feat(ssh-auth): add ssh-auth and forward into vm (#77)

ihexon · web-flow · commit 1d086fc371c8 · 2025-03-11T17:59:48.000+08:00
This PR:
1. start a local ssh-auth server `$TMP/oo-ssh-agent-host.sock` linked to
host `$SSH_AUTH_SOCK`
2. forward the local ssh-auth socket to vm
`/ssh_auth/oo-ssh-agent-remote.sock` over ssh when vm ready, means all
connections happened in `/ssh_auth/oo-ssh-agent-remote.sock` will
forward to local ssh-agent server `$TMP/oo-ssh-agent-host.sock`
diff --git a/cmd/bauklotze/machine/start.go b/cmd/bauklotze/machine/start.go
@@ -4,6 +4,7 @@
 package machine
 
 import (
+	"bauklotze/pkg/machine/channel"
 	"context"
 	"fmt"
 	"os"
@@ -12,20 +13,19 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"golang.org/x/sync/errgroup"
+
+	"bauklotze/cmd/registry"
 	"bauklotze/pkg/api/server"
 	"bauklotze/pkg/machine"
 	allFlag "bauklotze/pkg/machine/allflag"
 	"bauklotze/pkg/machine/define"
+	"bauklotze/pkg/machine/events"
 	"bauklotze/pkg/machine/io"
 	"bauklotze/pkg/machine/shim"
 	"bauklotze/pkg/machine/vmconfig"
-
-	"github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"golang.org/x/sync/errgroup"
-
-	"bauklotze/cmd/registry"
-	"bauklotze/pkg/machine/events"
 	"bauklotze/pkg/system"
 )
 
@@ -132,6 +132,13 @@ func start(cmd *cobra.Command, args []string) error {
 		return startMachine(ctx, mc)
 	})
 
+	g.Go(func() error {
+		if err := shim.TryStartSSHAuthService(ctx, mc); err != nil {
+			logrus.Warnf("SSH auth service stop: %v", err)
+		}
+		return nil
+	})
+
 	defer cleanUp(mc) // Clean tmp files at the end
 	return g.Wait()   //nolint:wrapcheck
 }
@@ -176,6 +183,7 @@ func startMachine(parentCtx context.Context, mc *vmconfig.MachineConfig) error {
 	}
 
 	logrus.Infof("Machine start successful")
+	channel.NotifyMachineReady()
 
 	return shim.Wait(ctx, mc) //nolint:wrapcheck
 }
@@ -198,9 +206,11 @@ func cleanUp(mc *vmconfig.MachineConfig) {
 }
 
 func SyncDisk(mc *vmconfig.MachineConfig) {
-	events.NotifyRun(events.SyncMachineDisk)
-	if err := shim.DiskSync(mc); err != nil {
-		logrus.Warnf("Failed to sync disk: %v", err)
-		return
+	if channel.IsVMReady() {
+		events.NotifyRun(events.SyncMachineDisk)
+		if err := shim.DiskSync(mc); err != nil {
+			logrus.Warnf("Failed to sync disk: %v", err)
+			return
+		}
 	}
 }
diff --git a/cmd/registry/registry.go b/cmd/registry/registry.go
@@ -5,6 +5,7 @@ package registry
 
 import (
 	allFlag "bauklotze/pkg/machine/allflag"
+	"bauklotze/pkg/machine/channel"
 	"bauklotze/pkg/machine/define"
 	"bauklotze/pkg/machine/events"
 	"bauklotze/pkg/machine/io"
@@ -41,6 +42,7 @@ func GetExitCode() int {
 
 func NotifyAndExit(code int) {
 	events.NotifyExit()
+	channel.Close()
 	SetExitCode(code)
 	os.Exit(GetExitCode())
 }
diff --git a/go.mod b/go.mod
@@ -1,6 +1,8 @@
 module bauklotze
 
-go 1.23.4
+go 1.24.0
+
+toolchain go1.24.1
 
 require (
 	github.com/Code-Hex/go-infinity-channel v1.0.0
@@ -15,14 +17,16 @@ require (
 	github.com/go-playground/validator/v10 v10.25.0
 	github.com/gorilla/mux v1.8.1
 	github.com/json-iterator/go v1.1.12
+	github.com/oomol-lab/ovm-ssh-agent v1.1.1-0.20250307113355-2fe4d500c53c
+	github.com/oomol-lab/ssh-forward v0.0.0-20250311033012-057eea751dd7
 	github.com/prashantgupta24/mac-sleep-notifier v1.0.1
 	github.com/shirou/gopsutil/v3 v3.24.5
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.10.0
-	golang.org/x/crypto v0.35.0
-	golang.org/x/sync v0.11.0
-	golang.org/x/sys v0.30.0
+	golang.org/x/crypto v0.36.0
+	golang.org/x/sync v0.12.0
+	golang.org/x/sys v0.31.0
 )
 
