docker ssh-keys boot2docker

How can I mount a user's existing .ssh directory into a Docker container?


I'm using boot2docker on Windows 7. VirtualBox is mounting my Windows ~/.ssh directory from Windows (c:\Users\Me\.ssh) inside the boot2docker VM (/c/Users/Me/.ssh).

My Dockerfile is configuring an image to be used as a development environment. It copies to the container a set of SSH keys and a config that are used for automatic deployment. This works fine. When the container starts up, it automatically clones a git repository within the image without prompts.

I'm now trying to use the same image but allow for the user to mount via docker run -v ... their own .ssh directory so they can optionally use their own SSH keys instead. When I do that by adding in -v /home/myself/.ssh:/home/guest/.ssh to the command that runs the container, I get the SSH warning about the permissions being too open:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for '/home/guest/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /home/guest/.ssh/id_rsa

I tried adding into the ENTRYPOINT script a line to chmod -R 700 /home/guest/.ssh but it appears that that is either ineffective or it is executed before the volume is mounted.

I also tried changing the permissions of /home/guest/.ssh from within the running container and was unable to do so. I get no error when running chmod -R 700 /home/guest/.ssh but the permissions do not change.

I saw in another question about Docker volume permissions the suggestion that the questioner use ACLs, but I didn't know if that was a good idea, or if it would even work.

Regardless, what is the simplest way to allow a user to use their own SSH keys and SSH config inside a Docker container?


Solution

  • Slightly kludgy, but you could copy the .ssh files into a new directory and chmod them, in the startup of the shell.

    I.e. give the container the SSH files via a volume, but use the shell ~/.profile to copy them to ~/.ssh.
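
The copy-then-chmod approach from the answer above, written out as an added example that is not part of the original answer. It assumes the host directory is mounted read-only at the hypothetical path /mnt/host-ssh (for example `-v /c/Users/Me/.ssh:/mnt/host-ssh:ro`) instead of directly over /home/guest/.ssh, so the copy lands on the container's own filesystem, where chmod takes effect; `install_ssh_keys` and `SSH_KEY_SRC` are names made up for this sketch.

```shell
#!/bin/sh
# Added example: copy SSH material from a mounted volume into a private
# ~/.ssh with the modes OpenSSH expects. Paths below are assumptions.

# install_ssh_keys SRC DEST
#   SRC  - directory where the host's .ssh is mounted (assumed /mnt/host-ssh)
#   DEST - the container user's real ~/.ssh on the container filesystem
install_ssh_keys() {
    src=$1
    dest=$2
    [ -d "$src" ] || return 0          # nothing mounted: keep baked-in keys

    # Create files private from the start, so no key is briefly world-readable.
    old_umask=$(umask)
    umask 077
    mkdir -p "$dest"
    chmod 700 "$dest"

    for f in "$src"/*; do
        [ -f "$f" ] || continue        # skip subdirectories and an empty glob
        name=$(basename "$f")
        cp -f "$f" "$dest/$name" || { umask "$old_umask"; return 1; }
        case "$name" in
            *.pub|known_hosts) chmod 644 "$dest/$name" ;;  # public material
            *)                 chmod 600 "$dest/$name" ;;  # keys, config
        esac
    done
    umask "$old_umask"
}

# Called from ~/.profile or the ENTRYPOINT script; SSH_KEY_SRC is a
# hypothetical override variable, not something Docker sets.
if [ -d "${SSH_KEY_SRC:-/mnt/host-ssh}" ]; then
    install_ssh_keys "${SSH_KEY_SRC:-/mnt/host-ssh}" "$HOME/.ssh"
fi
```

When no volume is mounted the function does nothing, so the keys copied in by the Dockerfile remain in use.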