38

While building a Docker image from a Dockerfile, I have to clone a GitHub repo. I added my public SSH keys to my GitHub account and I am able to clone the repo from my Docker host. I see that I can use the Docker host's SSH key by mapping the $SSH_AUTH_SOCK env variable at `docker run` time like

docker run --rm -it --name container_name \
  -v $(dirname $SSH_AUTH_SOCK):$(dirname $SSH_AUTH_SOCK) \
  -e SSH_AUTH_SOCK=$SSH_AUTH_SOCK my_image

How can I do the same during a docker build?

Alexis Wilke
Anand
  • 2
    So what you need is to use the private key to do `git clone`? Maybe this is not a direct answer to your question, but I think http://farazdagi.com/blog/2016/ssh-private-keys-on-docker-build/ could be helpful. – shizhz Apr 16 '17 at 07:11

4 Answers

68

For Docker 18.09 and newer

You can use new features of Docker to forward your existing SSH agent connection or a key to the builder. This enables, for example, cloning your private repositories during build.

Steps:

First, set an environment variable to enable the new BuildKit:

export DOCKER_BUILDKIT=1

Then create a Dockerfile with the new (experimental) syntax:

# syntax=docker/dockerfile:experimental

FROM alpine

# install ssh client and git
RUN apk add --no-cache openssh-client git

# download public key for github.com (the ~/.ssh directory needs the execute bit, so 0700 rather than 0600)
RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts

# clone our private repository
RUN --mount=type=ssh git clone git@github.com:myorg/myproject.git myproject

And build the image with

docker build --ssh default .

Read more about it here: https://medium.com/@tonistiigi/build-secrets-and-ssh-forwarding-in-docker-18-09-ae8161d066

jozo
  • 13
    Is there a possibility to employ this feature `--mount=type=ssh` in Docker Compose? – erop May 22 '20 at 07:52
  • 3
    I think the "mkdir -p -m 0600" should be "mkdir -p -m 0700", unless I'm missing something. – negacao Oct 15 '20 at 15:13
  • Thank you so much! I was missing "--ssh default"; it took me literally weeks to find out this solves my issues under WSL2. I completely don't understand why it is needed though. Docker makes life so complex – synek317 Mar 26 '22 at 13:06
  • "Is there a possibility to employ this feature --mount=type=ssh in Docker Compose?" Yes, `docker compose build` [now supports](https://github.com/docker/compose/pull/9325) an `--ssh` option. – Eric Jan 11 '23 at 17:57
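The `ssh-keyscan github.com >> ~/.ssh/known_hosts` step in the answer above trusts whatever host key comes back over the network at build time. Added example, not code from any answer on this page: a POSIX sh helper that only writes the known_hosts entry when the scanned key matches a pinned one (the key strings are constructed placeholders, not GitHub's real keys; replace EXPECTED_HOST_KEY with the value GitHub publishes).

```shell
#!/bin/sh
# Pinned known_hosts entry in "<host> <type> <base64>" form.
# CONSTRUCTED placeholder value: substitute the host key published by GitHub.
EXPECTED_HOST_KEY='github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDER'

# pin_host_key SCAN_OUTPUT DEST_FILE
# Takes the raw output of `ssh-keyscan -t ed25519 github.com` (which may hold
# several lines, including '#' comment lines), picks the line whose host and
# key type match the pinned entry, and appends the pinned entry to DEST_FILE
# only if the key material is identical. Returns 0 on match, 1 otherwise.
pin_host_key() {
    scan="$1"; dest="$2"
    want_host=$(printf '%s' "$EXPECTED_HOST_KEY" | awk '{print $1}')
    want_type=$(printf '%s' "$EXPECTED_HOST_KEY" | awk '{print $2}')
    want_key=$(printf '%s' "$EXPECTED_HOST_KEY" | awk '{print $3}')
    # first non-comment line for the wanted host and key type
    got_key=$(printf '%s\n' "$scan" | awk -v h="$want_host" -v t="$want_type" \
        '$1 !~ /^#/ && $1 == h && $2 == t {print $3; exit}')
    if [ -z "$got_key" ]; then
        echo "no $want_type key for $want_host in scan output" >&2
        return 1
    fi
    if [ "$got_key" != "$want_key" ]; then
        echo "host key mismatch for $want_host: refusing to write known_hosts" >&2
        return 1
    fi
    printf '%s\n' "$EXPECTED_HOST_KEY" >> "$dest"
    return 0
}
```

In the Dockerfile this replaces the bare keyscan line (COPY the script in and RUN `pin_host_key "$(ssh-keyscan -t ed25519 github.com)" ~/.ssh/known_hosts`); the private key itself still reaches the build only through `--mount=type=ssh`.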
4

Unfortunately, you cannot forward your ssh socket to the build container, since build-time volume mounts are currently not supported in Docker.

This has been a topic of discussion for quite a while now, see the following issues on GitHub for reference:

As you can see, this feature has been requested multiple times for different use cases. So far the maintainers have been hesitant to address this issue because they feel that volume mounts during build would break portability:

the result of a build should be independent of the underlying host

As outlined in this discussion.

nardeas
4

This may be solved using an alternative build script. For example, you may create a bash script and put it in ~/usr/local/bin/docker-compose or your favourite location:

#!/bin/bash

# stop the background socat bridge when this wrapper exits
trap 'kill $(jobs -p)' EXIT
# expose the host's ssh-agent socket on TCP port 56789 for the build container
socat TCP-LISTEN:56789,reuseaddr,fork UNIX-CLIENT:${SSH_AUTH_SOCK} &

# pass all arguments through to the real docker-compose (quoted so arguments with spaces survive)
/usr/bin/docker-compose "$@"

Then in your Dockerfile you would use your existing ssh socket:

...
ENV SSH_AUTH_SOCK /tmp/auth.sock
...
  && apk add --no-cache socat openssh \
  && /bin/sh -c "socat -v UNIX-LISTEN:${SSH_AUTH_SOCK},unlink-early,mode=777,fork TCP:172.22.1.11:56789 &> /dev/null &" \
  && bundle install \
...
...or any other ssh commands will work.

Now you can call our custom docker-compose build. It will call the actual docker-compose script with a shared ssh socket.

bman
0

This one is also interesting:

It looks like:

  • On the host
mkfifo myfifo
nc -lk 12345 <myfifo | nc -U $SSH_AUTH_SOCK >myfifo
  • In the dockerfile
RUN mkfifo myfifo
RUN while true; do \
  nc 172.17.0.1 12345 <myfifo | nc -Ul /tmp/ssh-agent.sock >myfifo \
done &

RUN export SSH_AUTH_SOCK=/tmp/ssh-agent.sock

RUN ssh ...
Dan Pav