crops / poky-container

A container image that is able to run bitbake/poky. It has helpers to create users and groups within the container. This is so that the output generated in the container will be readable by the user on the host.
GNU General Public License v2.0
206 stars 94 forks

How to forward ssh-agent to fetch private repos? #29

Closed Minipada closed 6 years ago

Minipada commented 6 years ago

To fetch a private repository, I would like to forward my ssh-agent. I tried to, but it seems the container doesn't have sufficient permission to do so in the poky container.

Would there be any other clean way to solve this?

rewitt1 commented 6 years ago

Hi @Minipada,

Here is an example of what I've done when using an ssh-agent. I'll give my usual disclaimer about how this is punching some holes in the isolation of the container, so if you're worried make sure the agent only has the keys added to it for the repos it needs.

docker run -it --rm=true -v ~/.ssh/config:/home/yoctouser/.ssh/config -v ~/.ssh/known_hosts:/home/yoctouser/.ssh/known_hosts -v $SSH_AUTH_SOCK:/ssh.socket -e SSH_AUTH_SOCK=/ssh.socket crops/poky:fedora-27 .......

It's just bind mounting the socket used by the agent into the container, and then setting the appropriate environment variable to make sure the socket gets used. I added the .ssh/config and .ssh/known_hosts since that usually ends up being an issue as well if you have ports specified etc.

Minipada commented 6 years ago

Hi, thanks for your reply. I just tested, but it is still unsuccessful:

As you can see, I can clearly connect to GitHub on my host, but the forwarding doesn't work in the container. I believe I'm missing something obvious.

dbensoussan@ip-XXX-XX-X-XX:~/workspace$ eval $(ssh-agent -s)
Agent pid 14184
dbensoussan@ip-XXX-XX-X-XX:~/workspace$ ssh-add ~/.ssh/yocto
Identity added: /home/dbensoussan/.ssh/yocto (/home/dbensoussan/.ssh/yocto)
dbensoussan@ip-XXX-XX-X-XX:~/workspace$ ssh -T git@github.com
Hi synapticonbot! You've successfully authenticated, but GitHub does not provide shell access.
dbensoussan@ip-XXX-XX-X-XX:~/workspace$ docker run -it --rm=true -v ~/.ssh/config:/home/yoctouser/.ssh/config -v ~/.ssh/known_hosts:/home/yoctouser/.ssh/known_hosts -v $SSH_AUTH_SOCK:/ssh.socket -e SSH_AUTH_SOCK=/ssh.socket crops/poky:fedora-27
[pokyuser@1d8d5573145e ~]$ ssh -T git@github.com
The authenticity of host 'github.com (192.30.253.112)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
RSA key fingerprint is MD5:16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'github.com,192.30.253.112' (RSA) to the list of known hosts.
git@github.com: Permission denied (publickey).

rewitt1 commented 6 years ago

I suspect that the uid inside of the container is not getting set to match the host user running the ssh-agent. Typically the uid of the pokyuser inside of the container is set based on the --workdir argument detailed in README.md.

If you specify the --workdir argument using a directory owned by the same uid:gid as the user running the ssh-agent do you still have the same error? If so, then could you run id on both the host and inside the container to check that pokyuser inside the container has the same id as the ssh-agent owner?

Minipada commented 6 years ago

You are right, the ids are different:

Host: uid=1001(dbensoussan) gid=1001(dbensoussan) groups=1001(dbensoussan)

Container: uid=1000(pokyuser) gid=1000(pokyuser) groups=1000(pokyuser)

I tested using workdir as you said; I had tested it in the past without success. sshd is started by root, but the agent is started by my user.

$ ps aux | grep ssh
root      1218  0.0  0.0  61392  3084 ?        Ss   08:08   0:00 /usr/sbin/sshd -D
root     23483  0.2  0.0 107720  4268 ?        Ss   09:22   0:00 sshd: dbensoussan [priv]
dbensou+ 23554  0.0  0.0 107720  1900 ?        S    09:22   0:00 sshd: dbensoussan@pts/0
dbensou+ 23579  0.0  0.0  10636   520 ?        Ss   09:22   0:00 ssh-agent -s
dbensou+ 23595  0.0  0.0  11764   928 pts/0    S+   09:22   0:00 grep --color=auto ssh

Then, on my host, you can see that the test folder is owned by 1001, and I start the container passing this test folder as a volume in the home directory. I still:

$ ls -lisa test
1841953 4 drwxr-xr-x  4 dbensoussan dbensoussan 4096 Jul 12 09:07 .
 271142 4 drwxr-xr-x 23 dbensoussan dbensoussan 4096 Jul 12 09:23 ..
1841954 4 drwxr-xr-x 16 dbensoussan dbensoussan 4096 Jul 12 09:06 yocto_ws

$ docker run -it --rm=true -v ~/.ssh/config:/home/yoctouser/.ssh/config \
  -v ~/.ssh/known_hosts:/home/yoctouser/.ssh/known_hosts \
  -v $SSH_AUTH_SOCK:/ssh.socket \
  -e SSH_AUTH_SOCK=/ssh.socket \
  --workdir=/home/pokyuser/yocto \
  -v ${PWD}/test:/home/pokyuser/yocto \
  crops/poky:fedora-27

And inside the container

useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
bash-4.4$ pwd
/home/pokyuser

bash-4.4$ ls -lisa
total 12
 398534 4 drwxr-xr-x 3 root root 4096 Jul 12 09:24 .
 393699 4 drwxr-xr-x 5 root root 4096 Jul 12 09:24 ..
1841953 4 drwxr-xr-x 4 1001 1001 4096 Jul 12 09:07 yocto

bash-4.4$ cd yocto/

bash-4.4$ ls -lisa /ssh.socket 
920244 0 srw------- 1 1001 1001 0 Jul 12 09:22 /ssh.socket

bash-4.4$ ssh -T git@github.com
Could not create directory '/home/pokyuser/.ssh'.
The authenticity of host 'github.com (192.30.253.113)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
RSA key fingerprint is MD5:16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/pokyuser/.ssh/known_hosts).
git@github.com: Permission denied (publickey).

rewitt1 commented 6 years ago

I think there are a few things going on here:

So if we accept the fact that we can't bind mount things into pokyuser right now, you should still be able to get the agent working with something along these lines:

docker run -it --rm=true \
  -v $SSH_AUTH_SOCK:/ssh.socket \
  -e SSH_AUTH_SOCK=/ssh.socket \
  -v ${PWD}/test:/workdir \
  crops/poky:fedora-27 \
  --workdir=/workdir

If that gets the ssh-agent working for you, then I need to come up with a decent way to get the .ssh/config and .ssh/known_hosts to work as well.
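
A pre-flight check for the setup described in this thread, added here as an example (it is not part of the poky-container project or of either participant's comments): pokyuser's uid:gid is derived from the owner of the --workdir directory and the agent socket is mode 0600, so the script verifies both owners match before building the docker invocation. It assumes GNU coreutils `stat`; the image tag and mount paths are the ones used above, and `POKY_RUN` is a variable introduced for this example.

```shell
# Added example, not from the poky-container project or this thread.
# Checks that the ssh-agent socket and the host directory mounted as
# /workdir share one uid:gid, the condition rewitt1 identifies above.
# Assumes GNU coreutils stat (stat -c).

owner_of() {
  # Print "uid:gid" of a path (works for sockets as well as directories).
  stat -c '%u:%g' "$1"
}

owners_match() {
  # Pure comparison so the decision can be tested without a second uid.
  [ "$1" = "$2" ]
}

check_agent_workdir() {
  # $1 = ssh-agent socket, $2 = host directory to mount as /workdir.
  # Returns 0 when both have the same owner, 1 on mismatch, 2 if a path
  # is missing. On mismatch pokyuser gets the workdir's uid and cannot
  # open the 0600 socket, which shows up as "Permission denied (publickey)".
  sock_owner=$(owner_of "$1" 2>/dev/null) || return 2
  dir_owner=$(owner_of "$2" 2>/dev/null) || return 2
  if ! owners_match "$sock_owner" "$dir_owner"; then
    echo "uid:gid mismatch: socket $1 is $sock_owner, workdir $2 is $dir_owner" >&2
    echo "pokyuser would be created as $dir_owner and cannot open the socket" >&2
    return 1
  fi
  return 0
}

poky_agent_cmd() {
  # Print the docker invocation from the comment above: socket bind-mounted
  # to /ssh.socket, SSH_AUTH_SOCK pointed at it, workdir mounted at /workdir
  # and handed to the container entrypoint as --workdir.
  printf 'docker run -it --rm=true -v %s:/ssh.socket -e SSH_AUTH_SOCK=/ssh.socket -v %s:/workdir crops/poky:fedora-27 --workdir=/workdir\n' "$1" "$2"
}

# Only touch a real agent when POKY_RUN is set, e.g.
#   POKY_RUN=1 sh agent-check.sh ./test
if [ -n "${POKY_RUN:-}" ]; then
  workdir=$(cd "${1:-.}" && pwd)
  check_agent_workdir "${SSH_AUTH_SOCK:?ssh-agent not running}" "$workdir" || exit $?
  echo "running: $(poky_agent_cmd "$SSH_AUTH_SOCK" "$workdir")"
  docker run -it --rm=true -v "$SSH_AUTH_SOCK:/ssh.socket" \
    -e SSH_AUTH_SOCK=/ssh.socket -v "$workdir:/workdir" \
    crops/poky:fedora-27 --workdir=/workdir
fi
```

Run it with the directory you intend to mount; a non-zero exit and the mismatch message tell you to fix ownership (or start the agent as the right user) before the `git` fetch fails inside the container.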

Minipada commented 6 years ago

Ok, I see, it's clearer now; the command you just passed works perfectly :). Thanks very much for the support!