Add support for ssh_config for connection

[afbjorklund]

Previously had to use podman system connection

Normal ssh://<alias> would fail to work properly

e.g. "default", podman --host ssh://default --ssh native ps

Host default
  HostName 127.0.0.1
  User vagrant
  Port 2222
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
  PasswordAuthentication no
  IdentityFile $PWD/.vagrant/machines/default/virtualbox/private_key
  IdentitiesOnly yes
  LogLevel FATAL

Does this PR introduce a user-facing change?

ssh connection URL now supports regular ssh_config

Also adds support for default ssh user and path.

---

Tested manually with Lima. No unit tests found.

$ limactl start --name podman template://podman
$ ssh -F ~/.lima/podman/ssh.config lima-podman podman

$ limactl show-ssh --format=config podman >>~/.ssh/config
$ CONTAINER_HOST=ssh://lima-podman podman-remote version

Uses https://github.com/kevinburke/ssh_config

Closes #23831
Fixes #17452

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[afbjorklund]

Added required files to the "vendor" directory (by using go1.22.0 mod vendor)

bloat approved

***************************************************************************
* bin/podman grew by 110536 bytes; max allowed is 51200.
*
* Please investigate, and fix if possible.
*
* A repo admin can override by setting the bloat_approved label
***************************************************************************

no new tests

pr-should-include-tests: PR does not include changes in the 'tests' directory

Please write a regression test for what you're fixing. Even if it
seems trivial or obvious, try to add a test that will prevent
regressions.

If your change is minor, feel free to piggyback on already-written
tests, possibly just adding a small step to a similar existing test.
Every second counts in CI.

If your commit really, truly does not need tests, you can proceed
by asking a repo maintainer to set the 'No New Tests' github label.
This will only be done when there's no reasonable alternative.

BTW; There is no "tests" directory, but there is a "test" directory?

• podman ssh work, using new c/common interface #15094

The "secure" parameter doesn't seem to do anything anymore?

ssh://<user>@<host>[:port]/run/podman/podman.sock?secure=True

[afbjorklund]

This will fix trying to nslookup the alias, but it will not add support for ProxyJump

In order to support that, Podman needs to use more of containers/common SSHMode

Like it said in the original PR #15094 (that added --ssh=native):

Overall, this is a v1 of a long process of offering native ssh

---

     ProxyCommand
             Specifies the command to use to connect to the server.  The com‐
             mand string extends to the end of the line, and is executed using
             the user's shell ‘exec’ directive to avoid a lingering shell
             process.
             ...

     ProxyJump
             Specifies one or more jump proxies as either [user@]host[:port]
             or an ssh URI.  Multiple proxies may be separated by comma char‐
             acters and will be visited sequentially.  Setting this option
             will cause ssh(1) to connect to the target host by first making a
             ssh(1) connection to the specified ProxyJump host and then estab‐
             lishing a TCP forwarding to the ultimate target from there.
             ...

• podman tries to lookup hostname which is used for ssh connection. #21113

The current workaround is to tunnel a temporary unix: socket with a ssh -L command

[mheon]

* bin/podman grew by 110536 bytes; max allowed is 51200.

110kb from a 1700 line diffstat, ouch. Bloat approved label added still.

[mheon]

Few nits, looks fine overall. @baude PTAL when you get back.

[afbjorklund]

* bin/podman grew by 110536 bytes; max allowed is 51200.

110kb from a 1700 line diffstat, ouch. Bloat approved label added still.

Not sure if there was any obvious culprit, it seemed to be evenly spread...

11714	runtime
1323	os
806	fmt
698	regexp
521	strings
501	strconv
437	unicode
430	bytes
429	sync
366	io
243	os/user
214	path/filepath
73	errors

---

EDIT: I take that back, the use of "runtime" seems suspicious and bloated

https://github.com/kevinburke/ssh_config/blob/v1.2.0/config.go#L312

                if r := recover(); r != nil {
                        if _, ok := r.(runtime.Error); ok {
                                panic(r)
                        }
                        if e, ok := r.(error); ok && e == ErrDepthExceeded {
                                err = e
                                return
                        }
                        err = errors.New(r.(string))
                }

https://go.dev/wiki/CodeReviewComments#dont-panic
https://go.dev/blog/defer-panic-and-recover

So maybe the bloat checker was onto something anyway?

[Luap99]

These debug statements are not clear, they need to mention ssh config at least

[afbjorklund]

They could be removed altogether, they were mostly used during implementing...

[Luap99]

There is likely value in having them to see what the lib parsed in case of weird user configs

[afbjorklund]

A compromise might be to log the new URL (once), once all the substitution (if any) is done.

[Luap99]

Yes logging the final url once sounds good to me.

[afbjorklund]

Wasn't so easy to log the information since _url is not the only source of information used...

But changed it so that it only outputs something, if an alias was actually found in ssh_config.

[Luap99]

This is not a good idea for performance reasons, podman info is slow...
Also podman info has no actual knowledge of the actual API socket path and just guess the /run/podman/podman.sock or /run/user/xxx/podman/podman.sock as rootless so there is no reason to do that as you might as well guess on the client. Of course you would need to get the uid on the server to do this.

I mean alone the extra ssh connection is already slow but I think there is no need to avoid that if we need the uid on the server so maybe the podman info at this point is not to bad either?
Given that is is properly not a good idea to recommend leaving it the socket path if users care about performance.

[afbjorklund]

I think it was more about compatibility/simplicity, and less about performance?

There is already the "system connection", that should be the preferred option...

[afbjorklund]

I don't think it can hardcode the /run/user/$UID either, need to query for $XDG_RUNTIME_DIR.

Most systems with systemd will use the default, but other systems might use another directory...

[Luap99]

Yeah I looked at this was like podman info isn't really great for this but thinking about this again given there is no way around opening an extra ssh connection for it so doing the podman info call should not be that big of a deal either.

[afbjorklund]

Eventually it might use the containers/common functionality for this (the "SSHMode").

[afbjorklund]

https://github.com/containers/common/tree/main/pkg/ssh (the "golang" vs "native")

[afbjorklund]

Note that if providing a fully qualified URL, this will be a no-op (assuming an empty/small ~/.ssh/config)

export CONTAINER_HOST=ssh://[email protected]:2222/run/user/1000/podman/podman.sock
export CONTAINER_SSHKEY=$PWD/.vagrant/machines/default/virtualbox/private_key

It will only kick in, if there is an "alias" defined or if there are any parameters missing (like user or path)

• https://wiki.debian.org/SshAliases
• https://lima-vm.io/docs/reference/limactl_show-ssh/

[afbjorklund]

There is more talk about performance in the issue, beyond using a legacy --host=ssh://

• Podman over SSH in native mode does not use custom config ~/.ssh/config #23831 (comment)

How to reuse the same ssh connection (and path), and how to choose a faster encryption...

For lima there is a "host agent" that sets up a persistent tunnel, and provides a unix socket

[Luap99]

Sorry for the delay, I have not forgotten this.

[Luap99]

Also can you squash your commits please.

[packit-as-a-service]

Cockpit tests failed for commit b174663c2f1354c5b3f32c234f780303b177a2ac. @martinpitt, @jelly, @mvollmer please check.

[Luap99]

LGTM, sorry for the late reply this time it fell of my list.
Can you rebase this please? If you don't have time I can also do that.

@mheon PTAL so we can merge once rebased.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: afbjorklund, Luap99

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Luap99]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mheon]

/lgtm