podman machine ssh handling

add the key used in newly initialized machines to the user's known_hosts file. This ensures that golang will be able to ssh into the machine using
podman-remote. Also, remove the /dev/null redirection for podman machine ssh's known_hosts file.

resolves #15347

Signed-off-by: Charlie Doern <cdoern@redhat.com>
Signed-off-by: cdoern <cbdoer23@g.holycross.edu>

cmd/podman/machine/ssh.go

@@ -101,7 +101,7 @@ func remoteConnectionUsername() (string, error) {
 	if err != nil {
 		return "", err
 	}
-	dest, _, err := cfg.ActiveDestination()
+	dest, _, _, err := cfg.ActiveDestination()
 	if err != nil {
 		return "", err
 	}

cmd/podman/root.go

@@ -176,7 +176,7 @@ func persistentPreRunE(cmd *cobra.Command, args []string) error {
 
 	setupConnection := func() error {
 		var err error
-		cfg.URI, cfg.Identity, err = cfg.ActiveDestination()
+		cfg.URI, cfg.Identity, cfg.MachineMode, err = cfg.ActiveDestination()
 		if err != nil {
 			return fmt.Errorf("failed to resolve active destination: %w", err)
 		}
@@ -368,10 +368,13 @@ func loggingHook() {
 
 func rootFlags(cmd *cobra.Command, opts *entities.PodmanConfig) {
 	cfg := opts.Config
-	srv, uri, ident := resolveDestination()
+	srv, uri, ident, machine := resolveDestination()
 
 	lFlags := cmd.Flags()
 
+	// non configurable option to help ssh dialing
+	opts.MachineMode = machine
+
 	sshFlagName := "ssh"
 	lFlags.StringVar(&opts.SSHMode, sshFlagName, string(ssh.GolangMode), "define the ssh mode")
 	_ = cmd.RegisterFlagCompletionFunc(sshFlagName, common.AutocompleteSSH)
@@ -513,26 +516,26 @@ func rootFlags(cmd *cobra.Command, opts *entities.PodmanConfig) {
 	}
 }
 
-func resolveDestination() (string, string, string) {
+func resolveDestination() (string, string, string, bool) {
 	if uri, found := os.LookupEnv("CONTAINER_HOST"); found {
 		var ident string
 		if v, found := os.LookupEnv("CONTAINER_SSHKEY"); found {
 			ident = v
 		}
-		return "", uri, ident
+		return "", uri, ident, false
 	}
 
 	cfg, err := config.ReadCustomConfig()
 	if err != nil {
 		logrus.Warning(fmt.Errorf("unable to read local containers.conf: %w", err))
-		return "", registry.DefaultAPIAddress(), ""
+		return "", registry.DefaultAPIAddress(), "", false
 	}
 
-	uri, ident, err := cfg.ActiveDestination()
+	uri, ident, machine, err := cfg.ActiveDestination()
 	if err != nil {
-		return "", registry.DefaultAPIAddress(), ""
+		return "", registry.DefaultAPIAddress(), "", false
 	}
-	return cfg.Engine.ActiveService, uri, ident
+	return cfg.Engine.ActiveService, uri, ident, machine
 }
 
 func formatError(err error) string {

cmd/podman/system/connection/list.go

@@ -107,6 +107,7 @@ func inspect(cmd *cobra.Command, args []string) error {
 			Destination: config.Destination{
 				Identity:  v.Identity,
 				URI:       v.URI,
+				IsMachine: v.IsMachine,
 			},
 			Default: def,
 		}

