Shiloh/lasthourcloud
Shiloh/lasthourcloud
1
1
Fork 0
Code Issues Pull Requests Packages Projects Releases 4 Wiki Activity

feat: ssh-agent instead of filesystem based ssh keys

Browse Source
This commit is contained in:
Andras Bacsai 2023-09-14 10:12:58 +02:00
parent fe4a0ae166
commit 17c0e91a0d
20 changed files with 61 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
app/Actions/CoolifyTask/RunRemoteProcess.php
View File

@ -73,7 +73,7 @@ public function __invoke(): ProcessResult
$this->time_start = hrtime(true); $this->time_start = hrtime(true);
$status = ProcessStatus::IN_PROGRESS; $status = ProcessStatus::IN_PROGRESS;
$processResult = Process::forever()->run($this->getCommand(), $this->handleOutput(...)); $processResult = processWithEnv()->forever()->run($this->getCommand(), $this->handleOutput(...));
if ($this->activity->properties->get('status') === ProcessStatus::ERROR->value) { if ($this->activity->properties->get('status') === ProcessStatus::ERROR->value) {
$status = ProcessStatus::ERROR; $status = ProcessStatus::ERROR;
@ -104,11 +104,10 @@ protected function getCommand(): string
{ {
$user = $this->activity->getExtraProperty('user'); $user = $this->activity->getExtraProperty('user');
$server_ip = $this->activity->getExtraProperty('server_ip'); $server_ip = $this->activity->getExtraProperty('server_ip');
$private_key_location = $this->activity->getExtraProperty('private_key_location');
$port = $this->activity->getExtraProperty('port'); $port = $this->activity->getExtraProperty('port');
$command = $this->activity->getExtraProperty('command'); $command = $this->activity->getExtraProperty('command');
return generate_ssh_command($private_key_location, $server_ip, $user, $port, $command); return generateSshCommand($server_ip, $user, $port, $command);
} }
protected function handleOutput(string $type, string $output) protected function handleOutput(string $type, string $output)

1
app/Data/CoolifyTaskArgs.php
View File

@ -13,7 +13,6 @@ class CoolifyTaskArgs extends Data
{ {
public function __construct( public function __construct(
public string $server_ip, public string $server_ip,
public string $private_key_location,
public string $command, public string $command,
public int $port, public int $port,
public string $user, public string $user,

3
app/Http/Livewire/Server/ShowPrivateKey.php
View File

@ -14,6 +14,7 @@ class ShowPrivateKey extends Component
public function setPrivateKey($newPrivateKeyId) public function setPrivateKey($newPrivateKeyId)
{ {
try { try {
refresh_server_connection($this->server->privateKey);
$oldPrivateKeyId = $this->server->private_key_id; $oldPrivateKeyId = $this->server->private_key_id;
$this->server->update([ $this->server->update([
'private_key_id' => $newPrivateKeyId 'private_key_id' => $newPrivateKeyId
@ -26,7 +27,7 @@ public function setPrivateKey($newPrivateKeyId)
'private_key_id' => $oldPrivateKeyId 'private_key_id' => $oldPrivateKeyId
]); ]);
$this->server->refresh(); $this->server->refresh();
refresh_server_connection($this->server->privateKey); refresh_server_connection($this->server->privateKey);
return general_error_handler($e, that: $this); return general_error_handler($e, that: $this);
} }
} }

