docker-env: change --ssh-host login as root by bhavyaBeliever · Pull Request #22577 · kubernetes/minikube

bhavyaBeliever · 2026-01-28T12:26:28Z

Before for KIC driver for docker-runtime:

bhavya@bhavyaBeliever:~/btech/project/minikube$ minikube docker-env --ssh-host
export DOCKER_HOST="ssh://docker@127.0.0.1:32783"
export MINIKUBE_ACTIVE_DOCKERD="minikube"

# To point your shell to minikube's docker-daemon, run:
# eval $(minikube -p minikube docker-env --ssh-host)

After:

bhavya@bhavyaBeliever:~/btech/project/minikube$ ./out/minikube docker-env --ssh-host
export DOCKER_HOST="ssh://root@127.0.0.1:32783"
export MINIKUBE_ACTIVE_DOCKERD="minikube"

# To point your shell to minikube's docker-daemon, run:
# eval $(minikube -p minikube docker-env --ssh-host)

bhavya@bhavyaBeliever:~/btech/project/minikube$ eval $(./out/minikube docker-env --ssh-host)

bhavya@bhavyaBeliever:~/btech/project/minikube$ docker ps
CONTAINER ID   IMAGE                          COMMAND                  CREATED       STATUS       PORTS     NAMES
58f8adee15b7   6e38f40d628d                   "/storage-provisioner"   2 hours ago   Up 2 hours             k8s_storage-provisioner_storage-provisioner_kube-system_74e03f84-e660-493b-9c77-3996c63ec53f_1
6eb150a830d7   registry.k8s.io/pause:3.10.1   "/pause"                 2 hours ago   Up 2 hours             k8s_POD_storage-provisioner_kube-system_74e03f84-e660-493b-9c77-3996c63ec53f_0
76533e04dfa1   aa5e3ebc0dfe                   "/coredns -conf /etc…"   2 hours ago   Up 2 hours             k8s_coredns_coredns-7d764666f9-gx8gm_kube-system_cce9e4c3-4d1e-455b-ac09-4f1553567b85_0
...

Before For VM (kvm2) driver for docker-runtime:

┌──────────┬────────┬─────────┬────────────────┬─────────┬────────┬───────┬────────────────┬────────────────────┐
│ PROFILE  │ DRIVER │ RUNTIME │       IP       │ VERSION │ STATUS │ NODES │ ACTIVE PROFILE │ ACTIVE KUBECONTEXT │
├──────────┼────────┼─────────┼────────────────┼─────────┼────────┼───────┼────────────────┼────────────────────┤
│ minikube │ kvm2   │ docker  │ 192.168.39.165 │ v1.34.0 │ OK     │ 1     │ *              │ *                  │
└──────────┴────────┴─────────┴────────────────┴─────────┴────────┴───────┴────────────────┴────────────────────┘
bhavya@bhavyaBeliever:~/btech/project/minikube$ eval $(minikube docker-env --ssh-host)

bhavya@bhavyaBeliever:~/btech/project/minikube$ docker ps
error during connect: Get "http://docker.example.com/v1.53/containers/json": command [ssh -l docker -p 22 -o ConnectTimeout=30 -T -- 192.168.39.165 docker system dial-stdio] has exited with exit status 255, make sure the URL is valid, and Docker 18.09 or later is installed on the remote host: stderr=ssh_askpass: exec(/usr/bin/ssh-askpass): No such file or directory
Host key verification failed.

After:

bhavya@bhavyaBeliever:~/btech/project/minikube$ ./out/minikube docker-env --ssh-host
export DOCKER_HOST="ssh://root@192.168.39.61:22"
export MINIKUBE_ACTIVE_DOCKERD="minikube"

