Allow minikube ssh login as root instead of as docker #22360

@afbjorklund

Description

Currently we are changing the permissions or the group of the "docker" socket in minikube.

This is to match the old "docker" group, that used to control /var/run/docker.sock access.

But it is not the default setting of Podman or containerd, that prefer to connect as root instead...

When no longer using the legacy TCP socket, it would be possible to ssh root@ instead of docker@

It is mostly a matter of adding /root/.ssh/authorized_keys in addition to /home/docker/.ssh/authorized_keys

Then the docker (group) and podman configuration could go back to the default, which requires sudo or root.

https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user

"The Docker daemon binds to a Unix socket, not a TCP port. By default it's the root user that owns the Unix socket, and other users can only access it using sudo. The Docker daemon always runs as the root user." (This is assuming kubernetes and not usernetes, in the future it might be possible to run rootless...)

You can still use sudo podman or sudo nerdctl, if not using podman system service or nerdctld.

It is just that if using a tunneled socket instead of a command line, then there is no place for "sudo".

The minikube-automount does this: (when mounting the disk image)

https://github.com/kubernetes/minikube/blob/master/deploy/iso/minikube-iso/package/automount/minikube-automount#L150 (from https://github.com/boot2docker/boot2docker/blob/master/files/init.d/autoformat#L147)

    if [ -e "/userdata.tar" ]; then
        mv /userdata.tar /var/lib/boot2docker/
    fi

    tar xf /var/lib/boot2docker/userdata.tar -C /home/docker/
    chown -R docker:docker /home/docker/.ssh

Where userdata.tar contains the keys. (when creating the disk image)

https://github.com/minikube-machine/machine/blob/main/libmachine/mcnutils/b2d.go#L498
(similar code has been copied/pasted into various libmachine drivers, to the same effect)

        // .ssh/key.pub => authorized_keys
        file = &tar.Header{Name: ".ssh", Typeflag: tar.TypeDir, Mode: 0700}
        if err := tw.WriteHeader(file); err != nil {
                return err
        }
        pubKey, err := os.ReadFile(d.publicSSHKeyPath())
        if err != nil {
                return err
        }
        file = &tar.Header{Name: ".ssh/authorized_keys", Size: int64(len(pubKey)), Mode: 0644}
        if err := tw.WriteHeader(file); err != nil {
                return err
        }
        if _, err := tw.Write(pubKey); err != nil {
                return err
        }
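As an added example (not code from minikube or libmachine): a shell function for the automount side that unpacks userdata.tar into both /home/docker and /root, so the same key is accepted for docker@ and root@, sets ownership and modes so sshd's StrictModes accepts them, and refuses archives with entries outside .ssh/. It assumes sshd permits key-based root login (PermitRootLogin prohibit-password), and the owner/group arguments and the guarded calls at the bottom are assumptions, not the ISO's current script.

```shell
#!/bin/sh
# Added example: install userdata.tar keys for docker@ and root@.
set -eu

# install_ssh_keys TAR HOME OWNER GROUP
# Unpacks .ssh/authorized_keys from TAR into HOME, then fixes ownership and
# modes (0700 dir, 0600 file) so sshd's StrictModes will honour the key.
install_ssh_keys() {
    tar="$1"; home="$2"; owner="$3"; group="$4"
    # Refuse archives carrying anything but .ssh/ (absolute or ../ paths,
    # or stray files that would land in the home directory).
    if tar tf "$tar" | grep -qvE '^(\./)?\.ssh(/|$)'; then
        echo "unexpected entries in $tar, not installing into $home" >&2
        return 1
    fi
    mkdir -p "$home"
    tar xf "$tar" -C "$home/"
    chown -R "$owner:$group" "$home/.ssh"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Same archive, two homes: docker@ keeps working, root@ becomes possible.
userdata=/var/lib/boot2docker/userdata.tar
if [ -e "$userdata" ]; then
    install_ssh_keys "$userdata" /home/docker docker docker
    install_ssh_keys "$userdata" /root root root
fi
```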