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/containernetworking/cni v1.1.2
 	github.com/containernetworking/plugins v1.1.1
 	github.com/containers/buildah v1.27.1-0.20220921131114-d3064796af36
-	github.com/containers/common v0.49.2-0.20220920205255-8062f81c5497
+	github.com/containers/common v0.49.2-0.20220926195839-590004b80685
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/image/v5 v5.22.1-0.20220919112403-fe51f7ffca50
 	github.com/containers/ocicrypt v1.1.5

go.sum

@@ -419,8 +419,9 @@ github.com/containernetworking/plugins v1.1.1 h1:+AGfFigZ5TiQH00vhR8qPeSatj53eNG
 github.com/containernetworking/plugins v1.1.1/go.mod h1:Sr5TH/eBsGLXK/h71HeLfX19sZPp3ry5uHSkI4LPxV8=
 github.com/containers/buildah v1.27.1-0.20220921131114-d3064796af36 h1:LTSEbPUbs0slJSJ+IH6atAjYDe0IDzA0sPgBLjT1yAo=
 github.com/containers/buildah v1.27.1-0.20220921131114-d3064796af36/go.mod h1:cY3pGPyMmrNp/sEDK8ESoBOf4hoNovptZSI0oyo8eQM=
-github.com/containers/common v0.49.2-0.20220920205255-8062f81c5497 h1:LB9SxcAglqSAHiiHGacN1Abi0ZL9haJpQ1numVlqtxM=
 github.com/containers/common v0.49.2-0.20220920205255-8062f81c5497/go.mod h1:ZnhOPR/07UOkfIg5bezUpBilGjxEUdaeoUpu7gRBGc0=
+github.com/containers/common v0.49.2-0.20220926195839-590004b80685 h1:rutCgIKcew85mTUO0JTnh7XDXQfaTz/qQ3HyQHb0jZE=
+github.com/containers/common v0.49.2-0.20220926195839-590004b80685/go.mod h1:ZnhOPR/07UOkfIg5bezUpBilGjxEUdaeoUpu7gRBGc0=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/image/v5 v5.22.1-0.20220907162003-651744379993/go.mod h1:/Ruurd87C6Ap45t1PWNOD8+SGwiZbk79XCgs1iUTvYA=

pkg/bindings/connection.go

@@ -59,7 +59,7 @@ func JoinURL(elements ...string) string {
 
 // NewConnection creates a new service connection without an identity
 func NewConnection(ctx context.Context, uri string) (context.Context, error) {
-	return NewConnectionWithIdentity(ctx, uri, "")
+	return NewConnectionWithIdentity(ctx, uri, "", false)
 }
 
 // NewConnectionWithIdentity takes a URI as a string and returns a context with the
@@ -70,7 +70,7 @@ func NewConnection(ctx context.Context, uri string) (context.Context, error) {
 // For example tcp://localhost:<port>
 // or unix:///run/podman/podman.sock
 // or ssh://<user>@<host>[:port]/run/podman/podman.sock?secure=True
-func NewConnectionWithIdentity(ctx context.Context, uri string, identity string) (context.Context, error) {
+func NewConnectionWithIdentity(ctx context.Context, uri string, identity string, machine bool) (context.Context, error) {
 	var (
 		err error
 	)
@@ -100,6 +100,7 @@ func NewConnectionWithIdentity(ctx context.Context, uri string, identity string)
 			Identity:                    identity,
 			User:                        _url.User,
 			Port:                        port,
+			InsecureIsMachineConnection: machine,
 		}, "golang")
 		if err != nil {
 			return nil, err

pkg/domain/entities/engine.go

@@ -54,4 +54,5 @@ type PodmanConfig struct {
 	StorageDriver string
 	StorageOpts   []string
 	SSHMode       string
+	MachineMode   bool
 }

