This repository has been archived by the owner on Sep 26, 2021. It is now read-only.

SSH forwarding inside Machine #2439

Closed
joecorcoran opened this issue Nov 27, 2015 · 10 comments

Comments

@joecorcoran

Firstly, sorry if this is posted in the wrong project – I wasn't sure if it belonged here or in Compose.

I'm having trouble getting SSH forwarding to work with Docker/Machine/Compose. First I create a new machine.

$ docker-machine create -d virtualbox test
$ eval $(docker-machine env test)

I have the following, seemingly simple config for an Ubuntu container and Compose.
The idea behind the environment variable and mounted volume is that the SSH socket
from the virtual machine is accessible from within the container.

# Dockerfile
FROM ubuntu
# Refresh the package lists first; a fresh ubuntu image has none, so a bare apt-get install fails
RUN apt-get update && apt-get install -y openssh-server openssh-client
CMD bash
# docker-compose.yml
empty:
  build: .
  environment:
    - SSH_AUTH_SOCK=/ssh-agent
  volumes:
    - $SSH_AUTH_SOCK:/ssh-agent

When I test it out via Compose, I can't connect to the SSH agent.

$ docker-compose run --rm empty
root@11b75d569866:/# ssh-add -l
Could not open a connection to your authentication agent.

However, when running Docker from within the virtual machine, everything is fine.

$ docker-machine ssh test
docker@test:~$ docker run --rm -it -v $SSH_AUTH_SOCK:/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent test_empty bash
root@ff2852518363:/# ssh-add -l
4096 d2:4c:c5:90:0f:09:bd:0d:ac:5e:e4:19:d7:45:7c:d4 .ssh/personal_id_rsa (RSA)

Both scenarios used to work in my previous setup, with a Vagrant virtual machine in place of Docker Machine. What's the difference here?


$ docker -v
Docker version 1.9.0, build 76d6bc9
$ docker-compose -v
docker-compose version: 1.5.1
$ docker-machine -v
docker-machine version 0.5.0 (04cfa58)
@dgageot
Member

dgageot commented Nov 27, 2015

Hi @joecorcoran, the issue is that you are trying to mount the ssh agent socket. This is not possible out of the box with the Virtualbox driver.

The Virtualbox driver creates a vm with one shared folder. This folder is /Users. Everything that is out of /Users cannot be shared with running containers.

See #1826 and #13

@joecorcoran
Author

SSH is configured correctly within the virtual machine though, so whatever forwarding Docker Machine does is working fine. The issue seems to be at the border between virtual machine and container.

I don't understand the difference between my two scenarios above. Why does starting the container manually work, but starting it via Docker Compose not work? I would expect that docker-compose simply wraps the docker run ... command, but I must be mistaken.

@joecorcoran
Author

I think I understand this better now. So the issue is that $SSH_AUTH_SOCK is expanded on the host machine and not inside the Docker Machine VM, as I had for some reason hoped.

Moving my SSH socket into /Users is not really an option for reasons of both security and difficulty. Neither is configuring another shared directory in the VirtualBox GUI, since these virtual machines will be created and destroyed frequently and that's not an acceptable workflow.

Is there a way of passing environment variables from the Docker Machine (not the host) into Docker containers? I think that would solve this problem.

@nathanleclaire
Contributor

@joecorcoran How are you setting SSH_AUTH_SOCK in the VM in the first place? It's empty by default for me.

@nathanleclaire
Contributor

With docker-machine ssh default -A?

@joecorcoran
Author

I have forwarding enabled in my host machine SSH config. No explicit attempt to set SSH_AUTH_SOCK on the VM.

@nathanleclaire
Contributor

Would bind mounting $HOME/.ssh (which is in /Users) into the container work instead?

@aanand

aanand commented Dec 3, 2015

Is there a way of passing environment variables from the Docker Machine (not the host) into Docker containers? I think that would solve this problem.

There isn't, no - I'm not sure it would be a good idea in general, from the perspective of leaky abstractions.

There's some related discussion on this in docker/compose#551 and moby/moby#6396. It looks like the general problem of SSH forwarding into a Docker container, when Docker's running in a VM, has not been solved satisfactorily.

Here's something which might work:

  1. SSH into the machine with forwarding enabled:

    $ docker-machine ssh default -A
  2. In that session, start a container which bind-mounts the temporary auth socket to a fixed path:

    docker@default:~$ docker run --name ssh-auth-sock -v $SSH_AUTH_SOCK:/ssh-auth-sock tianon/true
    Unable to find image 'tianon/true:latest' locally
    latest: Pulling from tianon/true
    d757cc55793a: Pull complete
    082f77f66d5c: Pull complete
    Digest: sha256:975dd54afdf483457367697de5c22b623692bb475d4fd0367d93cb8b699f3b87
    Status: Downloaded newer image for tianon/true:latest

    (I used the tianon/true image here, but you can basically run anything - you just want a no-op)

  3. In your docker-compose.yml, use volumes_from to copy the bind-mount from that container into your containers:

    test:
      image: busybox
      command: sh -c "stat $$SSH_AUTH_SOCK"
      volumes_from:
        - ssh-auth-sock
      environment:
        - SSH_AUTH_SOCK=/ssh-auth-sock

    $ docker-compose up
    Recreating sshauthsock_test_1
    Attaching to sshauthsock_test_1
    test_1 |   File: /ssh-auth-sock
    test_1 |   Size: 0          Blocks: 0          IO Block: 4096   socket
    test_1 | Device: 801h/2049d Inode: 784904      Links: 1
    test_1 | Access: (0755/srwxr-xr-x)  Uid: ( 1000/ UNKNOWN)   Gid: (   50/   staff)
    test_1 | Access: 2015-12-03 14:50:01.000000000
    test_1 | Modify: 2015-12-03 14:50:01.000000000
    test_1 | Change: 2015-12-03 14:50:01.000000000
    test_1 |
    sshauthsock_test_1 exited with code 0
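
Added example, not code from this issue or from the docker-machine project: a POSIX shell preflight that captures the two points made in the thread, joecorcoran's observation that Compose expands $SSH_AUTH_SOCK on the host rather than in the VM, and dgageot's note that the VirtualBox driver shares only /Users, and then emits either the direct bind mount (when the host socket is under the shared folder) or the volumes_from form of aanand's workaround. The SHARED_ROOT default, the function names and the sample socket paths are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the issue or docker-machine). Decides whether a host
# SSH agent socket can reach a container through the docker-machine VM, and
# renders the matching docker-compose v1 service stanza.
# Assumption: the VirtualBox driver shares only SHARED_ROOT (/Users, as stated
# in the thread) into the VM; override it for a driver that shares elsewhere.

SHARED_ROOT="${SHARED_ROOT:-/Users}"

# classify_socket PATH
# Prints "unset", "shareable" or "unshared". Returns 0 only for "shareable",
# i.e. a path the VM can see, so "-v $SSH_AUTH_SOCK:/ssh-agent" expanded on
# the host would actually bind a socket inside the container.
classify_socket() {
  sock="$1"
  if [ -z "$sock" ]; then
    echo unset
    return 1
  fi
  case "$sock" in
    "$SHARED_ROOT"/*)
      echo shareable
      return 0
      ;;
    *)
      # Typical for macOS: the agent socket lives under /private/tmp, which the
      # VirtualBox shared folder never covers (the failure seen in this issue).
      echo unshared
      return 1
      ;;
  esac
}

# render_compose SERVICE IMAGE SOCK_PATH
# Shareable socket: bind-mount it directly, as in the original compose file.
# Otherwise: volumes_from the "ssh-auth-sock" container that aanand's
# workaround creates inside the VM with
#   docker-machine ssh default -A
#   docker run --name ssh-auth-sock -v $SSH_AUTH_SOCK:/ssh-auth-sock tianon/true
render_compose() {
  service="$1"
  image="$2"
  sock="$3"
  printf '%s:\n  image: %s\n' "$service" "$image"
  if classify_socket "$sock" >/dev/null; then
    printf '  volumes:\n    - %s:/ssh-agent\n' "$sock"
    printf '  environment:\n    - SSH_AUTH_SOCK=/ssh-agent\n'
  else
    printf '  volumes_from:\n    - ssh-auth-sock\n'
    printf '  environment:\n    - SSH_AUTH_SOCK=/ssh-auth-sock\n'
  fi
}

# Demo on constructed paths (no docker needed): one under the shared folder,
# one in the usual macOS launchd location, and the unset case.
for p in /Users/joe/.ssh/agent.sock /private/tmp/com.apple.launchd.example/Listeners ""; do
  printf '%-55s -> %s\n' "${p:-(unset)}" "$(classify_socket "$p")"
done
echo
render_compose test busybox /private/tmp/com.apple.launchd.example/Listeners
```

Whichever stanza is rendered, the mounted socket is a signing capability: every container that shares it can use every key loaded in the agent, so attach it only to the services that need it and confirm with ssh-add -l inside the container that only the intended keys are visible. The volumes_from path also inherits the brittleness joecorcoran notes below: the socket disappears as soon as the forwarding SSH session ends.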

@nathanleclaire
Contributor

Going to close this as SSH forwarding works fine in Machine VMs, and getting it into a container is the issue.

@joecorcoran
Author

@aanand Your solution works, in that it gets SSH running inside the container. Not ideal though, in that the SSH session with forwarding enabled has to remain open, which makes the settings in docker-compose.yml very brittle.

Good to know that it's all fundamentally possible, but would be great as a proper Compose feature. Not exactly sure what that feature would look like. Thanks for your help everyone. 🙇
