fix(ssh): Sync non-root user SSH keys to /root/.ssh for Airflow container access

tosin2013 · claude · tosin2013 · commit 2d033db4807d · 2026-01-05T16:13:19.000+01:00
The Airflow container mounts /root/.ssh:/root/.ssh:ro but when running as a non-root admin user (e.g., github-runner), the SSH key exists at /home/<user>/.ssh/id_rsa which is not accessible inside the container. This fix: - E2E workflow: Copy admin user's SSH key to /root/.ssh/ after generation - docker-compose.yml: Add AIRFLOW_CONN_LOCALHOST_SSH with configurable SSH user via QUBINODE_SSH_USER env var (defaults to root) - deploy-qubinode.sh: Sync admin user's SSH key to /root/.ssh/ during configure_ssh() for production deployments The SSH connection now uses the mounted /root/.ssh/id_rsa key while connecting as the configured user (root or QUBINODE_SSH_USER). Fixes E2E test failure: FileNotFoundError: [Errno 2] No such file or directory: '/home/github-runner/.ssh/id_rsa' 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
@@ -258,6 +258,40 @@ jobs:
           echo "SSH_USER=$SSH_USER" >> $GITHUB_ENV
           echo "SSH_HOME=$SSH_HOME" >> $GITHUB_ENV
 
+          # CRITICAL: Copy SSH key to /root/.ssh/ for Airflow container access
+          # The docker-compose.yml mounts /root/.ssh:/root/.ssh:ro into containers
+          # So the key MUST be available at /root/.ssh/id_rsa for the container to use it
+          if [ "$SSH_USER" != "root" ]; then
+            echo "[INFO] Syncing SSH key to /root/.ssh for Airflow container access..."
+            sudo mkdir -p /root/.ssh
+            sudo chmod 700 /root/.ssh
+
+            # Check if source key exists before copying
+            if sudo test -f "$SSH_HOME/.ssh/id_rsa"; then
+              # Only copy if /root/.ssh/id_rsa doesn't exist or is different
+              if ! sudo test -f /root/.ssh/id_rsa || \
+                 ! sudo diff -q "$SSH_HOME/.ssh/id_rsa" /root/.ssh/id_rsa >/dev/null 2>&1; then
+                sudo cp "$SSH_HOME/.ssh/id_rsa" /root/.ssh/id_rsa
+                sudo cp "$SSH_HOME/.ssh/id_rsa.pub" /root/.ssh/id_rsa.pub
+                sudo chmod 600 /root/.ssh/id_rsa
+                sudo chmod 644 /root/.ssh/id_rsa.pub
+                echo "[OK] SSH key copied to /root/.ssh/"
+              else
+                echo "[OK] SSH key already in sync at /root/.ssh/"
+              fi
+
+              # Also add the key to root's authorized_keys for container->host SSH
+              sudo touch /root/.ssh/authorized_keys
+              sudo chmod 600 /root/.ssh/authorized_keys
+              if ! sudo grep -qF "$USER_PUB_KEY" /root/.ssh/authorized_keys 2>/dev/null; then
+                echo "$USER_PUB_KEY" | sudo tee -a /root/.ssh/authorized_keys > /dev/null
+                echo "[OK] SSH key added to /root/.ssh/authorized_keys"
+              fi
+            else
+              echo "[WARN] Source SSH key not found at $SSH_HOME/.ssh/id_rsa"
+            fi
+          fi
+
       - name: Deploy Qubinode Stack
         env:
           SSH_PASSWORD: ${{ secrets.SSH_PASSWORD }}
diff --git a/airflow/docker-compose.yml b/airflow/docker-compose.yml
@@ -42,6 +42,11 @@ x-airflow-common:
     QUBINODE_KCLI_ENABLED: 'true'
     QUBINODE_RAG_INTEGRATION: 'true'
     # SSH Connection Configuration (for SSHOperator in DAGs)
+    # This connection is used by DAGs to SSH to the host for kcli/virsh commands
+    # The key at /root/.ssh/id_rsa is mounted from the host (see volumes below)
+    # For non-root users: set QUBINODE_SSH_USER and copy your key to /root/.ssh/
+    # Or override the entire connection via AIRFLOW_CONN_LOCALHOST_SSH env var
+    AIRFLOW_CONN_LOCALHOST_SSH: ${AIRFLOW_CONN_LOCALHOST_SSH:-ssh://${QUBINODE_SSH_USER:-root}@localhost?key_file=/root/.ssh/id_rsa&no_host_key_check=true}
     # Override default SSH connection ID if needed (default: localhost_ssh)
     # QUBINODE_SSH_CONN_ID: 'localhost_ssh'
     # See SSH-CONNECTION-SETUP.md for configuration instructions
diff --git a/scripts/development/deploy-qubinode.sh b/scripts/development/deploy-qubinode.sh
@@ -1371,6 +1371,33 @@ configure_ssh() {
         fi
     fi
 
+    # Sync SSH key to /root/.ssh/ for Airflow container access
+    # The docker-compose.yml mounts /root/.ssh:/root/.ssh:ro into containers
+    # So the key MUST be available at /root/.ssh/id_rsa for the container to use it
+    if [[ -n "${QUBINODE_ADMIN_USER:-}" && "${QUBINODE_ADMIN_USER}" != "root" ]]; then
+        log_info "Syncing SSH key to /root/.ssh for Airflow container access..."
+        if [[ -f "$ssh_key_path" ]]; then
+            mkdir -p /root/.ssh
+            chmod 700 /root/.ssh
+            # Only copy if not already in sync
+            if [[ ! -f /root/.ssh/id_rsa ]] || ! diff -q "$ssh_key_path" /root/.ssh/id_rsa &>/dev/null; then
+                cp "$ssh_key_path" /root/.ssh/id_rsa
+                cp "${ssh_key_path}.pub" /root/.ssh/id_rsa.pub
+                chmod 600 /root/.ssh/id_rsa
+                chmod 644 /root/.ssh/id_rsa.pub
+                log_info "SSH key copied to /root/.ssh/"
+            fi
+            # Also add to root's authorized_keys for container->host SSH
+            touch /root/.ssh/authorized_keys
+            chmod 600 /root/.ssh/authorized_keys
+            local pub_key=$(cat "${ssh_key_path}.pub")
+            if ! grep -qF "$pub_key" /root/.ssh/authorized_keys 2>/dev/null; then
+                echo "$pub_key" >> /root/.ssh/authorized_keys
+                log_info "SSH key added to /root/.ssh/authorized_keys"
+            fi
+        fi
+    fi
+
     log_success "SSH configuration completed"
     return 0
 }