pkg/domain/infra/runtime_abi.go

@@ -21,7 +21,7 @@ func NewContainerEngine(facts *entities.PodmanConfig) (entities.ContainerEngine,
 		r, err := NewLibpodRuntime(facts.FlagSet, facts)
 		return r, err
 	case entities.TunnelMode:
-		ctx, err := bindings.NewConnectionWithIdentity(context.Background(), facts.URI, facts.Identity)
+		ctx, err := bindings.NewConnectionWithIdentity(context.Background(), facts.URI, facts.Identity, facts.MachineMode)
 		return &tunnel.ContainerEngine{ClientCtx: ctx}, err
 	}
 	return nil, fmt.Errorf("runtime mode '%v' is not supported", facts.EngineMode)
@@ -35,7 +35,7 @@ func NewImageEngine(facts *entities.PodmanConfig) (entities.ImageEngine, error)
 		return r, err
 	case entities.TunnelMode:
 		// TODO: look at me!
-		ctx, err := bindings.NewConnectionWithIdentity(context.Background(), facts.URI, facts.Identity)
+		ctx, err := bindings.NewConnectionWithIdentity(context.Background(), facts.URI, facts.Identity, facts.MachineMode)
 		return &tunnel.ImageEngine{ClientCtx: ctx}, err
 	}
 	return nil, fmt.Errorf("runtime mode '%v' is not supported", facts.EngineMode)

pkg/domain/infra/runtime_tunnel.go

@@ -18,12 +18,12 @@ var (
 	connection      *context.Context
 )
 
-func newConnection(uri string, identity string) (context.Context, error) {
+func newConnection(uri string, identity string, machine bool) (context.Context, error) {
 	connectionMutex.Lock()
 	defer connectionMutex.Unlock()
 
 	if connection == nil {
-		ctx, err := bindings.NewConnectionWithIdentity(context.Background(), uri, identity)
+		ctx, err := bindings.NewConnectionWithIdentity(context.Background(), uri, identity, machine)
 		if err != nil {
 			return ctx, err
 		}
@@ -37,7 +37,7 @@ func NewContainerEngine(facts *entities.PodmanConfig) (entities.ContainerEngine,
 	case entities.ABIMode:
 		return nil, fmt.Errorf("direct runtime not supported")
 	case entities.TunnelMode:
-		ctx, err := newConnection(facts.URI, facts.Identity)
+		ctx, err := newConnection(facts.URI, facts.Identity, facts.MachineMode)
 		return &tunnel.ContainerEngine{ClientCtx: ctx}, err
 	}
 	return nil, fmt.Errorf("runtime mode '%v' is not supported", facts.EngineMode)
@@ -49,7 +49,7 @@ func NewImageEngine(facts *entities.PodmanConfig) (entities.ImageEngine, error)
 	case entities.ABIMode:
 		return nil, fmt.Errorf("direct image runtime not supported")
 	case entities.TunnelMode:
-		ctx, err := newConnection(facts.URI, facts.Identity)
+		ctx, err := newConnection(facts.URI, facts.Identity, facts.MachineMode)
 		return &tunnel.ImageEngine{ClientCtx: ctx}, err
 	}
 	return nil, fmt.Errorf("runtime mode '%v' is not supported", facts.EngineMode)

pkg/machine/connection.go

@@ -26,6 +26,7 @@ func AddConnection(uri fmt.Stringer, name, identity string, isDefault bool) erro
 	}
 	dst := config.Destination{
 		URI:       uri.String(),
+		IsMachine: true,
 	}
 	dst.Identity = identity
 	if cfg.Engine.ServiceDestinations == nil {

pkg/machine/e2e/basic_test.go

@@ -1,8 +1,6 @@
 package e2e_test
 
 import (
-	"os"
-
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 	. "github.com/onsi/gomega/gexec"
@@ -24,10 +22,6 @@ var _ = Describe("run basic podman commands", func() {
 	It("Basic ops", func() {
 		// golangci-lint has trouble with actually skipping tests marked Skip
 		// so skip it on cirrus envs and where CIRRUS_CI isn't set.
-		if os.Getenv("CIRRUS_CI") != "false" {
-			Skip("FIXME: #15347 - ssh know hosts broken - fails on PR runs and on x86_64")
-		}
-
 		name := randomString()
 		i := new(initMachine)
 		session, err := mb.setName(name).setCmd(i.withImagePath(mb.imagePath).withNow()).run()

pkg/machine/qemu/machine.go

@@ -405,6 +405,7 @@ func (v *MachineVM) Init(opts machine.InitOptions) (bool, error) {
 		WritePath: v.getIgnitionFile(),
 		UID:       v.UID,
 	}
+
 	err = machine.NewIgnitionFile(ign)
 	return err == nil, err
 }
@@ -1033,7 +1034,7 @@ func (v *MachineVM) SSH(_ string, opts machine.SSHOptions) error {
 	sshDestination := username + "@localhost"
 	port := strconv.Itoa(v.Port)
 
