I created a Docker container and run it via a shell script which contains this execution:
```
docker run --rm -it \
    --user $(id -u):$(id -g) \
    --network host \
    -e USER=$USER \
    -e HOME=$HOME \
    -h $HOSTNAME \
    -v /tmp:/tmp \
    -v /home/$USER:/home/$USER \
    -v ~/.ssh:/home/$USER/.ssh:ro \
    -e USERNAME=$USERNAME \
    -w /home/$USER \
    $IMAGE_NAME \
    /bin/bash
```
Therefore, I think there is neither an access rights issue nor a key existence issue. However, if I go to my git working directory, which was cloned with ssh before, I cannot authenticate.
```
git pull -v
git@mygitlab.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
```
Printing out the output of ssh -tv git@mygitlab.com, I see these differences:
Without Docker container
```
...
debug1: Will attempt key: /home/xxx/.ssh/id_ed25519 ED25519 SHA256:20AHxx agent
debug1: Will attempt key: gitlab ED25519 SHA256:fEqoFK agent
debug1: SSH2_MSG_EXT_INFO received
....
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/xxx/.ssh/id_ed25519 ED25519 SHA256:20AHxx agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: gitlab ED25519 SHA256:fEqoFK agent
debug1: Server accepts key: gitlab ED25519 SHA256:fEqoFK agent
debug1: Authentication succeeded (publickey).
```
In the Docker container:
```
...
debug1: Will attempt key: /home/xxx/.ssh/id_ed25519 ED25519 SHA256:20AHxx
debug1: Will attempt key: /home/xxx/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
...
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/xxx/.ssh/id_rsa
debug1: Offering public key: /home/xxx/.ssh/id_ed25519 ED25519 SHA256:20AHxx
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/xxx/.ssh/id_xmss
debug1: No more authentication methods to try.
git@mygitlab.com: Permission denied (publickey).
```
Do I need to do something with the ssh-agent?
In this particular case, you can just pass the SSH_AUTH_SOCK environment variable across your docker instance by (as you noted in a comment) adding:
```
-e SSH_AUTH_SOCK=$SSH_AUTH_SOCK
```
In more general cases, where you don't have the same /tmp and /home mounts in the Docker instance, this won't work, so more generally you might have to have another ssh key, or do something fancier to pass the agent communications link through. But here you're running in the same networking space, on the same file system, so it suffices to get your inner "virtual machine"[1] to use your outer (real) machine's ssh agent to get the private key.
[1] A Docker instance is more like a FreeBSD "jail" than a true VM. Both, however, provide a sort of "poor man's VM".
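An added example, not part of the original question or answer: a small helper that prints the extra `docker run` arguments for agent forwarding, and adds a bind mount for the socket when it does not already sit under a mounted directory such as the question's /tmp and /home/$USER. The function names `socket_is_covered` and `agent_args` are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# socket_is_covered SOCK DIR...
# Succeeds if SOCK lies under one of the bind-mounted DIRs, so the container
# already sees it at the same path.
socket_is_covered() {
    sic_sock=$1; shift
    for sic_dir in "$@"; do
        case "$sic_sock" in
            "${sic_dir%/}"/*) return 0 ;;   # /tmp matches /tmp/x, not /tmpfoo/x
        esac
    done
    return 1
}

# agent_args DIR...
# Prints, one per line, the extra `docker run` arguments needed to reach the
# host's ssh-agent. DIR... are the host directories already mounted at the
# same path. Returns 1 if SSH_AUTH_SOCK is unset or is not a Unix socket.
agent_args() {
    aa_sock=${SSH_AUTH_SOCK:-}
    if [ -z "$aa_sock" ] || [ ! -S "$aa_sock" ]; then
        echo "SSH_AUTH_SOCK does not point at an agent socket" >&2
        return 1
    fi
    # ssh inside the container finds the agent through this variable.
    printf '%s\n' -e "SSH_AUTH_SOCK=$aa_sock"
    # Socket outside every mounted directory: bind-mount the socket itself.
    socket_is_covered "$aa_sock" "$@" || printf '%s\n' -v "$aa_sock:$aa_sock"
}

# Usage with the question's mounts (bash 4+, constructed invocation):
#   mapfile -t extra < <(agent_args /tmp "/home/$USER")
#   docker run --rm -it --user "$(id -u):$(id -g)" \
#       -v /tmp:/tmp -v "/home/$USER:/home/$USER" \
#       "${extra[@]}" "$IMAGE_NAME" /bin/bash
# ssh-agent only accepts connections from the uid that owns it, so keep the
# question's --user $(id -u):$(id -g). While the container runs, any process
# in it can ask the agent to sign with every loaded key.
```

Inside the container, `ssh-add -l` should then list the same keys as on the host.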