Forwarded SSH Agent does not appear in container #2072

Open
juliettepaul opened this issue Apr 21, 2022 · 13 comments

@juliettepaul

Actual Behavior

If you enable agent forwarding for lima-vm, the SSH_AUTH_SOCK does not get passed through to your containers run with nerdctl.

Steps to Reproduce

Edit $HOME/Application Support/rancher-desktop/lima/override.yaml to contain the following:

ssh: 
   forwardAgent: true

Run any container with nerdctl run and see that SSH_AUTH_SOCK environment variable is not set.

Result

# echo $SSH_AUTH_SOCK

The environment variable is unset.

Expected Behavior

I expect if agent forwarding is enabled that it will show up inside the container. If that is not a great default, then an option to pass to nerdctl that does this would be great.

Additional Information

I was working around this issue with this command:

ssh_auth_sock=$(LIMA_HOME="$HOME/Library/Application Support/rancher-desktop/lima" "/Applications/Rancher Desktop.app/Contents/Resources/resources/darwin/lima/bin/limactl" shell 0 printenv SSH_AUTH_SOCK)

and then running my container with -v $ssh_auth_sock:$ssh_auth_sock --env=SSH_AUTH_SOCK=$ssh_auth_sock

Rancher Desktop Version

1.2.1

Rancher Desktop K8s Version

I have this disabled but set to 1.22.7 (stable)

Which container runtime are you using?

containerd (nerdctl)

What operating system are you using?

macOS

Operating System / Build Version

macOS Monterey Version 12.3.1

What CPU architecture are you using?

x64

Linux only: what package format did you use to install Rancher Desktop?

N/A

Windows User Only

No response

@juliettepaul juliettepaul added the kind/bug Something isn't working label Apr 21, 2022
@Davincible

Also experiencing this issue. Does work with the latest 'normal' nerdctl version, not with the rancher version.

@juliettepaul
Author

I'm not sure a doc entry will fix this issue if that is what you meant by referencing this @jandubois. I think there are some changes that can be done to pass through the ssh_auth_sock from the lima VM to the containers being run. Let me know if you need more details, happy to provide anything helpful.

@ryancurrah
Contributor

ryancurrah commented Dec 5, 2022

We have also run into this issue; it would be very appreciated if it were handled for us. Or at least a better way to get the auth sock location.

@Noksa

Noksa commented Mar 17, 2023

Still the issue

@ryancurrah
Contributor

ryancurrah commented Mar 17, 2023

It should be resolved with the latest version. Use the same hard coded path as Docker.

@Noksa

Noksa commented Mar 17, 2023

@ryancurrah
I tried 1.7.0 just as I do it with docker --ssh=default.

Do you mean the same should work with 1.8.0?

@ryancurrah
Contributor

Yeah 1.8.0 as long as the latest version of Lima was bundled with Rancher.

@Noksa

Noksa commented Mar 17, 2023

@ryancurrah Thanks, will try it soon and give feedback

@jandubois
Member

jandubois commented Mar 17, 2023

You will still need a ~/Library/Application\ Support/rancher-desktop/lima/_config/override.yaml file to enable it:

ssh:
  forwardAgent: true

We didn't want to enable it by default without providing an opt-out mechanism for the user. We need to create a proper Preferences setting for it.

@jandubois jandubois added this to the Later milestone Mar 17, 2023
@Noksa

Noksa commented Mar 17, 2023

I tried 1.8.0 but got the same result:

❯ log (SPRINT2) ✘ nerdctl build --target export -o /Users/alexandr/gitlab/dcp --build-arg=DOCKER_REPOSITORY=bla-bla.com --ssh=default -f /Users/alexandr/gitlab/dcp/Dockerfile /Users/alexandr/gitlab/dcp
error: invalid empty ssh agent socket: make sure SSH_AUTH_SOCK is set
Error: exit status 1

My override config is as follows:

disk: "256GiB"
ssh:
  forwardAgent: true

@Noksa

Noksa commented Mar 17, 2023

It works only if I specify SSH_AUTH_SOCK with the exact value from lima vm

❯ log (SPRINT2) ✘ echo $SSH_AUTH_SOCK
/private/tmp/com.apple.launchd.ix6RpMuEov/Listeners
❯ log (SPRINT2) ✘ rdctl shell
lima-rancher-desktop:/Users/alexandr/gitlab/oobit/log$ echo $SSH_AUTH_SOCK
/tmp/ssh-XXXXPPNLHO/agent.3080
lima-rancher-desktop:/Users/alexandr/gitlab/oobit/log$ exit
❯ log (SPRINT2) ✘ nerdctl build --target export -o /Users/alexandr/gitlab/dcp --build-arg=DOCKER_REPOSITORY=bla-bla.com --ssh=default=/tmp/ssh-XXXXPPNLHO/agent.3080 -f /Users/alexandr/gitlab/dcp/Dockerfile /Users/alexandr/gitlab/dcp
[+] Building 0.6s (2/3)
 => [internal] load build definition from Dockerfile                                                                                                                                                             0.0s
 => => transferring dockerfile: 2.73kB                                                                                                                                                                           0.0s
 => [internal] load .dockerignore                                                                                                                                                                                0.0s
 => => transferring context: 211B                                                                                                                                                                                0.0s
 => resolve image config for docker.io/docker/dockerfile:1.4                                                                                                                                                     0.6s
...

Should it work with --ssh=default?

@jandubois
Member

> Should it work with --ssh=default?

I guess we all think it should, but it doesn't because nerdctl runs as root inside the VM, and $SSH_AUTH_SOCK is only defined in the user environment. We should configure sudo to pass through this variable.

But you should be able to use the well-known address that @ryancurrah was alluding to: --ssh=default=/run/host-services/ssh-auth.sock. That way you don't have to determine the name at runtime, but can hard-code it in your scripts. Lima will create a symlink from that location to the actual socket:

$ rdctl shell ls -l /run/host-services/ssh-auth.sock
lrwxrwxrwx    1 jan      root            30 Mar 17 21:08 /run/host-services/ssh-auth.sock -> /tmp/ssh-XXXXoDDcJa/agent.2887
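
Added example (not part of the thread, and not Rancher Desktop, Lima or nerdctl code): a POSIX shell helper, meant to run inside the VM (for instance through rdctl shell), that chooses the socket for --ssh=default=... by trying $SSH_AUTH_SOCK and then the well-known path from the comment above, and rejects a missing path, a symlink whose target is gone, or a file that is not a socket. The function names and the WELL_KNOWN_SOCK variable are hypothetical.

```sh
#!/bin/sh
# Added example; not Rancher Desktop, Lima or nerdctl code. Run inside the VM.
# WELL_KNOWN_SOCK and all function names are hypothetical helpers.
WELL_KNOWN_SOCK=${WELL_KNOWN_SOCK:-/run/host-services/ssh-auth.sock}

# classify_sock PATH: print ok | unset | missing | dangling | not-socket
classify_sock() {
    if [ -z "$1" ]; then
        echo unset
    elif [ -S "$1" ]; then          # -S follows symlinks to the real socket
        echo ok
    elif [ -L "$1" ] && [ ! -e "$1" ]; then
        echo dangling               # symlink whose target no longer exists
    elif [ ! -e "$1" ]; then
        echo missing
    else
        echo not-socket             # e.g. a regular file left at that path
    fi
}

# resolve_agent_sock: print the first usable socket path, or return 1.
# Tries $SSH_AUTH_SOCK first (empty when running as root, as the thread
# explains), then the well-known symlink.
resolve_agent_sock() {
    for candidate in "${SSH_AUTH_SOCK:-}" "$WELL_KNOWN_SOCK"; do
        state=$(classify_sock "$candidate")
        if [ "$state" = ok ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
        echo "agent socket candidate '${candidate}': $state" >&2
    done
    echo "no usable agent socket; check ssh.forwardAgent in override.yaml" >&2
    return 1
}

# ssh_build_flag: print the flag to pass to `nerdctl build`, or return 1.
ssh_build_flag() {
    sock=$(resolve_agent_sock) || return 1
    printf '%s%s\n' '--ssh=default=' "$sock"
}

# Usage inside the VM:
#   flag=$(ssh_build_flag) && nerdctl build "$flag" -f Dockerfile .
```

Handing the socket to the build through --ssh exposes the agent only to build steps that request an SSH mount, whereas bind-mounting it with -v makes it reachable for the whole lifetime of the container.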

@jandubois
Member

jandubois commented Mar 17, 2023

I've created PR #4222 to forward SSH_AUTH_SOCK to nerdctl, so nerdctl run --ssh default ... should work without having to specify the socket location at all.

You'll still need the override.yaml file with it, until we provide a preference setting to enable agent forwarding (see #4136).
