user3599803

Reputation: 7034

docker buildkit mount ssh when using remote agent forwarding

I use the --ssh Docker BuildKit feature and it works fine locally. I want to build Docker images on a remote server, and for that I use the -A flag to forward my local GitHub key, like:

ssh -i "server.pem" -A <user>@<server-ip>

Then in the server terminal I run:

ssh -T [email protected]

And I get the "Hello user" message, which means the key forwarding works fine.
(On the server, $SSH_AUTH_SOCK is indeed set, and I can git clone.)

Now, when building locally I use:

DOCKER_BUILDKIT=1 docker build --ssh default=~/.ssh/id_rsa -t myimage:latest .

Which works fine.
But on the server the private key does not exist at ~/.ssh/id_rsa. So how can I forward it to docker build? I tried this on the server:

DOCKER_BUILDKIT=1 docker build --ssh default=$SSH_AUTH_SOCK -t myimage:latest .

But it does not work. The error is:

could not parse ssh: [default]: invalid empty ssh agent socket, make sure SSH_AUTH_SOCK is set

Even though SSH_AUTH_SOCK is set.

Docker version: 19.03

Upvotes: 18

Views: 21452

Answers (3)

Alan Pita

Reputation: 11

Another possible cause: "Host key verification failed". In your Dockerfile, you need to either use ssh-keyscan to set up ~/.ssh/known_hosts, or disable host key verification in ssh.

Upvotes: 1

Serhii Popov

Reputation: 3804

I had a similar issue, and it was fixed quite simply: I wrapped ${SSH_AUTH_SOCK} within curly braces.

eval $(ssh-agent)
ssh-add ~/.ssh/id_rsa
DOCKER_BUILDKIT=1 docker build -t myimage:latest --ssh default=${SSH_AUTH_SOCK} .

In the Dockerfile, I have an appropriate RUN instruction to run a command that requires sensitive data:

RUN --mount=type=ssh \
    mkdir vendor && composer install

Upvotes: 24

Tõnis Tiigi

Reputation: 104

You need to have ssh-agent running on your machine and the key added to it with ssh-add, or use ssh -A -o AddKeysToAgent=true when logging in. SSH will not automatically forward the key specified with -i if you set -A, as far as I know. After logging in you can run ssh-add -L to make sure your keys were forwarded, and if you see records there then docker build --ssh default . should work fine now.

eval `ssh-agent`
ssh-add server.pem
ssh -A <user>@<server-ip>

Upvotes: 3
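Pulling the three answers together, the following is an added example (not code from any of the posters): a preflight script to run on the remote server that checks the forwarded agent the way the answers above suggest (socket set and actually a Unix socket, ssh-add -L listing at least one key) before invoking docker build --ssh default, and that writes a Dockerfile pinning github.com's host key with ssh-keyscan and cloning under RUN --mount=type=ssh. The image name, the alpine base, the repository path example/private-repo.git and the "run" argument guard are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original question or answers. Run on the
# remote server after logging in with `ssh -A` from a client whose agent
# already holds the key (`eval $(ssh-agent); ssh-add server.pem`).
# Placeholders (assumptions): image name, base image, repo path.

# Returns 0 if $1 is a usable agent socket path, otherwise prints why and
# returns 1. These are the two ways the question's error shows up in
# practice: the variable is empty in the shell running docker, or it points
# at a stale path left over from an earlier session.
check_agent_socket() {
    sock="$1"
    if [ -z "$sock" ]; then
        echo "SSH_AUTH_SOCK is empty: log in with 'ssh -A' after 'ssh-add' on the client" >&2
        return 1
    fi
    if [ ! -S "$sock" ]; then
        echo "SSH_AUTH_SOCK=$sock is not a Unix socket (stale forwarding?)" >&2
        return 1
    fi
    return 0
}

# Returns 0 if the forwarded agent holds at least one identity.
# `ssh-add -L` exits 1 when the agent is empty and 2 when it cannot be
# reached at all, so either failure means the build would have no key.
agent_has_keys() {
    ssh-add -L >/dev/null 2>&1
}

# Writes a Dockerfile to $1. Host keys are pinned at build time with
# ssh-keyscan so the clone does not fail with "Host key verification
# failed"; the agent socket is mounted only for the one RUN step and never
# becomes part of an image layer. The repo path is a placeholder.
write_dockerfile() {
    cat > "$1" <<'EOF'
# syntax=docker/dockerfile:1
FROM alpine:3.19
RUN apk add --no-cache git openssh-client \
 && mkdir -p -m 0700 ~/.ssh \
 && ssh-keyscan github.com >> ~/.ssh/known_hosts
RUN --mount=type=ssh git clone git@github.com:example/private-repo.git /src
EOF
}

# Full procedure: verify the agent, write the Dockerfile, build with the
# agent socket taken from $SSH_AUTH_SOCK (`--ssh default` with no path).
build_with_forwarded_agent() {
    check_agent_socket "$SSH_AUTH_SOCK" || return 1
    agent_has_keys || {
        echo "agent reachable but has no identities; run ssh-add on the client first" >&2
        return 1
    }
    write_dockerfile ./Dockerfile
    DOCKER_BUILDKIT=1 docker build --ssh default -t myimage:latest .
}

# Only kick off a real build when invoked as `sh preflight.sh run`, so the
# functions can be sourced or tested without touching docker.
if [ "${1:-}" = "run" ]; then
    build_with_forwarded_agent
fi
```

If check_agent_socket fails with the "is empty" message even though `echo $SSH_AUTH_SOCK` shows a path in your login shell, the docker command is running in a different environment (for example under sudo, which drops SSH_AUTH_SOCK unless it is explicitly preserved), which is the same symptom the question reports.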
