pkg/hostagent: Use in-process SSH client on executing requirement scripts

Use an in-process SSH client on executing requirement scripts other than starting an SSH ControlMaster process.
To fall back to external SSH, add the `LIMA_EXTERNAL_SSH_REQUIREMENT` environment variable.

- pkg/sshutil: Add `ExecuteScriptViaInProcessClient()`

Signed-off-by: Norio Nomura <norio.nomura@gmail.com>

# Conflicts:
#	pkg/sshutil/sshutil.go

# Conflicts:
#	pkg/sshutil/sshutil.go

Author: norio-nomura

pkg/hostagent/requirements.go

@@ -6,8 +6,11 @@ package hostagent
 import (
 	"errors"
 	"fmt"
+	"os"
 	"runtime"
+	"strconv"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/lima-vm/sshocker/pkg/ssh"
@@ -103,39 +106,65 @@ func (a *HostAgent) waitForRequirement(r requirement) error {
 	if err != nil {
 		return err
 	}
+	var stdout, stderr string
 	sshConfig := a.sshConfig
-	if r.noMaster || runtime.GOOS == "windows" {
-		// Remove ControlMaster, ControlPath, and ControlPersist options,
-		// because Cygwin-based SSH clients do not support multiplexing when executing commands.
-		// References:
-		//   https://inbox.sourceware.org/cygwin/c98988a5-7e65-4282-b2a1-bb8e350d5fab@acm.org/T/
-		//   https://stackoverflow.com/questions/20959792/is-ssh-controlmaster-with-cygwin-on-windows-actually-possible
-		// By removing these options:
-		//   - Avoids execution failures when the control master is not yet available.
-		//   - Prevents error messages such as:
-		//     > mux_client_request_session: read from master failed: Connection reset by peer
-		//     > ControlSocket ....sock already exists, disabling multiplexing
-		//     > mm_send_fd: sendmsg(2): Connection reset by peer\\r\\nmux_client_request_session: send fds failed\\r\\n
-		sshConfig = &ssh.SSHConfig{
-			ConfigFile:     sshConfig.ConfigFile,
-			Persist:        false,
-			AdditionalArgs: sshutil.DisableControlMasterOptsFromSSHArgs(sshConfig.AdditionalArgs),
+	if r.external || determineUseExternalSSH() {
+		if r.noMaster || runtime.GOOS == "windows" {
+			// Remove ControlMaster, ControlPath, and ControlPersist options,
+			// because Cygwin-based SSH clients do not support multiplexing when executing commands.
+			// References:
+			//   https://inbox.sourceware.org/cygwin/c98988a5-7e65-4282-b2a1-bb8e350d5fab@acm.org/T/
+			//   https://stackoverflow.com/questions/20959792/is-ssh-controlmaster-with-cygwin-on-windows-actually-possible
+			// By removing these options:
+			//   - Avoids execution failures when the control master is not yet available.
+			//   - Prevents error messages such as:
+			//     > mux_client_request_session: read from master failed: Connection reset by peer
+			//     > ControlSocket ....sock already exists, disabling multiplexing
+			//     > mm_send_fd: sendmsg(2): Connection reset by peer\\r\\nmux_client_request_session: send fds failed\\r\\n
+			sshConfig = &ssh.SSHConfig{
+				ConfigFile:     sshConfig.ConfigFile,
+				Persist:        false,
+				AdditionalArgs: sshutil.DisableControlMasterOptsFromSSHArgs(sshConfig.AdditionalArgs),
+			}
 		}
+		stdout, stderr, err = ssh.ExecuteScript(a.instSSHAddress, a.sshLocalPort, sshConfig, script, r.description)
+	} else {
+		stdout, stderr, err = sshutil.ExecuteScriptViaInProcessClient(a.instSSHAddress, a.sshLocalPort, *a.instConfig.User.Name, a.instName, script, r.description)
 	}
-	stdout, stderr, err := ssh.ExecuteScript(a.instSSHAddress, a.sshLocalPort, sshConfig, script, r.description)
 	logrus.Debugf("stdout=%q, stderr=%q, err=%v", stdout, stderr, err)
 	if err != nil {
 		return fmt.Errorf("stdout=%q, stderr=%q: %w", stdout, stderr, err)
 	}
 	return nil
 }
 
