6

I have been using the docker build --ssh flag to give builds access to my keys from ssh-agent.

When I try the same thing with podman it does not work. I am working on macOS Monterey 12.0.1. Intel chip. I have also reproduced this on Ubuntu and WSL2.

❯ podman --version
podman version 3.4.4

This is an example Dockerfile:

FROM python:3.10

RUN mkdir -p -m 0600 ~/.ssh \
    && ssh-keyscan github.com >> ~/.ssh/known_hosts

RUN --mount=type=ssh git clone git@github.com:ruarfff/a-private-repo-of-mine.git

When I run DOCKER_BUILDKIT=1 docker build --ssh default . it works i.e. the build succeeds, the repo is cloned and the ssh key is not baked into the image.

When I run podman build --ssh default . the build fails with:

git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Error: error building at STEP "RUN --mount=type=ssh git clone git@github.com:ruarfff/a-private-repo-of-mine.git": error while running runtime: exit status 128

I have just begun playing around with podman. Looking at the docs, that flag does appear to be supported. I have tried playing around with the format a little, specifying the id directly for example but no variation of specifying the flag or the mount has worked so far. Is there something about how podman works that I may be missing that explains this?

Adding this line as suggested in the comments:

RUN --mount=type=ssh ssh-add -l

Results in this error:

STEP 4/5: RUN --mount=type=ssh ssh-add -l 
Could not open a connection to your authentication agent.
Error: error building at STEP "RUN --mount=type=ssh ssh-add -l": error while running runtime: exit status 2

Edit:

I belive this may have something to do with this issue in buildah. A fix has been merged but has not been released yet as far as I can see.

Ruairi O'Brien
  • 1,209
  • 5
  • 18
  • 33
  • What version of `podman` are you using? This all seems to work as expected for me with podman 3.4.4 on Fedora 35. If you include `RUN --mount=type=ssh ssh-add -l ` in your Dockerfile, do you see the expected keys? – larsks Jan 05 '22 at 14:39
  • Thank you @larsks. I am on version 3.4.4. When I added the line you mentioned I get `Could not open a connection to your authentication agent.` This does not happen with docker so I guess the clue is there :) – Ruairi O'Brien Jan 05 '22 at 16:33
  • Despite installing Podman v4.0.3, which uses Buildah v1.2.4, which is supposed to solve this problem, I still get the same error. – I'll Eat My Hat Apr 29 '22 at 18:19
  • incidentally using macOS 12.3. Exact same issue. A coworker confirmed it works for him on Fedora, so it's probably an issue with the mac version of Podman – I'll Eat My Hat Apr 29 '22 at 19:19
  • The needed Buildah version for the fix seems to be v1.24.0, not v1.2.4. Though I can’t tell what version I have in Podman v4.1.1. It’s also not working for me. – monozok Jul 30 '22 at 02:09
  • A temporary workaround I used: The `—secret` flag. Though I used an SSH key with no passphrase which was the whole reason I started down this path in the first place. See https://docs.podman.io/en/latest/markdown/podman-build.1.html#secret-id-id-src-path – monozok Jul 30 '22 at 02:12
  • This still appears to be an issue on MacOS with the latest versions (OSX 13.5, Podman 4.5.1) – bplattenburg Aug 17 '23 at 18:48
  • See https://github.com/containers/podman/issues/14074 – bplattenburg Aug 24 '23 at 15:35

1 Answers1

1

The error while running runtime: exit status 2 message does not appear to be necessarily related to SSH or --ssh for podman build, not to me at least. It's hard to be sure admittedly, and I've successfully used --ssh like you are trying to do, with some minor differences that I can't relate to the error.

I am also not sure ssh-add being run as part of building the container is what you really meant to do -- if you want it to talk to an agent, you need to have two environment variables being exported from the environment in which you run ssh-add, these define where to find the agent to talk to and are as follows:

  • SSH_AUTH_SOCK, specifying the path to a socket file that a program uses to communicate with the agent
  • SSH_AGENT_PID, specifying the PID of the agent

Again, without these two variables present in the set of exported environment variables, the agent is not discoverable and might as well not exist at all so ssh-add will fail.

Since your agent is probably running as part of the set of processes to which your podman build also belongs to, at the minimum the PID denoted by SSH_AGENT_PID should be valid in that namespace (meaning it's normally invalid in the set of processes that container building is isolated to, so defining the variable as part of building the container would be a mistake). Similar story with SSH_AUTH_SOCK -- the path to the socket file dumped by starting the agent program, would not normally refer to a file that exists in the mount namespace of the container being built.

Now, you can run both the agent and ssh-add as part of building a container, but ssh-add reads keys from ~/.ssh and if you had key files there as part of the container image being built you wouldn't need --ssh in the first place, would you?

The value of --ssh lies in allowing you to transfer your authority to talk to remote services defined through your keys on the host, to the otherwise very isolated container building procedure, through use of nothing else but an SSH agent designed for this very purpose. That removes the need to do things like copying key files into the container. They (keys) should also normally not be part of the built container, especially if they were only to be used during building. The agent, on the other hand, runs on the host, securely encapsulates the keys you add to it, and since the host is where you'd have your keys that's where you're supposed to run ssh-add at to add them to the agent.

Armen Michaeli
  • 8,625
  • 8
  • 58
  • 95