vagrant/plugins/communicators/ssh/communicator.rb

740 lines
26 KiB
Ruby

require 'etc'
require 'logger'
require 'pathname'
require 'stringio'
require 'thread'
require 'timeout'
require 'log4r'
require 'net/ssh'
require 'net/ssh/proxy/command'
require 'net/scp'
require 'vagrant/util/ansi_escape_code_remover'
require 'vagrant/util/file_mode'
require 'vagrant/util/keypair'
require 'vagrant/util/platform'
require 'vagrant/util/retryable'
module VagrantPlugins
module CommunicatorSSH
# This class provides communication with the VM via SSH.
class Communicator < Vagrant.plugin("2", :communicator)
# Marker for start of PTY enabled command output
PTY_DELIM_START = "bccbb768c119429488cfd109aacea6b5-pty"
# Marker for end of PTY enabled command output
PTY_DELIM_END = "bccbb768c119429488cfd109aacea6b5-pty"
# Marker for start of regular command output
CMD_GARBAGE_MARKER = "41e57d38-b4f7-4e46-9c38-13873d338b86-vagrant-ssh"
# These are the exceptions that we retry because they represent
# errors that are generally fixed from a retry and don't
# necessarily represent immediate failure cases.
SSH_RETRY_EXCEPTIONS = [
Errno::EACCES,
Errno::EADDRINUSE,
Errno::ECONNABORTED,
Errno::ECONNREFUSED,
Errno::ECONNRESET,
Errno::ENETUNREACH,
Errno::EHOSTUNREACH,
Errno::EPIPE,
Net::SSH::Disconnect,
Timeout::Error
]
include Vagrant::Util::ANSIEscapeCodeRemover
include Vagrant::Util::Retryable
def self.match?(machine)
# All machines are currently expected to have SSH.
true
end
def initialize(machine)
@lock = Mutex.new
@machine = machine
@logger = Log4r::Logger.new("vagrant::communication::ssh")
@connection = nil
@inserted_key = false
end
def wait_for_ready(timeout)
Timeout.timeout(timeout) do
# Wait for ssh_info to be ready
ssh_info = nil
while true
ssh_info = @machine.ssh_info
break if ssh_info
sleep 0.5
end
# Got it! Let the user know what we're connecting to.
if !@ssh_info_notification
@machine.ui.detail("SSH address: #{ssh_info[:host]}:#{ssh_info[:port]}")
@machine.ui.detail("SSH username: #{ssh_info[:username]}")
ssh_auth_type = "private key"
ssh_auth_type = "password" if ssh_info[:password]
@machine.ui.detail("SSH auth method: #{ssh_auth_type}")
@ssh_info_notification = true
end
previous_messages = {}
while true
message = nil
begin
begin
connect(retries: 1)
return true if ready?
rescue Vagrant::Errors::VagrantError => e
@logger.info("SSH not ready: #{e.inspect}")
raise
end
rescue Vagrant::Errors::SSHConnectionTimeout
message = "Connection timeout."
rescue Vagrant::Errors::SSHAuthenticationFailed
message = "Authentication failure."
rescue Vagrant::Errors::SSHDisconnected
message = "Remote connection disconnect."
rescue Vagrant::Errors::SSHConnectionRefused
message = "Connection refused."
rescue Vagrant::Errors::SSHConnectionReset
message = "Connection reset."
rescue Vagrant::Errors::SSHConnectionAborted
message = "Connection aborted."
rescue Vagrant::Errors::SSHHostDown
message = "Host appears down."
rescue Vagrant::Errors::SSHNoRoute
message = "Host unreachable."
rescue Vagrant::Errors::SSHInvalidShell
raise
rescue Vagrant::Errors::SSHKeyTypeNotSupported
raise
rescue Vagrant::Errors::SSHKeyBadOwner
raise
rescue Vagrant::Errors::SSHKeyBadPermissions
raise
rescue Vagrant::Errors::SSHInsertKeyUnsupported
raise
rescue Vagrant::Errors::VagrantError => e
# Ignore it, SSH is not ready, some other error.
end
# If we have a message to show, then show it. We don't show
# repeated messages unless they've been repeating longer than
# 10 seconds.
if message
message_at = Time.now.to_f
show_message = true
if previous_messages[message]
show_message = (message_at - previous_messages[message]) > 10.0
end
if show_message
@machine.ui.detail("Warning: #{message} Retrying...")
previous_messages[message] = message_at
end
end
end
end
rescue Timeout::Error
return false
end
def ready?
