Can we re-use the OSX ssh-agent socket in a container?

Hey @bclaridge

Have you managed to make it work? I use Docker for Mac (1.12.0-rc2-beta17 (build: 9779)) and tried many solutions but I always get the error: bind: Address already in use

docker run -it -v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK="$SSH_AUTH_SOCK" --rm ubuntu bash

root@2ef24e4b480d:/# echo $SSH_AUTH_SOCK
/private/tmp/com.apple.launchd.F1ULFbm6Mx/Listeners

root@2ef24e4b480d:/# ssh-add -l
Could not open a connection to your authentication agent.

root@2ef24e4b480d:/# eval $(`ssh-agent -a $SSH_AUTH_SOCK`)
bind: Address already in use

Thanks

+1 for this issue. Very annoying when you have an encrypted private key.

2 Likes

Like you, I’m still waiting for a real solution. In the meantime I’m following this solution:

+1 for this issue - we have plenty of private gems in our bundler Gemfiles that we pull via ssh.

Do you think a generic socket forwarding feature will be available in beta24?

Thank you

I’ve created an issue in GitHub https://github.com/docker/for-mac/issues/410

1 Like

I found a quite simple way to forward the agent:

Run this in the container:
socat UNIX-LISTEN:/var/run/agentBridge.sock,reuseaddr,fork TCP:192.168.65.1:12345

Run this on the Mac OS X host:
socat TCP-LISTEN:12345,reuseaddr,fork,bind=127.0.0.1 UNIX-CLIENT:$SSH_AUTH_SOCK

The drawback is that it's listening on a public port 12345 which could be read by anybody, but it's limited to the loopback device (and xhyve box).

3 Likes

I implemented a solution to this problem using docker-ssh-agent-forward for using ssh-agent at runtime and committing intermediary images for builds (yes, docker build). This should be more robust than using socat for concurrent builds (socat can only handle single connections unless you are using fork which complicates things further) and more secure. It works great on Docker for Mac and Linux alike.

I have posted a complete solution with documentation, examples and a base Dockerfile for node/npm here: https://github.com/iheartradio/docker-node

It can of course be extended to other development environments.

docker-ssh-agent-forward doesn’t seem to work with Docker for Mac on MacOS Sierra. Does anyone have another workaround?

1 Like

We really need support for this to pull from private repos that require SSH authentication.

1 Like

Any updates on this? Or new work-arounds?

1 Like

Still waiting on this. It’s quite crippling to not have a solution.

1 Like

+1 I’m waiting on this…

1 Like

Lack of proper socket support prevents us from using Docker in our environment. Any updates on this?

2 Likes

Any news on this? I’m blocked if I can’t share the agent.

Can we get a link to github issues or other issue tracker around this issue? Are there any other workarounds available? docker-ssh-agent-forward is extremely unwieldy.

2016-08-24: https://github.com/docker/for-mac/issues/410

1 Like

There is an official solution at https://docs.docker.com/docker-for-mac/osxfs/#ssh-agent-forwarding using the magic path /run/host-services/ssh-auth.sock.

1 Like

That works for Dockerfile and docker-compose if a user is root, and with some adjustments in the Dockerfile for non-root.
When a user is non-root in the image and we use it in docker-compose with the socket mounted as a volume, as explained at https://docs.docker.com/docker-for-mac/osxfs/#ssh-agent-forwarding, the issue is that the socket is owned by root and not accessible by the inner user from the image.

Any potential solution with chown or chmod didn’t work.

The idea is not to use root when pulling private repos as dependencies in image build process and during development in docker-compose.yml.

Any advice on how to proceed in this case?

Thanks!
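Added example, not part of any post in this thread: a Python 3 probe to run inside the container that tells apart the failure modes reported above (socket path missing, root-owned socket refused to a non-root user, socket file with nothing listening behind it) by sending the ssh-agent protocol's identity-list request itself. It assumes Python 3 is available in the image; the function names and result strings are this example's own.

```python
import errno, os, socket, struct

REQUEST_IDENTITIES, IDENTITIES_ANSWER = 11, 12   # ssh-agent protocol message types
REASONS = {errno.ENOENT: "missing", errno.EACCES: "permission-denied",
           errno.ECONNREFUSED: "no-listener"}    # labels are this example's own

def read_string(body, pos):
    """Read one length-prefixed field; return (bytes, next position)."""
    (n,) = struct.unpack_from(">I", body, pos)   # struct.error if truncated
    if pos + 4 + n > len(body):
        raise ValueError("field runs past end of reply")
    return body[pos + 4:pos + 4 + n], pos + 4 + n

def list_identities(sock):
    """Request the agent's identities on a connected socket; return key comments."""
    sock.sendall(struct.pack(">IB", 1, REQUEST_IDENTITIES))
    with sock.makefile("rb") as stream:
        (length,) = struct.unpack(">I", stream.read(4))
        if not 1 <= length <= 256 * 1024:
            raise ValueError("implausible reply length")
        body = stream.read(length)
    if len(body) != length or body[0] != IDENTITIES_ANSWER:
        raise ValueError("truncated or unexpected reply")
    (count,) = struct.unpack_from(">I", body, 1)
    pos, comments = 5, []
    for _ in range(count):
        _blob, pos = read_string(body, pos)      # public key blob, unused here
        comment, pos = read_string(body, pos)
        comments.append(comment.decode("utf-8", "replace"))
    return comments

def probe(path):
    """Classify the agent socket at `path` by trying a real protocol exchange."""
    if not path:
        return "unset"
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(5)
            s.connect(path)
            return "ok: %d key(s)" % len(list_identities(s))
    except OSError as exc:
        return REASONS.get(exc.errno, "error: %s" % exc)
    except (ValueError, struct.error) as exc:
        return "protocol-error: %s" % exc

if __name__ == "__main__":
    print(probe(os.environ.get("SSH_AUTH_SOCK")))
```

A result of `permission-denied` matches the non-root case described above, where the mounted socket is owned by root; `no-listener` means the socket file is visible in the container but nothing accepts connections on it.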

This works flawlessly and, as you said, if you listen only on the bridge that the docker-desktop VM runs, it will be limited to it only.