SSH Agent forwarding inside docker compose container

Question

Could not open a connection to your authentication agent.

I am following the approach of mounting the $SSH_AUTH_SOCK as a volume, but doing so with compose.

Setup

~/.ssh/config

Host *
  ForwardAgent yes

Dockerfile:

FROM atlashealth/ruby:2.2.2

RUN apt-get update -qq && \
    apt-get install -qy build-essential libxml2-dev libxslt1-dev \
            g++ qt5-default libqt5webkit5-dev xvfb dbus \
            libmysqlclient-dev \
            mysql-client openssh-client git && \

    # cleanup
    apt-get clean && \
    cd /var/lib/apt/lists && rm -fr *Release* *Sources* *Packages* && \
    truncate -s 0 /var/log/*log

Compose yaml:

web:
  build: "."
  environment:
  - SSH_AUTH_SOCK=/ssh-agent
  volumes:
  - "$SSH_AUTH_SOCK:/ssh-agent"

NOTE: I have interpolation running on my compose, so $SSH_AUTH_SOCK is substituted with /private/tmp/com.apple.launchd.ZxGtZy6a9w/Listeners for example.

I have forwarding setup on my host OSX properly, it works against another ubuntu host.

Run

docker-compose run web bash

In-Container

When I run ssh-add -L, it states Could not open a connection to your authentication agent.

When I run ssh-agent, it yields

SSH_AUTH_SOCK=/tmp/ssh-vqjuo7FIfVOL/agent.21; export SSH_AUTH_SOCK;
SSH_AGENT_PID=22; export SSH_AGENT_PID;
echo Agent pid 22;

When I run echo $SSH_AUTH_SOCK from bash, it yields /ssh-agent

Question

It seems that compose is making the SSH_AUTH_SOCK available to bash, but it seems that the ssh-agent is not getting that same env. What am I missing?

Answer 1

I solved it using whilp/ssh-agent, though you should note that this is not using SSH_AUTH_SOCK directly and requires an additional long running container. I'll integrate this approach into docker-rails for ease of use.

1. Start a long running container docker run -d --name=ssh-agent whilp/ssh-agent:latest

2. Add your key docker run --rm --volumes-from=ssh-agent -v ~/.ssh:/ssh -it whilp/ssh-agent:latest ssh-add /ssh/id_rsa

3. List your keys docker run --rm --volumes-from=ssh-agent -v ~/.ssh:/ssh -it whilp/ssh-agent:latest ssh-add -L

4. bash into a container and check the key with ssh -T [email protected]

My yaml looks like:

web:
    build: .
    working_dir: /project
    ports:
      - "3000"

    environment:
      # make ssh keys available via ssh forwarding (see volume entry)
      - SSH_AUTH_SOCK=/ssh-agent/socket

    volumes_from:
      # Use configured whilp/ssh-agent long running container for keys
      - ssh-agent

Answer 2

The previous accepted answer using whilp/ssh-agent did not work for me for some reason (it worked before but since last changes it doesn't and I don't know why) so I created my own agent container:

docker-ssh-agent

based on minimal alpine:3.4 base image. So anyone still having trouble with this on OSX, check the README it's now really easy to get it up and running!