Forward SSH Agent from Host into FPM Container #121

Merged: 4 commits, Mar 21, 2020

@davidalger (Collaborator) commented Mar 21, 2020

Docker Desktop now allows users to access the host’s SSH agent inside containers as of Docker Desktop 2.2.0.0 (released 2020-01-21) and later.

Reference docker/for-mac#410 and https://docs.docker.com/docker-for-mac/release-notes/#docker-desktop-community-2200

Last month I began researching how to do this. It requires a bit of effort to work around permissions issues with forwarding the socket, since it is owned by root in the VM used on macOS but FPM containers are running as uid 1000. To work towards solving this, I added socat to FPM images in February and then implemented the necessary forward in the docker-entrypoint script: a5df7fef

This PR adds the necessary docker-compose configuration to successfully forward the ssh-agent into php-fpm and php-debug containers on both macOS and Linux hosts across Magento 1, Magento 2 and Laravel environment types.

The simplest way to test this (and see it working) is to attempt a connection to GitHub (assuming your public key is authorized on GitHub, that is):

$ ssh -T git@github.com
Hi davidalger! You've successfully authenticated, but GitHub does not provide shell access.

Another way to see it work is to simply run ssh-add -l once inside a php-fpm container to list keys in the agent. For example:

davidalger@hylfing:11:17 AM:/sites/example$ warden shell
www-data@example-php-fpm:04:17 PM:/var/www/html$ ssh-add -l
error fetching identities for protocol 1: agent refused operation
2048 SHA256:CYCgnAYUJ7NebFrZ8WMzqTE4AXek+iTxwno/0V6GUJI davidmalger@gmail.com (RSA)

Note that "agent refused operation" in the output of ssh-add is not indicative of a problem. As long as the keys in the agent on the host are listed and its output isn't something such as "Could not open a connection to your authentication agent" or "Error connecting to agent: No such file or directory", it means it's working as expected.

@davidalger added the enhancement label Mar 21, 2020
@davidalger added this to the Warden 0.4.0 milestone Mar 21, 2020
@davidalger self-assigned this Mar 21, 2020
@davidalger merged commit cfac612 into develop Mar 21, 2020
@davidalger deleted the feature/ssh-auth-sock-forwarding branch March 21, 2020 17:54
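
Added example, not part of the original pull request or of Warden's own code: a diagnostic for the forwarded agent socket that applies the rule from the description above (listed keys mean success even alongside "agent refused operation"; the two connection errors mean failure). The function names and the sample ssh-add -l output are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): diagnose SSH agent forwarding
# from inside a container such as php-fpm.

# Constructed sample of a healthy `ssh-add -l` result; fingerprint is a placeholder.
SAMPLE_WORKING='error fetching identities for protocol 1: agent refused operation
2048 SHA256:PLACEHOLDERFINGERPRINT user@example.com (RSA)'

# Classify the socket path (normally $SSH_AUTH_SOCK) before talking to the agent.
check_agent_socket() {
    sock="$1"
    if [ -z "$sock" ]; then echo "unset"; return; fi
    if [ ! -e "$sock" ]; then echo "missing"; return; fi
    if [ ! -S "$sock" ]; then echo "not-a-socket"; return; fi
    # A root-owned socket cannot be used by an unprivileged user (e.g. uid 1000).
    if [ ! -r "$sock" ] || [ ! -w "$sock" ]; then echo "no-permission"; return; fi
    echo "ok"
}

# Classify `ssh-add -l` output read from stdin.
classify_ssh_add_output() {
    out=$(cat)
    case "$out" in
        *"Could not open a connection to your authentication agent"*|*"Error connecting to agent"*)
            echo "unreachable"; return ;;
    esac
    # Key lines look like "<bits> SHA256:<fingerprint> <comment> (<type>)".
    # grep -c exits non-zero on zero matches, hence the `|| true`.
    keys=$(printf '%s\n' "$out" | grep -c -E '^[0-9]+ (SHA256|MD5):' || true)
    if [ "$keys" -gt 0 ]; then echo "working:$keys"; else echo "no-keys"; fi
}

# Report both checks for the current shell.
diagnose() {
    echo "socket: $(check_agent_socket "${SSH_AUTH_SOCK:-}")"
    echo "agent:  $(ssh-add -l 2>&1 | classify_ssh_add_output)"
}

# Run as `sh script.sh run` inside the container shell.
if [ "${1:-}" = "run" ]; then diagnose; fi
```

A result of "ok" plus "working:N" means any process running as that user in the container can ask the host's agent to sign with those N keys for as long as the socket is mounted.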
@erikhansen (Contributor)

I've not been this happy about a new feature being added to a tool I use in some time. Thanks for spending the time to figure this out!

@erikhansen (Contributor)

This doesn't seem to be working for me. However, don't worry about looking into this just for me. But if anyone else reports this, it might be worth looking into.

  • I'm using macOS Mojave 10.14.6 (could this be the problem?).

  • I'm using Docker Desktop 2.2.0.5.

  • I've upgraded to Warden 0.4.0

     $ warden -v
     Warden version 0.4.0
    
  • I ensured my SSH key was unlocked:

     eval `ssh-agent` && ssh-add
    
  • I created a brand new environment and tested:

erikhansen:12:28 PM:/server/sites$ ssh -T git@github.com
Hi erikhansen! You've successfully authenticated, but GitHub does not provide shell access.

cd /server/sites
mkdir exampleproject
warden env-init exampleproject magento2
warden env up -d
warden shell

www-data@exampleproject-php-fpm:05:27 PM:/var/www/html$ ssh -T git@github.com
The authenticity of host 'github.com (140.82.112.4)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
RSA key fingerprint is MD5:16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'github.com,140.82.112.4' (RSA) to the list of known hosts.
Permission denied (publickey).

@davidalger (Collaborator, Author)

When is the last time you pulled the latest images? Could you run this and try again:

warden env pull
warden env up -d

I ask this in order to make sure you have the changes from this commit in the image being used to create the containers on your system: a5df7fef

@erikhansen (Contributor)

@davidalger That did the trick! I was able to start an existing magento2 environment (without destroying the existing images via warden env down -v) and successfully run ssh -T git@github.com. Thanks!

davidalger added a commit that referenced this pull request Apr 3, 2020
As a result of the changes implemented on #121, Docker Desktop 2.2.0.0 or later is required on macOS