Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support use of SSH agent without requiring a key path to be set #142

Closed
ghost opened this issue Jul 13, 2017 · 8 comments
Closed

Support use of SSH agent without requiring a key path to be set #142

ghost opened this issue Jul 13, 2017 · 8 comments
Labels
Type: Enhancement Adds new functionality.

Comments

@ghost
Copy link

ghost commented Jul 13, 2017
edited by ghost
Loading

So, I have a setup that can work, but it weirdly requires the transport.ssh_key parameter in the .kitchen.yml file to be defined. I have an SSH agent set up, but without this directive set (and to a correct, alreadly-loaded value) the inspec verification fails, even though it works manually:

> chef --version
Chef Development Kit Version: 2.0.26
chef-client version: 13.2.20
delivery version: master (17c1b0fed9be4c70f69091a6d21a4cbf0df60a23)
berks version: 6.2.0
kitchen version: 1.16.0
inspec version: 1.31.1

> chef exec kitchen test
-----> Starting Kitchen (v1.16.0)
-----> Cleaning up any prior instances of <default-amazon-201703>
-----> Destroying <default-amazon-201703>...
       EC2 instance <i-0e99abbd661ab395b> destroyed.
       Finished destroying <default-amazon-201703> (0m0.62s).
-----> Testing <default-amazon-201703>
-----> Creating <default-amazon-201703>...
<snip>
       EC2 instance <i-0917f1602ac136ddc> ready.
       Waiting for SSH service on 54.193.44.60:22, retrying in 3 seconds
<snip>
-----> Verifying <default-amazon-201703>...
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: 1 actions failed.
>>>>>>     Failed to complete #verify action: [Transport error, can't connect to 'ssh' backend: SSH session could not be established] on default-amazon-201703
>>>>>> ----------------------
>>>>>> Please see .kitchen/logs/kitchen.log for more details
>>>>>> Also try running `kitchen diagnose --all` for configuration

> chef exec inspec exec -t 'ssh://[email protected]:22' test/smoke/default/

Profile: Tests for the default cookbook (default)
Version: 1.0.0
Target:  ssh://[email protected]:22


  Command yum
     ✔  check-update -q exit_status should eq 0

Test Summary: 1 successful, 0 failures, 0 skipped

chec exec kitchen verify succeeds if I specify the path to a key I have already loaded. For portability, and separation of access, I don't want to create a shared SSH key, figure out how to distribute it, etc. if the tools can just use an ssh-agent connection instead.

Attaching my kitchen.yml file.

kitchen.yml.txt
@adamleff
Copy link
Contributor

Train is successfully able to use the SSH agent and kitchen-inspec should likely be modified accordingly (if necessary) to not require a path to a key. Sounds like a good enhancement to me.

@adamleff adamleff changed the title Does not use default SSH auth Support use of SSH agent without requiring a key path to be set Sep 20, 2017
@Kapenaar
Copy link

Kapenaar commented Dec 6, 2017

I agree, all other kitchen functions work well with the agent, it is just kitchen verify. This is a huge pain in the neck, as we use the ssh-agent for pretty much everything in our organization.

@adamleff
Copy link
Contributor

adamleff commented Dec 7, 2017

Hey folks, I just tested this and am no longer able to reproduce this. I fixed this in #140, but unfortunately didn't release it in a gem until 24 days ago. This fix is in kitchen-inspec v0.20.0.

Here's my sample .kitchen.yml, without any keys specified:

---
driver:
  name: ec2
  region: us-west-2

transport:
  username: centos

provisioner:
  name: chef_zero
  always_update_cookbooks: true

verifier:
  name: inspec

platforms:
  - name: centos

suites:
  - name: default
    run_list:
      - recipe[ssh_agent_test::default]
    verifier:
      inspec_tests:
        - test/smoke/default
    attributes:

... and when I run kitchen verify:

  Directory /tmp
     ✔  should exist

Test Summary: 1 successful, 0 failures, 0 skipped
       Finished verifying <default-centos> (0m5.49s).

When I run ssh-add -D to delete all keys from my agent, and then kitchen verify again:

>>>>>>     Failed to complete #verify action: [Client error, can't connect to 'ssh' backend: Your SSH Agent has no keys added, and you have not specified a password or a key file] on default-centos

So, I do believe this is fixed. If you find that kitchen-inspec 0.20.0 does not fix this for you, please leave us a note with additional repro steps and I'll be happy to reopen this issue.

Thanks!
~Adam

@adamleff adamleff closed this as completed Dec 7, 2017
@juju4
Copy link

juju4 commented Sep 1, 2018

I'm getting this error in travis testing while switching from kitchen/docker to kitchen/lxd

https://travis-ci.org/juju4/puppet-meta-harden-linux/jobs/423403594#L3223

>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: 1 actions failed.
>>>>>>     Failed to complete #verify action: [Client error, can't connect to 'ssh' backend: Your SSH Agent has no keys added, and you have not specified a password or a key file] on default-ubuntu-1604
>>>>>> ----------------------
>>>>>> Please see .kitchen/logs/kitchen.log for more details
>>>>>> Also try running `kitchen diagnose --all` for configuration
D      ------Exception-------
D      Class: Kitchen::ActionFailed
D      Message: 1 actions failed.
>>>>>>     Failed to complete #verify action: [Client error, can't connect to 'ssh' backend: Your SSH Agent has no keys added, and you have not specified a password or a key file] on default-ubuntu-1604
D      ----------------------
D      ------Backtrace-------
D      /home/travis/.rvm/gems/ruby-2.5.1/gems/test-kitchen-1.23.2/lib/kitchen/command.rb:183:in `report_errors'
D      /home/travis/.rvm/gems/ruby-2.5.1/gems/test-kitchen-1.23.2/lib/kitchen/command.rb:174:in `run_action'
D      /home/travis/.rvm/gems/ruby-2.5.1/gems/test-kitchen-1.23.2/lib/kitchen/command/action.rb:36:in `block in call'

ssh-add at the end does not list any loaded keys and seems failing to reaching ssh-agent even if started at beginning.

it seems same for ansible
https://travis-ci.org/juju4/ansible-harden/jobs/423424189
(and trying to use inexistant busser-inspec)

any step that I miss?

Thanks

@chris-rock
Copy link
Collaborator

@juju4 I am not familiar with the kitchen-lxc but it seems that we would need to add special handling to pass in the credentials from lxc to kitchen-inspec similar to what we've done for kitchen ssh plugin https://github.com/inspec/kitchen-inspec/blob/master/lib/kitchen/verifier/inspec.rb#L224-L249

@juju4
Copy link

juju4 commented Sep 3, 2018

Probably need to pass public_key_path argument to whatever value is needed
https://github.com/bradenwright/kitchen-lxd_cli/blob/4b0abe49c3c5ef20f3b6e8c5ff0b9730b87b0e9d/lib/kitchen/driver/lxd_cli.rb#L32

@chris-rock
Copy link
Collaborator

@juju4 Should we open a specific issue to support kitchen-lxc because I assume that is different from the pure ssh one?

@juju4 juju4 mentioned this issue Sep 5, 2018
Open
@juju4
Copy link

juju4 commented Sep 5, 2018

Done

@tas50 tas50 added Type: Enhancement Adds new functionality. and removed enhancement labels Jan 14, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Type: Enhancement Adds new functionality.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@tas50 @chris-rock @juju4 @adamleff @Kapenaar