Private repos failing to install

[woodpav]

My serverless.yml is:

plugins:
  - serverless-python-requirements
custom:
    pythonRequirements:
        dockerizePip: true
        dockerSsh: true

I have my ssh key in ~/.ssh/id_rsa (it's my only one). Installing the requirements works when I do not use sls deploy.

Permission denied (publickey).
fatal: Could not read from remote repository.

Changing to dockerizePip: false fixes the error. I'd like to use dockerizePip: true.

[dschep]

Hmm that's odd. Could you provide some more environment details? IE OS, sls version, & plugin version.

cc @cgrimal, Any idea why this might be failing?

[woodpav]

I'm on MacOS 10.13.6, serverless-python-requirements: 4.2.4, sls: 1.30.3

[smartinspereira]

I get the same error if my ssh key is password protected, removing the password resolves the error.

There is a mention of the ssh-agent in the README.md:69-70 w.r.t a password protected ssh key @dschep @cgrimal, but I do not really grasp what

If your SSH key is password protected, you can use ssh-agent because $SSH_AUTH_SOCK is also mounted & the env var set.

means in this context, if it only tells me to add the ssh-key prior to sls deploy, what I think it does, that is not changing anything. :-(

edit: MacOS 10.14.1 (18B75), serverless-python-requirements: 4.2.5, sls: 1.33.2

[bsamuel-ui]

Try this:

eval `ssh-agent`           # Don't do this on Mac OS X
ssh-add                    # To add the default .ssh/id_* keys
ssh-add ~/.ssh/foobar.pem  # To add a specific key

The ssh-add command will ask for your password, and after that, the unencrypted ssh key is now living in that agent. You should be able to run the process normally after that point.

Mac OS X manages ssh-agent for you, but on linux the eval command is setting an environment variable (SSH_AUTH_SOCK) corresponding to a domain socket that an agent process is listening to in the background. When you run ssh, it will forward the request through that socket to the agent process which will negotiate the crypto. The point of that dance is so your unencrypted key never leaves the agent.

[smartinspereira]

This is what I did. It is not working. I get the same error as @woodpav but there is a longer stack trace I could post later.

[dschep]

just to clarify, your private package is in your requirements.txt as something like git+ssh://github.com/foo/bar, yes?

[smartinspereira]

@dschep yes, exactly.
See the output of the commands:

• echo "$(less requirements.txt)"
• SLS_DEBUG=* sls deploy
• cd && git clone ssh://[email protected]/foo/bar

$ echo "$(less requirements.txt)"
psycopg2
git+ssh://[email protected]/foo/bar

$ SLS_DEBUG=* sls deploy
Serverless: Load command config
Serverless: Load command config:credentials
Serverless: Load command create
Serverless: Load command install
Serverless: Load command package
Serverless: Load command deploy
Serverless: Load command deploy:function
Serverless: Load command deploy:list
Serverless: Load command deploy:list:functions
Serverless: Load command invoke
Serverless: Load command invoke:local
Serverless: Load command info
Serverless: Load command logs
Serverless: Load command login
Serverless: Load command logout
Serverless: Load command metrics
Serverless: Load command print
Serverless: Load command remove
Serverless: Load command rollback
Serverless: Load command rollback:function
Serverless: Load command slstats
Serverless: Load command plugin
Serverless: Load command plugin
Serverless: Load command plugin:install
Serverless: Load command plugin
Serverless: Load command plugin:uninstall
Serverless: Load command plugin
Serverless: Load command plugin:list
Serverless: Load command plugin
Serverless: Load command plugin:search
Serverless: Load command config
Serverless: Load command config:credentials
Serverless: Load command rollback
Serverless: Load command rollback:function
Serverless: Load command requirements
Serverless: Load command requirements:clean
Serverless: Load command requirements:install
Serverless: Load command requirements:cleanCache
Serverless: Invoke deploy
Serverless: Invoke package
Serverless: Invoke aws:common:validate
Serverless: Invoke aws:common:cleanupTempDir
Serverless: Generated requirements from [...]/requirements.txt in [...]/.serverless/requirements.txt...
Serverless: Installing requirements from [...]/.serverless/requirements/requirements.txt ...
Serverless: Docker Image: lambci/lambda:build-python3.6
Collecting git+ssh://[email protected]/foo/bar.git (from -r /var/task/requirements.txt (line 1))
  Cloning ssh://[email protected]/foo/bar.git to /tmp/pip-req-build-r_sjq8dd
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
 
  Error --------------------------------------------------
 
  null
 
     For debugging logs, run again after setting the "SLS_DEBUG=*" environment variable.
 