# To point your shell to minikube's docker-daemon, run:
# eval $(minikube -p minikube docker-env --ssh-host)
Identity added: /home/bhavya/.minikube/machines/minikube/id_rsa (/home/bhavya/.minikube/machines/minikube/id_rsa)
Host added: /home/bhavya/.ssh/known_hosts (192.168.39.61)
bhavya@bhavyaBeliever:~/btech/project/minikube$ eval $(./out/minikube docker-env --ssh-host)
Identity added: /home/bhavya/.minikube/machines/minikube/id_rsa (/home/bhavya/.minikube/machines/minikube/id_rsa)

bhavya@bhavyaBeliever:~/btech/project/minikube$ docker ps
CONTAINER ID   IMAGE                          COMMAND                  CREATED          STATUS          PORTS     NAMES
5b5b163f36db   6e38f40d628d                   "/storage-provisioner"   10 seconds ago   Up 9 seconds              k8s_storage-provisioner_storage-provisioner_kube-system_da069fdf-7f20-4983-8f82-ce82daf8991c_1
168300ab68c5   6521110cdb01                   "/usr/local/bin/kube…"   40 seconds ago   Up 40 seconds             k8s_kube-proxy_kube-proxy-rbh8g_kube-system_ac4cca72-b0f1-4ea4-a93d-8a34e7a18cb6_0
...

Before for containerd runtime:

bhavya@bhavyaBeliever:~/btech/project/minikube$ minikube docker-env
❗  Using the docker-env command with the containerd runtime is a highly experimental feature, please provide feedback or contribute to make it better
export DOCKER_HOST="ssh://docker@127.0.0.1:32768"
export MINIKUBE_ACTIVE_DOCKERD="minikube"
export SSH_AUTH_SOCK="/tmp/ssh-AejB0xf0BXMm/agent.15030"
export SSH_AGENT_PID="15031"

# To point your shell to minikube's docker-daemon, run:
# eval $(minikube -p minikube docker-env --ssh-host)
Identity added: /home/bhavya/.minikube/machines/minikube/id_rsa (/home/bhavya/.minikube/machines/minikube/id_rsa)
Host added: /home/bhavya/.ssh/known_hosts ([127.0.0.1]:32768)
bhavya@bhavyaBeliever:~/btech/project/minikube$ eval $(minikube docker-env)
❗  Using the docker-env command with the containerd runtime is a highly experimental feature, please provide feedback or contribute to make it better
Identity added: /home/bhavya/.minikube/machines/minikube/id_rsa (/home/bhavya/.minikube/machines/minikube/id_rsa)
bhavya@bhavyaBeliever:~/btech/project/minikube$ docker ps
CONTAINER ID   IMAGE                                             COMMAND                  CREATED          STATUS    PORTS     NAMES
02632595d5e1   registry.k8s.io/pause:3.10.1                      "/pause"                 53 seconds ago   Up                  k8s://kube-system/etcd-minikube
0ffec6f18c43   registry.k8s.io/kube-apiserver:v1.34.0            "kube-apiserver --ad…"   52 seconds ago   Up                  k8s://kube-system/kube-apiserver-minikube/kube-apiserver
1dada935757b   kindest/kindnetd:v20250512-df8de77b               "/bin/kindnetd"          43 seconds ago   Up                  k8s://kube-system/kindnet-prnp8/kindnet-cni
...

After:

bhavya@bhavyaBeliever:~/btech/project/minikube$ ./out/minikube docker-env
❗  Using the docker-env command with the containerd runtime is a highly experimental feature, please provide feedback or contribute to make it better
export DOCKER_HOST="ssh://root@127.0.0.1:32773"
export MINIKUBE_ACTIVE_DOCKERD="minikube"
export SSH_AUTH_SOCK="/tmp/ssh-GFtWGd6689YW/agent.19593"
export SSH_AGENT_PID="19594"

# To point your shell to minikube's docker-daemon, run:
# eval $(minikube -p minikube docker-env --ssh-host)
Identity added: /home/bhavya/.minikube/machines/minikube/id_rsa (/home/bhavya/.minikube/machines/minikube/id_rsa)
bhavya@bhavyaBeliever:~/btech/project/minikube$ eval $(./out/minikube docker-env)
❗  Using the docker-env command with the containerd runtime is a highly experimental feature, please provide feedback or contribute to make it better
Identity added: /home/bhavya/.minikube/machines/minikube/id_rsa (/home/bhavya/.minikube/machines/minikube/id_rsa)
bhavya@bhavyaBeliever:~/btech/project/minikube$ docker ps
CONTAINER ID   IMAGE                                             COMMAND                  CREATED         STATUS    PORTS     NAMES
c8f84a7253f5   registry.k8s.io/coredns/coredns:v1.13.1           "/coredns -conf /etc…"   2 minutes ago   Up                  k8s://kube-system/coredns-7d764666f9-rgzdn/coredns
002723522430   gcr.io/k8s-minikube/storage-provisioner:v5        "/storage-provisioner"   2 minutes ago   Up                  k8s://kube-system/storage-provisioner/storage-provisioner
...

