ssh-add in docker - Could not open a connection to your authentication agent

3

15

I am trying to create a docker image for my Python flask API.

I need git to install dependencies and I have already installed git in docker a few times. But here, I cannot understand what I'm doing wrong.

With the docker:

FROM python:3.6-slim

ARG ssh_prv_key
ARG ssh_pub_key

RUN apt-get update && \
    apt-get install -y openssh-server &&\
    apt-get install -y git

# Authorize SSH Host
RUN mkdir -p /root/.ssh && \
    chmod 0700 /root/.ssh && \
    ssh-keyscan github.com > /root/.ssh/known_hosts

# Add the keys and set permissions
RUN echo "$ssh_prv_key" > /root/.ssh/id_rsa && \
    echo "$ssh_pub_key" > /root/.ssh/id_rsa.pub && \
    chmod 600 /root/.ssh/id_rsa && \
    chmod 600 /root/.ssh/id_rsa.pub && \
    echo "StrictHostKeyChecking no " > /root/.ssh/config


RUN eval "$(ssh-agent -s)"
RUN ssh-add /root/.ssh/id_rsa

RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app

COPY requirements.txt /usr/src/app/
RUN pip3 install --no-cache-dir -r requirements.txt

# Remove SSH keys
RUN rm -rf /root/.ssh/

COPY ./my_api /usr/src/app

# Expose the Flask port
EXPOSE 5000

CMD [ "python", "./app.py" ]

I execute the command:

docker build --build-arg ssh_prv_key=.keys/id_rsa --build-arg ssh_pub_key=.keys/id_rsa.pub -t my-api -f Dockerfile . 

Which gives me the error below:

Step 7/16 : RUN eval "$(ssh-agent -s)"
 ---> Running in be450cc39533
Agent pid 9
Removing intermediate container be450cc39533
 ---> fb101226dc5f
Step 8/16 : RUN ssh-add /root/.ssh/id_rsa
 ---> Running in 4288e93db584
Could not open a connection to your authentication agent.
The command '/bin/sh -c ssh-add /root/.ssh/id_rsa' returned a non-zero code: 2

A PID is retrieved by the eval function for the ssh-agent but I cannot connect to it.

SOLVED

I finally found what I was doing wrong. First of all, my build args weren't correct. The correct docker build command is as follows:

docker build --build-arg ssh_prv_key="$(cat .keys/id_rsa)" --build-arg ssh_pub_key="$(cat .keys/id_rsa.pub)" -t my-api -f Dockerfile . 

Also, and I don't know why, git handles my ssh keys correctly without the use of

RUN eval "$(ssh-agent -s)"
RUN ssh-add /root/.ssh/id_rsa  

The commands above result in a "could not connect to your agent" error.

Then, the right file is

FROM python:3.6-slim

ARG ssh_prv_key
ARG ssh_pub_key

RUN apt-get update && \
    apt-get install -y git

# Authorize SSH Host
RUN mkdir -p /root/.ssh && \
    chmod 0700 /root/.ssh && \
    ssh-keyscan github.com > /root/.ssh/known_hosts

# Add the keys and set permissions
RUN echo "$ssh_prv_key" > /root/.ssh/id_rsa && \
    echo "$ssh_pub_key" > /root/.ssh/id_rsa.pub && \
    chmod 600 /root/.ssh/id_rsa && \
    chmod 600 /root/.ssh/id_rsa.pub


RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app

COPY requirements.txt /usr/src/app/
RUN pip3 install --no-cache-dir -r requirements.txt

# Remove SSH keys
RUN rm -rf /root/.ssh/

COPY ./my_api /usr/src/app

# Expose the Flask port
EXPOSE 5000

CMD [ "python", "./app.py" ]
Calorific answered 6/12, 2018 at 7:47 Comment(0)
5

I believe the issue is related to the ssh configuration in your container; the default ssh strategy in Ubuntu is to refuse remote root login.

To enable it, add the below line to your Dockerfile.

RUN echo "PermitRootLogin yes" >> /etc/ssh/sshd_config

This line edits the /etc/ssh/sshd_config file to permit root login, but you need to restart the sshd service. To do so, you also have to add the line below to your Dockerfile.

RUN systemctl restart sshd

Also, if you trust the certificate, just add the -k flag to ssh-add.

RUN ssh-add -k /root/.ssh/id_rsa

With the -k option, when loading keys into or deleting keys from the agent, ssh-add processes plain private keys only and skips certificates.

I hope this can help.
Best Regards,

Gasket answered 6/12, 2018 at 9:53 Comment(3)
on the RUN systemctl restart sshd, I have the following error: Failed to connect to bus: No such file or directory - Calorific
The problem now is that your init process PID 1 is /bin/bash not systemd. You can try "RUN service sshd restart" instead. If it doesn't work try "RUN /etc/init.d/sshd restart". If you are using it as a client to connect to another host you can skip this step by the way. Also, check this question, it may help: "askubuntu.com/questions/813588/…". - Gasket
this is along the right track but if it doesn't get you home see this: https://mcmap.net/q/12599/-could-not-open-a-connection-to-your-authentication-agent - For
4

Instead of writing these commands

RUN eval "$(ssh-agent -s)"
RUN ssh-add /root/.ssh/id_rsa  
RUN pip3 install --no-cache-dir -r requirements.txt

with different RUN statements, execute them in a single layer, i.e.:

RUN eval "$(ssh-agent -s)" && \
    ssh-add /root/.ssh/id_rsa && \
    pip3 install --no-cache-dir -r requirements.txt

Tried this and it worked without any problem.

Marking answered 22/7, 2021 at 8:32 Comment(1)
This should work if RUN eval "$(ssh-agent -s)" && echo "$SSH_AUTH_SOCK" returns a path-like. - Charcot
0

More recently, you can use the build command to specify the ssh option: https://docs.docker.com/compose/compose-file/build/#ssh

The configuration inside the docker-compose file would be like this:

build:
  context: .
  ssh: 
    - default   # mount the default ssh agent

Later edit (30th July 2022):

This ssh feature was added not long ago and there's a big thread on GitHub about implementing it. I tried using this recently on a project for a CI/CD pipeline, and CLI support for docker-compose and ssh is absent. We solved this by resorting to the docker build command:

DOCKER_BUILDKIT=1 docker build --ssh default=${SSH_KEY_PATH} -t imagename .

Then, inside the docker-compose file simply use the newly built image name:

services:
  servicename:
    image: imagename
    container_name: containername
    ...
Kuhns answered 20/7, 2022 at 4:13 Comment(0)
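
The Dockerfile side of the `docker build --ssh` approach from the answer above, as an added example that is not part of any post on this page. It assumes BuildKit is enabled, a key is loaded in the host's ssh-agent, and the file layout from the question (requirements.txt, my_api); the `# syntax` line and the openssh-client package are choices made for this example.

```dockerfile
# syntax=docker/dockerfile:1
FROM python:3.6-slim

# git plus an SSH client; no sshd and no key files are needed in the image
RUN apt-get update && \
    apt-get install -y --no-install-recommends git openssh-client && \
    rm -rf /var/lib/apt/lists/*

# Record GitHub's host key so SSH can verify the server.
# Compare the result with the fingerprints GitHub publishes before trusting it.
RUN mkdir -p /root/.ssh && \
    chmod 0700 /root/.ssh && \
    ssh-keyscan github.com > /root/.ssh/known_hosts

WORKDIR /usr/src/app
COPY requirements.txt /usr/src/app/

# The agent socket passed with `docker build --ssh default` is mounted for
# this RUN only, so ssh-agent/ssh-add are not run inside the build and the
# private key never enters a layer or the build history.
RUN --mount=type=ssh pip3 install --no-cache-dir -r requirements.txt

COPY ./my_api /usr/src/app

# Expose the Flask port
EXPOSE 5000

CMD [ "python", "./app.py" ]
```

Build it with `DOCKER_BUILDKIT=1 docker build --ssh default -t my-api .` after loading the key into the host's agent. Unlike values passed with `--build-arg`, which are recorded in `docker history` and survive a later `rm -rf /root/.ssh/` in the earlier layer, nothing forwarded through the ssh mount is stored in the image.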