7
app/Traits/ExecuteRemoteCommand.php
View File

@ -28,9 +28,8 @@ public function execute_remote_command(...$commands)
$ip = data_get($this->server, 'ip'); $ip = data_get($this->server, 'ip');
$user = data_get($this->server, 'user'); $user = data_get($this->server, 'user');
$port = data_get($this->server, 'port'); $port = data_get($this->server, 'port');
$private_key_location = get_private_key_for_server($this->server);
$commandsText->each(function ($single_command) use ($private_key_location, $ip, $user, $port) { $commandsText->each(function ($single_command) use ($ip, $user, $port) {
$command = data_get($single_command, 'command') ?? $single_command[0] ?? null; $command = data_get($single_command, 'command') ?? $single_command[0] ?? null;
if ($command === null) { if ($command === null) {
throw new \RuntimeException('Command is not set'); throw new \RuntimeException('Command is not set');
@ -39,8 +38,8 @@ public function execute_remote_command(...$commands)
$ignore_errors = data_get($single_command, 'ignore_errors', false); $ignore_errors = data_get($single_command, 'ignore_errors', false);
$this->save = data_get($single_command, 'save'); $this->save = data_get($single_command, 'save');
$remote_command = generate_ssh_command($private_key_location, $ip, $user, $port, $command); $remote_command = generateSshCommand( $ip, $user, $port, $command);
$process = Process::timeout(3600)->idleTimeout(3600)->start($remote_command, function (string $type, string $output) use ($command, $hidden) { $process = processWithEnv()->timeout(3600)->idleTimeout(3600)->start($remote_command, function (string $type, string $output) use ($command, $hidden) {
$output = Str::of($output)->trim(); $output = Str::of($output)->trim();
$new_log_entry = [ $new_log_entry = [
'command' => $command, 'command' => $command,

53
bootstrap/helpers/remoteProcess.php
View File

@ -33,12 +33,9 @@ function remote_process(
} }
} }
$private_key_location = save_private_key_for_server($server);
return resolve(PrepareCoolifyTask::class, [ return resolve(PrepareCoolifyTask::class, [
'remoteProcessArgs' => new CoolifyTaskArgs( 'remoteProcessArgs' => new CoolifyTaskArgs(
server_ip: $server->ip, server_ip: $server->ip,
private_key_location: $private_key_location,
command: <<<EOT command: <<<EOT
{$command_string} {$command_string}
EOT, EOT,
@ -52,25 +49,29 @@ function remote_process(
])(); ])();
} }
function get_private_key_for_server(Server $server) function removePrivateKeyFromSshAgent(Server $server)
{
$temp_file = "id.root@{$server->ip}";
return '/var/www/html/storage/app/ssh/keys/' . $temp_file;
}
function save_private_key_for_server(Server $server)
{ {
if (data_get($server, 'privateKey.private_key') === null) { if (data_get($server, 'privateKey.private_key') === null) {
throw new \Exception("Server {$server->name} does not have a private key"); throw new \Exception("Server {$server->name} does not have a private key");
} }
$temp_file = "id.root@{$server->ip}"; Process::run("echo '{$server->privateKey->private_key}' | ssh-add -d -");
Storage::disk('ssh-keys')->put($temp_file, $server->privateKey->private_key); }
Storage::disk('ssh-mux')->makeDirectory('.'); function addPrivateKeyToSshAgent(Server $server, bool $onlyRemove = false)
return '/var/www/html/storage/app/ssh/keys/' . $temp_file; {
if (data_get($server, 'privateKey.private_key') === null) {
throw new \Exception("Server {$server->name} does not have a private key");
}
// ray('adding key', $server->privateKey->private_key);
Process::run("echo '{$server->privateKey->private_key}' | ssh-add -q -");
} }
function generate_ssh_command(string $private_key_location, string $server_ip, string $user, string $port, string $command, bool $isMux = true) function generateSshCommand(string $server_ip, string $user, string $port, string $command, bool $isMux = true)
{ {
$server = Server::where('ip', $server_ip)->first();
if (!$server) {
throw new \Exception("Server with ip {$server_ip} not found");
}
addPrivateKeyToSshAgent($server);
$timeout = config('constants.ssh.command_timeout'); $timeout = config('constants.ssh.command_timeout');
$connectionTimeout = config('constants.ssh.connection_timeout'); $connectionTimeout = config('constants.ssh.connection_timeout');
$serverInterval = config('constants.ssh.server_interval'); $serverInterval = config('constants.ssh.server_interval');
@ -82,8 +83,7 @@ function generate_ssh_command(string $private_key_location, string $server_ip, s
$ssh_command .= '-o ControlMaster=auto -o ControlPersist=1m -o ControlPath=/var/www/html/storage/app/ssh/mux/%h_%p_%r '; $ssh_command .= '-o ControlMaster=auto -o ControlPersist=1m -o ControlPath=/var/www/html/storage/app/ssh/mux/%h_%p_%r ';
} }
$command = "PATH=\$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/host/usr/local/sbin:/host/usr/local/bin:/host/usr/sbin:/host/usr/bin:/host/sbin:/host/bin && $command"; $command = "PATH=\$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/host/usr/local/sbin:/host/usr/local/bin:/host/usr/sbin:/host/usr/bin:/host/sbin:/host/bin && $command";
$ssh_command .= "-i {$private_key_location} " $ssh_command .= '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null '
. '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null '
. '-o PasswordAuthentication=no ' . '-o PasswordAuthentication=no '
. "-o ConnectTimeout=$connectionTimeout " . "-o ConnectTimeout=$connectionTimeout "
. "-o ServerAliveInterval=$serverInterval " . "-o ServerAliveInterval=$serverInterval "
@ -94,11 +94,16 @@ function generate_ssh_command(string $private_key_location, string $server_ip, s
. " 'bash -se' << \\$delimiter" . PHP_EOL . " 'bash -se' << \\$delimiter" . PHP_EOL
. $command . PHP_EOL . $command . PHP_EOL
. $delimiter; . $delimiter;
ray($ssh_command); // ray($ssh_command);
return $ssh_command; return $ssh_command;
} }
function instantCommand(string $command, $throwError = true) { function processWithEnv()
$process = Process::run($command); {
return Process::env(['SSH_AUTH_SOCK' => config('coolify.ssh_auth_sock')]);
}
function instantCommand(string $command, $throwError = true)
{
$process = processWithEnv()->run($command);
$output = trim($process->output()); $output = trim($process->output());
$exitCode = $process->exitCode(); $exitCode = $process->exitCode();
if ($exitCode !== 0) { if ($exitCode !== 0) {
@ -112,9 +117,8 @@ function instantCommand(string $command, $throwError = true) {
function instant_remote_process(array $command, Server $server, $throwError = true, $repeat = 1) function instant_remote_process(array $command, Server $server, $throwError = true, $repeat = 1)
{ {
$command_string = implode("\n", $command); $command_string = implode("\n", $command);
$private_key_location = save_private_key_for_server($server); $ssh_command = generateSshCommand($server->ip, $server->user, $server->port, $command_string);
$ssh_command = generate_ssh_command($private_key_location, $server->ip, $server->user, $server->port, $command_string); $process = processWithEnv()->run($ssh_command);
$process = Process::run($ssh_command);
$output = trim($process->output()); $output = trim($process->output());
$exitCode = $process->exitCode(); $exitCode = $process->exitCode();
if ($exitCode !== 0) { if ($exitCode !== 0) {
@ -172,6 +176,7 @@ function refresh_server_connection(PrivateKey $private_key)
// currentTeam()->privateKeys = PrivateKey::where('team_id', currentTeam()->id)->get(); // currentTeam()->privateKeys = PrivateKey::where('team_id', currentTeam()->id)->get();
// } // }
} }
removePrivateKeyFromSshAgent($server);
} }
function validateServer(Server $server) function validateServer(Server $server)
@ -212,7 +217,7 @@ function validateServer(Server $server)
$server->settings->is_usable = false; $server->settings->is_usable = false;
throw $e; throw $e;
} finally { } finally {
if(data_get($server,'settings')) $server->settings->save(); if (data_get($server, 'settings')) $server->settings->save();
} }
} }