@logger.debug("Checking whether SSH is ready...")
# Attempt to connect. This will raise an exception if it fails.
begin
connect
@logger.info("SSH is ready!")
rescue Vagrant::Errors::VagrantError => e
# We catch a `VagrantError` which would signal that something went
# wrong expectedly in the `connect`, which means we didn't connect.
@logger.info("SSH not up: #{e.inspect}")
return false
end
# Verify the shell is valid
if execute("", error_check: false) != 0
raise Vagrant::Errors::SSHInvalidShell
end
# If we're already attempting to switch out the SSH key, then
# just return that we're ready (for Machine#guest).
@lock.synchronize do
return true if @inserted_key || !machine_config_ssh.insert_key
@inserted_key = true
end
# If we used a password, then insert the insecure key
ssh_info = @machine.ssh_info
insert = ssh_info[:password] && ssh_info[:private_key_path].empty?
ssh_info[:private_key_path].each do |pk|
if insecure_key?(pk)
insert = true
@machine.ui.detail("\n"+I18n.t("vagrant.inserting_insecure_detected"))
break
end
end
if insert
# If we don't have the power to insert/remove keys, then its an error
cap = @machine.guest.capability?(:insert_public_key) &&
@machine.guest.capability?(:remove_public_key)
raise Vagrant::Errors::SSHInsertKeyUnsupported if !cap
_pub, priv, openssh = Vagrant::Util::Keypair.create
@logger.info("Inserting key to avoid password: #{openssh}")
@machine.ui.detail("\n"+I18n.t("vagrant.inserting_random_key"))
@machine.guest.capability(:insert_public_key, openssh)
# Write out the private key in the data dir so that the
# machine automatically picks it up.
@machine.data_dir.join("private_key").open("w+") do |f|
f.write(priv)
end
# Adjust private key file permissions if host provides capability
if @machine.env.host.capability?(:set_ssh_key_permissions)
@machine.env.host.capability(:set_ssh_key_permissions, @machine.data_dir.join("private_key"))
end
# Remove the old key if it exists
@machine.ui.detail(I18n.t("vagrant.inserting_remove_key"))
@machine.guest.capability(
:remove_public_key,
Vagrant.source_root.join("keys", "vagrant.pub").read.chomp)
# Done, restart.
@machine.ui.detail(I18n.t("vagrant.inserted_key"))
@connection.close
@connection = nil
return ready?
end
# If we reached this point then we successfully connected
true
end
def execute(command, opts=nil, &block)
opts = {
error_check: true,
error_class: Vagrant::Errors::VagrantError,
error_key: :ssh_bad_exit_status,
good_exit: 0,
command: command,
shell: nil,
sudo: false,
}.merge(opts || {})
opts[:good_exit] = Array(opts[:good_exit])
# Connect via SSH and execute the command in the shell.
stdout = ""
stderr = ""
exit_status = connect do |connection|
shell_opts = {
sudo: opts[:sudo],
shell: opts[:shell],
}
shell_execute(connection, command, **shell_opts) do |type, data|
if type == :stdout
stdout += data
elsif type == :stderr
stderr += data
end
block.call(type, data) if block
end
end
# Check for any errors
if opts[:error_check] && !opts[:good_exit].include?(exit_status)
# The error classes expect the translation key to be _key,
# but that makes for an ugly configuration parameter, so we
# set it here from `error_key`
error_opts = opts.merge(
_key: opts[:error_key],
stdout: stdout,
stderr: stderr
)
raise opts[:error_class], error_opts
end
# Return the exit status
exit_status
end
def sudo(command, opts=nil, &block)
# Run `execute` but with the `sudo` option.
opts = { sudo: true }.merge(opts || {})
execute(command, opts, &block)
end
def download(from, to=nil)
@logger.debug("Downloading: #{from} to #{to}")
scp_connect do |scp|
scp.download!(from, to)
end
end
def test(command, opts=nil)
opts = { error_check: false }.merge(opts || {})
execute(command, opts) == 0
end
def upload(from, to)
@logger.debug("Uploading: #{from} to #{to}")
scp_connect do |scp|
if File.directory?(from)
# Recursively upload directories
scp.upload!(from, to, recursive: true)
else
# Open file read only to fix issue [GH-1036]
scp.upload!(File.open(from, "r"), to)
end
end
rescue RuntimeError => e
# Net::SCP raises a runtime error for this so the only way we have
# to really catch this exception is to check the message to see if
# it is something we care about. If it isn't, we re-raise.
raise if e.message !~ /Permission denied/
# Otherwise, it is a permission denied, so let's raise a proper
# exception
raise Vagrant::Errors::SCPPermissionDenied,
from: from.to_s,
to: to.to_s
end
def reset!
if @connection
@connection.close
@connection = nil
end
@ssh_info_notification = true # suppress ssh info output
wait_for_ready(5)
end
protected
# Opens an SSH connection and yields it to a block.
def connect(**opts)
if @connection && !@connection.closed?
