On OS X user always has to enter passphrase for protected SSH key

[udondan]

Silo forwards the SSH socket into the container. Docker for Mac does currently not support mounting sockets into a container. Therefore the users ssh key (which gets mounted) is used. If this key is protected by a passphrase the user will always have to unlock the key on every silo call.

The original problem is described here:

• #410 - $SSH_AUTH_SOCK is not being forwarded to docker
• #483 - Support for sharing unix sockets

There is an experimental workaround we might want to look into, as it seems the problem is not going to be addressed anytime soon on Docker side: https://github.com/uber-common/docker-ssh-agent-forward

[dMopp]

ssh-add does not help ?

[udondan]

We're doing an ssh-add and that's where the passphrase is requested. Since the Silo container is not persistent the authentication-agent won't know about the previously added key when the container is started again. Therefore you need to enter the passphrase every time ansible/ansible-playbook is invoked.

[woneill]

Using the docker-ssh-agent-forward work around has been working pretty well for me esp. since I'm using gpg-agent with ssh-support mode. Once I've setup the forward, I use this ~/.ansible-silo file:

silo_ssh_key_forwarding() {
  if command -v pinata-ssh-mount >/dev/null 2>&1; then
    forwarding_status=$(docker inspect -f '{{.State.Running}}' pinata-sshd)
    if [ "$forwarding_status" == 'true' ]; then
      return=$(pinata-ssh-mount)
      echo "${return}"
      return
    fi
  fi

  # Original silo_ssh_key_forwarding()
  local auth_sock_link_dir auth_sock_dir return=""

  if [[ ! -z "${SSH_AUTH_SOCK}" ]]; then
    if [[ -L "${SSH_AUTH_SOCK}" ]]; then
      auth_sock_link_dir="$(dirname "$(cd "${SSH_AUTH_SOCK}" && pwd -P)")"
      return+="--volume \"${auth_sock_link_dir}\":\"${auth_sock_link_dir}\" "
    fi
    auth_sock_dir="$(dirname "${SSH_AUTH_SOCK}")"
    return+="--volume \"${auth_sock_dir}\":\"${auth_sock_dir}\" "
    return+="--env SSH_AUTH_SOCK"
  fi
  echo "${return}"
}

[udondan]

@woneill Using your function since a while and pinata works reliably for me and my team.

May I use your function as is to include in the next Silo release? Or if you like, send a PR so you're credited appropriately for the contribution.

[woneill]

Awesome! Feel free to use the function as-is since I likely found it elsewhere and wouldn't want to claim credit inappropriately.

I'm interested in seeing how you suggest new users setup pinata. That's been a stumbling block for me when encouraging people to use docker in general.

[udondan]

Thanks @woneill, documentation for this is pending but I just added the function.

BTW, I am using a fork from Uber as the original is not working for me: https://github.com/uber-common/docker-ssh-agent-forward

[udondan]

2.2.0 just got released with your function. Thanks again. 😸