New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Forward ssh key agent into container #6396
Comments
I wonder if #6075 will give you what you need |
A secret container might make it a little bit safer, but all the points mentioned still stand. |
+1 I would find this capability useful as well. In particular when building containers that require software from private git repos, for example. I'd rather not have to share a repo key into the container, and instead would like to be able to have the "docker build ..." use some other method for gaining access to the unlocked SSH keys, perhaps through a running ssh-agent. |
+1. I'm just starting to get my feet wet with Docker and this was the first barrier that I hit. I spent a while trying to use VOLUME to mount the auth sock before I realized that docker can't/won't mount a host volume during a build. I don't want copies of a password-less SSH key lying around and the mechanics of copying one into a container then deleting it during the build feels wrong. I do work within EC2 and don't even feel good about copying my private keys up there (password-less or not.) My use case is building an erlang project with rebar. Sure enough, I could clone the first repo and ADD it to the image with a Dockerfile, but that doesn't work with private dependencies that the project has. I guess I could just build the project on the host machine and ADD the result to the new Docker image, but I'd like to build it in the sandbox that is Docker. Here are some other folks that have the same use-case: https://twitter.com/damncabbage/status/453347012184784896 Please, embrace SSH_AUTH_SOCK, it is very useful. Thanks Edit: Now that I know more about how Docker works (FS layers), it's impossible to do what I described in regards to ADDing an SSH key during a build and deleting it later. The key will still exist in some of the FS layers. |
+1, being able to use SSH_AUTH_SOCK will be super useful! |
I use SSH keys to authenticate with Github, whether it's a private repository or a public one. This means my I can volume mount my host |
👍 for ssh forwarding during builds. |
As I understand this is wrong way. Right way is create docker image in dev machine, and than copy it to docker server. |
@SevaUA - no that's not correct. This request is due to a limitation when doing |
I like the idea of #6697 (secret store/vault), and that might work for this once it's merged in. But if that doesn't work out, an alternative is to do man-in-the-middle transparent proxying ssh stuff outside of the docker daemon, intercepting docker daemon traffic (not internally). Alternatively, all git+ssh requests could be to some locally-defined host that transparently proxies to github or whatever you ultimately need to end up at. |
That idea has already been raised (see comment 2). It does not solve the issue. |
+1 for ssh forwarding during builds. |
+1 on SSH agent forwarding on |
+1 for ssh forwarding during build for the likes of npm install or similar. |
Has anyone got ssh forwarding working during run on OSX? I've put a question up here: http://stackoverflow.com/questions/27036936/using-ssh-agent-with-docker/27044586?noredirect=1#comment42633776_27044586 it looks like it's not possible with OSX... |
+1 =( |
Just hit this roadblock as well. Trying to run |
+1 |
+1 same as the previous guys. Seems the best solution to this issue when needing to access one or more private git repositories (think |
@razic Can you share how you get that working? Because when I tried that before it did complain about "Bad owner or permissions" Unless you make sure that all containers run with a specific user or permissions which allows you to do that? |
+1 to SSH_AUTH_SOCK |
@tonivdv have a look at the |
@KyleJamesWalker yup that's what I understand from @razic and which was one of my attempts some time ago, so when I read @razic was able to make it work, I was wondering how :) |
@tonivdv I'd also love to know if it's possible, I couldn't find anything when I last tried though. |
if you are using |
Finally. I believe this problem can now be solved using just Then, use a second (I have not actually tried this yet, but if the feature works as described...) |
@benton multi-stage builds work as described, we use it. It's by far the best option for many different problems, including this one. |
I have verified the following technique:
Here's an example ########################################################################
# BUILD STAGE 1 - Start with the same image that will be used at runtime
FROM ubuntu:latest as builder
# ssh is used to test GitHub access
RUN apt-get update && apt-get -y install ssh
# The GITHUB_SSH_KEY Build Argument must be a path or URL
# If it's a path, it MUST be in the docker build dir, and NOT in .dockerignore!
ARG GITHUB_SSH_KEY=/path/to/.ssh/key
# Set up root user SSH access for GitHub
ADD ${GITHUB_SSH_KEY} /root/.ssh/id_rsa
# Add the full application codebase dir, minus the .dockerignore contents...
# WARNING! - if the GITHUB_SSH_KEY is a file and not a URL, it will be added!
COPY . /app
WORKDIR /app
# Build app dependencies that require SSH access here (bundle install, etc.)
# Test SSH access (this returns false even when successful, but prints results)
RUN ssh -o StrictHostKeyChecking=no -vT git@github.com 2>&1 | grep -i auth
# Finally, remove the $GITHUB_SSH_KEY if it was a file, so it's not in /app!
# It can also be removed from /root/.ssh/id_rsa, but you're probably not going
# to COPY that directory into the runtime image.
RUN rm -vf ${GITHUB_SSH_KEY} /root/.ssh/id*
########################################################################
# BUILD STAGE 2 - copy the compiled app dir into a fresh runtime image
FROM ubuntu:latest as runtime
COPY --from=builder /app /app It might be safer to pass the key data itself in the |
@jbiel Another year, and the solution I found is to use something like Vault. |
I'm just adding a note to say that neither of the current approaches will work if you have a passphrase on the ssh key you're using since the agent will prompt you for the passphrase whenever you perform the action that requires access. I don't think there's a way around this without passing around the key phrase (which is undesirable for a number of reasons) |
Solving.