# There is a chance that the socket is closed despite us checking
# 'closed?' above. To test this we need to send data through the
# socket.
#
# We wrap the check itself in a 5 second timeout because there
# are some cases where this will just hang.
begin
Timeout.timeout(5) do
@connection.exec!("")
end
rescue Exception => e
@logger.info("Connection errored, not re-using. Will reconnect.")
@logger.debug(e.inspect)
@connection = nil
end
# If the @connection is still around, then it is valid,
# and we use it.
if @connection
@logger.debug("Re-using SSH connection.")
return yield @connection if block_given?
return
end
end
# Get the SSH info for the machine, raise an exception if the
# provider is saying that SSH is not ready.
ssh_info = @machine.ssh_info
raise Vagrant::Errors::SSHNotReady if ssh_info.nil?
# Default some options
opts[:retries] = 5 if !opts.key?(:retries)
# Set some valid auth methods. We disable the auth methods that
# we're not using if we don't have the right auth info.
auth_methods = ["none", "hostbased"]
auth_methods << "publickey" if ssh_info[:private_key_path]
auth_methods << "password" if ssh_info[:password]
# yanked directly from ruby's Net::SSH, but with `none` last
# TODO: Remove this once Vagrant has updated its dependency on Net:SSH
# to be > 4.1.0, which should include this fix.
cipher_array = Net::SSH::Transport::Algorithms::ALGORITHMS[:encryption].dup
if cipher_array.delete("none")
cipher_array.push("none")
end
# Build the options we'll use to initiate the connection via Net::SSH
common_connect_opts = {
auth_methods: auth_methods,
config: false,
forward_agent: ssh_info[:forward_agent],
send_env: ssh_info[:forward_env],
keys_only: ssh_info[:keys_only],
verify_host_key: ssh_info[:verify_host_key],
password: ssh_info[:password],
port: ssh_info[:port],
timeout: 15,
user_known_hosts_file: [],
verbose: :debug,
encryption: cipher_array,
}
# Connect to SSH, giving it a few tries
connection = nil
begin
timeout = 60
@logger.info("Attempting SSH connection...")
connection = retryable(tries: opts[:retries], on: SSH_RETRY_EXCEPTIONS) do
Timeout.timeout(timeout) do
begin
# This logger will get the Net-SSH log data for us.
ssh_logger_io = StringIO.new
ssh_logger = Logger.new(ssh_logger_io)
# Setup logging for connections
connect_opts = common_connect_opts.dup
connect_opts[:logger] = ssh_logger
if ssh_info[:private_key_path]
connect_opts[:keys] = ssh_info[:private_key_path]
end
if ssh_info[:proxy_command]
connect_opts[:proxy] = Net::SSH::Proxy::Command.new(ssh_info[:proxy_command])
end
if ssh_info[:config]
connect_opts[:config] = ssh_info[:config]
end
if ssh_info[:remote_user]
connect_opts[:remote_user] = ssh_info[:remote_user]
end
@logger.info("Attempting to connect to SSH...")
@logger.info(" - Host: #{ssh_info[:host]}")
@logger.info(" - Port: #{ssh_info[:port]}")
@logger.info(" - Username: #{ssh_info[:username]}")
@logger.info(" - Password? #{!!ssh_info[:password]}")
@logger.info(" - Key Path: #{ssh_info[:private_key_path]}")
@logger.debug(" - connect_opts: #{connect_opts}")
Net::SSH.start(ssh_info[:host], ssh_info[:username], connect_opts)
ensure
# Make sure we output the connection log
@logger.debug("== Net-SSH connection debug-level log START ==")
@logger.debug(ssh_logger_io.string)
@logger.debug("== Net-SSH connection debug-level log END ==")
