Open fabiofdsantos opened 3 years ago
Issues go stale after 90 days of inactivity.
Mark the issue as fresh with /remove-lifecycle stale comment.
Stale issues will be closed after an additional 30 days of inactivity.
Prevent issues from auto-closing with an /lifecycle frozen comment.
If this issue is safe to close now please do so.
Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle stale
Hey! Same problem here. SSH agent forwarding stops working.
Documentation is gone too: https://docs.docker.com/docker-for-mac/osxfs/#ssh-agent-forwarding.
MacOS 11.4
Docker for Mac v3.5.2.
Compose 1.29.2
UPD: eval $(ssh-agent -s) command breaks magic of /run/host-services/ssh-auth.sock. To fix this - reboot your Mac and run ssh-add command once more
Any update on this topic?
Also looking for the solution. It seems related to running image as non-root user:
That works for Dockerfile and docker-compose if a user is root and with some adjustments in Dockerfile for non-root.
When a user is non-root in the image and we use it in docker-compose with a mounted socket in volume, as explained https://docs.docker.com/docker-for-mac/osxfs/#ssh-agent-forwarding, the issue is that socket is owned by root and not accessible by the inner user from the image.
Is there any solution if we’re running image as non-root user? Currently only feasible solution is to brute-force /run/host-services/ssh-auth.sock with chmod 777; that’s probably okay in development environment, but security issue in any other situation.
There are a few different (but related) issues w/ SSH agent forwarding in Docker for Mac:
/run/host-services/ssh-auth.sock. I'm not a security expert, but it seems like DFM should catch this and set usable permissions on the socket.
$SSH_AUTH_SOCK. It appears to be reading the var on startup (i.e. before it's customized by the user), or is preferring the value from launchctl getenv. Either way, if you're using a newer version of openssh (for example, to use FIDO2 resident keys) then it's likely that DFM is referencing the wrong socket.
Given that the error message from openssh is similar for both issues, it's very painful to get agent forwarding working when using a YubiKey (though I guess that shouldn't be surprising :roll_eyes:).
To get things working for me, I ended up:
$SSH_AUTH_SOCK would be picked up), but the symlink is a more holistic solution.
Hope this summary helps any future travelers - good luck :wave:.
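A check for the two socket states described in the comments above (owned by root and unreachable for a non-root user, or opened up with chmod 777), as an added example that is not part of the original thread or of Docker's code. It relies on the Linux rule that connecting to a unix socket requires write permission on the socket file; the function name and report keys are made up for illustration.

```python
import os
import stat

# Socket path Docker for Mac exposes in the container (from the thread).
DEFAULT_SOCK = "/run/host-services/ssh-auth.sock"


def audit_agent_socket(path=None, uid=None, gids=None):
    """Illustrative helper: can `uid` use the agent socket, and who else can?"""
    path = path or os.environ.get("SSH_AUTH_SOCK", DEFAULT_SOCK)
    uid = os.geteuid() if uid is None else uid
    gids = {os.getegid(), *os.getgroups()} if gids is None else set(gids)
    report = {"path": path, "usable": False, "world_writable": False,
              "findings": []}
    try:
        st = os.stat(path)
    except OSError as exc:
        report["findings"].append(f"cannot stat {path}: {exc.strerror}")
        return report
    if not stat.S_ISSOCK(st.st_mode):
        report["findings"].append(f"{path} is not a unix socket")
        return report
    mode = stat.S_IMODE(st.st_mode)
    report.update(owner=st.st_uid, group=st.st_gid, mode=f"{mode:04o}")
    # On Linux, connect() needs write permission on the socket file, and
    # only one permission class applies: owner, else group, else other.
    if uid == 0:
        usable = True  # root bypasses file permission checks
    elif uid == st.st_uid:
        usable = bool(mode & stat.S_IWUSR)
    elif st.st_gid in gids:
        usable = bool(mode & stat.S_IWGRP)
    else:
        usable = bool(mode & stat.S_IWOTH)
    report["usable"] = usable
    report["world_writable"] = bool(mode & stat.S_IWOTH)
    if not usable:
        report["findings"].append(
            f"uid {uid} cannot connect: owner {st.st_uid}:{st.st_gid}, "
            f"mode {mode:04o}")
    if report["world_writable"]:
        report["findings"].append(
            "socket is world-writable: any process in the container can "
            "request signatures from the host agent")
    return report
```

Call `audit_agent_socket()` inside the container as the image's non-root user. An empty `findings` list means that user can reach the socket without it being open to every other account in the container.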
Information
I'm unable to get ssh-agent working inside the container. However, it works properly with docker run -it -v...
Diagnostic logs
Output
Host:
Container:
docker-compose.yml
php.dockerfile