Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSH Agent forwarding not working on Docker for Mac #7556

Open
kmeelu opened this issue Jan 21, 2025 · 0 comments
Open

SSH Agent forwarding not working on Docker for Mac #7556

kmeelu opened this issue Jan 21, 2025 · 0 comments
Labels
area/network status/triage version/4.37.2

Comments

@kmeelu
Copy link

kmeelu commented Jan 21, 2025
edited
Loading

Description

Docker for Mac has guidance to allow SSH agent forwarding from the mac environment into the container's environment: https://docs.docker.com/desktop/features/networking/#ssh-agent-forwarding

Attempting to use this is not working as expected for my teammate. It does work for others I work with, so I'm not sure if something unique to the machine or SSH agent setup is causing this. I'd love to figure out if there are issues with this feature or with the environment that are leading to this.

Reproduce

  1. Ensure that the SSH agent is running: eval "$(ssh-agent -s)"
  2. Add an ssh key that the agent is referencing (in our case, we're trying to access github ssh key from the container): ssh-add ~/.ssh/<path-to-key>
  3. Now, from the mac environment, you'll be able to see that ssh key listed when running ssh-add -l
  4. Run the docker container and attempt to view the ssh key from within the container: docker run --rm --mount type=bind,src=/run/host-services/ssh-auth.sock,target=/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK="/run/host-services/ssh-auth.sock" --entrypoint /usr/bin/ssh-add alpine/git -l

Expected behavior

What I'd expect to see if that we can access that ssh key within the docker container. Something like this:

❯ ssh-add -l

256 SHA256:jZai0OlOi3YtFltFlFceSy06+etmRm/M4bVwm043z5s [email protected] (ED25519)

❯ docker run --rm --mount type=bind,src=/run/host-services/ssh-auth.sock,target=/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK="/run/host-services/ssh-auth.sock" --entrypoint /usr/bin/ssh-add alpine/git -l

Unable to find image 'alpine/git:latest' locally
latest: Pulling from alpine/git
52f827f72350: Pull complete
949a2fde922e: Pull complete
88c63baf2e61: Pull complete
Digest: sha256:75d5278aed92f5b777cbe9ad8df2b3292802e52707212fcac0d3d61262aa3b42
Status: Downloaded newer image for alpine/git:latest

256 SHA256:jZai0OlOi3YtFltFlFceSy06+etmRm/M4bVwm043z5s [email protected] (ED25519)

However, what we're seeing is that the key doesn't exist within the docker container:

❯ ssh-add ~/.ssh/id_ed25519
Identity added: /Users/jessicachen/.ssh/id_ed25519 ([email protected])

❯ ssh-add -l
256 SHA256:3zK/Y7WGHmJsUlslsK52hjGmAjYP4cixgysHVmJ8HB8 [email protected] (ED25519)

❯ docker run --rm --mount type=bind,src=/run/host-services/ssh-auth.sock,target=/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK="/run/host-services/ssh-auth.sock" --entrypoint /usr/bin/ssh-add alpine/git -l
Unable to find image 'alpine/git:latest' locally
latest: Pulling from alpine/git
52f827f72350: Pull complete
949a2fde922e: Pull complete
88c63baf2e61: Pull complete
Digest: sha256:75d5278aed92f5b777cbe9ad8df2b3292802e52707212fcac0d3d61262aa3b42
Status: Downloaded newer image for alpine/git:latest

The agent has no identities.

The The agent has no identities. is unexpected.

docker version

Client:
 Version:           27.4.0
 API version:       1.47
 Go version:        go1.22.10
 Git commit:        bde2b89
 Built:             Sat Dec  7 10:35:43 2024
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.37.2 (179585)
 Engine:
  Version:          27.4.0
  API version:      1.47 (minimum version 1.24)
  Go version:       go1.22.10
  Git commit:       92a8393
  Built:            Sat Dec  7 10:38:33 2024
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.7.21
  GitCommit:        472731909fa34bd7bc9c087e4c27943f9835f111
 runc:
  Version:          1.1.13
  GitCommit:        v1.1.13-0-g58aa920
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    27.4.0
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  ai: Ask Gordon - Docker Agent (Docker Inc.)
    Version:  v0.5.1
    Path:     /Users/jessicachen/.docker/cli-plugins/docker-ai
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.19.2-desktop.1
    Path:     /Users/jessicachen/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.31.0-desktop.2
    Path:     /Users/jessicachen/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container (Docker Inc.)
    Version:  0.0.37
    Path:     /Users/jessicachen/.docker/cli-plugins/docker-debug
  desktop: Docker Desktop commands (Beta) (Docker Inc.)
    Version:  v0.1.0
    Path:     /Users/jessicachen/.docker/cli-plugins/docker-desktop
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.2
    Path:     /Users/jessicachen/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.27
    Path:     /Users/jessicachen/.docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.5
    Path:     /Users/jessicachen/.docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.4.0
    Path:     /Users/jessicachen/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/jessicachen/.docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.15.1
    Path:     /Users/jessicachen/.docker/cli-plugins/docker-scout
WARNING: Plugin "/Users/jessicachen/.docker/cli-plugins/docker-scan" is not valid: failed to fetch metadata: fork/exec /Users/jessicachen/.docker/cli-plugins/docker-scan: no such file or directory

Server:
 Containers: 7
  Running: 4
  Paused: 0
  Stopped: 3
 Images: 14
 Server Version: 27.4.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 472731909fa34bd7bc9c087e4c27943f9835f111
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.10.14-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 10
 Total Memory: 27.36GiB
 Name: docker-desktop
 ID: 0bd9575b-290a-4589-b3a5-ac208f75693a
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///Users/jessicachen/Library/Containers/com.docker.docker/Data/docker-cli.sock
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile

Diagnostics ID

89690258-600A-4A1F-A057-1F99359E18DE/20250121200934

Additional Info

No response
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/network status/triage version/4.37.2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kmeelu @bsousaa