build: add SSH agent socket forwarder (`docker build --ssh $SSHMOUNTID=$SSH_AUTH_SOCK`) #1419
Signed-off-by: Akihiro Suda firstname.lastname@example.org
- What I did
This commit adds SSH agent socket forwarder (
```console
$ eval $(ssh-agent)
$ ssh-add ~/.ssh/id_rsa
(Input your passphrase here)
$ docker build --ssh default=$SSH_AUTH_SOCK ...
```
This feature requires the daemon with
Currently, the official Dockerfile frontend does not provide the syntax for using the SSH forwarder.
However, the experimental
The Dockerfile for the Dockerfile frontend is available at https://github.com/moby/buildkit/tree/master/frontend/dockerfile/cmd/dockerfile-frontend .
An example Dockerfile with
```dockerfile
# syntax = tonistiigi/dockerfile:ssh20181002
FROM alpine
RUN apk add --no-cache openssh-client
RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan gitlab.com >> ~/.ssh/known_hosts
RUN --mount=type=ssh ssh email@example.com | tee /hello
# "Welcome to GitLab, @GITLAB_USERNAME_ASSOCIATED_WITH_SSHKEY" should be printed here
```
- How I did it
- How to verify it
- Description for the changelog
build: add SSH agent socket forwarder (
- A picture of a cute animal (not mandatory but encouraged)
```diff
@@            Coverage Diff             @@
##           master    #1419      +/-   ##
==========================================
- Coverage   54.26%   54.21%   -0.06%
==========================================
  Files         289      289
  Lines       19331    19353      +22
==========================================
+ Hits        10490    10492       +2
- Misses       8165     8185      +20
  Partials      676      676
```
@AkihiroSuda @tiborvass @vdemeester Are we sure about this syntax? I don't have better ideas but didn't give it that much thought when I added this in
@tonistiigi I think the word
A CI could do
In order to allow that granularity, we need a default ID... and I'm fine with
I would call this something like "forward-ssh" or "ssh-agent".
Had the same thought as Brian, but only was able to have a very brief look…
On 6 Oct 2018, at 20:28, Brian Goff ***@***.***> wrote:
> I would call this something like "forward-ssh" or "ssh-agent".
> Other than that, I wonder if there's some magic we can do with the flag parser to have the flag value be optional and rather treat it like a bool flag that can potentially have a string value.
cpuguy83 left a comment
Spoke with @tiborvass on this at length.
What happens here is buildkit (in the client) determines if the value is a socket or a regular file and creates an agent accordingly. The buildkit daemon can later send a request for the agent with the requested key.
I still think the flag name could be a bit more descriptive
As for magic, in the CLI flag... if it's even possible to do it, we can add it later without breaking anything.
Thanks @cpuguy83 ! Just to clarify, the magic referred to is to be able to parse
Oct 9, 2018
Oct 11, 2018
The ssh socket is owned and accessible by root only, e.g.
```dockerfile
# syntax=docker/dockerfile:1.0.0-experimental
FROM alpine
RUN apk add --no-cache openssh-client \
 && adduser -h /example -S example example
USER example
RUN --mount=type=ssh ssh-add -l
```
(Docker version 18.09.0, build 4d60db4)