Share and learn in the Docker community.
Now that /private is available to be mounted – will I be able to re-use the OSX ssh-agent inside my container?
for example:
docker run -it -v ${SSH_AUTH_SOCK}:${SSH_AUTH_SOCK} -e SSH_AUTH_SOCK="${SSH_AUTH_SOCK}" --rm golang ssh -T git@github.com
There was a solution mentioned in the meetup yesterday, but I’m not finding it here.
Yes! Sorry - I forgot to ask Anil to post it to the forums. Thanks for the reminder 
Has there been a forum post or docs update with the mentioned solution? I’m also interested in this. Thanks!
In the docs it says:
Socket files and named pipes only transmit between containers and between OS X processes – no transmission across the hypervisor is supported, yet.
Which suggests to me that we still cannot share the ssh-agent socket from OS X to inside a docker container 
There is https://github.com/avsm/docker-ssh-agent-forward but it’s not the officially supported method to do this, yet.
We do have generic socket forwarding planned for a beta in the next month but work hasn’t yet begun on it.
This is similar to some of the previous tricks used against docker host VMs w/ sshd running. I think it’ll work great till a supported solution is available. Thank you!
Another thing you can do in ssh-find-agent.sh is create a symbolic link to ${SSH_AUTH_SOCK} – instead of setting and reading in the path, you can assume it always exists in /tmp/agent.sock.
ln -sf $SSH_AUTH_SOCK /tmp/agent.sock
then…
docker run -it \
-v ${LOCAL_STATE}:/tmp \
-e SSH_AUTH_SOCK=/tmp/agent.sock \
golang ssh -T git@github.com
This has also made defining the path in compose files quite trivial…
We do have generic socket forwarding planned for a beta in the next month but work hasn’t yet begun on it.
@dsheets any updates on socket support yet?
@rcoup No, unfortunately. We’re prioritzing bug fixes and performance right now.
Hey @dsheets, any updates ?
cheers
Hello, is there a Github issue related to this problem ?
I have not found any.
Thanks
Hey @bclaridge
Have you managed to make it work? I use Docker for Mac (1.12.0-rc2-beta17 (build: 9779)) and tried many solutions but I always get the error: bind: Address already in use
docker run -it -v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK="$SSH_AUTH_SOCK" --rm ubuntu bash
root@2ef24e4b480d:/# echo $SSH_AUTH_SOCK
/private/tmp/com.apple.launchd.F1ULFbm6Mx/Listeners
root@2ef24e4b480d:/# ssh-add -l
Could not open a connection to your authentication agent.
root@2ef24e4b480d:/# eval $(`ssh-agent -a $SSH_AUTH_SOCK`)
bind: Address already in use
Thanks
+1 for this issue. Very annoying when you have encrypted private key.
Like you, I’m still waiting for a real solution. In the meantime I’m following this solution:
+1 for this issue - we have plenty of private gems in our bundler Gemfiles that we pull via ssh.
Do you think generic socket forwarding feature will be available in beta24?
Thank you
I’ve created an issue in GitHub https://github.com/docker/for-mac/issues/410
i found a quite simple way to forward agent:
run this in the container
socat UNIX-LISTEN:/var/run/agentBridge.sock,reuseaddr,fork TCP:192.168.65.1:12345
run this on the mac osx host
socat TCP-LISTEN:12345,reuseaddr,fork,bind=127.0.0.1 UNIX-CLIENT:$SSH_AUTH_SOCK
The drawback is that its listening on a public port 12345 which could be read by anybody, but its limited on the loopback device (and xhyve box)
I implemented a solution to this problem using docker-ssh-agent-forward for using ssh-agent at runtime and committing intermediary images for builds (yes, docker build). This should be more robust than using socat for concurrent builds (socat can only handle single connections unless you are using fork which complicates things further) and more secure. It works great on Docker for Mac and Linux alike.
I have posted complete solution with documentation, examples and base Dockerfile for node/npm here: https://github.com/iheartradio/docker-node
It can of course be extended to other development environments.
docker-ssh-agent-forward doesn’t seem to work with Docker for Mac on MacOS Sierra. Does anyone have another workaround?