Fixes #22360

linux-foundation-easycla · 2026-01-28T12:26:34Z

The committers listed above are authorized under a signed CLA.

✅ login: bhavyaBeliever / name: Bhavya Shah (eee36e9)
✅ login: SaurabhD18 / name: Saurabh Deulkar (da2b0bd)

k8s-ci-robot · 2026-01-28T12:26:35Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: bhavyaBeliever
Once this PR has been reviewed and has the lgtm label, please assign medyagh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot · 2026-01-28T12:26:38Z

Hi @bhavyaBeliever. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

minikube-bot · 2026-01-28T12:30:04Z

Can one of the admins verify this patch?

medyagh · 2026-02-01T22:37:12Z

 		}

+		if sshHost == true {
+			ec.username = "root"


I am curious why root has to be set if "sshot"? wouldn't it work with docker user?

and also have u tried it on both VM and Docker driver?

Yeah It works for the docker user for docker container-runtime, @afbjorklund mentions in the issue that this doesn't work for podman and containerd. The current implementation for containerd uses nerdctl.sock.

Yes we have tested for this for docker driver by making local KIC image with docker and containerd runtime. Similarly we built an ISO file and tested the changes on kvm2 driver.

Copilot

Pull request overview

This PR updates minikube’s SSH and docker-env behavior so that the --ssh-host flow and related components support logging in as root instead of docker, aligning better with container runtimes’ default expectations. It updates the kicbase image, ISO automount script, nerdctld startup, and docker-env SSH configuration to provision and use root’s SSH keys and DOCKER_HOST.

Changes:

Extend KIC SSH preparation and the kicbase image to provision /root/.ssh/authorized_keys, enabling root SSH access with the same public key as the docker user.
Update the ISO automount script to unpack userdata SSH keys into /root/.ssh in addition to /home/docker/.ssh.
Adjust docker-env and startNerdctld so --ssh-host uses the root user and attempts to ensure DOCKER_HOST=unix:///var/run/nerdctl.sock is set for both docker and root users (with a small bug in the root check condition).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
pkg/drivers/kic/kic.go	Copies the generated SSH public key into both `/home/docker/.ssh/authorized_keys` and `/root/.ssh/authorized_keys`, and sets ownership, enabling SSH as root in KIC containers.
deploy/kicbase/Dockerfile	Ensures `/root/.ssh` exists in the kicbase image so that root’s `authorized_keys` can be installed cleanly.
deploy/iso/minikube-iso/package/automount/minikube-automount	Mirrors the existing userdata SSH key unpacking for `/home/docker` into `/root`, setting root ownership to enable root SSH on the ISO-based nodes.
cmd/minikube/cmd/start.go	Extends `startNerdctld` to check and, if needed, inject `DOCKER_HOST=unix:///var/run/nerdctl.sock` into both docker and root bash environments, but currently uses the non-root check result when deciding whether to update `/root/.bashrc`.
cmd/minikube/cmd/docker-env.go	Forces SSH connections to use `username = "root"` when `--ssh-host` is active and extends `appendKnownHelper` to run for both containerd and Docker runtimes.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

medyagh

lets add Before/After for Containerd/Crio as well

medyagh · 2026-02-18T19:29:23Z

@@ -2095,8 +2095,27 @@ func startNerdctld(options *run.CommandOptions) {

 	// set up environment variable on remote machine. docker client uses 'non-login & non-interactive shell' therefore the only way is to modify .bashrc file of user 'docker'
 	// insert this at 4th line


add comment what the code

Thanks for suggestion: kindly check the updated code

medyagh · 2026-02-18T19:30:17Z

 		return fmt.Errorf("create pubkey assetfile : %w", err)
 	}
+
+	f2, err := assets.NewFileAsset(d.GetSSHKeyPath()+".pub", "/root/.ssh/", "authorized_keys", "0644")


I think the right place might be provisioenr package

Thank you for suggestion. Please check the implementation did here

medyagh

lets also add before/after for VM drivers as well

bhavyaBeliever · 2026-02-20T15:12:31Z

lets add Before/After for Containerd/Crio as well

I have added for containerd with docker driver, for other cases minikube docker-env doesn't support, please refer this function dockerEnvSupported. I think @afbjorklund is working on PRs [#22547, #22549] which add support to docker-env

bhavyaBeliever · 2026-02-23T18:55:53Z

/assign @medyagh

medyagh · 2026-02-23T21:21:16Z

lets try another before/after with exacttly explaining what was NOT good before and what is Better now....

bhavyaBeliever · 2026-02-24T11:35:27Z

lets try another before/after with exactly explaining what was NOT good before and what is Better now....

