Agent This defaults to using the SSH Agent or a passwordless key file. It also refactors the Dialer methods a bit to simplify and decouple the host object from the dialer. 2018-02-26 21:27:51 +00:00
Leverage global SSHAgentAuth setting This addresses users issues in being unable to use RKE command line using SSH_AUTH_SOCK. On OSX the socket env var is set, but nothing is listening. Also, Linux users have reported issues. To address this the default mode is to not use SSH Agent Auth. A user must set it explicitly in either the config file or on the CLI. The only way to use a passphrase protected key file is with a properly configured SSH Agent and using SSH Agent Auth. 2018-03-06 00:52:43 +00:00			`logrus.Debugf("using %q SSH_AUTH_SOCK", sshAgentSock)`
			`return config, nil`
			`}`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00			`}`
Use SSH Agent This defaults to using the SSH Agent or a passwordless key file. It also refactors the Dialer methods a bit to simplify and decouple the host object from the dialer. 2018-02-26 21:27:51 +00:00
Bastion host 2018-05-08 22:30:50 +00:00			`signer, err := parsePrivateKey(sshPrivateKeyString)`
Use SSH Agent This defaults to using the SSH Agent or a passwordless key file. It also refactors the Dialer methods a bit to simplify and decouple the host object from the dialer. 2018-02-26 21:27:51 +00:00			`if err != nil {`
			`return config, err`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00			`}`
Add support for SSH certificate authentication 2019-01-28 13:54:00 +00:00
			`if len(sshCertificateString) > 0 {`
			`key, _, _, _, err := ssh.ParseAuthorizedKey([]byte(sshCertificateString))`
			`if err != nil {`
			`return config, fmt.Errorf("Unable to parse SSH certificate: %v", err)`
			`}`

			`if _, ok := key.(*ssh.Certificate); !ok {`
			`return config, fmt.Errorf("Unable to cast public key to SSH Certificate")`
			`}`
			`signer, err = ssh.NewCertSigner(key.(*ssh.Certificate), signer)`
			`if err != nil {`
			`return config, err`
			`}`
			`}`

Use SSH Agent This defaults to using the SSH Agent or a passwordless key file. It also refactors the Dialer methods a bit to simplify and decouple the host object from the dialer. 2018-02-26 21:27:51 +00:00			`config.Auth = append(config.Auth, ssh.PublicKeys(signer))`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00
Use SSH Agent This defaults to using the SSH Agent or a passwordless key file. It also refactors the Dialer methods a bit to simplify and decouple the host object from the dialer. 2018-02-26 21:27:51 +00:00			`return config, nil`
			`}`
Fix regression with passphrased keys 2018-01-09 19:50:10 +00:00
Better error when ssh_key_path can't be opened 2018-06-25 19:01:02 +00:00			`func privateKeyPath(sshKeyPath string) (string, error) {`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00			`if sshKeyPath[:2] == "~/" {`
Fall back to HOMEDRIVE+HOMEPATH or USERPROFILE 2018-05-23 09:34:57 +00:00			`sshKeyPath = filepath.Join(userHome(), sshKeyPath[2:])`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00			`}`
Better error when ssh_key_path can't be opened 2018-06-25 19:01:02 +00:00			`buff, err := ioutil.ReadFile(sshKeyPath)`
			`if err != nil {`
			`return "", fmt.Errorf("Error while reading SSH key file: %v", err)`
			`}`
			`return string(buff), nil`
Using a custom dialer for cluster hosts 2017-12-11 18:28:08 +00:00			`}`
Fall back to HOMEDRIVE+HOMEPATH or USERPROFILE 2018-05-23 09:34:57 +00:00
Add support for SSH certificate authentication 2019-01-28 13:54:00 +00:00			`func certificatePath(sshCertPath string) (string, error) {`
			`if sshCertPath[:2] == "~/" {`
			`sshCertPath = filepath.Join(userHome(), sshCertPath[2:])`
			`}`
			`buff, err := ioutil.ReadFile(sshCertPath)`
			`if err != nil {`
			`return "", fmt.Errorf("Error while reading SSH certificate file: %v", err)`
			`}`
			`return string(buff), nil`
			`}`

Fall back to HOMEDRIVE+HOMEPATH or USERPROFILE 2018-05-23 09:34:57 +00:00			`func userHome() string {`
			`if home := os.Getenv("HOME"); home != "" {`
			`return home`
			`}`
			`homeDrive := os.Getenv("HOMEDRIVE")`
			`homePath := os.Getenv("HOMEPATH")`
			`if homeDrive != "" && homePath != "" {`
			`return homeDrive + homePath`
			`}`
			`return os.Getenv("USERPROFILE")`
			`}`