+var determineUseExternalSSH = sync.OnceValue(func() bool {
+	var useExternalSSH bool
+	// allow overriding via LIMA_EXTERNAL_SSH_REQUIREMENT environment variable
+	if envVar := os.Getenv("LIMA_EXTERNAL_SSH_REQUIREMENT"); envVar != "" {
+		if b, err := strconv.ParseBool(envVar); err != nil {
+			logrus.WithError(err).Warnf("invalid LIMA_EXTERNAL_SSH_REQUIREMENT value %q", envVar)
+		} else {
+			useExternalSSH = b
+		}
+	}
+	if useExternalSSH {
+		logrus.Info("using external ssh command for executing requirement scripts")
+	} else {
+		logrus.Info("using in-process ssh client for executing requirement scripts")
+	}
+	return useExternalSSH
+})
+
 type requirement struct {
 	description string
 	script      string
 	debugHint   string
 	fatal       bool
 	noMaster    bool
+	// Execute the script externally via the ssh command instead of using the in-process client.
+	// noMaster will be ignored if external is false.
+	external bool
 }
 
 func (a *HostAgent) essentialRequirements() []requirement {
@@ -158,6 +187,7 @@ If any private key under ~/.ssh is protected with a passphrase, you need to have
 true
 `,
 		debugHint: `The persistent ssh ControlMaster should be started immediately.`,
+		external:  true,
 	}
 	if *a.instConfig.Plain {
 		req = append(req, startControlMasterReq)

pkg/sshutil/sshutil.go

@@ -31,6 +31,7 @@ import (
 	"time"
 
 	"github.com/coreos/go-semver/semver"
+	sshocker "github.com/lima-vm/sshocker/pkg/ssh"
 	"github.com/mattn/go-shellwords"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/crypto/ssh"
@@ -688,3 +689,68 @@ func GenerateSSHHostKeys(instDir, hostname string) (map[string]string, error) {
 	}
 	return res, nil
 }
+
+// ExecuteScriptViaInProcessClient executes the given script on the remote host via in-process SSH client.
+func ExecuteScriptViaInProcessClient(host string, port int, user, instanceName, script, scriptName string) (stdout, stderr string, err error) {
+	// Prepare signer
+	signer, err := UserPrivateKey()
+	if err != nil {
+		return "", "", err
+	}
+	// Prepare HostKeyCallback
+	hostKeyChecker, err := HostKeyCheckerWithKeysInKnownHosts(instanceName)
+	if err != nil {
+		return "", "", err
+	}
+
+	// Prepare ssh client config
+	sshConfig := &ssh.ClientConfig{
+		User:            user,
+		Auth:            []ssh.AuthMethod{ssh.PublicKeys(signer)},
+		HostKeyCallback: hostKeyChecker,
+		Timeout:         10 * time.Second,
+	}
+
+	// Connect to SSH server
+	addr := net.JoinHostPort(host, fmt.Sprintf("%d", port))
+	var dialer net.Dialer
+	dialer.Timeout = sshConfig.Timeout
+	conn, err := dialer.DialContext(context.Background(), "tcp", addr)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to dial %q: %w", addr, err)
+	}
+	sshConn, chans, reqs, err := ssh.NewClientConn(conn, addr, sshConfig)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to create ssh.Conn to %q: %w", addr, err)
+	}
+	client := ssh.NewClient(sshConn, chans, reqs)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to create SSH client to %q: %w", addr, err)
+	}
+	defer client.Close()
+
+	// Create session
+	session, err := client.NewSession()
+	if err != nil {
+		return "", "", fmt.Errorf("failed to create SSH session to %q: %w", addr, err)
+	}
+	defer session.Close()
+
+	// Execute script
+	interpreter, err := sshocker.ParseScriptInterpreter(script)
+	if err != nil {
+		return "", "", err
+	}
+	// Provide the script via stdin
+	session.Stdin = strings.NewReader(strings.TrimPrefix(script, "#!"+interpreter+"\n"))
+	// Capture stdout and stderr
+	var stdoutBuf, stderrBuf bytes.Buffer
+	session.Stdout = &stdoutBuf
+	session.Stderr = &stderrBuf
+	logrus.Debugf("executing ssh for script %q", scriptName)
+	err = session.Run(interpreter)
+	if err != nil {
+		return stdoutBuf.String(), stderrBuf.String(), fmt.Errorf("failed to execute script %q: stdout=%q, stderr=%q: %w", scriptName, stdoutBuf.String(), stderrBuf.String(), err)
+	}
+	return stdoutBuf.String(), stderrBuf.String(), nil
+}

website/content/en/docs/config/environment-variables.md

@@ -106,6 +106,14 @@ This page documents the environment variables used in Lima.
   lima
   ```
 
+### `LIMA_EXTERNAL_SSH_REQUIREMENT`
+- **Description**: Specifies whether to use an external SSH client for checking requirements instead of the built-in SSH client.
+- **Default**: `false`
+- **Usage**: 
+  ```sh
+  export LIMA_EXTERNAL_SSH_REQUIREMENT=true
+  ```
+
 ### `LIMA_SSH_OVER_VSOCK`
 - **Description**: Specifies to use vsock for SSH connection instead of port forwarding.
 - **Default**: `true` (since v2.0.0)