$SSH_AUTH_SOCK is not being forwarded to docker #410
Comments
Have you checked https://github.com/avsm/docker-ssh-agent-forward ? It seems to do what you want.
The solution that you provided works, but it's not convenient / experimental.
It would be a lot better if Docker for Mac provided native support for ssh-agent forwarding, or socket forwarding in general, as mentioned in #483. P.S. Currently docker.sock is forwarded; it's probably not that hard to achieve the same for other sockets too.
I've run into problems trying to support the The problem appears to be due to As the documentation states:
So I can mount in the For example, I can find my Inside the container, the socket appears as a socket owned by

```console
[root@62b57964834a ansible]# env | grep -i ssh
SSH_AUTH_SOCK=/ssh-agent/Listeners
[root@62b57964834a ansible]# ls -l $SSH_AUTH_SOCK
srw-rw-rw- 1 root root 0 Feb 1 17:57 /ssh-agent/Listeners
[root@62b57964834a]# whoami
root
[root@62b57964834a]# ssh-add -l
Could not open a connection to your authentication agent.
```
@mariusgrigaitis @trinitronx I was maybe not very clear, but yes, support for an ssh-agent forwarder is planned on our roadmap and is indeed very related to #483. I was just pointing out a possible workaround which works today while we implement the feature.
Ugh, I've just been caught out by this limitation of Docker for Mac 😞 I'm surprised to see that this has still not been resolved 👎
I'm not surprised at all. It's a complex issue that goes beyond what normal VM environments can support. I'd really like to have this feature, but I'm not going to assume an easy fix solution is possible.
The clean way of working around this is to have a docker being responsible for the ssh-agent.
If you do it as a bash function the magic stuff can happen in the shadows.
That forces the user to unlock the key in that Docker container, bypassing
all local customization of the agent, password entry, etc.
On Fri, 21 Apr 2017 09:46, Josef Johansson <notifications@github.com> wrote:
> The clean way of working around this is to have a docker being responsible for the ssh-agent.
> - Start a docker with a volume /agent and entrypoint ssh-agent
> - Use docker cp to copy the private key to the container
> - ssh-add the key and remove it.
> - Use --volume-from instead of mounting the ssh-socket from localhost.
> If you do it as a bash function the magic stuff can happen in the shadows.
True, but the alternative is worse? Anyway, there's not that much you can customize in the local ssh-agent, and the same customization can be added to the docker ssh-agent that way. A plus is that it is consistent across platforms. You can also have different ssh-agents for different purposes.
Presumably a workaround that doesn't lose local customisations would be to:
That way you use your local ssh-agent
Copying / mounting a private key won't work if you store your ssh key on a hardware token such as a YubiKey.
Copying / mounting private keys is not a good idea. If you are going to, @andytson's approach is the best of the bunch.
@andytson, since your solution seems to have consensus on its viability, would you mind elaborating a little bit on its steps for the less proficient docker users? Thanks!
@cecemel, I've been using https://github.com/uber-common/docker-ssh-agent-forward which seems to implement @andytson's solution. It provides an sshd container that you can forward the Darwin agent to (
There's also a solution using pure
@matttrach asked:
I'm not sure what you mean here by "container". Did you perhaps mean "image"? You should be able to control your containers and you should be able to modify and build images from
Yes; prior to buildkit supporting Each
I can confirm the 2.1.4.0 edge version works with the config described in this post (note, because it threw me for a loop: these mounted volumes have to be exactly what is described): #410 (comment) Will this be the final implementation for this feature? If so, does this mean this will only work in this fashion on a Mac, and we would have to use a different method for Linux or Windows?
SSH_AUTH_SOCK support has existed without a problem on Linux for some time.
I am probably missing something, sorry... but I can get @guillaumerose's example working where he uses alpine:3.4 as base. But I am working on an image based on Debian (Stretch), and here it does not work. Do I need to install something specific? I tried to search for vpnkit-bridge but without any luck.
@jvcdk On Debian you'll need to install openssh-client in the container. I was able to get this to work while running 2.1.5.0 edge:
Thank you, @treyd, for your quick answer. I have been testing it a bit this morning and found out that it is because I have a USER statement in my Dockerfile, i.e. I am running as non-root in the container. @andytson mentions it above but I found out there is an additional catch: You cannot use Edit: Thank you for your help :)
Yep, I had the same issue a couple of weeks ago. I've fixed it by creating the mount point and changing the permissions within my Dockerfile. If it can help you, here are:
Hey guys, can anybody help me out here? I am testing this on docker edge v2.1.6.0. First, I just create a new agent with a new socket on OSX and give full permissions:
However, I am getting the following error: Then, if I try to use
I get the following error: On the host, Additionally, I tried with debian as well, but no luck:
Is there something I am doing wrong? I would really appreciate some help. Thanks! @andytson
@vcajes: The chmod command should be done within the docker container, not on the host.
@jvcdk I have tested both approaches, with and without the chmod, on the host and/or in the container, still no luck. Getting the same errors as above. On the host everything works fine:
@vcajes Your volume parameter needs to be exactly as above, i.e. You're not actually pointing at a socket on your host system, you're pointing at some other special machinery in Docker Desktop for Mac that enables specifically the SSH agent forwarding.
@vcajes Actually you need to use exactly this mount:
@treyd wow, it was just that. Thanks guys. Working now! :)
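The failures traded back and forth above (a socket file that is present but refuses connections, a root-owned socket that a non-root USER cannot open, a mount that is not a socket at all) can be told apart by speaking the ssh-agent protocol directly instead of guessing from `ssh-add -l`. The following is an added example, not code from the issue or from Docker Desktop: it sends SSH_AGENTC_REQUEST_IDENTITIES (message number 11 in draft-miller-ssh-agent) to the socket in SSH_AUTH_SOCK and classifies the outcome; the fake agent, the stale socket and the directory it probes are all constructed inside `demo()`.

```python
import os, socket, stat, struct, tempfile, threading
SSH_AGENTC_REQUEST_IDENTITIES, SSH_AGENT_IDENTITIES_ANSWER = 11, 12  # ssh-agent protocol message numbers

def probe_agent(path):
    """Return ('ok', key_count) or ('error', reason) for the agent socket at path (like ssh-add -l)."""
    if not os.path.exists(path):
        return ("error", "socket path does not exist")
    if not stat.S_ISSOCK(os.stat(path).st_mode):
        return ("error", "path is not a unix socket")  # e.g. a directory left behind by a wrong bind mount
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(2)
            s.connect(path)
            s.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))  # length 1, then the request type
            reply = s.makefile("rb")
            hdr = reply.read(4)  # every agent message carries a 4-byte big-endian length prefix
            body = reply.read(struct.unpack(">I", hdr)[0]) if len(hdr) == 4 else b""
    except PermissionError:
        return ("error", "permission denied (socket owned by another user)")
    except OSError as exc:  # ECONNREFUSED, timeouts: ssh-add's "Could not open a connection"
        return ("error", "could not open a connection: " + type(exc).__name__)
    if len(body) < 5 or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        return ("error", "unexpected agent response")
    return ("ok", struct.unpack(">I", body[1:5])[0])

def serve_fake_agent(path, n_keys):
    """Constructed stand-in for ssh-agent: answers one request with n_keys empty identities."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    def handle():
        conn, _ = srv.accept()
        with srv, conn:
            conn.makefile("rb").read(5)  # consume the length prefix plus the request type
            body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", n_keys)
            body += struct.pack(">II", 0, 0) * n_keys  # empty key blob and empty comment per identity
            conn.sendall(struct.pack(">I", len(body)) + body)
    thread = threading.Thread(target=handle, daemon=True)
    thread.start()
    return thread

def demo():
    """Probe a working agent, a stale socket file and a plain directory (all constructed here)."""
    workdir = tempfile.mkdtemp()
    good, stale = os.path.join(workdir, "agent.sock"), os.path.join(workdir, "stale.sock")
    socket.socket(socket.AF_UNIX, socket.SOCK_STREAM).bind(stale)  # file exists, but nobody listens
    thread = serve_fake_agent(good, 2)
    verdicts = {"good": probe_agent(good), "stale": probe_agent(stale), "dir": probe_agent(workdir)}
    thread.join(5)
    return verdicts
```

Inside a container, `probe_agent(os.environ.get("SSH_AUTH_SOCK", ""))` gives the same three-way split without needing ssh-add installed, which matters on images where openssh-client is missing.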
You can also extend the technique like this to get access to the docker socket from within a docker container:
I've made a solution for my employer which can be installed via Homebrew and runs as a service: punktDe/docker-mac-ssh-auth-sock. After install
Workarounds hopefully are no longer necessary with edge builds (2.1.4.0+) and will be fixed for good once those get merged back to a stable release.
This will indeed be available in the upcoming (next week) Stable 2.2.0.0 release.
A little caveat:
On 2.2.0.0, I'm still getting the result OP got in his example:
returns:
Edit: found my problem above. I guess you don't mount ${SSH_AUTH_SOCK} but instead
Hi, I can also confirm that the newest stable (2.2.0.0) works as intended when using the "magic" mounting path Thanks so much @guillaumerose, I guess this issue might finally be closed after 4 years 🎉
I'm not so sure this issue is fixed. Title and description explicitly mention
What about using a To conclude this ticket, in your
Expected behavior
OSX ssh-agent socket is available (for mount) in containers
Actual behavior
OSX ssh-agent socket is available, but does not work because it's a socket (unable to connect)
Information
https://forums.docker.com/t/can-we-re-use-the-osx-ssh-agent-socket-in-a-container/8152
It would be great if Docker for Mac would forward the OSX ssh-agent's socket into the VM, just like it does with docker.sock. A generic solution for sockets would also help a lot.