end
end
end
rescue Errno::EACCES
# This happens on connect() for unknown reasons yet...
raise Vagrant::Errors::SSHConnectEACCES
rescue Errno::ETIMEDOUT, Timeout::Error
# This happens if we continued to timeout when attempting to connect.
raise Vagrant::Errors::SSHConnectionTimeout
rescue Net::SSH::AuthenticationFailed
# This happens if authentication failed. We wrap the error in our
# own exception.
raise Vagrant::Errors::SSHAuthenticationFailed
rescue Net::SSH::Disconnect
# This happens if the remote server unexpectedly closes the
# connection. This is usually raised when SSH is running on the
# other side but can't properly setup a connection. This is
# usually a server-side issue.
raise Vagrant::Errors::SSHDisconnected
rescue Errno::ECONNREFUSED
# This is raised if we failed to connect the max amount of times
raise Vagrant::Errors::SSHConnectionRefused
rescue Errno::ECONNRESET
# This is raised if we failed to connect the max number of times
# due to an ECONNRESET.
raise Vagrant::Errors::SSHConnectionReset
rescue Errno::ECONNABORTED
# This is raised if we failed to connect the max number of times
# due to an ECONNABORTED
raise Vagrant::Errors::SSHConnectionAborted
rescue Errno::EHOSTDOWN
# This is raised if we get an ICMP DestinationUnknown error.
raise Vagrant::Errors::SSHHostDown
rescue Errno::EHOSTUNREACH, Errno::ENETUNREACH
# This is raised if we can't work out how to route traffic.
raise Vagrant::Errors::SSHNoRoute
rescue Net::SSH::Exception => e
# This is an internal error in Net::SSH
raise Vagrant::Errors::NetSSHException, message: e.message
rescue NotImplementedError
# This is raised if a private key type that Net-SSH doesn't support
# is used. Show a nicer error.
raise Vagrant::Errors::SSHKeyTypeNotSupported
end
@connection = connection
@connection_ssh_info = ssh_info
# Yield the connection that is ready to be used and
# return the value of the block
return yield connection if block_given?
end
# The shell wrapper command used in shell_execute defined by
# the sudo and shell options.
def shell_cmd(opts)
sudo = opts[:sudo]
shell = opts[:shell]
# Determine the shell to execute. Prefer the explicitly passed in shell
# over the default configured shell. If we are using `sudo` then we
# need to wrap the shell in a `sudo` call.
cmd = machine_config_ssh.shell
cmd = shell if shell
cmd = machine_config_ssh.sudo_command.gsub("%c", cmd) if sudo
cmd
end
# Executes the command on an SSH connection within a login shell.
def shell_execute(connection, command, **opts)
opts = {
sudo: false,
shell: nil
}.merge(opts)
sudo = opts[:sudo]
@logger.info("Execute: #{command} (sudo=#{sudo.inspect})")
exit_status = nil
# These variables are used to scrub PTY output if we're in a PTY
pty = false
pty_stdout = ""
# Open the channel so we can execute or command
channel = connection.open_channel do |ch|
if machine_config_ssh.pty
ch.request_pty do |ch2, success|
pty = success && command != ""
if success
@logger.debug("pty obtained for connection")
else
@logger.warn("failed to obtain pty, will try to continue anyways")
end
end
end
marker_found = false
data_buffer = ''
stderr_marker_found = false
stderr_data_buffer = ''
ch.exec(shell_cmd(opts)) do |ch2, _|
# Setup the channel callbacks so we can get data and exit status
ch2.on_data do |ch3, data|
# Filter out the clear screen command
data = remove_ansi_escape_codes(data)
if pty
pty_stdout << data
else
if !marker_found
data_buffer << data
marker_index = data_buffer.index(CMD_GARBAGE_MARKER)
if marker_index
marker_found = true
data_buffer.slice!(0, marker_index + CMD_GARBAGE_MARKER.size)
data.replace(data_buffer)
data_buffer = nil
end
end
if block_given? && marker_found && !data.empty?
yield :stdout, data
end
end
end
ch2.on_extended_data do |ch3, type, data|
# Filter out the clear screen command
data = remove_ansi_escape_codes(data)
@logger.debug("stderr: #{data}")
if !stderr_marker_found
stderr_data_buffer << data
marker_index = stderr_data_buffer.index(CMD_GARBAGE_MARKER)
if marker_index
stderr_marker_found = true
stderr_data_buffer.slice!(0, marker_index + CMD_GARBAGE_MARKER.size)
data.replace(stderr_data_buffer)
stderr_data_buffer = nil
end
end
if block_given? && stderr_marker_found && !data.empty?