  Stack Trace --------------------------------------------
 
Error: null
    at installRequirements ([...]/node_modules/serverless-python-requirements/lib/pip.js:262:11)
    at installRequirementsIfNeeded ([...]/node_modules/serverless-python-requirements/lib/pip.js:451:3)
    at ServerlessPythonRequirements.installAllRequirements ([...]/node_modules/serverless-python-requirements/lib/pip.js:530:29)
From previous event:
    at PluginManager.invoke (/usr/local/lib/node_modules/serverless/lib/classes/PluginManager.js:391:22)
    at PluginManager.spawn (/usr/local/lib/node_modules/serverless/lib/classes/PluginManager.js:409:17)
    at Deploy.BbPromise.bind.then (/usr/local/lib/node_modules/serverless/lib/plugins/deploy/deploy.js:117:50)
From previous event:
    at Object.before:deploy:deploy [as hook] (/usr/local/lib/node_modules/serverless/lib/plugins/deploy/deploy.js:107:10)
    at BbPromise.reduce (/usr/local/lib/node_modules/serverless/lib/classes/PluginManager.js:391:55)
From previous event:
    at PluginManager.invoke (/usr/local/lib/node_modules/serverless/lib/classes/PluginManager.js:391:22)
    at PluginManager.run (/usr/local/lib/node_modules/serverless/lib/classes/PluginManager.js:422:17)
    at variables.populateService.then.then (/usr/local/lib/node_modules/serverless/lib/Serverless.js:157:33)
    at processImmediate (timers.js:632:19)
    at process.topLevelDomainCallback (domain.js:120:23)
From previous event:
    at Serverless.run (/usr/local/lib/node_modules/serverless/lib/Serverless.js:144:8)
    at serverless.init.then (/usr/local/lib/node_modules/serverless/bin/serverless:44:28)
 
  Get Support --------------------------------------------
     Docs:          docs.serverless.com
     Bugs:          github.com/serverless/serverless/issues
     Issues:        forum.serverless.com
 
  Your Environment Information -----------------------------
     OS:                     darwin
     Node Version:           11.2.0
     Serverless Version:     1.34.1

$ cd && git clone ssh://[email protected]/foo/bar
Cloning into 'bar'...
remote: Enumerating objects: ..., done.
remote: Counting objects: ..., done.
remote: Compressing objects: ..., done.
remote: Total ..., reused ..., pack-reused ...
Receiving objects: ..., done.
Resolving deltas: ..., done.

[dschep]

Issue confirmed. I think it's an issue with shell-quote turning /path/to/sock:/tmp/sock:z into /path/to/sock\:/tmp/sock\:z 😢

[smartinspereira]

Oh no 😞.

Just did a little testing, maybe it helps. Using v1.2.0 seem to work, no error on sls package. Starting with v2.0.0, sls package is giving me the same error.

fixing /path/to/sock\:/tmp/sock\:z into /path/to/sock:/tmp/sock:z and fixing all the other escaped / neither helps.

[dschep]

Looks like the typescript plugin is to blame: https://github.com/prisma/serverless-plugin-typescript/search?q=.build&unscoped_q=.build

commented on the wrong pr in the wrong repo

[smartinspereira]

See comment above, but i found:

1. $SSH_AUTH_SOCK is not being forwarded to docker docker/for-mac#410
2. Support for sharing unix sockets docker/for-mac#483

so maybe we can't easily fix that issue?

[dschep]

Hmm. you're right. I removed the quote_single to test and it also fails :(

[bsamuel-ui]

I saw this referenced, it's basically using a TTY channel to forward the socket into the container which is a total hack, but one of the less awful ways I can think of doing it.

[dschep]

good find ben! that is one hell of a hack tho 😂

[nkantar]

Is there a way to specify which key gets used for said ssh access? For me personally it might be acceptable to create a separate deploy key (sans passphrase) to use for this. Alternately, is there a way to get access to the Docker host in a script?