-	args := []string{"-i", v.IdentityPath, "-p", port, sshDestination, "-o", "UserKnownHostsFile=/dev/null",
+	args := []string{"-i", v.IdentityPath, "-p", port, sshDestination,
 		"-o", "StrictHostKeyChecking=no", "-o", "LogLevel=ERROR", "-o", "SetEnv=LC_ALL="}
 	if len(opts.Args) > 0 {
 		args = append(args, opts.Args...)

vendor/github.com/containers/common/libimage/platform.go

@@ -63,6 +63,9 @@ func toPlatformString(os, arch, variant string) string {
 //  * 2) a bool indicating whether architecture, os or variant were set (some callers need that to decide whether they need to throw an error)
 //  * 3) a fatal error that occurred prior to check for matches (e.g., storage errors etc.)
 func (i *Image) matchesPlatform(ctx context.Context, os, arch, variant string) (error, bool, error) {
+	if err := i.isCorrupted(""); err != nil {
+		return err, false, nil
+	}
 	inspectInfo, err := i.inspectInfo(ctx)
 	if err != nil {
 		return nil, false, fmt.Errorf("inspecting image: %w", err)

vendor/github.com/containers/common/pkg/config/config.go

@@ -613,6 +613,9 @@ type Destination struct {
 
 	// Identity file with ssh key, optional
 	Identity string `toml:"identity,omitempty"`
+
+	// isMachine describes if the remote destination is a machine.
+	IsMachine bool `toml:"is_machine,omitempty"`
 }
 
 // NewConfig creates a new Config. It starts with an empty config and, if
@@ -1235,32 +1238,32 @@ func Reload() (*Config, error) {
 	return defConfig()
 }
 
-func (c *Config) ActiveDestination() (uri, identity string, err error) {
+func (c *Config) ActiveDestination() (uri, identity string, machine bool, err error) {
 	if uri, found := os.LookupEnv("CONTAINER_HOST"); found {
 		if v, found := os.LookupEnv("CONTAINER_SSHKEY"); found {
 			identity = v
 		}
-		return uri, identity, nil
+		return uri, identity, false, nil
 	}
 	connEnv := os.Getenv("CONTAINER_CONNECTION")
 	switch {
 	case connEnv != "":
 		d, found := c.Engine.ServiceDestinations[connEnv]
 		if !found {
-			return "", "", fmt.Errorf("environment variable CONTAINER_CONNECTION=%q service destination not found", connEnv)
+			return "", "", false, fmt.Errorf("environment variable CONTAINER_CONNECTION=%q service destination not found", connEnv)
 		}
-		return d.URI, d.Identity, nil
+		return d.URI, d.Identity, d.IsMachine, nil
 
 	case c.Engine.ActiveService != "":
 		d, found := c.Engine.ServiceDestinations[c.Engine.ActiveService]
 		if !found {
-			return "", "", fmt.Errorf("%q service destination not found", c.Engine.ActiveService)
+			return "", "", false, fmt.Errorf("%q service destination not found", c.Engine.ActiveService)
 		}
-		return d.URI, d.Identity, nil
+		return d.URI, d.Identity, d.IsMachine, nil
 	case c.Engine.RemoteURI != "":
-		return c.Engine.RemoteURI, c.Engine.RemoteIdentity, nil
+		return c.Engine.RemoteURI, c.Engine.RemoteIdentity, false, nil
 	}
-	return "", "", errors.New("no service destination configured")
+	return "", "", false, errors.New("no service destination configured")
 }
 
