Docker Community Forums


Can we re-use the OSX ssh-agent socket in a container?


(Brian Claridge) #1

Now that /private is available to be mounted – will I be able to re-use the OSX ssh-agent inside my container?

for example:
docker run -it -v ${SSH_AUTH_SOCK}:${SSH_AUTH_SOCK} -e SSH_AUTH_SOCK="${SSH_AUTH_SOCK}" --rm golang ssh -T git@github.com

There was a solution mentioned in the meetup yesterday, but I’m not finding it here.


(Dave Tucker) #2

Yes! Sorry - I forgot to ask Anil to post it to the forums. Thanks for the reminder :slight_smile:


(Dblandin) #3

Has there been a forum post or docs update with the mentioned solution? I’m also interested in this. Thanks!


(Ryan Graham) #4

In the docs it says:

Socket files and named pipes only transmit between containers and between OS X processes – no transmission across the hypervisor is supported, yet.

Which suggests to me that we still cannot share the ssh-agent socket from OS X to inside a docker container :frowning:


(David Sheets) #5

There is https://github.com/avsm/docker-ssh-agent-forward but it’s not the officially supported method to do this, yet.

We do have generic socket forwarding planned for a beta in the next month but work hasn’t yet begun on it.


(Brian Claridge) #6

This is similar to some of the previous tricks used against docker host VMs w/ sshd running. I think it’ll work great till a supported solution is available. Thank you!


(Brian Claridge) #7

Another thing you can do in ssh-find-agent.sh is create a symbolic link to ${SSH_AUTH_SOCK} – instead of setting and reading in the path, you can assume it always exists in /tmp/agent.sock.

ln -sf $SSH_AUTH_SOCK /tmp/agent.sock

then…

docker run -it \
  -v ${LOCAL_STATE}:/tmp \
  -e SSH_AUTH_SOCK=/tmp/agent.sock \
  golang ssh -T git@github.com

This has also made defining the path in compose files quite trivial…


(Rcoup) #8

We do have generic socket forwarding planned for a beta in the next month but work hasn’t yet begun on it.

@dsheets any updates on socket support yet?


(David Sheets) #9

@rcoup No, unfortunately. We’re prioritizing bug fixes and performance right now.


(Alexandre Garcia) #10

Hey @dsheets, any updates?

cheers


(François Petitit) #11

Hello, is there a GitHub issue related to this problem?
I have not found any.

Thanks


(Rompalmas) #12

Hey @bclaridge

Have you managed to make it work? I use Docker for Mac (1.12.0-rc2-beta17 (build: 9779)) and tried many solutions but I always get the error: bind: Address already in use

docker run -it -v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK="$SSH_AUTH_SOCK" --rm ubuntu bash

root@2ef24e4b480d:/# echo $SSH_AUTH_SOCK
/private/tmp/com.apple.launchd.F1ULFbm6Mx/Listeners

root@2ef24e4b480d:/# ssh-add -l
Could not open a connection to your authentication agent.

root@2ef24e4b480d:/# eval $(`ssh-agent -a $SSH_AUTH_SOCK`)
bind: Address already in use

Thanks
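The three outcomes in the post above (a path that echoes fine, `ssh-add -l` that cannot reach an agent, and `bind: Address already in use` when an agent is started on top of the mounted path) can be told apart by speaking the agent protocol directly. The script below is an added example of mine, not code from this thread or from Docker for Mac: it stats `SSH_AUTH_SOCK`, tries to connect, sends the same `SSH_AGENTC_REQUEST_IDENTITIES` message that `ssh-add -l` sends, and parses the `SSH_AGENT_IDENTITIES_ANSWER` reply. The fake agent, the socket path and the `laptop-key` identity are constructed so the whole thing runs offline; against a real agent (or any of the symlink/socat bridges discussed later in the thread) you would run it inside the container with `SSH_AUTH_SOCK` set and read the status it prints.

```python
import os
import socket
import stat
import struct
import tempfile
import threading

# Message types from the OpenSSH agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12

def _string(b):
    """Encode bytes as an SSH 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    """Decode an SSH 'string' at offset off; returns (data, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n

def _recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer hangs up first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection early")
        buf += chunk
    return buf

def build_request_identities():
    """The framed request ssh-add -l sends: length 1, body = type byte 11."""
    return struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES)

def parse_identities_answer(body):
    """Parse SSH_AGENT_IDENTITIES_ANSWER into a list of (key_type, comment)."""
    if not body or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type: %r" % body[:1])
    (count,) = struct.unpack_from(">I", body, 1)
    off = 5
    keys = []
    for _ in range(count):
        blob, off = _read_string(body, off)
        comment, off = _read_string(body, off)
        key_type, _ = _read_string(blob, 0)  # a key blob starts with its type name
        keys.append((key_type.decode(), comment.decode("utf-8", "replace")))
    return keys

def probe_agent(path):
    """Classify SSH_AUTH_SOCK: unset, missing, not-a-socket, unreachable, or ok."""
    if not path:
        return ("unset", "SSH_AUTH_SOCK is empty")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ("missing", "%s does not exist in this filesystem" % path)
    if not stat.S_ISSOCK(st.st_mode):
        return ("not-a-socket", "%s exists but is not a Unix socket" % path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(2)
    try:
        sock.connect(path)
        sock.sendall(build_request_identities())
        (length,) = struct.unpack(">I", _recv_exact(sock, 4))
        body = _recv_exact(sock, length)
    except OSError as exc:
        # A mounted socket whose listener sits on the other side of the
        # hypervisor ends up here: the path exists, nobody answers.
        return ("unreachable", str(exc))
    finally:
        sock.close()
    return ("ok", parse_identities_answer(body))

def constructed_identities_answer():
    """Constructed sample reply: one ed25519 key with comment 'laptop-key'."""
    blob = _string(b"ssh-ed25519") + _string(b"\x01" * 32)
    return (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
            + _string(blob) + _string(b"laptop-key"))

def serve_fake_agent(path, answer, ready):
    """Stand-in agent (constructed for this example): answer one request, then exit."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    with conn:
        (length,) = struct.unpack(">I", _recv_exact(conn, 4))
        if _recv_exact(conn, length) == bytes([SSH_AGENTC_REQUEST_IDENTITIES]):
            conn.sendall(_string(answer))
    srv.close()

def demo_against_fake_agent():
    """Probe the fake agent; returns ('ok', [('ssh-ed25519', 'laptop-key')])."""
    path = os.path.join(tempfile.mkdtemp(), "agent.sock")  # constructed path
    ready = threading.Event()
    thread = threading.Thread(target=serve_fake_agent,
                              args=(path, constructed_identities_answer(), ready),
                              daemon=True)
    thread.start()
    ready.wait(2)
    result = probe_agent(path)
    thread.join(2)
    return result

if __name__ == "__main__":
    status, detail = probe_agent(os.environ.get("SSH_AUTH_SOCK", ""))
    print(status, detail)
```

Running it in the container tells you which layer is broken: `missing` means the `-v` mount did not land, `not-a-socket` or `unreachable` means the path crossed the mount but the listener did not, and `ok` with an empty list means the bridge works and the agent simply holds no keys. Starting a second `ssh-agent -a` on a path that already exists is exactly what produces the `bind: Address already in use` seen above, so the probe is the safer first step.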


(Marius Grigaitis) #13

+1 for this issue. Very annoying when you have encrypted private key.


(Brian Claridge) #14

Like you, I’m still waiting for a real solution. In the meantime I’m following this solution:


(Pobrien) #15

+1 for this issue - we have plenty of private gems in our bundler Gemfiles that we pull via ssh.


(Samifruit514) #16

Do you think generic socket forwarding feature will be available in beta24?

Thank you


(Marius Grigaitis) #17

I’ve created an issue in GitHub https://github.com/docker/for-mac/issues/410


(Samifruit514) #18

I found a quite simple way to forward the agent:

run this in the container
socat UNIX-LISTEN:/var/run/agentBridge.sock,reuseaddr,fork TCP:192.168.65.1:12345

run this on the mac osx host
socat TCP-LISTEN:12345,reuseaddr,fork,bind=127.0.0.1 UNIX-CLIENT:$SSH_AUTH_SOCK

The drawback is that it’s listening on a public port 12345 which could be read by anybody, but it’s limited to the loopback device (and xhyve box)


(Tarikihr) #19

I implemented a solution to this problem using docker-ssh-agent-forward for using ssh-agent at runtime and committing intermediary images for builds (yes, docker build). This should be more robust than using socat for concurrent builds (socat can only handle single connections unless you are using fork which complicates things further) and more secure. It works great on Docker for Mac and Linux alike.

I have posted complete solution with documentation, examples and base Dockerfile for node/npm here: https://github.com/iheartradio/docker-node

It can of course be extended to other development environments.


(Gordon Diggs) #20

docker-ssh-agent-forward doesn’t seem to work with Docker for Mac on MacOS Sierra. Does anyone have another workaround?