Vendor load-singlesshagent.sh script

[danielhollas]

Couple changes here:

1. I think it is better to vendor the load_singlesshagent.sh script in this repo, rather than downloading it from a super-weird readthedocs URL.
2. Fixed an annoying spurious and confusing message from this script when you first enter the container and the ssh-agent is not yet running. (see third commit)
3. Enabled autocompletion for aiidalab CLI app.

[unkcpz]

@danielhollas Thanks! Fully agree to move the sshagent script here. Just to sure that you didn't change any code in this script correct? Other changes are all good to me.

[danielhollas]

Just to sure that you didn't change any code in this script correct? Other changes are all good to me.

I did actually, sorry for not making that clear. I removed the spurious error message (point 2. in the OP), see the third commit. Also in the last commit a made a small bugfix, substituting $USER to $NB_USER.

[danielhollas]

@unkcpz here's the small change to get rid of spurious errors.. Note that it is okay to redirect error to dev/null here since we check the return value of this ssh-add command below.

[unkcpz]

Also in the last commit a made a small bugfix, substituting $USER to $NB_USER.

Is this means the original downloaded script should not work properly. I'll have a test to see how sshagent is actually working, I guess it is related to when ssh key phrase is not empty.

[unkcpz]

@danielhollas thanks for the change. I read some detailed introductions on ssh-agent, along with the script. I think maybe the correct solution is to

1. remove the eval ssh-agen since the script takes care of starting ssh-agent.
2. Then move the load-singlesshagent.sh source section after the ssh key pairs are generated.

Can you give this a try? Or if you don't mind I can add commits to test it.

[danielhollas]

@unkcpz feel free to add commits with your proposed changes. Thanks!

[danielhollas]

@unkcpz I am wondering: I think we still need the eval ssh-agent, since we want the ssh-agent to be started upon container startup, whereas I think .bashrc gets executed only when you enter the container? (maybe I am wrong on this). In which case, I am wondering if the singlesshagent script should be called directly, and not from .bashrc? I am not sure...

[unkcpz]

Hi @danielhollas, thanks for bringing this up. I was testing exactly what you mentioned as well before lunch.

whereas I think .bashrc gets executed only when you enter the container?

This is true. However, the load_sshagent.sh script also includes this and it already starts the ssh-agent. The script needs to be sourced so it makes sense to put it in .bashrc.
What is missing previously is the ssh-add I think. You can try the new image now and if you go into the container you'll find ssh-add -l will show that the key is added to the list.

docker pull ghcr.io/aiidalab/full-stack:sha-7a773b3
docker run --rm -it -p 8888:8888 ghcr.io/aiidalab/sha-7a773b3

Open the terminal (either from docker exec or from aiidalab terminal) and ssh-add -l to check the key is added.

I personally don't know why this ssh-agent is needed in our AiiDAlab case in the first place. We set the ssh private key with the empty passphrase, thus no need to input the passphrase even without ssh-agent to ssh to the remote once the passfree ssh is set up.
From what I understand, the only benefit is the ssh-agent is helpful when there is a jump server, and then no need to add the private key to the jump server.
I guess @yakutovicha is more exporter on the SSH stuff, maybe he can see the proper way this was used and how it should be put in the container.

[danielhollas]

@unkcpz I would prefer to uncomment this instead of adding it separately.

[unkcpz]

For us, I think yes. Is this you commented out or it was there already?

[unkcpz]

For this use case, I don't know if automatically calling ssh-add works since the user needs to provide the passphrase.

I see, then I think maybe calling it outside explicitly as I did in the last commit is a proper solution.

[danielhollas]

I found this comment from @yakutovicha in #254 (review)

Another thing we should not forget is the ssh-agent to be able to connect to machines that require ssh keys with password

For this use case, I don't know if automatically calling ssh-add works since the user needs to provide the passphrase.

We need more info from @yakutovicha to see how this is actually being used before we can continue here.

