Docker Community Forums

Share and learn in the Docker community.

What precisely does --ssh do inside a docker-build?

I’m going round in circles trying to get buildkit to actually forward my SSH agent. I’ve tried various things with environment variable DOCKER_BUILDKIT=1 and:

  • --ssh default
  • --ssh $SSH_AUTH_SOCK
  • --ssh /tmp/ssh-kMLMKuJKBj/agent.3964170

And nothing seems to work. What’s curious is that when I run experimental commands inside the Dockerfile there’s no evidence of the agent actually being forwarded.

SSH_AUTH_SOCK is not set inside the build environment and /tmp is empty.

I’ve tried this on various installs of docker both on mac and ubuntu. Mostly version 19.03.6 API version 1.4.

What am I missing here?

Okay this could be a little better documented on the docker-build page. Anyway if anyone else trips up on this, you need to explicitly use the agent in your docker file for this to work.

Instead of this:

RUN ssh ...

do this

RUN --mount=type=ssh ssh ...
1 Like

This post was flagged by the community and is temporarily hidden.

@lewish95 Buildkit specifically replaces this need, and actually to do what you suggest you don’t need to use new experimental features.

Also NEVER do an ssh-keyscan in a docker file. I know it appears on docker’s website but that’s just an example and not appropriate for general use. Do you ssh-keyscan manually once, save the result and then COPY it into your image. Otherwise someone can happily spoof the ssh server and you’d never know.


So firstly with buildkit (which does require new features). You can add --mount=type=ssh to your RUN commands in your docker file:

RUN --mount=type=ssh pip install -r requirements.txt

Then then start your ssh agent, add a key and build:

ssh-agent
ssh-add ~/.ssh/id_rsa
docker build --ssh default .

To do what you describe without experimental features like “compress” you can just use a multi stage build:

FROM ubuntu:latest as base

FROM base as private
RUN apt-get install git
COPY id_rsa /root/.ssh/id_rsa
WORKDIR /root
RUN git clone ssh://example.com/FooBar

FROM base
COPY --from=private FooBar .
1 Like