flywell

Reputation: 356

docker : how to share ssh-keys between containers?

I've 4 containers configured like the following (docker-compose.yml):

version: '3'
networks:
  my-ntwk:
    ipam:
      config:
        - subnet: 172.20.0.0/24
services:
  f-app:
    image: f-app
    tty: true
    container_name: f-app
    hostname: f-app.info.my
    ports:
      - "22:22"
    networks:
      my-ntwk:
        ipv4_address: 172.20.0.5
    extra_hosts:
      - "f-db.info.my:172.20.0.6"
      - "p-app.info.my:172.20.0.7"
      - "p-db.info.my:172.20.0.8"
    depends_on:
      - f-db
      - p-app
      - p-db
  f-db:
    image: f-db
    tty: true
    container_name: f-db
    hostname: f-db.info.my
    networks:
      my-ntwk:
        ipv4_address: 172.20.0.6
  p-app:
    image: p-app
    tty: true
    container_name: p-app
    hostname: p-app.info.my
    networks:
      my-ntwk:
        ipv4_address: 172.20.0.7
  p-db:
    image: p-db
    tty: true
    container_name: prod-db
    hostname: p-db.info.my
    networks:
      my-ntwk:
        ipv4_address: 172.20.0.8

Each image is built by the same Dockerfile:

FROM openjdk:8

RUN apt-get update && \
    apt-get install -y openssh-server

EXPOSE 22

RUN useradd -s /bin/bash -p $(openssl passwd -1 myuser) -d /home/nf2/ -m myuser

ENTRYPOINT service ssh start && bash

Now I want to be able to connect from f-app to any other machine without typing the password when running this line: ssh [email protected].

I know that I need to exchange ssh-keys between the servers (that's not a problem). My problem is how to do it with docker containers and when (build or runtime)!

Upvotes: 5

Views: 7515

Answers (3)

gluttony

Reputation: 569

In my case I haven't managed to find a solution that works without a password. If you don't care that your password is given in plain text (I think so because technically it's the same as setting no password, as proposed in the accepted answer), you can install sshpass in addition to openssh, then call your SSH command like this (I added -o StrictHostKeyChecking=accept-new in order not to get the prompt to accept the connection the first time SSH runs):

sshpass -p YourPassword ssh -o StrictHostKeyChecking=accept-new [email protected]

Upvotes: 0

Adiii

Reputation: 60144

To do SSH without a password, you need to create a passwordless user along with configuring SSH keys in the container; you will also need to add the SSH keys in the source container, and the public key should be added to the authorized keys of the destination container.

Here is the working Dockerfile:

FROM openjdk:7

RUN apt-get update && \
    apt-get install -y openssh-server vim 

EXPOSE 22


RUN useradd -rm -d /home/nf2/ -s /bin/bash -g root -G sudo -u 1001 ubuntu
USER ubuntu
WORKDIR /home/ubuntu

RUN mkdir -p /home/nf2/.ssh/ && \
    chmod 0700 /home/nf2/.ssh  && \
    touch /home/nf2/.ssh/authorized_keys && \
    chmod 600 /home/nf2/.ssh/authorized_keys

COPY ssh-keys/ /keys/
RUN cat /keys/ssh_test.pub >> /home/nf2/.ssh/authorized_keys

USER root
ENTRYPOINT service ssh start && bash

docker-compose will remain the same; here is the testing script that you can try.

#!/bin/bash
set -e
echo "start docker-compose"
docker-compose up -d
echo "list of containers"
docker-compose ps
echo "starting ssh test from f-db to f-app"
docker exec -it f-db sh -c "ssh -i /keys/ssh_test ubuntu@f-app"

For further detail, you can try the above working example docker-container-ssh

git clone [email protected]:Adiii717/docker-container-ssh.git
cd docker-container-ssh; 
./test.sh

You can replace the keys, as these were used for testing purposes only.

Upvotes: 1
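
Added example, not part of the answers above: a runtime alternative to copying the key pair into every image. An entrypoint helper installs a bind-mounted public key into authorized_keys with the permissions sshd expects, so the private key only has to exist where f-app uses it. The helper names and the /run/keys mount path are assumptions; /home/nf2 and myuser come from the question's Dockerfile.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the page): install a mounted
# public key into a user's authorized_keys when the container starts.

# install_authorized_key PUBKEY_FILE HOME_DIR
# Returns 0 on success, 1 if the file is unreadable, 2 if it is not a public key.
install_authorized_key() {
    pub=$1
    home=$2
    [ -r "$pub" ] || return 1
    # Refuse private key material: only public keys belong in authorized_keys.
    if grep -q 'PRIVATE KEY' "$pub"; then return 2; fi
    grep -Eq '^(ssh-(ed25519|rsa)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+' "$pub" || return 2

    # sshd (StrictModes) ignores the file if these are group- or world-writable.
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    auth="$home/.ssh/authorized_keys"
    touch "$auth"
    chmod 600 "$auth"

    # Append each key line once, so container restarts do not duplicate entries.
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
    done < "$pub"
}

# mode_of PATH: print the permission string of PATH, e.g. -rw-------
mode_of() { ls -ld "$1" | cut -c1-10; }

# Entrypoint use (mount path is an assumption):
#   install_authorized_key /run/keys/f-app.pub /home/nf2 \
#     && chown -R myuser /home/nf2/.ssh && service ssh start && exec bash
```

The chown in the usage comment matters: sshd reads authorized_keys with the target user's privileges, so a root-owned 0700 .ssh directory would make the key unusable.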

Jomaar

Reputation: 84

If you are using docker compose, an easy choice is to forward the SSH agent like this:

something:
    container_name: something
    volumes:
        - $SSH_AUTH_SOCK:/ssh-agent # Forward local machine SSH key to docker
    environment:
        SSH_AUTH_SOCK: /ssh-agent

SSH forwarding on macOS hosts: instead of mounting the path of $SSH_AUTH_SOCK, you have to mount this path: /run/host-services/ssh-auth.sock

Or you can do it like this:

It's a harder problem if you need to use SSH at build time. For example if you're using git clone, or in my case pip and npm to download from a private repository.

The solution I found is to add your keys using the --build-arg flag. Then you can use the new experimental --squash command (added in 1.13) to merge the layers so that the keys are no longer available after removal. Here's my solution:

Build command

$ docker build -t example --build-arg ssh_prv_key="$(cat ~/.ssh/id_rsa)" --build-arg ssh_pub_key="$(cat ~/.ssh/id_rsa.pub)" --squash .

Dockerfile

FROM openjdk:8

ARG ssh_prv_key
ARG ssh_pub_key

RUN apt-get update && \
    apt-get install -y \
        git \
        openssh-server \
        libmysqlclient-dev

# Authorize SSH Host
RUN mkdir -p /root/.ssh && \
    chmod 0700 /root/.ssh && \
    ssh-keyscan github.com > /root/.ssh/known_hosts

# Add the keys and set permissions
RUN echo "$ssh_prv_key" > /root/.ssh/id_rsa && \
    echo "$ssh_pub_key" > /root/.ssh/id_rsa.pub && \
    chmod 600 /root/.ssh/id_rsa && \
    chmod 600 /root/.ssh/id_rsa.pub

RUN apt-get update && \
    apt-get install -y openssh-server && \
    apt-get install -y openssh-client

EXPOSE 22

RUN useradd -s /bin/bash -p $(openssl passwd -1 myuser) -d /home/nf2/ -m myuser

ENTRYPOINT service ssh start && bash

If you're using Docker 1.13+ and/or have experimental features on you can append --squash to the build command which will merge the layers, removing the SSH keys and hiding them from docker history.

Upvotes: 1
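
Added example, not part of the answer above: Docker's documentation warns that build-time variables are visible to anyone with the image through docker history, so a private key passed with --build-arg is worth catching in review. The hypothetical audit_dockerfile helper below flags that pattern and accepts BuildKit's RUN --mount=type=ssh (built with docker build --ssh default), which forwards the agent to a single RUN step.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the page): flag Dockerfile
# instructions that place SSH private-key material into the build.

# audit_dockerfile FILE
# Prints "LINE:RULE:detail" per finding; returns 1 if anything was found.
audit_dockerfile() {
    awk '
    function report(n, rule, detail) {
        found = 1
        printf "%d:%s:%s\n", n, rule, detail
    }
    function check(ins, n,    words, name, op) {
        sub(/^[ \t]+/, "", ins)
        split(ins, words, /[ \t=]+/)
        op = toupper(words[1])
        if (op == "ARG") {
            name = tolower(words[2])
            # Secret-looking ARG names; public keys are not secrets.
            if (name ~ /key|prv|priv|secret|token|passw/ && name !~ /pub/) {
                secret[words[2]] = 1
                report(n, "secret-build-arg", words[2])
            }
        } else if (op == "RUN") {
            # BuildKit ssh/secret mounts exist only for this one RUN step.
            if (ins ~ /--mount=type=(ssh|secret)/) return
            for (name in secret)
                if (index(ins, "$" name) || index(ins, "${" name "}"))
                    report(n, "secret-written-in-layer", name)
        } else if ((op == "COPY" || op == "ADD") &&
                   ins ~ /id_(rsa|ed25519|ecdsa)([ \t]|$)/) {
            report(n, "private-key-copied", words[2])
        }
    }
    # Join backslash continuations so a multi-line RUN is one instruction.
    {
        if (buf == "") start = NR
        buf = buf $0
        if (sub(/\\[ \t]*$/, " ", buf)) next
        check(buf, start)
        buf = ""
    }
    END {
        if (buf != "") check(buf, start)
        exit (found ? 1 : 0)
    }' "$1"
}
```

Run against the Dockerfile in the answer above, it reports the ARG ssh_prv_key declaration and the RUN step that echoes it into /root/.ssh/id_rsa.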