 var (

vendor/github.com/containers/common/pkg/ssh/connection_golang.go

@@ -3,6 +3,7 @@ package ssh
 import (
 	"bytes"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net"
@@ -70,7 +71,7 @@ func golangConnectionDial(options ConnectionDialOptions) (*ConnectionDialReport,
 	if err != nil {
 		return nil, err
 	}
-	cfg, err := ValidateAndConfigure(uri, options.Identity)
+	cfg, err := ValidateAndConfigure(uri, options.Identity, options.InsecureIsMachineConnection)
 	if err != nil {
 		return nil, err
 	}
@@ -84,12 +85,15 @@ func golangConnectionDial(options ConnectionDialOptions) (*ConnectionDialReport,
 }
 
 func golangConnectionExec(options ConnectionExecOptions) (*ConnectionExecReport, error) {
+	if !strings.HasPrefix(options.Host, "ssh://") {
+		options.Host = "ssh://" + options.Host
+	}
 	_, uri, err := Validate(options.User, options.Host, options.Port, options.Identity)
 	if err != nil {
 		return nil, err
 	}
 
-	cfg, err := ValidateAndConfigure(uri, options.Identity)
+	cfg, err := ValidateAndConfigure(uri, options.Identity, false)
 	if err != nil {
 		return nil, err
 	}
@@ -111,11 +115,15 @@ func golangConnectionScp(options ConnectionScpOptions) (*ConnectionScpReport, er
 		return nil, err
 	}
 
+	// removed for parsing
+	if !strings.HasPrefix(host, "ssh://") {
+		host = "ssh://" + host
+	}
 	_, uri, err := Validate(options.User, host, options.Port, options.Identity)
 	if err != nil {
 		return nil, err
 	}
-	cfg, err := ValidateAndConfigure(uri, options.Identity)
+	cfg, err := ValidateAndConfigure(uri, options.Identity, false)
 	if err != nil {
 		return nil, err
 	}
@@ -209,7 +217,7 @@ func GetUserInfo(uri *url.URL) (*url.Userinfo, error) {
 // ValidateAndConfigure will take a ssh url and an identity key (rsa and the like) and ensure the information given is valid
 // iden iden can be blank to mean no identity key
 // once the function validates the information it creates and returns an ssh.ClientConfig.
-func ValidateAndConfigure(uri *url.URL, iden string) (*ssh.ClientConfig, error) {
+func ValidateAndConfigure(uri *url.URL, iden string, insecureIsMachineConnection bool) (*ssh.ClientConfig, error) {
 	var signers []ssh.Signer
 	passwd, passwdSet := uri.User.Password()
 	if iden != "" { // iden might be blank if coming from image scp or if no validation is needed
@@ -272,23 +280,61 @@ func ValidateAndConfigure(uri *url.URL, iden string) (*ssh.ClientConfig, error)
 	if err != nil {
 		return nil, err
 	}
+
+	var callback ssh.HostKeyCallback
+	if insecureIsMachineConnection {
+		callback = ssh.InsecureIgnoreHostKey()
+	} else {
+		callback = ssh.HostKeyCallback(func(host string, remote net.Addr, pubKey ssh.PublicKey) error {
 			keyFilePath := filepath.Join(homedir.Get(), ".ssh", "known_hosts")
 			known, err := knownhosts.New(keyFilePath)
 			if err != nil {
-		return nil, fmt.Errorf("creating host key callback function for %s: %w", keyFilePath, err)
+				if errors.Is(err, os.ErrNotExist) {
+					logrus.Warn("please create a known_hosts file. The next time this host is connected to, podman will add it to known_hosts")
+					return nil
+				}
+				return err
+			}
+			// we need to check if there is an error from reading known hosts for this public key and if there is an error, what is it, and why is it happening?
+			// if it is a key mismatch we want to error since we know the host using another key
+			// however, if it is a general error not because of a known key, we want to add our key to the known_hosts file
+			hErr := known(host, remote, pubKey)
+			var keyErr *knownhosts.KeyError
+			// if keyErr.Want is not empty, we are receiving a different key meaning the host is known but we are using the wrong key
+			as := errors.As(hErr, &keyErr)
+			switch {
+			case as && len(keyErr.Want) > 0:
+				logrus.Warnf("ssh host key mismatch for host %s, got key %s of type %s", host, ssh.FingerprintSHA256(pubKey), pubKey.Type())
+				return keyErr
+			// if keyErr.Want is empty that just means we do not know this host yet, add it.
+			case as && len(keyErr.Want) == 0:
+				// write to known_hosts
+				err := addKnownHostsEntry(host, pubKey)
+				if err != nil {
+					if os.IsNotExist(err) {
+						logrus.Warn("podman will soon require a known_hosts file to function properly.")
+						return nil
+					}
+					return err
+				}
+			case hErr != nil:
+				return hErr
+			}
+			return nil
+		})
 	}
 
