ssh-agent mount failure on macOS 12.3
**OS:** macOS 12.3 "Monterey"

**Description:** I can't pull from internal GitHub repos on macOS. Other coworkers using Fedora have indicated they don't have any issues. Basically, I have this person on Stack Overflow's exact problem.
Create a Dockerfile:

```Dockerfile
FROM registry.access.redhat.com/ubi8/s2i-core:latest
RUN --mount=type=ssh yum install -y openssh-clients && ssh-add -l
```

Run `podman build . --ssh default`

Result:

```
Could not open a connection to your authentication agent.
Error: error building at STEP "RUN --mount=type=ssh yum install -y openssh-clients && ssh-add -l": error while running runtime: exit status 2
```
Output of `podman version` if reporting a `podman build` issue:

```
Client: Podman Engine
Version: 4.0.3
API Version: 4.0.3
Go Version: go1.18
Built: Fri Apr 1 08:28:59 2022
OS/Arch: darwin/amd64

Server: Podman Engine
Version: 4.0.3
API Version: 4.0.3
Go Version: go1.18
Built: Fri Apr 1 11:21:54 2022
OS/Arch: linux/amd64
```

Output of `cat /etc/*release`:

```
zsh: no matches found: /etc/*release
```

Output of `uname -a`:

```
Darwin foobar.home 21.4.0 Darwin Kernel Version 21.4.0: Mon Feb 21 20:34:37 PST 2022; root:xnu-8020.101.4~2/RELEASE_X86_64 x86_64
```

Output of `cat /etc/containers/storage.conf`:

```
cat: /etc/containers/storage.conf: No such file or directory
```
If you `podman machine ssh`, does it work for you?

@flouthoc does the `--ssh` work across `podman --remote`?
How would that work? I'm used to using docker so I'm not sure if there's some special ritual to mounting the host's ssh agent onto the podman machine
@rhatdan Issue could be at podman-machine's ssh-agent setup itself. I'll try reproducing this.
I think the problem is that `SSH_AUTH_SOCK`, which ssh-agent uses to communicate, exists on the host and not on the machine. I'm just curious if this ever worked on podman machine before.

I think we would need to mount `SSH_AUTH_SOCK` from host->machine.

Maybe this issue can be moved to podman, since this has to be implemented on the podman side. This might need mount to work between host and machine on macOS.
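A host-side check for the situation just described, added here as an example (it is not code from this thread or from the podman project): it classifies the path that `SSH_AUTH_SOCK` points at, so that running it on the macOS host and again inside `podman machine ssh` makes the difference visible. The names `agent_socket_status`, `agent_answers` and `simulate_states` are this example's own; `simulate_states` uses a plain listening AF_UNIX socket as a constructed stand-in for ssh-agent and speaks no agent protocol.

```python
"""Host-side ssh-agent reachability check for `podman build --ssh default`.

Added example (not code from the issue thread or the podman project). It
classifies the state of the agent socket that `--mount=type=ssh` depends on,
following the diagnosis above: the socket named by SSH_AUTH_SOCK exists on the
macOS host, while the build runs inside the podman-machine VM, where that path
does not exist. Run it on the host, then inside `podman machine ssh`, and
compare the two results.
"""
import os
import socket
import stat
import subprocess
import tempfile
from typing import Dict, Optional


def agent_socket_status(path: Optional[str]) -> str:
    """Classify the path SSH_AUTH_SOCK points at.

    Returns one of: "unset", "missing", "not-a-socket", "unreachable", "ok".
    """
    if not path:
        return "unset"             # SSH_AUTH_SOCK is not exported in this shell / VM
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"           # variable is set, but the path does not exist here
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"      # something else sits at that path
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(1.0)
        try:
            s.connect(path)        # an agent must be listening, not just have left a file behind
        except OSError:
            return "unreachable"
    return "ok"


def agent_answers() -> bool:
    """True if `ssh-add -l` reaches the agent (exit 0 = keys listed, 1 = no keys, 2 = no agent)."""
    try:
        proc = subprocess.run(["ssh-add", "-l"], capture_output=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False
    return proc.returncode in (0, 1)


def simulate_states() -> Dict[str, str]:
    """Exercise every classification with a constructed stand-in for ssh-agent.

    The listening AF_UNIX socket created here only plays the role of an agent
    socket; it speaks no agent protocol.
    """
    results: Dict[str, str] = {}
    results["no variable"] = agent_socket_status(None)
    with tempfile.TemporaryDirectory() as tmp:
        plain = os.path.join(tmp, "not-an-agent")
        with open(plain, "w") as fh:
            fh.write("just a file\n")
        results["regular file"] = agent_socket_status(plain)

        sock_path = os.path.join(tmp, "agent.sock")
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(sock_path)
        listener.listen(1)
        results["agent listening"] = agent_socket_status(sock_path)

        listener.close()           # agent gone, socket file left behind (stale SSH_AUTH_SOCK)
        results["agent exited"] = agent_socket_status(sock_path)

        os.unlink(sock_path)       # what the host's path looks like from inside the VM
        results["path absent"] = agent_socket_status(sock_path)
    return results


if __name__ == "__main__":
    here = agent_socket_status(os.environ.get("SSH_AUTH_SOCK"))
    print(f"SSH_AUTH_SOCK={os.environ.get('SSH_AUTH_SOCK')!r}: {here}")
    if here == "ok":
        print("ssh-add -l reaches the agent:", agent_answers())
    for scenario, status in simulate_states().items():
        print(f"  simulated {scenario:<16} -> {status}")
```

On the host the expected result is `ok`; inside the VM it is `unset` (the variable is not forwarded) or `missing` (the host path is not mounted), which is exactly the state the build step sees when it prints "Could not open a connection to your authentication agent."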
Yes this is definitely a Podman issue, not a Buildah issue.
Is this possibly something as simple as just enabling `ForwardAgent yes` in the `~/.ssh/config` on the mac side? Then the agent should be available to the podman VM after running `podman machine ssh`.

I had faced a similar issue, and had to execute `eval "$(ssh-agent -s)"` on the mac side to solve it.
@rishabhj1717 I must be missing something, but did you only do `eval "$(ssh-agent -s)"` on the macOS side, or did you also configure `ForwardAgent` on the machine side? I'm confused because the build is invoked on a VM, so it can't reach the agent running on the host unless and until something is done, and afaik podman does not do anything to configure it.

But anyway, does it work for you? If yes, could you help by sharing how you verified that it's working?

On my macOS side I only had to do `eval "$(ssh-agent -s)"`, and I verified that this helped by executing `podman machine ssh`, as I was unable to execute `podman ssh` earlier.
@rishabhj1717's workaround doesn't seem to work. Curious if anyone else has any workarounds, or if this is something that will make it into a future podman release?
A friendly reminder that this issue had no activity for 30 days.
I'm still having this issue. It should not be stale.
A friendly reminder that this issue had no activity for 30 days.
I experience the same problem on Windows 10. Is it not supported, or can it be added to this issue (or should I open a new issue for windows)?
@flouthoc I'd be interested in taking this up, any pointers on how to get started?
Hi @madhukar93 thanks for the interest I'll go through the issue and update back :)
Is this issue on the podman roadmap? At least for me it is the last issue which blocks me from fully moving to podman.
@flouthoc any update.
https://github.com/containers/podman/issues/14074#issuecomment-1114983858
> Maybe this issue can be moved to podman, since this has to be implemented on the podman side. This might need mount to work between host and machine on macOS.
@rhatdan might need a macOS exposure for this one and we gotta make sure mounting works there.
This could do with being on the roadmap if it's not already. Is there an update?
Hoping this is still active, having the same issue on Mac OSX 13.5
`podman version`:

```
Client: Podman Engine
Version: 4.5.1
API Version: 4.5.1
Go Version: go1.20.4
Git Commit: 9eef30051c83f62816a1772a743e5f1271b196d7
Built: Fri May 26 11:10:12 2023
OS/Arch: darwin/amd64

Server: Podman Engine
Version: 4.6.0
API Version: 4.6.0
Go Version: go1.20.6
Built: Fri Jul 21 08:23:26 2023
OS/Arch: linux/amd64
```

I am able to successfully `podman machine ssh` without any of the above workarounds, but am unable to mount the host SSH keys into the container to resolve private repos.
It sounds like this is not supported today as per this duplicate - https://github.com/containers/podman/issues/15524
@flouthoc or whoever else owns the process - Is this on the roadmap and how would I check?
Docker for Mac has an ssh-auth.sock that is located at `/run/host-services/ssh-auth.sock` and forwards the requests to the user's ssh-agent running on the macOS host.
See https://docs.docker.com/desktop/networking/#ssh-agent-forwarding
Fwiw, this approach seems to work on macOS if wanting to do git and ssh:
Dockerfile:

```Dockerfile
RUN --mount=type=secret,id=sshkey \
    export GIT_SSH_COMMAND="ssh -i /run/secrets/sshkey" && \
    git clone git@...
```

Build command:

```
podman build . --secret id=sshkey,src=/path/to/private_ssh_key
```

> Fwiw, this approach seems to work on macOS if wanting to do git and ssh:
>
> ```Dockerfile
> RUN --mount=type=secret,id=sshkey \
>     export GIT_SSH_COMMAND="ssh -i /run/secrets/sshkey" && \
>     git clone git@...
> ```
This only works if the key has no passphrase. It is not connecting to the ssh-agent.
ssh-agent is also used for hardware tokens so in more sophisticated environments, getting ssh-agent access is necessary
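The three ways of getting SSH credentials into a build that come up in this thread differ a lot in what they expose, and the check below makes that visible from the Containerfile alone. It is an added example, not code from this thread or from the podman project: an ssh mount is reported as informational (the key stays in the host agent, which is why it needs a reachable agent socket), a secret mount is reported as a warning (a raw key file is readable by that step, so passphrase-less keys only, no hardware tokens), and a `COPY`/`ADD` of key material or a PEM block in `ENV`/`ARG` is reported as high because it is persisted in the image. `check_containerfile`, `worst_severity` and the `CF_*` samples are this example's own; the samples are constructed, including the `git@example.invalid` remote that stands in for the elided URL above.

```python
"""Containerfile credential-handling check for `podman build`.

Added example (not code from the issue thread or the podman project). It
classifies how each instruction in a Containerfile obtains SSH credentials:

  RUN --mount=type=ssh      agent forwarding; the private key stays in the
                            host agent (needs `--ssh default` and a reachable
                            SSH_AUTH_SOCK, which is what is missing inside the
                            macOS podman machine)
  RUN --mount=type=secret   a key *file* is exposed under /run/secrets for that
                            one step; only passphrase-less keys work
  COPY / ADD / ENV / ARG    key material is persisted in an image layer or in
                            the image config and history
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Heuristic patterns for private-key files (constructed list; extend as needed).
KEY_FILE_RE = re.compile(r"(id_(rsa|dsa|ecdsa|ed25519)(?!\.pub)|\.(pem|key|ppk)\b)", re.IGNORECASE)
SSH_DIR_RE = re.compile(r"(^|/)\.ssh/?$")
PEM_HEADER = "-----BEGIN"
SEVERITY_RANK = {"none": 0, "info": 1, "warn": 2, "high": 3}


@dataclass
class Finding:
    line: int       # line number of the instruction's first line
    severity: str   # "info" < "warn" < "high"
    message: str


def _logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (first line number, instruction) with backslash continuations joined."""
    parts: List[str] = []
    start = 0
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not parts:
            start = n
        if line.endswith("\\"):
            parts.append(line[:-1].strip())
            continue
        parts.append(line)
        yield start, " ".join(parts)
        parts = []
    if parts:                       # file ended on a continuation line
        yield start, " ".join(parts)


def _mount_options(run_args: str) -> List[dict]:
    """Parse every --mount=k=v,k=v option of a RUN instruction into a dict."""
    mounts = []
    for m in re.finditer(r"--mount=(\S+)", run_args):
        mounts.append(dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv))
    return mounts


def check_containerfile(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for n, logical in _logical_lines(text):
        if not logical or logical.startswith("#"):
            continue
        instr, _, rest = logical.partition(" ")
        instr = instr.upper()
        if instr == "RUN":
            for opts in _mount_options(rest):
                mtype = opts.get("type")
                if mtype == "ssh":
                    findings.append(Finding(n, "info",
                        "ssh mount: key stays in the host agent; build needs --ssh and a reachable agent socket"))
                elif mtype == "secret":
                    findings.append(Finding(n, "warn",
                        f"secret mount id={opts.get('id', '?')}: raw key file readable by this step; passphrase-less keys only"))
        elif instr in ("COPY", "ADD"):
            args = [a for a in rest.split() if not a.startswith("--")]
            for src in args[:-1]:   # every argument but the destination
                if KEY_FILE_RE.search(src) or SSH_DIR_RE.search(src):
                    findings.append(Finding(n, "high", f"{instr} {src}: private key material persisted in an image layer"))
        elif instr in ("ENV", "ARG"):
            if PEM_HEADER in rest:
                findings.append(Finding(n, "high", f"{instr}: PEM block lands in image config/history"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default="none")


# Constructed samples: the thread's ssh-mount and secret-mount steps, and a
# Containerfile that bakes a key in. The remote URL is a placeholder.
CF_AGENT = (
    "FROM registry.access.redhat.com/ubi8/s2i-core:latest\n"
    "RUN --mount=type=ssh yum install -y openssh-clients && ssh-add -l\n"
)
CF_SECRET = (
    "FROM registry.access.redhat.com/ubi8/s2i-core:latest\n"
    "RUN --mount=type=secret,id=sshkey \\\n"
    '    export GIT_SSH_COMMAND="ssh -i /run/secrets/sshkey" && \\\n'
    "    git clone git@example.invalid:org/repo.git\n"
)
CF_LAYERED = (
    "FROM registry.access.redhat.com/ubi8/s2i-core:latest\n"
    "COPY id_ed25519.pub /root/.ssh/authorized_keys\n"   # public key: not flagged
    "COPY id_rsa /root/.ssh/id_rsa\n"
    'ENV DEPLOY_KEY="-----BEGIN OPENSSH PRIVATE KEY-----"\n'
)

if __name__ == "__main__":
    for name, cf in (("agent", CF_AGENT), ("secret", CF_SECRET), ("layered", CF_LAYERED)):
        found = check_containerfile(cf)
        print(f"{name}: worst={worst_severity(found)}")
        for f in found:
            print(f"  line {f.line} [{f.severity}] {f.message}")
```

Running it over the three samples gives `info` for the agent-forwarding step, `warn` for the secret-mount workaround and `high` for the baked-in key, which is the order of preference a build should follow once agent forwarding into the podman machine is available.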
That's currently a real downer here. I want to avoid installing docker on my machine.
I'm surprised this hasn't been fixed in 2 years.
PRs welcome. Podman is a huge community project, with limited maintainers working on different priorities. PRs from the community are always encouraged.
ssh support was added to podman-compose 1.3.0: https://github.com/containers/podman-compose/pull/1058
However, in testing both `podman build` and `podman-compose build`, I've been unable to get an image build to successfully clone a private repo.
I've tried various methods mentioned in Docker docs:
- https://docs.docker.com/desktop/features/networking/#ssh-agent-forwarding
- https://docs.docker.com/reference/compose-file/build/#ssh
- https://docs.docker.com/reference/dockerfile/#run---mounttypessh
More context: I am using 1Password for SSH key management, but it works fine when using Docker or Docker Desktop.
I have "developed" my own solution to use SSH_AUTH_SOCK, in case you need it :)
https://gist.github.com/containerscrew/c5ca74843e377e05dba0a0572361e31e