 require (
@@ -48,7 +52,7 @@ require (
 	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	golang.org/x/net v0.35.0 // indirect
-	golang.org/x/text v0.22.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -64,6 +64,16 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/oomol-lab/ovm-ssh-agent v1.1.1-0.20250307080813-33a2addd8d70 h1:mwoDZHyzkai9/Ho4SqHTn3ZNjeairpDAjxBwbZzlYxg=
+github.com/oomol-lab/ovm-ssh-agent v1.1.1-0.20250307080813-33a2addd8d70/go.mod h1:UiWnuQCSmt3Zta1LctVpp+ETEaJv08OA+Bkp45uyM/M=
+github.com/oomol-lab/ovm-ssh-agent v1.1.1-0.20250307113355-2fe4d500c53c h1:kbYQjlZ0eKNiUPjX99nudcbvh2z86TF3hM0jAvytApo=
+github.com/oomol-lab/ovm-ssh-agent v1.1.1-0.20250307113355-2fe4d500c53c/go.mod h1:UiWnuQCSmt3Zta1LctVpp+ETEaJv08OA+Bkp45uyM/M=
+github.com/oomol-lab/ssh-forward v0.0.0-20250306133922-a0a693bfc5f6 h1:uJP1EoqmP88TOqA6PbpJlzt0eyE27WZ6XAefuc3H4T4=
+github.com/oomol-lab/ssh-forward v0.0.0-20250306133922-a0a693bfc5f6/go.mod h1:/X60uEwaCA1Bt0AJ+6VShkjErRBbkDbzmqwxR8jPpMI=
+github.com/oomol-lab/ssh-forward v0.0.0-20250310111812-cc1e7c2d1876 h1:9HgxxAcKJx9U6w8oRTtIIc7Tdp7F55p5yUTJlMqahtc=
+github.com/oomol-lab/ssh-forward v0.0.0-20250310111812-cc1e7c2d1876/go.mod h1:/X60uEwaCA1Bt0AJ+6VShkjErRBbkDbzmqwxR8jPpMI=
+github.com/oomol-lab/ssh-forward v0.0.0-20250311033012-057eea751dd7 h1:T+1ULZnf+KeO/w3kTuv5zQwllJjISB0UTKvNR4CHtwc=
+github.com/oomol-lab/ssh-forward v0.0.0-20250311033012-057eea751dd7/go.mod h1:/X60uEwaCA1Bt0AJ+6VShkjErRBbkDbzmqwxR8jPpMI=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
@@ -100,24 +110,24 @@ github.com/tklauser/numcpus v0.6.1 h1:ng9scYS7az0Bk4OZLvrNXNSAO2Pxr1XXRAPyjhIx+F
 github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
-golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
 golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
-golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
-golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
-golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
-golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
-golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
diff --git a/pkg/api/server/handler.go b/pkg/api/server/handler.go
@@ -75,7 +75,7 @@ func (s *APIServer) APIHandler(h http.HandlerFunc) http.HandlerFunc {
 
 func (s *APIServer) apiWrapper(h http.HandlerFunc, w http.ResponseWriter, r *http.Request) {
 	if err := r.ParseForm(); err != nil {
-		logrus.Errorf("Failed Request: unable to parse form: " + err.Error())
+		logrus.Errorf("Failed Request: unable to parse form: %v", err)
 	}
 	h(w, r)
 }
diff --git a/pkg/machine/channel/channel.go b/pkg/machine/channel/channel.go
@@ -0,0 +1,33 @@
+package channel
+
+import "context"
+
+var (
+	vmReady  context.Context
+	vmCancel context.CancelFunc
+)
+
+func init() {
+	vmReady, vmCancel = context.WithCancel(context.Background()) //nolint:fatcontext
+}
+
+func NotifyMachineReady() {
+	vmCancel()
+}
+
+func WaitVMReady() <-chan struct{} {
+	return vmReady.Done()
+}
+
+func IsVMReady() bool {
+	select {
+	case <-vmReady.Done():
+		return true
+	default:
+		return false
+	}
+}
+
+func Close() {
+	vmCancel()
+}
diff --git a/pkg/machine/shim/ssh_auth.go b/pkg/machine/shim/ssh_auth.go
@@ -0,0 +1,109 @@
+//  SPDX-FileCopyrightText: 2024-2025 OOMOL, Inc. <https://www.oomol.com>
+//  SPDX-License-Identifier: MPL-2.0
+
+package shim
+
+import (
+	"bauklotze/pkg/machine/channel"
+	"bauklotze/pkg/machine/define"
+	"bauklotze/pkg/machine/vmconfig"
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+
+	"golang.org/x/sync/errgroup"
+
+	"github.com/oomol-lab/ovm-ssh-agent/pkg/sshagent"
+	"github.com/oomol-lab/ovm-ssh-agent/pkg/system"
+
+	"github.com/oomol-lab/ovm-ssh-agent/pkg/identity"
+	forwarder "github.com/oomol-lab/ssh-forward"
+
+	"github.com/sirupsen/logrus"
+)
+
+func TryStartSSHAuthService(ctx context.Context, mc *vmconfig.MachineConfig) error {
+	select {
+	case <-ctx.Done():
+		return fmt.Errorf("cancel TryStartSSHAuthService cause: %w", context.Cause(ctx))
+	case <-channel.WaitVMReady():
+		break
+	}
+
+	logrus.Infoln("Start SSH auth service")
+	return startSSHAuthServiceAndForward(ctx, mc)
+}
+
+func startSSHAuthServiceAndForward(ctx context.Context, mc *vmconfig.MachineConfig) error {
+	ctx, cancel := context.WithCancelCause(ctx)
+	defer cancel(context.Canceled)
+
+	g, ctx := errgroup.WithContext(ctx)
+
+	localSocketFile := filepath.Join(mc.Dirs.SocksDir.GetPath(), "oo-ssh-agent-host.sock")
+	if err := os.Remove(localSocketFile); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("failed to remove local ssh agent socket: %w", err)
+	}
+
+	listener, err := net.Listen("unix", localSocketFile)
+	if err != nil {
+		return fmt.Errorf("failed to listen unix socket: %w", err)
+	}
+	defer listener.Close()
+
+	upstreamSocket := system.GetSSHAgent()
+	if upstreamSocket == "" {
+		return fmt.Errorf("upstream SSH agent socket empty")
+	}
+	logrus.Infof("upstream ssh agent listened in: %q", upstreamSocket)
+
+	ooSSHAgent, err := sshagent.NewSSHAgent(ctx, upstreamSocket)
+	if err != nil {
+		return fmt.Errorf("failed to create oo ssh agent: %w", err)
+	}
+	defer ooSSHAgent.Close()
+
+	// find local private keys ~/.ssh
+	ooSSHAgent.LoadLocalKeys(identity.FindPrivateKeys()...)
+
+	g.Go(func() error {
+		return ooSSHAgent.Serve(listener)
+	})
+
+	remoteSocketFile := "/opt/ssh_auth/oo-ssh-agent.sock"
+	logrus.Infof("forward unix socket %q to %q", localSocketFile,
+		fmt.Sprintf("%s@%s:%d:[%s]", mc.SSH.RemoteUsername, define.LocalHostURL, mc.SSH.Port, remoteSocketFile))
+
+	socketForwarder := forwarder.NewUnixRemote(localSocketFile, define.LocalHostURL, remoteSocketFile)
+	socketForwarder.SetTunneledConnState(func(tun *forwarder.ForwardConfig, state *forwarder.TunneledConnState) {
+		logrus.Infof("connect state: %v", state)
+	})
+
+	socketForwarder.SetKeyFile(mc.SSH.IdentityPath)
+	socketForwarder.SetUser(mc.SSH.RemoteUsername)
+	socketForwarder.SetPort(mc.SSH.Port)
+
+	// We set a callback to know when the tunnel is ready
+	socketForwarder.SetConnState(func(tun *forwarder.ForwardConfig, state forwarder.ConnState) {
+		switch state {
+		case forwarder.StateStarting:
+			logrus.Infof("socket forwarder state is staring")
+			logrus.Infof("clean target socket file:%s", socketForwarder.Remote.String())
+			if err := socketForwarder.CleanTargetSocketFile(); err != nil {
+				cancel(fmt.Errorf("failed to clean target socket file: %w", err))
+			}
+		case forwarder.StateStarted:
+			logrus.Infoln("socket forwarder state is: started")
+		case forwarder.StateStopped:
+			logrus.Infoln("socket forwarder state is: stopped")
+		}
+	})
+
+	g.Go(func() error {
+		return socketForwarder.Start(ctx)
+	})
+
+	return g.Wait() //nolint:wrapcheck
+}

Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,7 @@ func (s *APIServer) APIHandler(h http.HandlerFunc) http.HandlerFunc {`
`75`	`75`
`76`	`76`	`func (s APIServer) apiWrapper(h http.HandlerFunc, w http.ResponseWriter, r http.Request) {`
`77`	`77`	`if err := r.ParseForm(); err != nil {`
`78`		`- logrus.Errorf("Failed Request: unable to parse form: " + err.Error())`
	`78`	`+ logrus.Errorf("Failed Request: unable to parse form: %v", err)`
`79`	`79`	`}`
`80`	`80`	`h(w, r)`
`81`	`81`	`}`