 	cfg := &ssh.ClientConfig{
 		User:            uri.User.Username(),
 		Auth:            authMethods,
-		HostKeyCallback: known,
+		HostKeyCallback: callback,
 		Timeout:         tick,
 	}
 	return cfg, nil
 }
 
 func getUDS(uri *url.URL, iden string) (string, error) {
-	cfg, err := ValidateAndConfigure(uri, iden)
+	cfg, err := ValidateAndConfigure(uri, iden, false)
 	if err != nil {
 		return "", fmt.Errorf("failed to validate: %w", err)
 	}
@@ -324,3 +370,20 @@ func getUDS(uri *url.URL, iden string) (string, error) {
 	}
 	return info.Host.RemoteSocket.Path, nil
 }
+
+// addKnownHostsEntry adds (host, pubKey) to user’s known_hosts.
+func addKnownHostsEntry(host string, pubKey ssh.PublicKey) error {
+	hd := homedir.Get()
+	known := filepath.Join(hd, ".ssh", "known_hosts")
+	f, err := os.OpenFile(known, os.O_APPEND|os.O_WRONLY, 0o600)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	l := knownhosts.Line([]string{host}, pubKey)
+	if _, err = f.WriteString("\n" + l + "\n"); err != nil {
+		return err
+	}
+	logrus.Infof("key %s added to %s", ssh.FingerprintSHA256(pubKey), known)
+	return nil
+}

vendor/github.com/containers/common/pkg/ssh/types.go

@@ -33,6 +33,7 @@ type ConnectionDialOptions struct {
 	Port                        int
 	Auth                        []string
 	Timeout                     time.Duration
+	InsecureIsMachineConnection bool
 }
 
 type ConnectionDialReport struct {

vendor/github.com/containers/common/pkg/ssh/utils.go

@@ -21,6 +21,7 @@ func Validate(user *url.Userinfo, path string, port int, identity string) (*conf
 	if strings.Contains(path, "/run") {
 		sock = strings.Split(path, "/run")[1]
 	}
+	// url.Parse NEEDS ssh://, if this ever fails or returns some nonsense, that is why.
 	uri, err := url.Parse(path)
 	if err != nil {
 		return nil, nil, err
@@ -33,9 +34,9 @@ func Validate(user *url.Userinfo, path string, port int, identity string) (*conf
 
 	if uri.Port() == "" {
 		if port != 0 {
-			uri.Host = net.JoinHostPort(uri.Hostname(), strconv.Itoa(port))
+			uri.Host = net.JoinHostPort(uri.Host, strconv.Itoa(port))
 		} else {
-			uri.Host = net.JoinHostPort(uri.Hostname(), "22")
+			uri.Host = net.JoinHostPort(uri.Host, "22")
 		}
 	}
 

vendor/modules.txt

@@ -120,7 +120,7 @@ github.com/containers/buildah/pkg/rusage
 github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/util
-# github.com/containers/common v0.49.2-0.20220920205255-8062f81c5497
+# github.com/containers/common v0.49.2-0.20220926195839-590004b80685
 ## explicit; go 1.17
 github.com/containers/common/libimage
 github.com/containers/common/libimage/define