Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2022/04/11 16:34:16 UTC
[GitHub] [airflow] czerbinati opened a new issue, #22914: Permission error for SSH Key, not able to set them correctly and not able to connect using DAG
czerbinati opened a new issue, #22914:
URL: https://github.com/apache/airflow/issues/22914
### Official Helm Chart version
1.2.0
### Apache Airflow version
2.0.1
### Kubernetes Version
1.21
### Helm Chart configuration
Hi all, I'm trying to mount a private key as a secret in worker nodes, and for that I'm using the extraVolume section for workers, where I define the name:
```
- name: airflow-ssh-secret
  secret:
    secretName: airflow-ssh-secret
    defaultMode: 0400
```
And then the extraVolumeMounts:
```
- name: airflow-ssh-secret
  mountPath: "/opt/airflow/keys/airflow-ssh-secret"
  readOnly: true
```
I'm also running the value file with the following uid and gid (I customized the docker image a bit):
```
uid: 15012
gid: 5000
```
I generated the secret with this command:
```
kubectl create secret generic airflow-ssh-secret --from-file=ssh-privatekey=airflow_sec -n airflow
```
Where `airflow_sec` is a private key in OpenSSH format.
### Docker Image customisations
The docker image is the official one from the repository:
```
FROM apache/airflow:2.0.1
```
With the difference that I changed uid and gid for the standard user like this:
```
RUN groupadd -g 5000 groupname && \
    usermod -u 15012 -g 5000 airflow && \
    groupadd -g 15023 ftp && \
    usermod -a -G 15023 airflow && \
    find / -xdev -user 50000 -exec chown -h airflow {} \; && \
    find / -xdev -group $(id -g airflow) -exec chgrp -h groupname {} \;
```
And installed a few packages from a requirements file as pasted below:
```
apache-airflow[crypto,celery,jdbc,password,redis,ssh,oracle]==2.0.1
psycopg2-binary==2.8.6
SQLAlchemy==1.3.23
pyarrow==4.0.0
xlrd==2.0.1
openpyxl==3.0.7
apache-airflow-providers-jdbc==1.0.1
apache-airflow-providers-oracle==1.1.0
azure-storage-file-share==12.6.0
```
### What happened
I'm deploying on an AKS (Azure Kubernetes Service) cluster in the namespace called `airflow`, every deploy goes fine, but when we run a DAG that uses the SFTPOperator we receive the following error:
```
[2022-03-23 11:18:18,680] {taskinstance.py:1455} ERROR - Error while transferring None, error: not a valid RSA private key file
Traceback (most recent call last):
File "/home/airflow/.local/lib/python3.6/site-packages/airflow/providers/sftp/operators/sftp.py", line 123, in execute
self.ssh_hook = SSHHook(ssh_conn_id=self.ssh_conn_id)
File "/home/airflow/.local/lib/python3.6/site-packages/airflow/providers/ssh/hooks/ssh.py", line 132, in __init__
self.pkey = paramiko.RSAKey.from_private_key(StringIO(private_key))
File "/home/airflow/.local/lib/python3.6/site-packages/paramiko/pkey.py", line 256, in from_private_key
key = cls(file_obj=file_obj, password=password)
File "/home/airflow/.local/lib/python3.6/site-packages/paramiko/rsakey.py", line 52, in __init__
self._from_private_key(file_obj, password)
File "/home/airflow/.local/lib/python3.6/site-packages/paramiko/rsakey.py", line 179, in _from_private_key
data = self._read_private_key("RSA", file_obj, password)
File "/home/airflow/.local/lib/python3.6/site-packages/paramiko/pkey.py", line 324, in _read_private_key
raise SSHException("not a valid {} private key file".format(tag))
paramiko.ssh_exception.SSHException: not a valid RSA private key file
```
I checked whether the key was working correctly, and it was, since I can connect to the server using the `ssh` command inside the pod, as you can see below:
```
airflow@airflow-worker-1:/opt/airflow$ ssh -i /opt/airflow/keys/airflow-ssh-secret/ssh-privatekey sftp_user@somesftp.com
Linux somesftp.com 4.9.0-16-amd64 #1 SMP Debian 4.9.272-2 (2021-07-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr 11 16:01:28 2022 from some_ip_here
sftp_user@somesftp:~$
```
The Paramiko Version obtained with `pip show paramiko` is:
```
airflow@airflow-worker-1:/opt/airflow$ pip show paramiko
Name: paramiko
Version: 2.7.2
Summary: SSH2 protocol library
Home-page: https://github.com/paramiko/paramiko/
Author: Jeff Forcier
Author-email: jeff@bitprophet.org
License: LGPL
Location: /home/airflow/.local/lib/python3.6/site-packages
Requires: bcrypt, pynacl, cryptography
Required-by: sshtunnel, pysftp, apache-airflow-providers-ssh, apache-airflow-providers-sftp
```
So it should support OpenSSH RSA private key, this is the format of the secret key.
Could it be because permissions on file mount are not correct?
I tried every single mount variation on `defaultMode`: binary, octal and decimal. Every mode results in this:
```
lrwxrwxrwx 1 root groupname 21 Mar 22 16:29 ssh-privatekey -> ..data/ssh-privatekey
```
### What you think should happen instead
It should connect with the SFTP service without error, as the base library for the SFTP is the same as SSH
### How to reproduce
Use the helm chart version 1.2.0 with airflow version 2.0.1 and try to mount an SSH private key in worker pods, with the same libraries as above and the same command for `kubectl create secret`.
The variable that contains the path to the keyfile is defined in the Airflow Variables section of the webserver, and then used in the DAG simply by referring to the name.
### Anything else
This problem happens every time we use the SFTPOperator.
Sorry if there are some errors or if the English is not well structured. I'm trying to do my best to give you a full description of this error; if further clarification is needed, I'm available.
Thanks a lot.
### Are you willing to submit PR?
- [ ] Yes I am willing to submit a PR!
### Code of Conduct
- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
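As an added diagnostic (not part of the issue or of Airflow's code): the `ls -l` line quoted in the issue shows the symlink's own mode, and the traceback fails while parsing key text rather than while opening a file, so the two can be checked separately. The helper names, the constructed sample key (container framing around zero bytes, no real key material) and the temp-directory layout are assumptions made for this example.

```python
import base64, os, stat, struct, tempfile

MAGIC = b"openssh-key-v1\x00"

def target_mode(path):
    """(is_symlink, mode of the resolved file); os.stat follows the link, `ls -l` does not."""
    return os.path.islink(path), oct(stat.S_IMODE(os.stat(path).st_mode))

def _read_string(buf, off):  # one SSH wire string: uint32 length, then bytes
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_kind(pem_text):
    """Classify key text by PEM label; for OpenSSH containers, report the key type."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        return "not-pem"
    label = lines[0][len("-----BEGIN "):-len("-----")]
    if label != "OPENSSH PRIVATE KEY":
        return label  # e.g. "RSA PRIVATE KEY"
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        return "corrupt-openssh"
    off = len(MAGIC)
    for _ in range(3):  # skip ciphername, kdfname, kdfoptions
        _, off = _read_string(blob, off)
    pub, _ = _read_string(blob, off + 4)  # +4 skips the key count
    return "OPENSSH:" + _read_string(pub, 0)[0].decode()

def make_sample(ktype):
    """Constructed sample: OpenSSH container framing around dummy zero bytes."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = (MAGIC + s(b"none") * 2 + s(b"") + struct.pack(">I", 1)
            + s(s(ktype) + s(bytes(32))) + s(bytes(8)))
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

def demo():
    """Rebuild the secret-volume layout from the issue in a temp dir and inspect it."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "..data"))
        real = os.path.join(d, "..data", "ssh-privatekey")
        with open(real, "w") as f:
            f.write(make_sample(b"ssh-rsa"))
        os.chmod(real, 0o400)
        link = os.path.join(d, "ssh-privatekey")
        os.symlink("..data/ssh-privatekey", link)
        with open(link) as f:
            return target_mode(link), key_kind(f.read())
```

Inside a worker pod, `target_mode` and `key_kind` can be pointed at the mounted path and at the key text stored in the connection, without printing the key itself.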
[GitHub] [airflow] potiuk commented on issue #22914: Permission error for SSH Key, not able to set them correctly and not able to connect using DAG
Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #22914:
URL: https://github.com/apache/airflow/issues/22914#issuecomment-1098516833
This has been fixed in SSH provider 2.1.0 https://airflow.apache.org/docs/apache-airflow-providers-ssh/stable/index.html#id12
You need to upgrade to a newer version of Airflow as it can only be installed in Airflow 2.1+. I recommend upgrading to the latest released Airflow version (2.2.5 currently).
[GitHub] [airflow] potiuk closed issue #22914: Permission error for SSH Key, not able to set them correctly and not able to connect using DAG
Posted by GitBox <gi...@apache.org>.
potiuk closed issue #22914: Permission error for SSH Key, not able to set them correctly and not able to connect using DAG
URL: https://github.com/apache/airflow/issues/22914
[GitHub] [airflow] boring-cyborg[bot] commented on issue #22914: Permission error for SSH Key, not able to set them correctly and not able to connect using DAG
Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on issue #22914:
URL: https://github.com/apache/airflow/issues/22914#issuecomment-1095279697
Thanks for opening your first issue here! Be sure to follow the issue template!