d11wtq/docker-ssh-forward.bash

Based on @tomdavies post, i created this Dockerfile which uses the USER statement in order to have an unpriviledged container instead of su-exec:

FROM python:3.11.6-alpine

RUN apk --no-cache add --update \
    socat \
    sudo

RUN addgroup --gid 1001 -S ansible && adduser --uid 1001 -S ansible -G ansible -h /home/ansible
RUN echo 'ansible ALL=(ALL:ALL) NOPASSWD:/usr/local/bin/create-ansible-agent-socket.sh' > /etc/sudoers
RUN echo 'socat UNIX-LISTEN:/home/ansible/.ssh/agent,fork,user=ansible,group=ansible,mode=777 UNIX-CONNECT:/root/.ssh/agent' > /usr/local/bin/create-ansible-agent-socket.sh
RUN chmod +x /usr/local/bin/create-ansible-agent-socket.sh
RUN echo 'sudo /usr/local/bin/create-ansible-agent-socket.sh & SSH_AUTH_SOCK=/home/ansible/.ssh/agent "$@"' > /entrypoint.sh

USER ansible
RUN mkdir -p /home/ansible/.ssh && chown ansible:ansible /home/ansible/.ssh

ENTRYPOINT [/bin/sh, /entrypoint.sh]

you run it then with

docker run -it -u ansible \
    -v "$SSH_AUTH_SOCK":/root/.ssh/agent \
    -e SSH_AUTH_SOCK=/root/.ssh/agent \
    name cmd

@benjertho After struggling for hours with the same problem (works on first shell login but after that fails), I tried a hack and it worked! Sharing here:

• Add an entrypoint line to dockerfile
  ENTRYPOINT ["/ros_entrypoint.sh"]

• In entrypoint script, add the following at the top:

# Dynamically set SSH_AUTH_SOCK if it's available in the mounted /tmp directory
if [ -n "$(find /tmp -type s -name 'agent.*' 2>/dev/null)" ]; then
  export SSH_AUTH_SOCK=$(find /tmp -type s -name 'agent.*' 2>/dev/null)
fi

• Add the following to your compose.yaml:

environment:
    - SSH_AUTH_SOCK=/tmp/ssh-agent
volumes:
    - /tmp:/tmp

Now the ssh auth sock will be set appropriately every time.

run docker -p  222:22 && apt install openssh-server &&  $(edit /etc/ssh/sshdconfig to enable root login)

on your mac of git bash

eval $(ssh-agent -s)
ssh-add 
ssh -A  toDockerContainer

Thanks! You pointed me in the right direction for a very similar problem. Here’s my take on it, implemented within a Makefile. This is very much specific to a mac os problem with a Docker Desktop solution.

# izumanetworks.com ai-edge-runner
run:
    @if [ -z "$(WORKSPACE_PATH)" ]; then \
        echo "Error: Please specify the path to map using MAP=/path/to/map"; \
        exit 1; \
    fi
    @if [ -z "$(SSH_AUTH_SOCK)" ]; then \
        echo "Error: SSH agent is not running. Please start it with 'eval $$(ssh-agent -s)' and add your key with 'ssh-add'."; \
        exit 1; \
    fi
    docker run -it \
        --name $(CONTAINER_NAME) \
        -e SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock \
        -v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock \
        -v $(WORKSPACE_PATH):/izuma \
        --entrypoint /bin/bash \
        $(IMAGE_NAME)

The magic is that even though macOS doesn’t have a /run/blah/blah path, Docker Desktop creates /run/host-services/ssh-auth.sock as a special bridge to your host system’s SSH_AUTH_SOCK.

To test, run ssh-add -l inside the container to list your keys and ssh -T [email protected] to verify connectivity. This approach works seamlessly with Docker Desktop on macOS.

the latest official documentation helped me with docker-compose setup https://docs.docker.com/desktop/networking/#ssh-agent-forwarding

That seems to be specific to Docker Desktop. What about Colima and/or Podman?

Did you ever figure this out on Podman specifically?