And in Dockerfile using socat:
Then run |
@benton why do you use |
@benton And also it's not safe to do:
You have to check fingerprint |
I sovled this problem by this way
then build with docker build --build-arg USERNAME=use --build-arg PASSWORD=pwd. -t service But at first, your private git server must support |
@zeayes RUN command stored in container history. So your password is visible to other. |
Correct; when using For example, in the following example, FROM something AS builder
ARG USERNAME
ARG PASSWORD
RUN something that uses $USERNAME and $PASSWORD
FROM something AS finalstage
COPY --from= builder /the/build-artefacts /usr/bin/something If only the final image (produced by "finalstage") is pushed to a registry, then However, in the local build cache history, those variables will still be there (and stored on disk in plain text). The next generation builder (using BuildKit) will have more features, also related to passing build-time secrets; it's available in Docker 18.06 as an experimental feature, but will come out of experimental in a future release, and more features will be added (I'd have to check if secrets/credentials are already possible in the current version) |
@kinnalru @thaJeztah thx, i use multi-stage builds, but the password can be seen in the cache container's history, thx! |
@zeayes Oh! I see I did a copy/paste error; last stage must not use |
This comment by @kinnalru is the right way to do this #6396 (comment) With this method, docker never handles your private keys. And it also works today, without any new features being added. It took me a while to figure it out, so here is a more clear, and improved explanation. I changed @kinnalru code to use This is #!/usr/bin/env bash
# ensure the processes get killed when we're done
trap 'kill $(jobs -p)' EXIT
# create a connection from port 56789 to the unix socket SSH_AUTH_SOCK (which is used by ssh-agent)
socat TCP-LISTEN:56789,reuseaddr,fork UNIX-CLIENT:${SSH_AUTH_SOCK} &
# Run docker
# Pass it all the command line args ($@)
# set the network to "host" so docker can talk to localhost
docker $@ --network='host' In the Dockerfile we connect over localhost to the hosts ssh-agent: FROM python:3-stretch
COPY . /app
WORKDIR /app
RUN mkdir -p /tmp
# install socat and ssh to talk to the host ssh-agent
RUN apt-get update && apt-get install git socat openssh-client \
# create variable called SSH_AUTH_SOCK, ssh will use this automatically
&& export SSH_AUTH_SOCK=/tmp/auth.sock \
# make SSH_AUTH_SOCK useful by connecting it to hosts ssh-agent over localhost:56789
&& /bin/sh -c "socat UNIX-LISTEN:${SSH_AUTH_SOCK},unlink-early,mode=777,fork TCP:localhost:56789 &" \
# stuff I needed my ssh keys for
&& mkdir -p ~/.ssh \
&& ssh-keyscan gitlab.com > ~/.ssh/known_hosts \
&& pip install -r requirements.txt Then you can build your image by invoking the script: $ docker_with_host_ssh.sh build -f ../docker/Dockerfile . |
@cowlicks you may be interested in this pull request, which adds support for That pull request will be part of the upcoming 18.09 release. |
It looks like this is now available in the 18.09 release. Since this thread comes up before the release notes and medium post, I'll cross-post here. Release Notes: Medium Post: Very exciting. |
@kalenp see also moby/buildkit#760 and moby/buildkit#825 |
I think we can close this because we have |
Related compose issue here: docker/compose#6865. Functionality to use Compose and expose SSH agent socket to containers noted to be landing in next release candidate, 1.25.0-rc3 (releases). |
Stumbled upon this one while looking for something
I think it would be useful to have the same feature for Maybe there's other tickets around this, but let me re-open this one (in case there isn't) |
It would be nice to be able to forward an ssh key agent into a container during a
run
orbuild
.Frequently we need to build source code which exists in a private repository where access is controlled by ssh key.
Adding the key file into the container is a bad idea as:
You could do something like:
But:
docker run
, notbuild
.The ideal solution is to have the client forward the key agent socket just like
ssh
can.However the difficulty in this is that it would require the remote API build and attach calls to support proxying an arbitrary number of socket streams. Just doing a single 2-way stream wouldn't be sufficient as the ssh key agent is a unix domain socket, and it can have multiple simultaneous connections.
The text was updated successfully, but these errors were encountered: