ssh-add in docker - Could not open a connection to your authentication agent

Laurent GRENIER · Dec 6, 2018 · Viewed 9.7k times

I am trying to create a docker image for my Python flask API.

I need git to install dependencies, and I have already installed git in docker a few times. But here, I cannot understand what I'm doing wrong.

With the docker:

FROM python:3.6-slim

ARG ssh_prv_key
ARG ssh_pub_key

RUN apt-get update && \
    apt-get install -y openssh-server &&\
    apt-get install -y git

# Authorize SSH Host
RUN mkdir -p /root/.ssh && \
    chmod 0700 /root/.ssh && \
    ssh-keyscan github.com > /root/.ssh/known_hosts

# Add the keys and set permissions
RUN echo "$ssh_prv_key" > /root/.ssh/id_rsa && \
    echo "$ssh_pub_key" > /root/.ssh/id_rsa.pub && \
    chmod 600 /root/.ssh/id_rsa && \
    chmod 600 /root/.ssh/id_rsa.pub && \
    echo "StrictHostKeyChecking no " > /root/.ssh/config


RUN eval "$(ssh-agent -s)"
RUN ssh-add /root/.ssh/id_rsa

RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app

COPY requirements.txt /usr/src/app/
RUN pip3 install --no-cache-dir -r requirements.txt

# Remove SSH keys
RUN rm -rf /root/.ssh/

COPY ./my_api /usr/src/app

# Expose the Flask port
EXPOSE 5000

CMD [ "python", "./app.py" ]

I execute the command:

docker build --build-arg ssh_prv_key=.keys/id_rsa --build-arg ssh_pub_key=.keys/id_rsa.pub -t my-api -f Dockerfile . 

Which gives me the error below:

Step 7/16 : RUN eval "$(ssh-agent -s)"
 ---> Running in be450cc39533
Agent pid 9
Removing intermediate container be450cc39533
 ---> fb101226dc5f
Step 8/16 : RUN ssh-add /root/.ssh/id_rsa
 ---> Running in 4288e93db584
Could not open a connection to your authentication agent.
The command '/bin/sh -c ssh-add /root/.ssh/id_rsa' returned a non-zero code: 2

A PID is retrieved by the eval function for the ssh-agent but I cannot connect to it.

SOLVED

I finally found what I was doing wrong. First of all, my build args weren't correct. The correct docker build command is as follows:

docker build --build-arg ssh_prv_key="$(cat .keys/id_rsa)" --build-arg ssh_pub_key="$(cat .keys/id_rsa.pub)" -t my-api -f Dockerfile . 

Also, and I don't know why, git handles my ssh keys correctly without the use of

RUN eval "$(ssh-agent -s)"
RUN ssh-add /root/.ssh/id_rsa  

The commands above result in a "could not connect to your agent" error.

Then, the right file is

FROM python:3.6-slim

ARG ssh_prv_key
ARG ssh_pub_key

RUN apt-get update && \
    apt-get install -y git

# Authorize SSH Host
RUN mkdir -p /root/.ssh && \
    chmod 0700 /root/.ssh && \
    ssh-keyscan github.com > /root/.ssh/known_hosts

# Add the keys and set permissions
RUN echo "$ssh_prv_key" > /root/.ssh/id_rsa && \
    echo "$ssh_pub_key" > /root/.ssh/id_rsa.pub && \
    chmod 600 /root/.ssh/id_rsa && \
    chmod 600 /root/.ssh/id_rsa.pub


RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app

COPY requirements.txt /usr/src/app/
RUN pip3 install --no-cache-dir -r requirements.txt

# Remove SSH keys
RUN rm -rf /root/.ssh/

COPY ./my_api /usr/src/app

# Expose the Flask port
EXPOSE 5000

CMD [ "python", "./app.py" ]
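
An added example, not part of the original post: each RUN instruction runs in its own shell, so the SSH_AUTH_SOCK exported by the ssh-agent step no longer exists when the ssh-add step runs, and values passed with --build-arg remain visible in docker history while the key file written by an earlier RUN stays in that layer even after a later rm. The variant below uses BuildKit's SSH mount to forward the host's agent for one step only, so no key material enters the image. It assumes requirements.txt pulls private dependencies from github.com over SSH and that the Docker version in use supports BuildKit.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not the original poster's file).
# On the host, load the key into an agent and forward it to the build:
#
#   eval "$(ssh-agent -s)" && ssh-add .keys/id_rsa
#   DOCKER_BUILDKIT=1 docker build --ssh default -t my-api -f Dockerfile .
#
# No ARG carries the key, so nothing secret is recorded in the image metadata.
FROM python:3.6-slim

# git needs an SSH client to fetch git+ssh dependencies
RUN apt-get update && \
    apt-get install -y git openssh-client && \
    rm -rf /var/lib/apt/lists/*

# Record GitHub's host key so host key checking stays enabled.
# ssh-keyscan trusts whatever answers at build time; compare the result
# against the fingerprints GitHub publishes, or COPY a vetted known_hosts.
RUN mkdir -p /root/.ssh && \
    chmod 0700 /root/.ssh && \
    ssh-keyscan github.com > /root/.ssh/known_hosts

RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app

COPY requirements.txt /usr/src/app/

# The forwarded agent socket exists only for the duration of this RUN step.
# The private key stays on the host and is never written to a layer, so
# there is nothing to remove afterwards.
RUN --mount=type=ssh pip3 install --no-cache-dir -r requirements.txt

COPY ./my_api /usr/src/app

# Expose the Flask port
EXPOSE 5000

CMD [ "python", "./app.py" ]
```

Running docker history --no-trunc my-api against the resulting image is a quick check that no key material appears in any recorded build step.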

Answer

Ahmed Eldakhli · Dec 6, 2018

I believe the issue is related to the ssh configuration in your container; the default ssh strategy in Ubuntu is to refuse remote root login.

To enable it, add the below line to your Dockerfile.

RUN echo "PermitRootLogin yes" >> /etc/ssh/sshd_config

This line edits the /etc/ssh/sshd_config file to permit root login, but you need to restart the sshd service. To do so, you also have to add the line below to your Dockerfile.

RUN systemctl restart sshd

Also, if you trust the certificate, just add the -K flag to ssh-add.

RUN ssh-add -k /root/.ssh/id_rsa

The -k option is used when loading keys into or deleting keys from the agent, to process plain private keys only and skip certificates.

I hope this can help.
Best Regards,