yield :stderr, data
end
end
ch2.on_request("exit-status") do |ch3, data|
exit_status = data.read_long
@logger.debug("Exit status: #{exit_status}")
# Close the channel, since after the exit status we're
# probably done. This fixes up issues with hanging.
ch.close
end
# Set the terminal
ch2.send_data generate_environment_export("TERM", "vt100")
# Set SSH_AUTH_SOCK if we are in sudo and forwarding agent.
# This is to work around often misconfigured boxes where
# the SSH_AUTH_SOCK env var is not preserved.
if @connection_ssh_info[:forward_agent] && sudo
auth_socket = ""
execute("echo; printf $SSH_AUTH_SOCK") do |type, data|
if type == :stdout
auth_socket += data
end
end
if auth_socket != ""
# Make sure we only read the last line which should be
# the $SSH_AUTH_SOCK env var we printed.
auth_socket = auth_socket.split("\n").last.chomp
end
if auth_socket == ""
@logger.warn("No SSH_AUTH_SOCK found despite forward_agent being set.")
else
@logger.info("Setting SSH_AUTH_SOCK remotely: #{auth_socket}")
ch2.send_data generate_environment_export("SSH_AUTH_SOCK", auth_socket)
end
end
# Output the command. If we're using a pty we have to do
# a little dance to make sure we get all the output properly
# without the cruft added from pty mode.
if pty
data = "stty raw -echo\n"
data += generate_environment_export("PS1", "")
data += generate_environment_export("PS2", "")
data += generate_environment_export("PROMPT_COMMAND", "")
data += "printf #{PTY_DELIM_START}\n"
data += "#{command}\n"
data += "exitcode=$?\n"
data += "printf #{PTY_DELIM_END}\n"
data += "exit $exitcode\n"
data = data.force_encoding('ASCII-8BIT')
ch2.send_data data
else
ch2.send_data "printf '#{CMD_GARBAGE_MARKER}'\n(>&2 printf '#{CMD_GARBAGE_MARKER}')\n#{command}\n".force_encoding('ASCII-8BIT')
# Remember to exit or this channel will hang open
ch2.send_data "exit\n"
end
# Send eof to let server know we're done
ch2.eof!
end
end
begin
keep_alive = nil
if machine_config_ssh.keep_alive
# Begin sending keep-alive packets while we wait for the script
# to complete. This avoids connections closing on long-running
# scripts.
keep_alive = Thread.new do
loop do
sleep 5
@logger.debug("Sending SSH keep-alive...")
connection.send_global_request("keep-alive@openssh.com")
end
end
end
# Wait for the channel to complete
begin
channel.wait
rescue Errno::ECONNRESET, IOError
@logger.info(
"SSH connection unexpected closed. Assuming reboot or something.")
exit_status = 0
pty = false
rescue Net::SSH::ChannelOpenFailed
raise Vagrant::Errors::SSHChannelOpenFail
rescue Net::SSH::Disconnect
raise Vagrant::Errors::SSHDisconnected
end
ensure
# Kill the keep-alive thread
keep_alive.kill if keep_alive
end
# If we're in a PTY, we now finally parse the output
if pty
@logger.debug("PTY stdout: #{pty_stdout}")
if !pty_stdout.include?(PTY_DELIM_START) || !pty_stdout.include?(PTY_DELIM_END)
@logger.error("PTY stdout doesn't include delims")
raise Vagrant::Errors::SSHInvalidShell.new
end
data = pty_stdout[/.*#{PTY_DELIM_START}(.*?)#{PTY_DELIM_END}/m, 1]
data ||= ""
@logger.debug("PTY stdout parsed: #{data}")
yield :stdout, data if block_given?
end
# Return the final exit status
return exit_status
end
# Opens an SCP connection and yields it so that you can download
# and upload files.
def scp_connect
# Connect to SCP and yield the SCP object
connect do |connection|
scp = Net::SCP.new(connection)
return yield scp
end
rescue Net::SCP::Error => e
# If we get the exit code of 127, then this means SCP is unavailable.
raise Vagrant::Errors::SCPUnavailable if e.message =~ /\(127\)/
# Otherwise, just raise the error up
raise
end
# This will test whether path is the Vagrant insecure private key.
#
# @param [String] path
def insecure_key?(path)
return false if !path
return false if !File.file?(path)
source_path = Vagrant.source_root.join("keys", "vagrant")
return File.read(path).chomp == source_path.read.chomp
end
def generate_environment_export(env_key, env_value)
template = machine_config_ssh.export_command_template
template.sub("%ENV_KEY%", env_key).sub("%ENV_VALUE%", env_value) + "\n"
end
def machine_config_ssh
@machine.config.ssh
end
end
end
end