
I use the --ssh docker buildkit feature and it works fine locally. I want to build Docker at a remote server and for that I use the -A flag to forward my local github key, like:

ssh -i "server.pem" -A <user>@<server-ip>

Then in server terminal I run:

ssh -T git@github.com

And I get the "Hello user" message, which means the key forwarding works fine.
(In the server, $SSH_AUTH_SOCK is indeed set, and I can git clone)

Now, when building locally I use:

DOCKER_BUILDKIT=1 docker build --ssh default=~/.ssh/id_rsa -t myimage:latest .

Which works fine.
But in the server the private key does not exist at ~/.ssh/id_rsa. So how can I forward it to docker build? Tried this in the server:

DOCKER_BUILDKIT=1 docker build --ssh default=$SSH_AUTH_SOCK -t myimage:latest .

But it does not work. The error is:

could not parse ssh: [default]: invalid empty ssh agent socket, make sure SSH_AUTH_SOCK is set

Even though SSH_AUTH_SOCK is set.

Docker version: 19.03


3 Answers


I had a similar issue and it was fixed quite simply: I wrapped ${SSH_AUTH_SOCK} within curly braces.

eval $(ssh-agent)
ssh-add ~/.ssh/id_rsa
DOCKER_BUILDKIT=1 docker build -t myimage:latest --ssh default=${SSH_AUTH_SOCK} .

In the Dockerfile, I have an appropriate RUN instruction to run a command that requires sensitive data:

RUN --mount=type=ssh \
    mkdir vendor && composer install

You need to have ssh-agent running on your machine and the key added to it with ssh-add or use ssh -A -o AddKeysToAgent=true when logging in. SSH will not automatically forward the key specified with -i if you set -A afaik. After logging in you can run ssh-add -L to make sure your keys were forwarded and if you see records there then docker build --ssh default . should work fine now.

eval `ssh-agent`
ssh-add server.pem
ssh -A <user>@<server-ip>
    The key that I want to forward is not the one that I use with `-i`. I did run ssh-agent ssh-add in both client and server. And in the server when using `ssh-add -L` I do see my local key – user3599803 Jan 22 '20 at 15:25
  • I would also specify that the key must be named `id_rsa` or some similar default key name for this to work and under Linux, you may have AppArmor in the way. See [my answer here](https://stackoverflow.com/questions/65824786/building-go-apps-with-private-gitlab-modules-in-docker/69774987#69774987) for way more details. – Alexis Wilke Oct 29 '21 at 23:00
  • Nice, I had this error cuz ssh agent was down – user3180 Jan 09 '22 at 07:16

Another possible cause: "Host key verification failed": in your Dockerfile, you need to either use ssh-keyscan to set up ~/.ssh/known_hosts, or disable host key verification in ssh.

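A preflight script that ties the three answers together, added here as an example and not code from any of the posters: it checks the forwarded agent the way the second answer suggests (SSH_AUTH_SOCK set, socket present, identities listed by ssh-add -L), writes a Dockerfile that mounts the agent and pins GitHub's host key as the first and third answers describe, and then runs the build. The base image, repository URL and image tag are placeholders.

```shell
#!/bin/sh
# Preflight for `docker build --ssh` on a host reached with `ssh -A`.
# Distinct return codes let a caller tell the failure modes apart.
agent_ready() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "SSH_AUTH_SOCK is not set: log in with ssh -A or start ssh-agent" >&2
        return 2
    fi
    if [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK is not a socket (stale agent?)" >&2
        return 3
    fi
    # ssh-add -L exits non-zero when the agent holds no identities or is unreachable
    if ! ssh-add -L >/dev/null 2>&1; then
        echo "agent at $SSH_AUTH_SOCK lists no identities; run ssh-add on the client" >&2
        return 4
    fi
    return 0
}

# Dockerfile that consumes the forwarded agent. Base image and repo URL are placeholders.
write_dockerfile() {
    cat <<'EOF'
# syntax=docker/dockerfile:1
FROM alpine:3.19
RUN apk add --no-cache git openssh-client
# Record GitHub's host key so ssh does not fail with "Host key verification failed".
# This trusts whatever ssh-keyscan returns at build time; COPY a verified known_hosts
# into the image instead if you need a stricter build.
RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
# The agent socket is mounted only for this instruction; no private key lands in the image.
RUN --mount=type=ssh git clone git@github.com:example-org/private-repo.git /src
EOF
}

build_with_agent() {
    agent_ready || return $?
    write_dockerfile > Dockerfile
    DOCKER_BUILDKIT=1 docker build --ssh default="$SSH_AUTH_SOCK" -t myimage:latest .
}
```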