`juju bootstrap|ssh` fails if `~/.ssh/config` uses control sockets
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Canonical Juju | Triaged | High | Unassigned | |
Bug Description
I cannot bootstrap a controller on a remote LXD server because Juju trips on SSH config options not compatible with the snap strict confinement.
$ juju bootstrap --debug juju-lxd overlord
...
20:09:43 INFO cmd bootstrap.go:627 Installing Juju agent on bootstrap instance
20:09:44 DEBUG juju.cloudconfi
Waiting for address
Attempting to connect to 10.76.66.92:22
Attempting to connect to fd42:b2a9:
20:09:54 DEBUG juju.provider.
20:09:54 DEBUG juju.provider.
...
Accompanying AppArmor denials:
Feb 22 20:10:20 sdeziel-lemur kernel: audit: type=1400 audit(167711462
Feb 22 20:10:20 sdeziel-lemur kernel: audit: type=1400 audit(167711462
Feb 22 20:10:20 sdeziel-lemur kernel: audit: type=1400 audit(167711462
In the above, we see that Juju is denied access to the SSH agent. It also tries to create a socket according to the ControlPath directive in ~/.ssh/config:
$ grep -E 'Agent|Control' ~/.ssh/config
ControlPersist 120s
ControlMaster auto
ControlPath /run/user/
ControlPersist 1s
AddKeysToAgent yes
ForwardAgent no
Juju should probably not rely as much on the user's config.
Additional information:
$ snap list juju snapd
Name Version Rev Tracking Publisher Notes
juju 3.1.0 22136 3.1/stable canonical✓ -
snapd 2.58.2 18357 latest/stable canonical✓ snapd
$ uname -a
Linux sdeziel-lemur 5.19.0-32-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Jan 30 17:03:34 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
summary:
- `juju bootstrap` fails if `~/.ssh/config` uses control sockets
+ `juju bootstrap|ssh` fails if `~/.ssh/config` uses control sockets
Changed in juju:
milestone: 3.1.1 → 3.1.2
Changed in juju:
status: Incomplete → Triaged
Changed in juju:
milestone: 3.1.2 → 3.1.3
Changed in juju:
milestone: 3.1.3 → 3.1.4
Changed in juju:
milestone: 3.1.4 → 3.1.5
Changed in juju:
milestone: 3.1.5 → 3.1.6
Changed in juju:
milestone: 3.1.6 → 3.1.7
Changed in juju:
milestone: 3.1.7 → none
The only line in the ssh config that the strict juju snap is unhappy with is the control path:
ControlPath /run/user/%i/ssh-%r@%h:%p.sock
which points to a directory that is not accessible from a strict snap.
The fix here is for juju to add a ControlPath override to somewhere under ~/.local/share/juju when invoking ssh.
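One way the override described above could be built, as an added example that is not Juju's own code: it returns `-o ControlPath=...` arguments pointing at a private directory under a data directory the snap can write to. The function name, the `ssh` subdirectory and the length margin are assumptions made for this sketch.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Size of sockaddr_un.sun_path on Linux; a longer socket path cannot be bound.
const maxSunPath = 108

// controlPathOptions returns ssh arguments that override the ControlPath from
// ~/.ssh/config with a socket under dataDir. dataDir is assumed to be a
// directory the strict snap may write to, such as ~/.local/share/juju.
func controlPathOptions(dataDir string) ([]string, error) {
	sockDir := filepath.Join(dataDir, "ssh") // hypothetical subdirectory name
	// %C expands to a 40-character hash of the connection parameters, so the
	// expanded length is known up front. The extra 20 bytes are a margin
	// (an assumption) for the temporary suffix ssh uses while binding.
	if len(sockDir)+1+40+20 >= maxSunPath {
		return nil, fmt.Errorf("control socket under %q exceeds %d bytes", sockDir, maxSunPath)
	}
	if err := os.MkdirAll(sockDir, 0o700); err != nil {
		return nil, fmt.Errorf("creating %q: %w", sockDir, err)
	}
	// MkdirAll keeps the mode of an existing directory, so tighten it: the
	// control socket gives access to authenticated sessions.
	if err := os.Chmod(sockDir, 0o700); err != nil {
		return nil, err
	}
	// Command-line -o options take precedence over ~/.ssh/config.
	return []string{"-o", "ControlPath=" + filepath.Join(sockDir, "%C")}, nil
}

func main() {
	dir, err := os.MkdirTemp("", "juju-data") // stand-in for ~/.local/share/juju
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	opts, err := controlPathOptions(dir)
	if err != nil {
		panic(err)
	}
	fmt.Println("ssh", opts[0], opts[1], "<host>")
}
```

Using `%C` instead of `%r@%h:%p` keeps the socket name at a fixed length, which matters because a path under a home directory is longer than one under `/run/user`.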