1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
5 // Package ssh_executor provides an implementation of pool.Executor
6 // using a long-lived multiplexed SSH session.
17 "git.curoverse.com/arvados.git/lib/cloud"
18 "golang.org/x/crypto/ssh"
21 // New returns a new Executor, using the given target.
22 func New(t cloud.ExecutorTarget) *Executor {
23 return &Executor{target: t}
26 // An Executor uses a multiplexed SSH connection to execute shell
27 // commands on a remote target. It reconnects automatically after
30 // When setting up a connection, the Executor accepts whatever host
31 // key is provided by the remote server, then passes the received key
32 // and the SSH connection to the target's VerifyHostKey method before
33 // executing commands on the connection.
35 // A zero Executor must not be used before calling SetTarget.
37 // An Executor must not be copied.
38 type Executor struct {
39 target cloud.ExecutorTarget
41 mtx sync.RWMutex // controls access to instance after creation
45 clientOnce sync.Once // initialized private state
46 clientSetup chan bool // len>0 while client setup is in progress
47 hostKey ssh.PublicKey // most recent host key that passed verification, if any
50 // SetSigners updates the set of private keys that will be offered to
51 // the target next time the Executor sets up a new connection.
52 func (exr *Executor) SetSigners(signers ...ssh.Signer) {
54 defer exr.mtx.Unlock()
58 // SetTarget sets the current target. The new target will be used next
59 // time a new connection is set up; until then, the Executor will
60 // continue to use the existing target.
62 // The new target is assumed to represent the same host as the
63 // previous target, although its address and host key might differ.
64 func (exr *Executor) SetTarget(t cloud.ExecutorTarget) {
66 defer exr.mtx.Unlock()
70 // Target returns the current target.
71 func (exr *Executor) Target() cloud.ExecutorTarget {
73 defer exr.mtx.RUnlock()
77 // Execute runs cmd on the target. If an existing connection is not
78 // usable, it sets up a new connection to the current target.
79 func (exr *Executor) Execute(env map[string]string, cmd string, stdin io.Reader) ([]byte, []byte, error) {
80 session, err := exr.newSession()
85 for k, v := range env {
86 err = session.Setenv(k, v)
91 var stdout, stderr bytes.Buffer
93 session.Stdout = &stdout
94 session.Stderr = &stderr
95 err = session.Run(cmd)
96 return stdout.Bytes(), stderr.Bytes(), err
99 // Close shuts down any active connections.
100 func (exr *Executor) Close() {
101 // Ensure exr is initialized
104 exr.clientSetup <- true
105 if exr.client != nil {
106 defer exr.client.Close()
108 exr.client, exr.clientErr = nil, errors.New("closed")
112 // Create a new SSH session. If session setup fails or the SSH client
113 // hasn't been setup yet, setup a new SSH client and try again.
114 func (exr *Executor) newSession() (*ssh.Session, error) {
115 try := func(create bool) (*ssh.Session, error) {
116 client, err := exr.sshClient(create)
120 return client.NewSession()
122 session, err := try(false)
124 session, err = try(true)
129 // Get the latest SSH client. If another goroutine is in the process
130 // of setting one up, wait for it to finish and return its result (or
131 // the last successfully setup client, if it fails).
132 func (exr *Executor) sshClient(create bool) (*ssh.Client, error) {
133 exr.clientOnce.Do(func() {
134 exr.clientSetup = make(chan bool, 1)
135 exr.clientErr = errors.New("client not yet created")
137 defer func() { <-exr.clientSetup }()
139 case exr.clientSetup <- true:
141 client, err := exr.setupSSHClient()
142 if err == nil || exr.client == nil {
143 if exr.client != nil {
144 // Hang up the previous
145 // (non-working) client
146 go exr.client.Close()
148 exr.client, exr.clientErr = client, err
155 // Another goroutine is doing the above case. Wait
156 // for it to finish and return whatever it leaves in
158 exr.clientSetup <- true
160 return exr.client, exr.clientErr
163 // Create a new SSH client.
164 func (exr *Executor) setupSSHClient() (*ssh.Client, error) {
165 target := exr.Target()
166 addr := target.Address()
168 return nil, errors.New("instance has no address")
170 var receivedKey ssh.PublicKey
171 client, err := ssh.Dial("tcp", addr, &ssh.ClientConfig{
173 Auth: []ssh.AuthMethod{
174 ssh.PublicKeys(exr.signers...),
176 HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
180 Timeout: time.Minute,
184 } else if receivedKey == nil {
185 return nil, errors.New("BUG: key was never provided to HostKeyCallback")
188 if exr.hostKey == nil || !bytes.Equal(exr.hostKey.Marshal(), receivedKey.Marshal()) {
189 err = target.VerifyHostKey(receivedKey, client)
193 exr.hostKey = receivedKey