ssh-agent forwarding into docker-compose environment is not working

I have been having serious trouble getting ssh-agent forwarded into the docker container (with my docker-compose installation). I have a Mac running Catalina, with docker-engine 19.03.8 and Compose @ 1.24. The following is my docker-compose file:

version: '3.7'
services:
  platform:
    build:
      context: .
      dockerfile: ./platform/compose/Dockerfile.platform.local
    working_dir: /root/platform
    ports:
      - "3000:3000"
    command: ["./compose/scripts/start_rails.sh"]
    tty: true
    stdin_open: true
    volumes:
      - type: bind
        source: /run/host-services/ssh-auth.sock
        target: /run/host-services/ssh-auth.sock
    env_file: ./platform/.env
    environment:
      TERM: xterm-256color
      SSH_AUTH_SOCK: /run/host-services/ssh-auth.sock

volumes:

The way I have configured ssh-agent forwarding is as specified in the docker-compose documentation.

The ./compose/scripts/start_rails.sh script does bundle install && bundle exec rails s. I have a few gems that I am pulling from private repositories and I thought I should be able to install these gems by forwarding ssh-agent.

I have also tried starting the ssh-agent before I spin the docker-compose up, but that doesn't seem to do anything.

{
  "debug": true,
  "experimental": true,
  "features": {
    "buildkit": true
  }
}

This is what I have added inside my docker configuration file. Any help is appreciated.

**UPDATE: 0**

The following is my .ssh directory structure and config:

tree ~/.ssh

├── config
├── known_hosts
├── midhun
│   ├── id_rsa
│   └── id_rsa.pub
└── client
    ├── id_rsa
    └── id_rsa.pub

cat ~/.ssh/config

Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/client/id_rsa

Host me.github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/midhun/id_rsa  

UPDATE: 1

Updated my config with ForwardAgent Yes and it didn't work either. I have recorded entire ssh-logs in this gist -> https://gist.github.com/midhunkrishna/8f77ebdc90c7230d2ffae0834dc477cc .

Lucifer answered 30/4, 2020 at 13:52 Comment(3)
What are you trying to achieve is not clear? - Jarman
Trying to forward ssh-agent into the running docker container so that when I run bundle install, bundler can pull gems from private repo. - Lucifer
Please add ForwardAgent yes in both your entries and see if it works - Jarman

I believe the change below to your ~/.ssh/config should fix the issue:

Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/client/id_rsa
    ForwardAgent yes

Host me.github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/midhun/id_rsa
    ForwardAgent yes

Update 1: 5th May 2020

In your case, the reason it may not be working is that the agent on the host is keyless.

You can confirm that using:

$ ssh-add -L
$ ssh-add -l

The agent will only forward the keys it has in its memory, nothing on your disk. Else you risk exposing every key that is there without any permission. What you need to do is make sure you add those keys to your ssh-agent at startup:

$ ssh-add ~/.ssh/client/id_rsa
$ ssh-add ~/.ssh/midhun/id_rsa

Then if you do ssh-add -L on the host and inside the docker terminal, you should see both keys. And the ssh-agent will also work.

[Image: ssh-agent inside docker working]

Jarman answered 4/5, 2020 at 16:55 Comment(3)
Thanks Tarun, but that does not seem to work. You can check full logs here -> gist.github.com/midhunkrishna/8f77ebdc90c7230d2ffae0834dc477cc - Lucifer
Thank you so much. It was just like you said. ssh-agent didn't have any identities added to it. It works now. - Lucifer
Another interesting thing that I found is that, after the docker process has started, if I create a new ssh-agent using "eval ssh-agent -s", then the ssh-configuration won't be forwarded. - Lucifer
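
A preflight check for the failure diagnosed in the answer above, added here as an example and not taken from the original post or answer. It relies on the exit status of `ssh-add -l` (0 when identities are listed, 1 when the agent is empty, 2 when the agent cannot be contacted). The function names and the `SSH_ADD` override are hypothetical, and the in-container check assumes the `platform` service is already running and its image ships `ssh-add`.

```shell
#!/bin/sh
# Added example: verify the agent holds keys on the host and inside the
# compose service before relying on forwarding for `bundle install`.
# SSH_ADD is a hypothetical override so the check can be run against a stub.
SSH_ADD="${SSH_ADD:-ssh-add}"

# Print the agent state seen by `ssh-add -l`.
# "$@" is an optional command prefix, e.g. docker-compose exec -T platform
agent_state() {
    rc=0
    "$@" $SSH_ADD -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo has-keys ;;      # agent reachable, identities loaded
        1) echo empty ;;         # agent reachable, nothing to forward
        2) echo unreachable ;;   # no agent behind SSH_AUTH_SOCK
        *) echo unknown ;;       # ssh-add missing or prefix command failed
    esac
}

# Check the host first, then the container. Returns non-zero on any gap.
preflight() {
    service="${1:-platform}"     # service name from the compose file above
    host=$(agent_state)
    if [ "$host" != has-keys ]; then
        echo "host agent is $host; load only the key the build needs, e.g." >&2
        echo "  ssh-add ~/.ssh/client/id_rsa" >&2
        return 1
    fi
    inside=$(agent_state docker-compose exec -T "$service")
    if [ "$inside" != has-keys ]; then
        echo "service '$service' sees the agent as $inside;" >&2
        echo "check the socket bind mount and SSH_AUTH_SOCK" >&2
        return 1
    fi
    echo "host and '$service' both list identities"
}

# Run only when asked, e.g.: sh preflight.sh --run platform
case "${1:-}" in
    --run) preflight "${2:-platform}" ;;
esac
```

Every identity loaded into the host agent is usable by any process in the container while the socket is mounted, so the hint prints a single `ssh-add` for the key the build needs.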
