Closed Minipada closed 6 years ago
Hi @Minipada,
Here is an example of what I've done when using an ssh-agent. I'll give my usual disclaimer about how this is punching some holes in the isolation of the container, so if you're worried make sure the agent only has the keys added to it for the repos it needs.
docker run -it --rm=true -v ~/.ssh/config:/home/yoctouser/.ssh/config -v ~/.ssh/known_hosts:/home/yoctouser/.ssh/known_hosts -v $SSH_AUTH_SOCK:/ssh.socket -e SSH_AUTH_SOCK=/ssh.socket crops/poky:fedora-27 .......
It's just bind mounting the socket used by the agent into the container, and then setting the appropriate environment variable to make sure the socket gets used. I added the .ssh/config and .ssh/known_hosts since that usually ends up being an issue as well if you have ports specified etc.
Hi, thanks for your reply. I just tested, but it is still unsuccessful:
As you can see, I can clearly connect to github on my host, but the forwarding doesn't work in the container. I believe I'm missing something obvious.
dbensoussan@ip-XXX-XX-X-XX:~/workspace$ eval $(ssh-agent -s)
Agent pid 14184
dbensoussan@ip-XXX-XX-X-XX:~/workspace$ ssh-add ~/.ssh/yocto
Identity added: /home/dbensoussan/.ssh/yocto (/home/dbensoussan/.ssh/yocto)
dbensoussan@ip-XXX-XX-X-XX:~/workspace$ ssh -T git@github.com
Hi synapticonbot! You've successfully authenticated, but GitHub does not provide shell access.
dbensoussan@ip-XXX-XX-X-XX:~/workspace$ docker run -it --rm=true -v ~/.ssh/config:/home/yoctouser/.ssh/config -v ~/.ssh/known_hosts:/home/yoctouser/.ssh/known_hosts -v $SSH_AUTH_SOCK:/ssh.socket -e SSH_AUTH_SOCK=/ssh.socket crops/poky:fedora-27
[pokyuser@1d8d5573145e ~]$ ssh -T git@github.com
The authenticity of host 'github.com (192.30.253.112)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
RSA key fingerprint is MD5:16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'github.com,192.30.253.112' (RSA) to the list of known hosts.
git@github.com: Permission denied (publickey).
I suspect that the uid inside of the container is not getting set to match the host user running the ssh-agent. Typically the uid of the pokyuser inside of the container is set based on the --workdir argument detailed in README.md.
If you specify the --workdir argument using a directory owned by the same uid:gid as the user running the ssh-agent, do you still have the same error? If so, then could you run id on both the host and inside the container to check that pokyuser inside the container has the same id as the ssh-agent owner?
You are right, the ids are different:
Host: uid=1001(dbensoussan) gid=1001(dbensoussan) groups=1001(dbensoussan)
Container: uid=1000(pokyuser) gid=1000(pokyuser) groups=1000(pokyuser)
I tested using workdir as you said; I had tested it in the past without success. sshd is started by root, but the agent is started by my user.
$ ps aux | grep ssh
root 1218 0.0 0.0 61392 3084 ? Ss 08:08 0:00 /usr/sbin/sshd -D
root 23483 0.2 0.0 107720 4268 ? Ss 09:22 0:00 sshd: dbensoussan [priv]
dbensou+ 23554 0.0 0.0 107720 1900 ? S 09:22 0:00 sshd: dbensoussan@pts/0
dbensou+ 23579 0.0 0.0 10636 520 ? Ss 09:22 0:00 ssh-agent -s
dbensou+ 23595 0.0 0.0 11764 928 pts/0 S+ 09:22 0:00 grep --color=auto ssh
Then, on my host, you can see that the test folder is owned by 1001, and I start the container passing this test folder as a volume in the home directory. I still:
$ ls -lisa test
1841953 4 drwxr-xr-x 4 dbensoussan dbensoussan 4096 Jul 12 09:07 .
271142 4 drwxr-xr-x 23 dbensoussan dbensoussan 4096 Jul 12 09:23 ..
1841954 4 drwxr-xr-x 16 dbensoussan dbensoussan 4096 Jul 12 09:06 yocto_ws
$ docker run -it --rm=true -v ~/.ssh/config:/home/yoctouser/.ssh/config \
-v ~/.ssh/known_hosts:/home/yoctouser/.ssh/known_hosts \
-v $SSH_AUTH_SOCK:/ssh.socket \
-e SSH_AUTH_SOCK=/ssh.socket \
--workdir=/home/pokyuser/yocto \
-v ${PWD}/test:/home/pokyuser/yocto \
crops/poky:fedora-27
And inside the container:
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
bash-4.4$ pwd
/home/pokyuser
bash-4.4$ ls -lisa
total 12
398534 4 drwxr-xr-x 3 root root 4096 Jul 12 09:24 .
393699 4 drwxr-xr-x 5 root root 4096 Jul 12 09:24 ..
1841953 4 drwxr-xr-x 4 1001 1001 4096 Jul 12 09:07 yocto
bash-4.4$ cd yocto/
bash-4.4$ ls -lisa /ssh.socket
920244 0 srw------- 1 1001 1001 0 Jul 12 09:22 /ssh.socket
bash-4.4$ ssh -T git@github.com
Could not create directory '/home/pokyuser/.ssh'.
The authenticity of host 'github.com (192.30.253.113)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
RSA key fingerprint is MD5:16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/pokyuser/.ssh/known_hosts).
git@github.com: Permission denied (publickey).
I think there are a few things going on here:
So if we accept the fact that we can't bind mount things into pokyuser right now, you should still be able to get the agent working with something along these lines:
docker run -it --rm=true \
-v $SSH_AUTH_SOCK:/ssh.socket \
-e SSH_AUTH_SOCK=/ssh.socket \
-v ${PWD}/test:/workdir \
crops/poky:fedora-27 \
--workdir=/workdir
If that gets the ssh-agent working for you, then I need to come up with a decent way to get the .ssh/config and .ssh/known_hosts to work as well.
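As an added example (not the crops/poky project's own code), a small launcher that performs the uid check discussed above before starting the container with the working flags from this thread: it refuses to run when the agent socket is not a socket or is not owned by the same uid as the bind-mounted workdir. It assumes, as described above, that the image derives pokyuser's uid from the owner of the --workdir mount, and that GNU or BSD stat and docker are on PATH.

```shell
#!/bin/sh
# Pre-flight check for forwarding an ssh-agent into a crops/poky container.
# Added example, not part of the crops/poky project. Assumes the poky image
# picks pokyuser's uid/gid from the owner of the --workdir bind mount.

# Print the numeric uid that owns a path; fail if the path does not exist.
owner_uid() {
    [ -e "$1" ] || return 1
    stat -c %u "$1" 2>/dev/null || stat -f %u "$1"   # GNU stat, then BSD stat
}

# Return 0 only when the agent socket and the workdir are owned by the same
# uid. The agent creates its socket as srw------- (owner only), so a container
# user mapped to a different uid gets "Permission denied (publickey)".
agent_matches_workdir() {
    sock="$1"; workdir="$2"
    [ -S "$sock" ] || { echo "not a socket: $sock" >&2; return 1; }
    [ -d "$workdir" ] || { echo "not a directory: $workdir" >&2; return 1; }
    s_uid=$(owner_uid "$sock"); w_uid=$(owner_uid "$workdir")
    if [ "$s_uid" != "$w_uid" ]; then
        echo "uid mismatch: socket owner $s_uid, workdir owner $w_uid" >&2
        return 1
    fi
    return 0
}

# Launch the container the way the working command above does, but only after
# the check passes. /ssh.socket and /workdir are the paths used in the thread;
# extra arguments are passed through to the image after --workdir.
run_poky_with_agent() {
    workdir="$1"; shift
    agent_matches_workdir "$SSH_AUTH_SOCK" "$workdir" || return 1
    docker run -it --rm=true \
        -v "$SSH_AUTH_SOCK":/ssh.socket \
        -e SSH_AUTH_SOCK=/ssh.socket \
        -v "$workdir":/workdir \
        crops/poky:fedora-27 \
        --workdir=/workdir "$@"
}

# Usage: run_poky_with_agent "$PWD/test"
# Inside the container, `ssh-add -l` should then list the host agent's keys.
```

Keep the agent limited to the keys the build actually needs, as noted earlier in the thread, since everything in the container can use any key the agent holds.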
Ok I see, it's clearer now, the command you just passed works perfectly :). Thanks very much for the support!
To fetch a private repository, I would like to forward my ssh-agent. I tried to, but it seems the container doesn't have sufficient permission to do so in the poky container.
Would there be any other clean way to solve this?