From eaac83671f3acbe68b17a2b30c43921d6a2560b5 Mon Sep 17 00:00:00 2001 From: dw-ec <3630207+dw-ec@users.noreply.github.com> Date: Wed, 7 Jun 2023 16:15:58 +0100 Subject: [PATCH 1/5] Allow use of ssh-agent instead of mounting SSH key --- examples/docker-compose-agent.yaml | 29 +++++++++++++++++++++++++++++ examples/docker-compose.yaml | 5 +++-- run.sh | 6 +++++- 3 files changed, 37 insertions(+), 3 deletions(-) create mode 100644 examples/docker-compose-agent.yaml diff --git a/examples/docker-compose-agent.yaml b/examples/docker-compose-agent.yaml new file mode 100644 index 0000000..330049d --- /dev/null +++ b/examples/docker-compose-agent.yaml @@ -0,0 +1,29 @@ +version: '3.6' + +# example docker-compose which connects our local node container to the prod +# database which sits in a traditional datacentre via an SSH tunnel +services: + + node: + image: node:latest + volumes: + - ./app:/app + links: + - dbtunnel + + dbtunnel: + build: + context: ../ + restart: always + expose: + - "3306/tcp" + environment: + - LOCAL_PORT=3306 + - REMOTE_PORT=3306 + - REMOTE_SERVER_IP=10.10.36.74 + - SSH_BASTION_HOST=24.342.228.122 + - SSH_USER=dbtunnel + - SSH_PORT=22 + - SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock + volumes: + - /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock diff --git a/examples/docker-compose.yaml b/examples/docker-compose.yaml index 2d981c1..4b5aea3 100644 --- a/examples/docker-compose.yaml +++ b/examples/docker-compose.yaml @@ -12,7 +12,8 @@ services: - dbtunnel dbtunnel: - image: jujhars13/docker-ssh-tunnel + build: + context: ../ restart: always expose: - "3306/tcp" @@ -24,4 +25,4 @@ services: - SSH_USER=dbtunnel - SSH_PORT=22 volumes: - - ~/.ssh/example/dbtunnel:/ssh_key/id_rsa:ro \ No newline at end of file + - ~/.ssh/example/dbtunnel:/ssh_key/id_rsa:ro diff --git a/run.sh b/run.sh index 9fdd5d1..ce61fc5 100755 --- a/run.sh +++ b/run.sh 
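Review bot: The `volumes:` entry that bind-mounts `/run/host-services/ssh-auth.sock` into the `dbtunnel` service hands the container the whole host agent, so any process in that container can sign with every key the agent holds, not only the tunnel key implied by `SSH_USER=dbtunnel`. A comment above that line should say so and point users at a separate agent that holds only the tunnel key, e.g. `# exposes every key in the host agent to this container; run a dedicated agent holding only the tunnel key`. The host-side socket path is, as far as I know, the Docker Desktop agent-forwarding socket rather than something present on a plain Linux host, which PATCH 5/5 later works around in the README with `${SSH_AUTH_SOCK}`; the comment should name that platform caveat too. `SSH_BASTION_HOST=24.342.228.122` is not a valid IPv4 address (octet 342), which is fine for an example but should be marked as a placeholder. Since PATCH 3/5 deletes this file again, the same comment would need to live in the README section instead.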
@@ -24,6 +24,10 @@ fi echo "starting SSH proxy $LOCAL_PORT:$REMOTE_SERVER_IP:$REMOTE_PORT on $SSH_USER@$SSH_BASTION_HOST:$SSH_PORT" +if [ -z ${SSH_AUTH_SOCK+x} ] ; then + SSH_IDENTITY=" -i /ssh_key/id_rsa" +fi + /usr/bin/ssh \ -NTC -o ServerAliveInterval=60 \ -o GatewayPorts=true \ @@ -32,4 +36,4 @@ echo "starting SSH proxy $LOCAL_PORT:$REMOTE_SERVER_IP:$REMOTE_PORT on $SSH_USER -L $LOCAL_PORT:$REMOTE_SERVER_IP:$REMOTE_PORT \ $SSH_USER@$SSH_BASTION_HOST \ -p $SSH_PORT \ --i /ssh_key/id_rsa +${SSH_IDENTITY:-} From cebb881668f177292025c52f03905071cd475740 Mon Sep 17 00:00:00 2001 From: dw-ec <3630207+dw-ec@users.noreply.github.com> Date: Wed, 7 Jun 2023 16:28:22 +0100 Subject: [PATCH 2/5] Add note about SSH_AUTH_SOCK forwarding --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 33faad5..5cac370 100644 --- a/README.md +++ b/README.md @@ -68,6 +68,12 @@ jujhars13/docker-ssh-tunnel mongo --host localhost --port 27017 ``` +## Forwarding ssh-agent socket + +Mounting your private ssh key doesn't work if it's protected by a passphrase. Instead you can forward your ssh-agent via SSH_AUTH_SOCK, by mounting the special (seemingly non-existent) socket /run/host-services/ssh-auth.sock within the container, and setting the environment variable appropriately. + +See [the docker-compose example](./examples/docker-compose-agent.yaml) for more. + ## TODO - [x] add example `docker-compose.yml` to `/examples` @@ -76,4 +82,4 @@ mongo --host localhost --port 27017 ## Version - 2022-08-11 - `v1.8` - Removes Bash, Bumps Alpine to `v3.16` -- 2021-09-12 - `v1.8` - Bumps Alpine to `v3.15` \ No newline at end of file +- 2021-09-12 - `v1.8` - Bumps Alpine to `v3.15` From e1535c52b94cb78884c679a803ac3b72cebf71ce Mon Sep 17 00:00:00 2001 
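Review bot: The new guard `if [ -z ${SSH_AUTH_SOCK+x} ] ; then` only checks whether SSH_AUTH_SOCK is set, not whether the socket is actually mounted, so a compose file that sets the variable but omits the bind mount (or a host where the path does not exist and the mount point ends up as an empty directory) falls through to ssh with no usable credential and a confusing failure; testing `-S "$SSH_AUTH_SOCK"` and failing fast gives a clear error instead. SSH_IDENTITY is also never initialised, so when SSH_AUTH_SOCK is set, whatever SSH_IDENTITY the container inherited from its environment is spliced into the ssh command line through the unquoted `${SSH_IDENTITY:-}` in the second hunk (`@@ -32,4 +36,4 @@`); setting `SSH_IDENTITY=""` before the test closes that. The expansions should be quoted (`"${SSH_AUTH_SOCK+x}"`), and the leading space inside `" -i /ssh_key/id_rsa"` relies on word splitting of `${SSH_IDENTITY:-}`, which works but is fragile.
```shell
SSH_IDENTITY=""
if [ -z "${SSH_AUTH_SOCK+x}" ]; then
  SSH_IDENTITY=" -i /ssh_key/id_rsa"
elif [ ! -S "$SSH_AUTH_SOCK" ]; then
  echo "SSH_AUTH_SOCK is set but $SSH_AUTH_SOCK is not a socket" >&2
  exit 1
fi
# … unchanged: /usr/bin/ssh invocation …
```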
From: dw-ec <3630207+dw-ec@users.noreply.github.com> Date: Tue, 27 Jun 2023 14:56:14 +0100 Subject: [PATCH 3/5] Simplify documentation for ssh-agent forwarding --- README.md | 13 ++++++++++++- examples/docker-compose-agent.yaml | 29 ----------------------------- examples/docker-compose.yaml | 5 ++--- 3 files changed, 14 insertions(+), 33 deletions(-) delete mode 100644 examples/docker-compose-agent.yaml diff --git a/README.md b/README.md index 5cac370..2995042 100644 --- a/README.md +++ b/README.md @@ -72,7 +72,18 @@ mongo --host localhost --port 27017 Mounting your private ssh key doesn't work if it's protected by a passphrase. Instead you can forward your ssh-agent via SSH_AUTH_SOCK, by mounting the special (seemingly non-existent) socket /run/host-services/ssh-auth.sock within the container, and setting the environment variable appropriately. -See [the docker-compose example](./examples/docker-compose-agent.yaml) for more. +Use the following options with the `docker run` command above to enable this: + +``` +-e SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock \ +-v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock \ +``` + +You can omit the following option: +``` +-v ~/.ssh/id_rsa:/ssh_key/id_rsa:ro \ +``` + ## TODO diff --git a/examples/docker-compose-agent.yaml b/examples/docker-compose-agent.yaml deleted file mode 100644 index 330049d..0000000 --- a/examples/docker-compose-agent.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -version: '3.6' - -# example docker-compose which connects our local node container to the prod -# database which sits in a traditional datacentre via an SSH tunnel -services: - - node: - image: node:latest - volumes: - - ./app:/app - links: - - dbtunnel - - dbtunnel: - build: - context: ../ - restart: always - expose: - - "3306/tcp" - environment: - - LOCAL_PORT=3306 - - REMOTE_PORT=3306 - - REMOTE_SERVER_IP=10.10.36.74 - - SSH_BASTION_HOST=24.342.228.122 - - SSH_USER=dbtunnel - - SSH_PORT=22 - - SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock - volumes: - - /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock diff --git a/examples/docker-compose.yaml b/examples/docker-compose.yaml index 4b5aea3..2d981c1 100644 --- a/examples/docker-compose.yaml +++ b/examples/docker-compose.yaml @@ -12,8 +12,7 @@ services: - dbtunnel dbtunnel: - build: - context: ../ + image: jujhars13/docker-ssh-tunnel restart: always expose: - "3306/tcp" @@ -25,4 +24,4 @@ services: - SSH_USER=dbtunnel - SSH_PORT=22 volumes: - - ~/.ssh/example/dbtunnel:/ssh_key/id_rsa:ro + - ~/.ssh/example/dbtunnel:/ssh_key/id_rsa:ro \ No newline at end of file From 6da4627461148900984177bf75773cf312960e99 Mon Sep 17 00:00:00 2001 From: dw-ec <3630207+dw-ec@users.noreply.github.com> Date: Tue, 27 Jun 2023 15:09:08 +0100 Subject: [PATCH 4/5] Remove extraneous newline --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2995042..a0f7787 100644 --- a/README.md +++ b/README.md @@ -93,4 +93,4 @@ You can omit the following option: ## Version - 2022-08-11 - `v1.8` - Removes Bash, Bumps Alpine to `v3.16` -- 2021-09-12 - `v1.8` - Bumps Alpine to `v3.15` +- 2021-09-12 - `v1.8` - Bumps Alpine to `v3.15` \ No newline at end of file From 8a1122b12b48a7ca9b30bb2790c8c1d5f19f9a6d Mon Sep 17 00:00:00 2001 
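Review bot: The restored `image: jujhars13/docker-ssh-tunnel` line in `examples/docker-compose.yaml` (hunk `@@ -12,8 +12,7 @@`) carries no tag, so the example pulls whatever `latest` happens to be at run time, and the agent support added to `run.sh` in PATCH 1/5 is only present if a build containing it has been published — the README's Version section in this series still lists `v1.8` as the newest release. Pinning a tag (or a digest) would make the example reproducible and make it clear which image version honours `SSH_AUTH_SOCK`, e.g. `image: jujhars13/docker-ssh-tunnel:<TAG-WITH-AGENT-SUPPORT>` (placeholder to fill in once released). A one-line comment above the `image:` key stating that requirement would be enough if pinning is not wanted in the example.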
From: dw-ec <3630207+dw-ec@users.noreply.github.com> Date: Mon, 31 Jul 2023 17:24:08 +0100 Subject: [PATCH 5/5] Change local auth sock parameter to be more cross-platform --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a0f7787..f9033c7 100644 --- a/README.md +++ b/README.md @@ -76,7 +76,7 @@ Use the following options with the `docker run` command above to enable this: ``` -e SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock \ --v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock \ +-v ${SSH_AUTH_SOCK}:/run/host-services/ssh-auth.sock \ ``` You can omit the following option: @@ -93,4 +93,4 @@ You can omit the following option: ## Version - 2022-08-11 - `v1.8` - Removes Bash, Bumps Alpine to `v3.16` -- 2021-09-12 - `v1.8` - Bumps Alpine to `v3.15` \ No newline at end of file +- 2021-09-12 - `v1.8` - Bumps Alpine to `v3.15`