The thing which was not good was that the docker user was accessing docker.sock illegally (just a workaround).
Or else we should migrate the runtimes to rootless mode so that docker user could access the sock without any workaround.
@afbjorklund any suggestions?

k8s-ci-robot requested review from nirs and prezha January 28, 2026 12:26

k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Jan 28, 2026

bhavyaBeliever force-pushed the ssh_login_as_root branch from db30f7c to 6f1e645 Compare January 29, 2026 09:25

bhavyaBeliever mentioned this pull request Jan 29, 2026

Support docker-env with cri-o runtime #22547

Open

bhavyaBeliever force-pushed the ssh_login_as_root branch from 851aea9 to 73adedf Compare January 30, 2026 07:39

bhavyaBeliever force-pushed the ssh_login_as_root branch from 87536a1 to 73adedf Compare January 30, 2026 07:57

k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Jan 30, 2026

medyagh requested a review from Copilot February 1, 2026 22:36

Copilot started reviewing on behalf of medyagh February 1, 2026 22:36 View session

medyagh reviewed Feb 1, 2026

View reviewed changes

Copilot AI reviewed Feb 1, 2026

View reviewed changes

Comment thread cmd/minikube/cmd/start.go Outdated

bhavyaBeliever requested a review from medyagh February 11, 2026 12:01

medyagh reviewed Feb 18, 2026

View reviewed changes

medyagh requested a review from afbjorklund February 18, 2026 19:32

medyagh reviewed Feb 18, 2026

View reviewed changes

bhavyaBeliever and others added 2 commits February 20, 2026 19:42

iso: added authorized keys into /root

eee36e9

docker-env: change the username to root during --ssh-host

da2b0bd

SaurabhD18 force-pushed the ssh_login_as_root branch from 11ee157 to da2b0bd Compare February 20, 2026 14:20

k8s-ci-robot assigned medyagh Feb 23, 2026

medyagh changed the title ~~docker-env: allowed ssh login as root~~ docker-env: change --ssh-host login as root Feb 23, 2026

		@@ -2095,8 +2095,27 @@ func startNerdctld(options *run.CommandOptions) {

		// set up environment variable on remote machine. docker client uses 'non-login & non-interactive shell' therefore the only way is to modify .bashrc file of user 'docker'
		// insert this at 4th line

Conversation

bhavyaBeliever commented Jan 28, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

linux-foundation-easycla Bot commented Jan 28, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

k8s-ci-robot commented Jan 28, 2026

Uh oh!

k8s-ci-robot commented Jan 28, 2026

Uh oh!

minikube-bot commented Jan 28, 2026

Uh oh!

medyagh Feb 1, 2026

Choose a reason for hiding this comment

Uh oh!

bhavyaBeliever Feb 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

medyagh left a comment

Choose a reason for hiding this comment

Uh oh!

medyagh Feb 18, 2026

Choose a reason for hiding this comment

Uh oh!

bhavyaBeliever Feb 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

medyagh Feb 18, 2026

Choose a reason for hiding this comment

Uh oh!

bhavyaBeliever Feb 20, 2026

Choose a reason for hiding this comment

Uh oh!

medyagh left a comment

Choose a reason for hiding this comment

Uh oh!

bhavyaBeliever commented Feb 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

bhavyaBeliever commented Feb 23, 2026

Uh oh!

medyagh commented Feb 23, 2026

Uh oh!

bhavyaBeliever commented Feb 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

bhavyaBeliever commented Jan 28, 2026 •

edited

Loading

linux-foundation-easycla Bot commented Jan 28, 2026 •

edited

Loading

bhavyaBeliever Feb 2, 2026 •

edited

Loading

bhavyaBeliever Feb 20, 2026 •

edited

Loading

bhavyaBeliever commented Feb 20, 2026 •

edited

Loading

bhavyaBeliever commented Feb 24, 2026 •

edited

Loading