38

I would like to use ssh-agent to forward my keys into the docker image and pull from a private github repo.

I am using a slightly modified version of https://github.com/phusion/passenger-docker with boot2docker on Yosemite.

ssh-add -l
...key details
boot2docker up

Then I use the command which I have seen in a number of places (i.e. https://gist.github.com/d11wtq/8699521):

docker run --rm -t -i -v $SSH_AUTH_SOCK:/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent my_image /bin/bash

However, it doesn't seem to work:

root@299212f6fee3:/# ssh-add -l
Could not open a connection to your authentication agent.

root@299212f6fee3:/# eval `ssh-agent -s`
Agent pid 19

root@299212f6fee3:/# ssh-add -l
The agent has no identities.

root@299212f6fee3:/# ssh [email protected]
Warning: Permanently added the RSA host key for IP address '192.30.252.128' to the list of known hosts.
Permission denied (publickey).
1
  • What are the permissions on the file $SSH_AUTH_SOCK? Commented Nov 20, 2014 at 11:48

8 Answers

28

Since version 2.2.0.0, Docker for macOS allows users to access the host's SSH agent inside containers.

Here's an example command that lets you do it:

docker run --rm -it \
-v /run/host-services/ssh-auth.sock:/ssh-agent \
-e SSH_AUTH_SOCK="/ssh-agent" \
my_image

Note that you have to mount the specific path (/run/host-services/ssh-auth.sock) instead of the path contained in the $SSH_AUTH_SOCK environment variable, like you would do on Linux hosts.


6 Comments

After more digging: works only if the user inside the container is root, I think (otherwise he cannot access the socket in the VM).
On my mac OS Big Sur there's no such path /run/host-services. Why? Should I install something?
@Salivan I also don't have this path myself. This is a "magic" mount - docker knows how to handle this path when it sees it. Did you try it out?
@JakubKukul yep, and it worked. Why isn't it documented anywhere? Or at least my google isn't able to find the documentation where this is mentioned.
@Salivan Ideally this should be documented somewhere, yes. I found out about it by following this Github issue's thread: github.com/docker/for-mac/issues/410
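An added example, not part of this answer or any other post on the page: a small wrapper script that picks the host-side socket path for the platform (the Docker Desktop path from this answer on macOS, $SSH_AUTH_SOCK on Linux) and, on Linux, checks that the path is really a Unix socket and that the agent holds a key before starting the container, so a missing variable or an empty agent fails on the host instead of surfacing as "Permission denied (publickey)" inside the container. The container-side path /ssh-agent is the one used above; the script and function names are my own, and an empty $SSH_AUTH_SOCK is rejected explicitly because it otherwise becomes the invalid volume spec ":/ssh-agent". As the comments note, the Docker Desktop socket is only usable by root inside the container; this script does not change that.

```shell
#!/bin/sh
# docker-run-ssh: run a container with the host's ssh-agent forwarded in.
# Added example; not code from the question or any answer on this page.
# Assumptions (constructed): the container-side path /ssh-agent and the
# Docker Desktop path /run/host-services/ssh-auth.sock from the answer above.
set -eu

# Print the host-side path to bind-mount, given `uname -s` and $SSH_AUTH_SOCK.
# Docker Desktop on macOS exposes the host agent at a fixed path inside its VM;
# on Linux the agent socket is a real file on the host and is mounted directly.
agent_host_socket() {
    os=$1
    sock=$2
    case "$os" in
        Darwin) printf '%s\n' /run/host-services/ssh-auth.sock ;;
        Linux)
            if [ -z "$sock" ]; then
                echo "SSH_AUTH_SOCK is not set; start ssh-agent and ssh-add first" >&2
                return 1
            fi
            printf '%s\n' "$sock" ;;
        *) echo "unsupported host OS: $os" >&2; return 1 ;;
    esac
}

# Linux preflight: the path must be a Unix socket we can reach, and the agent
# must actually hold an identity (ssh-add -l exits 0 only in that case),
# otherwise the container can only ever see "Permission denied (publickey)".
check_host_agent() {
    sock=$1
    if [ ! -S "$sock" ]; then
        echo "$sock is not a Unix socket" >&2
        return 1
    fi
    if ! SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null 2>&1; then
        echo "agent at $sock is unreachable or has no identities (run ssh-add)" >&2
        return 1
    fi
}

main() {
    os=$(uname -s)
    host_sock=$(agent_host_socket "$os" "${SSH_AUTH_SOCK:-}")
    # The Docker Desktop path does not exist on the macOS side, so the socket
    # check only makes sense on Linux.
    if [ "$os" != Darwin ]; then
        check_host_agent "$host_sock"
    fi
    exec docker run --rm -it \
        -v "$host_sock:/ssh-agent" \
        -e SSH_AUTH_SOCK=/ssh-agent \
        "$@"
}

# Only run when given an image (and optional command), so the functions above
# can also be sourced and reused from another script.
if [ $# -gt 0 ]; then main "$@"; fi
```

Save it as ~/bin/docker-run-ssh, chmod +x it, and use `docker-run-ssh my_image /bin/bash` in place of the docker run command from the question; `ssh-add -l` inside the container should then list the host's keys.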
8

A one-liner:

Here’s how to set it up on Ubuntu 16 running a Debian Jessie image:

docker run --rm -it --name container_name \
-v $(dirname $SSH_AUTH_SOCK):$(dirname $SSH_AUTH_SOCK) \
-e SSH_AUTH_SOCK=$SSH_AUTH_SOCK my_image

https://techtip.tech.blog/2016/12/04/using-ssh-agent-forwarding-with-a-docker-container/

2 Comments

This looks very promising, but on OS X I'm getting a Permission denied (publickey). error. Perhaps it's because on non-Linux hosts Docker is running in its own VM?
Works great for me on Linux.
4

I expanded on @wilwilson's answer, and created a script that will set up agent forwarding in an OSX boot2docker environment.

https://gist.github.com/rcoup/53e8dee9f5ea27a51855

#!/bin/bash

# Use a unique ssh socket name per-invocation of this script
SSH_SOCK=boot2docker.$$.ssh.socket

# ssh into boot2docker with agent forwarding
ssh -i ~/.ssh/id_boot2docker \
    -o StrictHostKeyChecking=no \
    -o IdentitiesOnly=yes \
    -o UserKnownHostsFile=/dev/null \
    -o LogLevel=quiet \
    -p 2022 docker@localhost \
    -A -M -S $SSH_SOCK -f -n \
    tail -f /dev/null

# get the agent socket path from the boot2docker vm
B2D_AGENT_SOCK=$(ssh -S $SSH_SOCK docker@localhost echo \$SSH_AUTH_SOCK)

# mount the socket (from the boot2docker vm) onto the docker container
# and set the ssh agent environment variable so ssh tools pick it up
docker run \
    -v $B2D_AGENT_SOCK:/ssh-agent \
    -e "SSH_AUTH_SOCK=/ssh-agent" \
    "$@"

# we're done; kill off the boot2docker ssh agent
ssh -S $SSH_SOCK -O exit docker@localhost

Stick it in ~/bin/docker-run-ssh, chmod +x it, and use docker-run-ssh instead of docker run.

2 Comments

I created a version that works with docker-machine, now that Docker is recommending against using boot2docker. gist.github.com/leedm777/923706741c8296869e7d
dave - have you tried using this with docker-compose? Not sure how to modify your example to work with statically defined environment variables in docker-compose.yml.
1

I ran into a similar issue, and was able to make things pretty seamless by using ssh in master mode with a control socket and wrapping it all in a script like this:

#!/bin/sh

ssh -i ~/.vagrant.d/insecure_private_key -p 2222 -A -M -S ssh.socket -f [email protected] tail -f /dev/null

HOST_SSH_AUTH_SOCK=$(ssh -S ssh.socket [email protected] env | grep "SSH_AUTH_SOCK" | cut -f 2 -d =)

docker run -v $HOST_SSH_AUTH_SOCK:/ssh-agent \
       -e "SSH_AUTH_SOCK=/ssh-agent" \
       -t hello-world "$@"

ssh -S ssh.socket -O exit [email protected]

Not the prettiest thing in the universe, but much better than manually keeping an SSH session open IMO.

1 Comment

Meanwhile newer docker complains: docker: Error response from daemon: invalid volume spec ":/ssh-agent": invalid volume specification: ':/ssh-agent'.
1

For me accessing ssh-agent to forward keys worked on OSX Mavericks and docker 1.5 as follows:

  1. ssh into the boot2docker VM with boot2docker ssh -A. Don't forget to use option -A which enables forwarding of the authentication agent connection.

  2. Inside the boot2docker ssh session:

    docker@boot2docker:~$ echo $SSH_AUTH_SOCK
    /tmp/ssh-BRLb99Y69U/agent.7750

This session must be left open. Take note of the value of the SSH_AUTH_SOCK environmental variable.

  3. In another OS X terminal issue the docker run command with the SSH_AUTH_SOCK value from step 2 as follows:

    docker run --rm -t -i \
      -v /tmp/ssh-BRLb99Y69U/agent.7750:/ssh-agent \
      -e SSH_AUTH_SOCK=/ssh-agent my_image /bin/bash
    root@600d0e9b443d:/# ssh-add -l
    2048 6c:8e:82:08:74:33:78:61:f9:9a:74:1b:65:46:be:eb /Users/dev/.ssh/id_rsa (RSA)

I don't really like the fact that I have to keep a boot2docker ssh session open to make this work, but until a better solution is found, this at least worked for me.

Comments

1

Socket forwarding doesn't work on OS X yet. Here is a variation of @henrjk's answer brought into 2019 using Docker for Mac instead of boot2docker, which is now obsolete.

  1. First run an ssh server in the container, with /tmp being on the exportable volume, like this:

     docker run -v tmp:/tmp \
     -v ${HOME}/.ssh/id_rsa.pub:/root/.ssh/authorized_keys:ro \
     -d -p 2222:22 arvindr226/alpine-ssh

  2. Then ssh into this container with agent forwarding:

     ssh -A -p 2222 root@localhost

  3. Inside of that ssh session, find out the current socket for ssh-agent:

     3f53fa1f5452:~# echo $SSH_AUTH_SOCK
     /tmp/ssh-9zjJcSa3DM/agent.7

  4. Now you can run your real container. Just make sure to replace the value of SSH_AUTH_SOCK below with the value you got in the step above:

     docker run -it -v tmp:/tmp \
     -e SSH_AUTH_SOCK=/tmp/ssh-9zjJcSa3DM/agent.7 \
     vladistan/ansible

1 Comment

Still useful and working on Docker Desktop for Mac in Aug 2022 for deploying a Rails 7 app using Capistrano agent forwarding.
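An added script, not the answerer's own code, that automates the four steps above in the same way the vagrant control-socket script in an earlier answer does: it starts the relay sshd container on a named volume, opens one multiplexed ssh master with agent forwarding, reads SSH_AUTH_SOCK from that session, runs the real container on the same volume, and tears both down on exit. The image arvindr226/alpine-ssh, host port 2222 and the authorized_keys mount come from the steps above; the relay container name, the volume name agent-tmp, the control socket path and the retry loop are constructed. It also refuses an empty or out-of-/tmp socket path before calling docker run, which is what otherwise produces the invalid volume spec ":/ssh-agent" error mentioned in a comment on an earlier answer.

```shell
#!/bin/sh
# ssh-relay-run: forward the host ssh-agent into a container via an sshd
# "relay" container that shares a /tmp volume with the real container.
# Added example automating the answer's steps; not the answerer's code.
# Constructed names: RELAY_NAME, RELAY_VOLUME and CTRL_SOCK. The image, the
# port and the authorized_keys mount are the ones from the answer.
set -eu

RELAY_NAME=ssh-agent-relay
RELAY_VOLUME=agent-tmp
RELAY_PORT=2222
CTRL_SOCK=${TMPDIR:-/tmp}/ssh-relay.$$.ctl

# Validate the socket path reported by the relay session. An empty value is
# what turns "-v $SOCK:/ssh-agent" into docker's "invalid volume spec" error,
# and a path outside /tmp would not be on the shared volume at all.
check_agent_sock() {
    case "$1" in
        /tmp/*) return 0 ;;
        "") echo "relay session has no SSH_AUTH_SOCK; was -A given?" >&2; return 1 ;;
        *)  echo "unexpected agent socket path: $1" >&2; return 1 ;;
    esac
}

start_relay() {
    docker run -d --rm --name "$RELAY_NAME" \
        -v "$RELAY_VOLUME:/tmp" \
        -v "$HOME/.ssh/id_rsa.pub:/root/.ssh/authorized_keys:ro" \
        -p "$RELAY_PORT:22" arvindr226/alpine-ssh >/dev/null
    # Master connection with agent forwarding (-A). The idle `tail` keeps the
    # session, and with it the forwarded agent socket, alive. The relay
    # generates a fresh host key every run and only listens on localhost,
    # so host-key pinning is skipped for it; sshd needs a moment to come up,
    # hence the retries.
    n=0
    until ssh -A -M -S "$CTRL_SOCK" -f -n -p "$RELAY_PORT" \
            -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
            -o LogLevel=quiet root@localhost tail -f /dev/null; do
        n=$((n + 1))
        if [ "$n" -ge 10 ]; then
            echo "relay sshd did not come up" >&2
            return 1
        fi
        sleep 1
    done
}

stop_relay() {
    ssh -S "$CTRL_SOCK" -O exit root@localhost 2>/dev/null || true
    docker stop "$RELAY_NAME" >/dev/null 2>&1 || true
}

main() {
    start_relay
    trap stop_relay EXIT
    # Ask the relay session where sshd placed the forwarded agent socket
    # (step 3 above), then hand that path to the real container (step 4).
    sock=$(ssh -S "$CTRL_SOCK" root@localhost 'echo "$SSH_AUTH_SOCK"')
    check_agent_sock "$sock"
    docker run --rm -it -v "$RELAY_VOLUME:/tmp" -e "SSH_AUTH_SOCK=$sock" "$@"
}

# Only run when given an image (and optional command), so the functions
# above can be sourced and reused.
if [ $# -gt 0 ]; then main "$@"; fi
```

Usage is `ssh-relay-run vladistan/ansible` (or any image plus command); the relay container and the ssh master are removed when the script exits, including on Ctrl-C, because of the EXIT trap.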
0

By default, boot2docker shares only files under /Users. SSH_AUTH_SOCK is probably under /tmp so the -v mounts the agent of the VM, not the one from your mac.

If you set up your VirtualBox to share /tmp, it should be working.

3 Comments

This sounds promising, could you provide some more information on how to do this? I found this: github.com/boot2docker/boot2docker#virtualbox-guest-additions but I'm relatively new to docker
Open your VirtualBox, right click on the boot2docker VM, Settings, Shared Directories, click the add button, enter /tmp, tick automount and permanent. However, after testing, it appears that a shared directory does not allow you to share the socket, so it will not work.
I don't think this is possible. SSH_AUTH_SOCK is a Unix socket, not a file, so it can't be shared with VirtualBox the way files are.
0

Could not open a connection to your authentication agent.

This error occurs when $SSH_AUTH_SOCK env var is set incorrectly on the host or not set at all. There are various workarounds you could try. My suggestion, however, is to dual-boot Linux and macOS.

Additional resources:

Comments
