Created January 29, 2014 23:32
How to SSH agent forward into a docker container
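```sh
# Bind-mount the directory that holds the agent socket at the same path inside the container
docker run --rm -t -i -v "$(dirname "$SSH_AUTH_SOCK")":"$(dirname "$SSH_AUTH_SOCK")" -e SSH_AUTH_SOCK="$SSH_AUTH_SOCK" ubuntu /bin/bash
```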
The latest official documentation helped me with the docker-compose setup: https://docs.docker.com/desktop/networking/#ssh-agent-forwarding
That seems to be specific to Docker Desktop. What about Colima and/or Podman?
Based on @tomdavies' post, I created this Dockerfile, which uses the USER statement in order to have an unprivileged container instead of su-exec:

```dockerfile
FROM python:3.11.6-alpine
RUN apk --no-cache add --update \
    socat \
    sudo
RUN addgroup --gid 1001 -S ansible && adduser --uid 1001 -S ansible -G ansible -h /home/ansible
# Allow the ansible user to run only the socket-relay script as root
RUN echo 'ansible ALL=(ALL:ALL) NOPASSWD:/usr/local/bin/create-ansible-agent-socket.sh' > /etc/sudoers
# Relay the mounted agent socket under /root to one the ansible user can reach
# (mode=777 lets every user in the container use the forwarded agent)
RUN echo 'socat UNIX-LISTEN:/home/ansible/.ssh/agent,fork,user=ansible,group=ansible,mode=777 UNIX-CONNECT:/root/.ssh/agent' > /usr/local/bin/create-ansible-agent-socket.sh
RUN chmod +x /usr/local/bin/create-ansible-agent-socket.sh
# Start the relay in the background, then run the requested command against it
RUN echo 'sudo /usr/local/bin/create-ansible-agent-socket.sh & SSH_AUTH_SOCK=/home/ansible/.ssh/agent "$@"' > /entrypoint.sh
USER ansible
RUN mkdir -p /home/ansible/.ssh && chown ansible:ansible /home/ansible/.ssh
ENTRYPOINT ["/bin/sh", "/entrypoint.sh"]
```

You then run it with:

```sh
docker run -it -u ansible \
  -v "$SSH_AUTH_SOCK":/root/.ssh/agent \
  -e SSH_AUTH_SOCK=/root/.ssh/agent \
  name cmd
```
@benjertho After struggling for hours with the same problem (works on first shell login but after that fails), I tried a hack and it worked! Sharing here:
- Add an entrypoint line to the Dockerfile:

```dockerfile
ENTRYPOINT ["/ros_entrypoint.sh"]
```

- In the entrypoint script, add the following at the top:

```sh
# Dynamically set SSH_AUTH_SOCK if it's available in the mounted /tmp directory
# (head -n 1 keeps the value to a single path when several sockets match)
agent_sock="$(find /tmp -type s -name 'agent.*' 2>/dev/null | head -n 1)"
if [ -n "$agent_sock" ]; then
    export SSH_AUTH_SOCK="$agent_sock"
fi
```

- Add the following to your compose.yaml:

```yaml
environment:
  - SSH_AUTH_SOCK=/tmp/ssh-agent
volumes:
  - /tmp:/tmp
```
Now the ssh auth sock will be set appropriately every time.
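A stricter variant of the entrypoint lookup in the comment above, as an added example that is not part of the original thread: it exports an `agent.*` socket only if the path is a real socket, owned by the current user, and closed to group and other, rather than whatever `find` returns from a shared `/tmp`. The function names are hypothetical, and `stat -c` assumes GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `stat -c` (GNU coreutils or BusyBox).

# check_agent_sock PATH: succeed only if PATH is a Unix socket owned by the
# current user with no group/other permission bits; otherwise say why and fail.
check_agent_sock() {
    sock=$1
    if [ ! -S "$sock" ]; then
        echo "reject $sock: not a socket" >&2
        return 1
    fi
    owner=$(stat -c '%u' "$sock") || return 1
    mode=$(stat -c '%a' "$sock") || return 1
    if [ "$owner" != "$(id -u)" ]; then
        echo "reject $sock: owned by uid $owner" >&2
        return 1
    fi
    case $mode in
        *00) return 0 ;;   # e.g. 600 or 700: nothing granted to group/other
    esac
    echo "reject $sock: mode $mode is open to group/other" >&2
    return 1
}

# pick_agent_sock DIR: print the first socket under DIR named agent.* that
# passes check_agent_sock; fail (via grep) if no candidate qualifies.
pick_agent_sock() {
    find "${1:-/tmp}" -type s -name 'agent.*' 2>/dev/null | while IFS= read -r cand; do
        if check_agent_sock "$cand"; then
            printf '%s\n' "$cand"
            break
        fi
    done | grep .
}

# export_agent_sock DIR: set SSH_AUTH_SOCK only when a vetted socket exists.
export_agent_sock() {
    picked=$(pick_agent_sock "${1:-/tmp}") || return 1
    export SSH_AUTH_SOCK="$picked"
}
```

Call `export_agent_sock /tmp` at the top of the entrypoint script; a socket relayed with `mode=777` or owned by another uid is rejected with a reason on stderr.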
Is there a version of this setup for Red Hat Linux and distributions based on it, like CentOS and Rocky?