Can we re-use the OSX ssh-agent socket in a container?

bclaridge · March 31, 2016, 5:05pm

Now that /private is available to be mounted – will I be able to re-use the OSX ssh-agent inside my container?

for example:
docker run -it -v ${SSH_AUTH_SOCK}:${SSH_AUTH_SOCK} -e SSH_AUTH_SOCK="${SSH_AUTH_SOCK}" --rm golang ssh -T git@github.com

There was a solution mentioned in the meetup yesterday, but I’m not finding it here.

davetucker · March 31, 2016, 6:24pm

Yes! Sorry - I forgot to ask Anil to post it to the forums. Thanks for the reminder

dblandin · April 4, 2016, 4:21am

Has there been a forum post or docs update with the mentioned solution? I’m also interested in this. Thanks!

rmgraham · April 5, 2016, 12:05am

In the docs it says:

Socket files and named pipes only transmit between containers and between OS X processes – no transmission across the hypervisor is supported, yet.

Which suggests to me that we still cannot share the ssh-agent socket from OS X to inside a docker container

dsheets · April 5, 2016, 12:45pm

There is https://github.com/avsm/docker-ssh-agent-forward but it’s not the officially supported method to do this, yet.

We do have generic socket forwarding planned for a beta in the next month but work hasn’t yet begun on it.

bclaridge · April 5, 2016, 2:03pm

This is similar to some of the previous tricks used against docker host VMs w/ sshd running. I think it’ll work great till a supported solution is available. Thank you!

bclaridge · April 6, 2016, 1:20am

Another thing you can do in ssh-find-agent.sh is create a symbolic link to ${SSH_AUTH_SOCK} – instead of setting and reading in the path, you can assume it always exists in /tmp/agent.sock.

ln -sf $SSH_AUTH_SOCK /tmp/agent.sock

then…

docker run -it \
  -v ${LOCAL_STATE}:/tmp \
  -e SSH_AUTH_SOCK=/tmp/agent.sock \
  golang ssh -T git@github.com

This has also made defining the path in compose files quite trivial…

rcoup · May 10, 2016, 9:48am

We do have generic socket forwarding planned for a beta in the next month but work hasn’t yet begun on it.

@dsheets any updates on socket support yet?

dsheets · May 10, 2016, 9:56am

@rcoup No, unfortunately. We’re prioritzing bug fixes and performance right now.

kuuji · June 15, 2016, 10:48pm

Hey @dsheets, any updates ?

cheers

fpetitit · June 22, 2016, 8:16am

Hello, is there a Github issue related to this problem ?
I have not found any.

Thanks

rompalmas · July 1, 2016, 6:36am

Hey @bclaridge

Have you managed to make it work? I use Docker for Mac (1.12.0-rc2-beta17 (build: 9779)) and tried many solutions but I always get the error: bind: Address already in use

docker run -it -v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK="$SSH_AUTH_SOCK" --rm ubuntu bash

root@2ef24e4b480d:/# echo $SSH_AUTH_SOCK
/private/tmp/com.apple.launchd.F1ULFbm6Mx/Listeners

root@2ef24e4b480d:/# ssh-add -l
Could not open a connection to your authentication agent.

root@2ef24e4b480d:/# eval $(`ssh-agent -a $SSH_AUTH_SOCK`)
bind: Address already in use

Thanks

mariusgrigaitis · July 1, 2016, 1:30pm

+1 for this issue. Very annoying when you have encrypted private key.

bclaridge · July 2, 2016, 2:43am

Like you, I’m still waiting for a real solution. In the meantime I’m following this solution:

pobrien · July 19, 2016, 12:18am

+1 for this issue - we have plenty of private gems in our bundler Gemfiles that we pull via ssh.

samifruit514 · August 24, 2016, 11:48am

Do you think generic socket forwarding feature will be available in beta24?

Thank you

mariusgrigaitis · August 24, 2016, 11:58am

I’ve created an issue in GitHub https://github.com/docker/for-mac/issues/410

samifruit514 · August 24, 2016, 9:07pm

i found a quite simple way to forward agent:

run this in the container
socat UNIX-LISTEN:/var/run/agentBridge.sock,reuseaddr,fork TCP:192.168.65.1:12345

run this on the mac osx host
socat TCP-LISTEN:12345,reuseaddr,fork,bind=127.0.0.1 UNIX-CLIENT:$SSH_AUTH_SOCK

The drawback is that its listening on a public port 12345 which could be read by anybody, but its limited on the loopback device (and xhyve box)

tarikihr · September 26, 2016, 3:41am

I implemented a solution to this problem using docker-ssh-agent-forward for using ssh-agent at runtime and committing intermediary images for builds (yes, docker build). This should be more robust than using socat for concurrent builds (socat can only handle single connections unless you are using fork which complicates things further) and more secure. It works great on Docker for Mac and Linux alike.

I have posted complete solution with documentation, examples and base Dockerfile for node/npm here: https://github.com/iheartradio/docker-node

It can of course be extended to other development environments.

gordondiggs · January 23, 2017, 4:31pm

docker-ssh-agent-forward doesn’t seem to work with Docker for Mac on MacOS Sierra. Does anyone have another workaround?