고정 헤더 영역
상세 컨텐츠
본문
Solution that you provided works, but it's not convenient / experimental. It requires to append additional parameters on every docker run command which complicates stuff like running containers through docker-compose. It runs separate ssh-agent and shares your local key to that agent. What if your key is encrypted?. We want to make our scripts / files as much platform-independent as possible and this complicates things Would be a lot better if docker for mac provided native support for ssh agent forwarding or socket forwarding in general as mentioned in P.S.
Dropbear is a small SSH server and client that supports multi-hop mode and that permits TCP forwarding to tunnel through several hosts in a single command. SSH (or Secure Shell) is a great service to enable on your Mac at home or work. Shares SSH (or Secure Shell ) is a great service to enable on your Mac at home or work.
Currently docker.sock is forwarded, it's probably not that hard to achieve same solution for other sockets too. I've run into problems trying to support the ssh-agent SSHAUTHSOCK specifically with 'Docker for Mac'. The problem appears to be due to across the OS X Host / Docker Container boundary. As the documentation states: Socket files and named pipes only transmit between containers and between OS X processes – no transmission across the hypervisor is supported, yet.
So I can mount in the ssh-agent socket, it appears inside the container fine. However, accessing it via ssh-add -l always results in: ' Could not open a connection to your authentication agent.'
For example, I can find my SSHAUTHSOCK file on the OSX host (e.g.: /private/tmp/com.apple.launchd.abCDEfghiJ/Listeners) Then, I can run a container using 'Docker for Mac' by passing in the volume mount & environment variable arguments like: -v /private/tmp/com.apple.launchd.abCDEfghiJ:/ssh-agent -e SSHAUTHSOCK=/ssh-agent/Listeners Inside the container, the socket appears as a socket owned by root. I'm running as root in the container & have rw access. However, ssh-add cannot communicate over the socket. The clean way of working around this is to have a docker being responsible for the ssh-agent. Start a docker with a volume /agent and entrypoint ssh-agent - Use docker cp to copy the private key to the container - ssh-add the key and remove it. Use -volume-from instead of mounting the ssh-socket from localhost. If you do it as a bash function the magic stuff can happen in the shadows.
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.
I've been using which seems to implement 's solution. It provides an sshd container that you can forward the Darwin agent do ( ssh -A.), and exposes the agent as a socket in a docker volume that the target container can then use. A crude diagram: +-+ +-+ +-+ +-+ SSH Filesystem Volume Filesystem Target MacOSX +- sshd +- With +- Container Socket +-+ +-+ +-+ +-+ There's also a, but I couldn't get it to work reliably for whatever reason.
The example in your original issue works for me on Linux with the exception that in the container I make the agent simply /ssh-agent to avoid anything strange from creating non-existent folders plus to also simplify things. Your error report lacks some key details. What happens when you try to ls on the key in docker, cat it, echo the variable to make sure it's good, etc. Have you tested that on another hosts, checked mounts, etc? I might be wrong but I assume both docker.sock and the agent file are the same thing aren't they?
A special file pointing to a unix socket? If that is indeed the case and it works for docker.sock perhaps Mac has a different security set up for SSH agent sockets. For me on Linux it looks like they are all sockets and there's no immediately obvious reason why one should work and not another beyond permissions on the host. Are you also sure that agent forwarding is working at all on your host? SSH might be working in an outer shell if ssh it taking your private key directly. There is some good advice here: In the long run using the default auth sock is a problematic. If you do a normal docker run or docker-compose run it'll be fine to mount it.
You have to keep in mind if what you want to do is something you log in, run, wait for it to finish or if it's something you fire and forget. Basically you're going to have a problem with anything unattended or that you want to initiate through an interface other than SSH. If instead you do something that daemonises containers and then close the session you started them in then your ssh sock will disappear and those containers will no longer be able to connect to SSH using your keys. Mounting personal keys to a docker container is a particularly extreme risk and almost defeats the entire point. It's like storing your raw meat in the lion cage. Agent forwarding carries its own risks but is a mitigation of the risk introduced by exposing your keys. In some cases keys wont be on the machine in question.
Dropbear Ssh Key
You'll ssh into a docker host using agent forwarding and in this case you really don't want ssh agent to have persistence. Given that it's dependent on your originating connection, then it shouldn't be possible to make it persistent. These problems aren't simply docker issues but fundamental to the way SSH key security works. My recommendation is one of the following:. Create separate keys for development, builds, deploy, etc rather than having personal keys used. This wont always be perfect but at least you're not at risk of exposing your own personal keys. Avoid the need for having to ssh into things altogether at all in docker.
There are any number of approaches to this (is authentication for read access even needed in a secure network for example). Mirroring such that the problem only exists in one place is another approach (one container managers fetching everything that needs credentials). If it's genuinely a problem maybe you can do something nasty like you should be able to have a service to translate a domain sock to a TCP endpoint and vice versa. It's not that hard except you'll be publishing your SSH agent over an unsecure port and you'll also need some processes both hostside and container side to manage that.
At the time Mariusgrigaitis posted, part of the dilemma stemmed from the fact that folks were trying to mount sockets like we mount files. Stackoverflow has a great article on sharing sockets between Mac through the hypervisor.
Many developers have been successful with using docker-ssh-agent-forward, however, it was an experimental process, and it was recommended for those who were attempting to do so, contact for immediate assistance. There's also a README.md available on Github.
There's yet another option to run ssh-agent in your container, and access it through your MacOs. The solution: docker-ssh-agent.
How successful that has been for developers, tap me back at this posting and let me know of your experiences, whether they have been positive or negative.
