
SSH Agent forwarding inside docker compose container

Could not open a connection to your authentication agent.

I am following the approach of mounting the $SSH_AUTH_SOCK as a volume, but doing so with compose.

Setup

~/.ssh/config

Host *
  ForwardAgent yes

Dockerfile:

FROM atlashealth/ruby:2.2.2

RUN apt-get update -qq && \
    apt-get install -qy build-essential libxml2-dev libxslt1-dev \
            g++ qt5-default libqt5webkit5-dev xvfb dbus \
            libmysqlclient-dev \
            mysql-client openssh-client git && \
    # cleanup
    apt-get clean && \
    cd /var/lib/apt/lists && rm -fr *Release* *Sources* *Packages* && \
    truncate -s 0 /var/log/*log

Compose yaml:

web:
  build: "."
  environment:
  - SSH_AUTH_SOCK=/ssh-agent
  volumes:
  - "$SSH_AUTH_SOCK:/ssh-agent"

NOTE: I have interpolation running on my compose, so $SSH_AUTH_SOCK is substituted with /private/tmp/com.apple.launchd.ZxGtZy6a9w/Listeners for example.

I have forwarding set up properly on my OS X host; it works against another Ubuntu host.

Run

docker-compose run web bash

In-Container

When I run ssh-add -L, it states Could not open a connection to your authentication agent.

When I run ssh-agent, it yields

SSH_AUTH_SOCK=/tmp/ssh-vqjuo7FIfVOL/agent.21; export SSH_AUTH_SOCK;
SSH_AGENT_PID=22; export SSH_AGENT_PID;
echo Agent pid 22;

When I run echo $SSH_AUTH_SOCK from bash, it yields /ssh-agent

Question

It seems that compose is making the SSH_AUTH_SOCK available to bash, but it seems that the ssh-agent is not getting that same env. What am I missing?

kross asked Oct 01 '15 22:10

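A diagnostic for the symptom in the question, as an added example that is not part of the original post: run inside the container, it reports whether the path in SSH_AUTH_SOCK is a live agent socket. The function name check_agent_sock and its state labels are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): classify what SSH_AUTH_SOCK
# points at inside a container. Prints one state word; returns 0 only when
# an agent answers on the socket.
check_agent_sock() {
    sock="${1-${SSH_AUTH_SOCK-}}"   # optional argument overrides the env var
    if [ -z "$sock" ]; then
        echo unset; return 1
    fi
    if [ ! -e "$sock" ]; then
        echo missing; return 1
    fi
    if [ -d "$sock" ]; then
        # When a bind-mount source does not exist on the Docker host,
        # Docker creates an empty directory there, so the mount point
        # shows up as a directory instead of a socket.
        echo directory; return 1
    fi
    if [ ! -S "$sock" ]; then
        echo not-a-socket; return 1
    fi
    if ! command -v ssh-add >/dev/null 2>&1; then
        echo no-ssh-add; return 1
    fi
    # ssh-add -l exit codes: 0 = keys listed, 1 = agent reachable but
    # holds no identities, 2 = could not contact the agent.
    rc=0
    SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) echo agent-with-keys; return 0 ;;
        1) echo agent-no-keys; return 0 ;;
        *) echo no-agent-listening; return 1 ;;
    esac
}

# Report the state of the current environment's socket.
check_agent_sock || true
```

Running ssh-agent on its own, as in the question, starts a new, empty agent and prints its settings; it does not test the mounted socket.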


2 Answers

I solved it using whilp/ssh-agent, though you should note that this is not using SSH_AUTH_SOCK directly and requires an additional long running container. I'll integrate this approach into docker-rails for ease of use.

  1. Start a long running container:
     docker run -d --name=ssh-agent whilp/ssh-agent:latest

  2. Add your key:
     docker run --rm --volumes-from=ssh-agent -v ~/.ssh:/ssh -it whilp/ssh-agent:latest ssh-add /ssh/id_rsa

  3. List your keys:
     docker run --rm --volumes-from=ssh-agent -v ~/.ssh:/ssh -it whilp/ssh-agent:latest ssh-add -L

  4. bash into a container and check the key with ssh -T [email protected]

My yaml looks like:

web:
    build: .
    working_dir: /project
    ports:
      - "3000"

    environment:
      # make ssh keys available via ssh forwarding (see volume entry)
      - SSH_AUTH_SOCK=/ssh-agent/socket

    volumes_from:
      # Use configured whilp/ssh-agent long running container for keys
      - ssh-agent

kross answered Oct 26 '22 11:10



The previous accepted answer using whilp/ssh-agent did not work for me for some reason (it worked before but since last changes it doesn't and I don't know why) so I created my own agent container:

docker-ssh-agent

based on a minimal alpine:3.4 base image. So anyone still having trouble with this on OSX, check the README; it's now really easy to get it up and running!

nardeas answered Oct 26 '22 11:10