1
config/coolify.php
View File

@ -8,4 +8,5 @@
'dev_webhook' => env('SERVEO_URL'), 'dev_webhook' => env('SERVEO_URL'),
'base_config_path' => env('BASE_CONFIG_PATH', '/data/coolify'), 'base_config_path' => env('BASE_CONFIG_PATH', '/data/coolify'),
'helper_image' => env('HELPER_IMAGE', 'ghcr.io/coollabsio/coolify-helper:latest'), 'helper_image' => env('HELPER_IMAGE', 'ghcr.io/coollabsio/coolify-helper:latest'),
'ssh_auth_sock' => env('SSH_AUTH_SOCK', '/tmp/coolify-ssh-agent.sock'),
]; ];

1
docker-compose.dev.yml
View File

@ -21,6 +21,7 @@ services:
SSL_MODE: "off" SSL_MODE: "off"
AUTORUN_LARAVEL_STORAGE_LINK: "false" AUTORUN_LARAVEL_STORAGE_LINK: "false"
AUTORUN_LARAVEL_MIGRATION: "false" AUTORUN_LARAVEL_MIGRATION: "false"
SSH_AUTH_SOCK: "/tmp/coolify-ssh-agent.sock"
volumes: volumes:
- .:/var/www/html/:cached - .:/var/www/html/:cached
postgres: postgres:

1
docker-compose.prod.yml
View File

@ -64,6 +64,7 @@ services:
- LEMON_SQUEEZY_BASIC_PLAN_IDS - LEMON_SQUEEZY_BASIC_PLAN_IDS
- LEMON_SQUEEZY_PRO_PLAN_IDS - LEMON_SQUEEZY_PRO_PLAN_IDS
- LEMON_SQUEEZY_ULTIMATE_PLAN_IDS - LEMON_SQUEEZY_ULTIMATE_PLAN_IDS
- SSH_AUTH_SOCK="/tmp/coolify-ssh-agent.sock"
ports: ports:
- "${APP_PORT:-8000}:80" - "${APP_PORT:-8000}:80"
expose: expose:

2
docker/dev-ssu/Dockerfile
View File

@ -24,4 +24,4 @@ RUN echo "alias mfs='php artisan migrate:fresh --seed'" >>/etc/bash.bashrc
RUN echo "alias cda='composer dump-autoload'" >>/etc/bash.bashrc RUN echo "alias cda='composer dump-autoload'" >>/etc/bash.bashrc
RUN echo "alias run='./scripts/run'" >>/etc/bash.bashrc RUN echo "alias run='./scripts/run'" >>/etc/bash.bashrc
# COPY --chmod=755 docker/dev-ssu/etc/s6-overlay/ /etc/s6-overlay/ COPY --chmod=755 docker/dev-ssu/etc/s6-overlay/ /etc/s6-overlay/

5
docker/dev-ssu/etc/s6-overlay/s6-rc.d/horizon/run Normal file
View File

@ -0,0 +1,5 @@
#!/command/execlineb -P
foreground {
s6-sleep 5
su - webuser -c "php /var/www/html/artisan horizon"
}

0
docker/dev-ssu/etc/s6-overlay/s6-rc.d/queue-worker/type → docker/dev-ssu/etc/s6-overlay/s6-rc.d/horizon/type
View File

2
docker/dev-ssu/etc/s6-overlay/s6-rc.d/queue-worker/run
View File

@ -1,2 +0,0 @@
#!/command/execlineb -P
su - webuser -c "php /var/www/html/artisan queue:listen"

5
docker/dev-ssu/etc/s6-overlay/s6-rc.d/scheduler-worker/run
View File

@ -1,2 +1,5 @@
#!/command/execlineb -P #!/command/execlineb -P
su - webuser -c "php /var/www/html/artisan schedule:work" foreground {
s6-sleep 5
su - webuser -c "php /var/www/html/artisan schedule:work"
}

1
docker/dev-ssu/etc/s6-overlay/s6-rc.d/ssh-agent/type Normal file
View File

@ -0,0 +1 @@
oneshot

5
docker/dev-ssu/etc/s6-overlay/s6-rc.d/ssh-agent/up Normal file
View File

@ -0,0 +1,5 @@
#!/usr/bin/execlineb -P
foreground {
s6-sleep 5
su - webuser -c "ssh-agent -a /tmp/coolify-ssh-agent.sock"
}

0
docker/dev-ssu/etc/s6-overlay/s6-rc.d/user/contents.d/queue-worker → docker/dev-ssu/etc/s6-overlay/s6-rc.d/user/contents.d/horizon
View File

0
docker/dev-ssu/etc/s6-overlay/s6-rc.d/user/contents.d/ssh-agent Normal file
View File

1
docker/prod-ssu/etc/s6-overlay/s6-rc.d/ssh-agent/type Normal file
View File

@ -0,0 +1 @@
oneshot

5
docker/prod-ssu/etc/s6-overlay/s6-rc.d/ssh-agent/up Normal file
View File

@ -0,0 +1,5 @@
#!/usr/bin/execlineb -P
foreground {
s6-sleep 5
su - webuser -c "ssh-agent -a /tmp/coolify-ssh-agent.sock"
}

0
docker/prod-ssu/etc/s6-overlay/s6-rc.d/user/contents.d/ssh-agent Normal file
View File