[wviana]

Any news on it?
I'm having the same issue, I'm almot removinng the password from my id_rsa.

I did create a new key without password just for this, but I've notice that it just mount id_rsa into docker. I saw it at line 197 from https://github.com/UnitedIncome/serverless-python-requirements/blob/c017f718843ce1eb8547bd20d1ef078081c64f47/lib/pip.js

May we could at least add another custom parameter for using another key instead of id_rsa

[wviana]

It worked for me as a workarround, but may be a feature.

Here is it wviana#1

[revmischa]

I am also unable to use docker with SSH_AGENT on macOS 10.14. I added keys and spawned the agent as normal but it isn't picking them up.

Serverless: Running docker run --rm -v /Users/cyber/Library/Caches/serverless-python-requirements/93546f9eec2c9cd50799cbdcf3a464f1_slspyc\:/var/task\:z -v /Users/cyber/.ssh/id_rsa\:/root/.ssh/id_rsa\:z -v /Users/cyber/.ssh/known_hosts\:/root/.ssh/known_hosts\:z -v /var/folders/n8/rmzyc9yx2zvbc978_p6y_by40000gn/T//ssh-JaouMxpaYmZO/agent.87072\:/tmp/ssh_sock\:z -e SSH_AUTH_SOCK\=/tmp/ssh_sock -v /Users/cyber/Library/Caches/serverless-python-requirements/downloadCacheslspyc\:/var/useDownloadCache\:z -u 0 lambci/lambda\:build-python3.7 /bin/sh -c 'python3.7 -m pip install -t /var/task/ -r /var/task/requirements.txt --cache-dir /var/useDownloadCache && find /var/task -name \\*.so -exec strip \\{\\} \\;'...
 
  Error --------------------------------------------------
   Running command git clone -q ssh://[email protected]/......git /tmp/pip-install-1zfu73s_/jb
  Permission denied (publickey).
  fatal: Could not read from remote repository.

[wviana]

The solution I'm using is changing the code to copy my entire .ssh/ into contianer.

[AkA84]

I can confirm the issue. I had to create a new set of key pairs without a passphrase, and following @wviana suggestion I had to manually amend pip.js to make it point to the new private key https://github.com/wviana/serverless-python-requirements/blob/be395cd2a7a36e50994949aaceed747f504efd7b/lib/pip.js#L197

[spawn-guy]

i just made a different approach. it fixes the build-on-windows with private ssh keys problem. the drawback is ssh keys must be without passwords. pulls some git+ssh private repos like a charm 😗

based on https://nickjanetakis.com/blog/docker-tip-56-volume-mounting-ssh-keys-into-a-docker-container

all files are in the same project root folder

serverless.yaml additions

custom:
  pythonRequirements:
    dockerizePip: non-linux
    dockerFile: ./Dockerfile
    dockerRunCmdExtraArgs: [ '-v', "${env:USERPROFILE, ''}${env:HOME, ''}/.ssh:/tmp/.ssh:ro" ]

USERPROFILE is on windows, HOME on linux/mac/???

docker-entrypoint.sh
this script sets the proper permissions for the keys - as you can NOT disable permissions check in any ssh client (SODD FTW). and win-docker absence of filesystem metadata availability (no read/write/owner meta on files)
also fixes problem where not All the keys are named id_rsa... github recommends a different hash algo nowadays so the filename is different

#!/bin/sh
set -e

cp -R /tmp/.ssh /root/.ssh
chmod 700 /root/.ssh
find /root/.ssh/ -type f ! -name "*.*" -exec chmod 600 {} +
find /root/.ssh/ -type f -name "*.pub" -exec chmod 644 {} +

exec "$@"

and the Dockerfile for python 3.8

FROM lambci/lambda:build-python3.8

COPY ./docker-entrypoint.sh /bin/docker-entrypoint.sh

RUN yum install -y dos2unix && \
    dos2unix /bin/docker-entrypoint.sh && \
    yum remove -y dos2unix && \
    yum clean all

RUN chmod +x /bin/docker-entrypoint.sh

ENTRYPOINT ["/bin/docker-entrypoint.sh"]

dos2unix fixes line endings if the file is created on Windows