
From user1@host1, I wish to execute a docker command on a remote host, i.e. as root@host2.

Thus, on remote host2 I made the below changes:

sudo visudo
user1 ALL=(ALL) NOPASSWD: /bin/docker
dbuser ALL=(ALL) NOPASSWD: /bin/docker

I log in from host1 to host2 using the ssh command below:

[root@host1]# ssh -i /home/user1/.ssh/id_rsa user1@host2

[user1@host2 ~]# sudo -u root -i -H

[root@host2 ~]# sudo docker exec STG-MYDB-mongo-rs mongo  --port 27062 --authenticationDatabase '$external' --authenticationMechanism PLAIN -u  'dbuser' -p 'dbpassword'  --eval 'rs.isMaster()'

MongoDB shell version v4.2.20

connecting to: mongodb://127.0.0.1:27062/?authMechanism=PLAIN&authSource=%24external&compressors=disabled&gssapiServiceName=mongodb

Implicit session: session { "id" : UUID("cadeffab-911e-4290-9455-4aabcb232dfd") }

MongoDB server version: 4.2.20

{
        "hosts" : [
                "host2.ec2.internal:27062",
                "host3.ec2.internal:27062",
                "host4.ec2.internal:27062"
        ],
        "setName" : "REPGBMA062",
        "setVersion" : 10,
        "ismaster" : true,
        "secondary" : false,
        "primary" : "host2.ec2.internal:27062",
        "me" : "host2.ec2.internal:27062",
        "electionId" : ObjectId("7fffffff0000000000000129"),
        "lastWrite" : {
                "opTime" : {
                        "ts" : Timestamp(1689546619, 1),
                        "t" : NumberLong(297)
                },
                "lastWriteDate" : ISODate("2023-07-16T22:30:19Z"),
                "majorityOpTime" : {
                        "ts" : Timestamp(1689546619, 1),
                        "t" : NumberLong(297)
                },
                "majorityWriteDate" : ISODate("2023-07-16T22:30:19Z")
        },
        "maxBsonObjectSize" : 16777216,
        "maxMessageSizeBytes" : 48000000,
        "maxWriteBatchSize" : 100000,
        "localTime" : ISODate("2023-07-16T22:30:23.089Z"),
        "logicalSessionTimeoutMinutes" : 30,
        "connectionId" : 7620,
        "minWireVersion" : 0,
        "maxWireVersion" : 8,
        "readOnly" : false,
        "ok" : 1,
        "$clusterTime" : {
                "clusterTime" : Timestamp(1689546619, 1),
                "signature" : {
                        "hash" : BinData(0,"bPyk8MEnMN/ThBc8m1tdsVjOcN8="),
                        "keyId" : NumberLong("7216872790308536321")
                }
        },
        "operationTime" : Timestamp(1689546619, 1)
}

[root@host2 ~]# sudo docker exec STG-MYDB-mongo-rs mongo  --port 27062 --authenticationDatabase '$external' --authenticationMechanism PLAIN -u  'dbuser' -p 'dbpassword'  --eval 'rs.isMaster()' | grep primary

        "primary" : "host2.ec2.internal:27062",
    

However, when I try the same command through ssh it fails with an error and does not return the same output I received running the command manually.

Failure output:

[root@host1 actions-runner]# ssh -t -i /home/user1/.ssh/id_rsa  user1@host2.ec2.internal "sudo docker exec STG-MYDB-mongo-rs mongo  --port 27062 --authenticationDatabase '$external' --authenticationMechanism PLAIN -u  'dbuser' -p 'dbpassword'  --eval 'rs.isMaster()'"

##################################################################
# *** This Server is using Centrify                          *** #
# *** Remember to use your Active Directory account          *** #
# ***    password when logging in                            *** #
##################################################################

MongoDB shell version v4.2.20

connecting to: mongodb://127.0.0.1:27062/?authMechanism=PLAIN&compressors=disabled&gssapiServiceName=mongodb

2023-07-16T22:32:32.073+0000 E  QUERY    [js] Error: Authentication failed. :

connect@src/mongo/shell/mongo.js:353:17

@(connect):3:6

2023-07-16T22:32:32.074+0000 F  -        [main] exception: connect failed

2023-07-16T22:32:32.074+0000 E  -        [main] exiting with code 1

Connection to host2.ec2.internal closed.

[root@host1 actions-runner]#

How can I get the same output using the remote ssh command as I get running the command manually?

James Z
Ashar
  • Try escaping `'$external'` (`'\$external'`) in your SSH remote command. – Grobu Jul 16 '23 at 23:34
  • @Grobu it works !! please post as an answer – Ashar Jul 17 '23 at 04:08
  • (Can you use a `docker run -p` published port, `ssh -L` port forwarding, and a local non-container `mongo` client to access the database, avoiding the multiple layers of shell and the `docker exec` call?) – David Maze Jul 17 '23 at 10:16
  • @DavidMaze i tried the same but docker was running as secure https and inorder for remote docker to connect to target docker on secure the SAN and CN should match which was not the case. – Ashar Jul 17 '23 at 14:50

1 Answer


When you issue your SSH remote command:

ssh (...) "sudo docker (...) --authenticationDatabase '$external' (...)"

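... the $external part is expanded locally by your shell on host1 before ssh even runs, because it is inside a double-quoted string; the single quotes nested inside the double quotes are just literal characters there and do not prevent the expansion. So if the variable $external is not defined locally, you're actually sending an empty value (e.g. --authenticationDatabase ''), which is why the failing connection string above no longer contains authSource=%24external. Simply escaping the dollar character (\$) should be enough to make your command work as expected.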

Cheers

Grobu