[danielhollas]

@yakutovicha can you please clarify what is the current workload for private keys? Do we support private keys that require a passphrase? And if so how does the user provide the passphrase to get the key to ssh-agent?

[unkcpz]

My two cents, see the reply for questions below.

can you please clarify what is the current workload for private keys?

The private key file can be uploaded by the SshComputerWidget and add a section in .ssh/config with the identityFile pointed to the path of the key. You found there are some issue on this when the key file has the same name of the private key existed, and it is fixed in aiidalab/aiidalab-widgets-base#511

Otherwise, only the id_rsa which was generated the first time the container started is used.

Do we support private keys that require a passphrase?

No, I don't think so. But I think it would be a problem, user who has the private key with a passphrase means they generate it without using widget and has security concern about it so it is their duty to add the key to the ssh-agent and they can do it manually in terminal.

Then it comes to the question, if we don't support passphrase, do we still need ssh-agent?
My answer is yes and in the AiiDAlab context we support only non-passphrase ssh key pairs.

The ssh-agent provides the following advantages, 1) if using ssh-add to put the private key to the agent, during the session the passphrase won't be asked anymore and with the passphrase the key is secure even it is stolen. sadly we didn't support passphrase in AiiDAlab. 2) ssh-agent can manage multiple keys, if you have multiple SSH keys for different purposes, ssh-agent can help you manage them without explicitly setting it in the .ssh/config. (we didn't use this feature either but it because necessary when we start to support MFA of CSCS, see the explain below).

The aiidalab-mfa-cscs app will generate cscs-key and cscs-key.pub and the key will expire in 1d. From the ComputationalResourceWidget it has no way to know the name of the private key that will be generated by other tools so it is only responsible for adding minimal information to the .ssh/config which has no IdentityFile option. With ssh-agent, aiidalab-mfc-cscs can do ssh-add to add the key it generated and then the connection is constructed. I have tested it locally and it works in charm.

In summary, we need ssh-agent but we can not support private key with passphrase.

[unkcpz]

@danielhollas I add two comments for what I think it is the proper way to deal with the agent and ssh-add. If you agree, we can apply the changes and then can test the image locally.
Also worth to take a look with aiidalab/aiidalab-mfa-cscs#6

[danielhollas]

@unkcpz thank you for looking into this and a detailed write up! See my comments, I agree with your plan about ssh-add

[danielhollas]

Based on the discussion, I think we should source the load-singlesshagent.sh script here. Otherwise I don't think the ssh-agent will be running when the container starts, since .bashrc is not evaluated AFAIK.

[unkcpz]

Ha! I think the one of the ssh-agent mentioned in aiidalab/aiidalab-mfa-cscs#6 is from here!
I agree to source the load-singlesshagent.sh here. It avoids the duplicate ssh-agent I think.

[danielhollas]

Yeah, interesting. That would mean that it is started somewhere else before we get to this script. Maybe the Jupyter image that we use already starts it somewhere. In any case, source the script here is the right thing to do I think.

[unkcpz]

The error here should not be redirect, to /dev/null, it will cause the exit_code not properly get and the expected condition not triggered (2 is expected to trigger the launch of ssh-agent).

[danielhollas]

Huh, that is really strange, are you sure? I am only redirecting stderr, that should AFAIK not change the exit code.

[unkcpz]

I am not sure 😛 if I don’t remove it the ssh-agent create clause is not hit. I’ll play more to figure out why. But overall everything works fine no matter if the output is redirected or not.

[unkcpz]

I changed it back to ssh-add -l 2> /dev/null and it still works fine. The problem I encountered is not because of this line but the other redirected probably.

Then this PR is ready, please have another look. @danielhollas

[unkcpz]

@danielhollas should all work as expected now. I also added a test to check the ssh-agent is started properly.
Please have a test on the image after it is successfully built.

[danielhollas]

This is looking great, thanks @unkcpz for adding the tests! I didn't have a chance to test this but I trust that you did. Feel free to merge.