Forward ssh agent socket to docker build

Question

Connecting to the server where I build docker images

ssh -A user@myserver

Dockerfile

# syntax=docker/dockerfile:experimental

FROM golang
WORKDIR /go/src/github.com/xxx/xxx
RUN --mount=type=ssh git clone git@github.com:xxx/xxx.git .
...

Building image:

export DOCKER_BUILDKIT=1
docker build --ssh default=$SSH_AUTH_SOCK -t xxx/xxx .

...
#8 1.579 Host key verification failed.
#8 1.579 fatal: Could not read from remote repository.
#8 1.579 
#8 1.579 Please make sure you have the correct access rights
#8 1.579 and the repository exists.
------
rpc error: code = Unknown desc = executor failed running [/bin/sh -c git clone git@github.com:xxx/xxx.git .]: exit code: 128

What I am missing?

UPDATE

export DOCKER_BUILDKIT=1
docker build --ssh default -t xxx/xxx .

Building locally produces same result.

This may be obvious, but it's bitten me several times. Did you set up ssh-agent on the host? With `ssh-add /path/to/private/key`? — James, Apr 15 '19 at 20:18
Yes I can `git clone` on "myserver" but not in building process — Jonas, Apr 25 '19 at 14:31

JRaymond · Accepted Answer · 2019-05-07T17:59:37.960

5

You might have figured this out or moved on by now, but in my case, I had skipped this step when configuring my build:

RUN mkdir -p -m 0600 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts

turns out ssh will throw up its hands in disgust without checking the agent if the .ssh directory isn't there, and then will fail early if you haven't imported the server's public key.

edited May 07 '19 at 17:59

answered May 06 '19 at 23:22

JRaymond

11,625
5
37
40

You are my hero! – Jonas May 10 '19 at 08:29
Note, to be a secure citizen we should both probably save the key result from github instead of scanning it every time... will edit when I get the chance – JRaymond May 10 '19 at 19:09

score 0 · Answer 2 · answered Apr 09 '19 at 07:05

0

Your error message says, It could not verify the host (i.e) the docker image which you are trying to build.

In order to do git clone via ssh you have to follow these steps.

But, if you want to clone a repo during image build. you can clone using https instead of ssh.

git clone https://username:password@github.com/username/repository.git

So, your Dockerfile should look something like this:

FROM golang
WORKDIR /xxx
RUN git clone https://username:password@github.com/xxx/xxx.git
...

CREDITS: Git clone using username and password

answered Apr 09 '19 at 07:05

Thilak

935
8
12

Outside docker I can clone with ssh key. This docker key forwarding is not working even on my local host. – Jonas Apr 09 '19 at 07:16
Whether `Outside docker` and `local host` are same machine or different machine? – Thilak Apr 09 '19 at 07:28
Even on local unable to forward key – Jonas Apr 09 '19 at 07:30
@Jonas Apologies, I haven't tried this. but I could find some project which may [help you](https://github.com/nardeas/ssh-agent) – Thilak Apr 09 '19 at 07:43
This new feature for forwarding keys should work, probably I am missing something. OK let's wait maybe someone will suggest solution. – Jonas Apr 09 '19 at 07:56

Forward ssh agent socket to docker build

UPDATE

2 Answers2