SSH config from target is not inherited when target is built as part of another target
Contributing guidelines
- [X] I've read the contributing guidelines and wholeheartedly agree
I've found a bug and checked that ...
- [X] ... the documentation does not mention anything about my problem
- [X] ... there are no open or closed issues that are related to my problem
Description
Unfortunately due to the inconsistent behavior I'm unable to give a reproducible example, but I can explain it according to one.
In my larger build, what sometimes happens is that uses-ssh will be built as part of copies-from-uses-ssh. In this case, it seems that the SSH agent is not correctly forwarded to uses-ssh and an error will appear due to no SSH keys existing.
The issue can be fixed by adding ssh to the copies-from-uses-ssh target in docker-bake.hcl, even though copies-from-uses-ssh does not use ssh itself.
```hcl
target "copies-from-uses-ssh" {
  ssh = "default"
  ...
}
```
I assume that what's going wrong is incorrect forwarding of the SSH agent when it's started as a build as part of another target. I have a larger build with some dependencies between images (for which bake works amazingly) and I have to solve this issue by adding the ssh config to every image. If I didn't, my CI/CD pipelines would randomly fail when the target was built as part of another target.
The issue is popping up when for instance running yarn install with images that need to be pulled from a private registry.
Expected behaviour
If the SSH agent is specified in the uses-ssh target, it's always correctly forwarded, without having to add the SSH agent to every target that might use uses-ssh as context.
Actual behaviour
The output from docker buildx bake release will sometimes look like the output shown below. Here, uses-ssh is built as part of copies-from-uses-ssh.
```
[copies-from-uses-ssh uses-ssh 3/3] RUN --mount=type=ssh ssh-add -L
```
In this case, it'll generate an error:
```
0.455 Error connecting to agent: No such file or directory
------
use_ssh.Dockerfile:5
--------------------
   3 |
   4 |     RUN apk add --no-cache openssh-client
   5 | >>> RUN --mount=type=ssh ssh-add -L
--------------------
ERROR: failed to solve: process "/bin/sh -c ssh-add -L" did not complete successfully: exit code: 2
```
Buildx version - NOTE: Updated this to correspond with the buildx version on the build servers
github.com/docker/buildx v0.10.4 c513d34049e499c53468deac6c4267ee72948f02
Docker info
No response
Builders list
```
NAME/NODE   DRIVER/ENDPOINT   STATUS    BUILDKIT               PLATFORMS
default *   docker
  default   default           running   v0.11.6+0a15675913b7   linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/amd64/v4, linux/386
```
Configuration
```hcl
group "release" {
  targets = [
    "copies-from-uses-ssh"
  ]
}

target "uses-ssh" {
  dockerfile = "./use_ssh.Dockerfile"
  ssh = ["default"]
}

target "copies-from-uses-ssh" {
  dockerfile = "./copies_from_use_ssh.Dockerfile"
  contexts = {
    uses-ssh = "target:uses-ssh"
  }
}
```
```dockerfile
# syntax=docker/dockerfile:1.4
FROM alpine:3.18.3
RUN apk add --no-cache openssh-client
RUN --mount=type=ssh ssh-add -L
```
```dockerfile
# syntax=docker/dockerfile:1.4
FROM alpine:3.18.3
COPY --from=uses-ssh --link / /
```
```
docker buildx bake release --no-cache
```
Build logs
No response
Additional info
No response
Hi, I think this issue affects not only ssh mounts but also secrets. Say you'd want to pass the private key as a secret instead of your ssh socket.
```hcl
group "release" {
  targets = [
    "copies-from-uses-ssh"
  ]
}

target "uses-ssh" {
  dockerfile = "./use_ssh.Dockerfile"
  secret = [
    {
      type = "file"
      id = "private_key"
      src = "${HOME}/.ssh/id_ed25519"
    }
  ]
}

target "copies-from-uses-ssh" {
  dockerfile = "./copies_from_use_ssh.Dockerfile"
  contexts = {
    uses-ssh = "target:uses-ssh"
  }
}
```
```dockerfile
# syntax=docker/dockerfile:1.4
# use-ssh.Dockerfile
FROM alpine:3.18.3
RUN apk add --no-cache openssh-client
RUN --mount=type=secret,id=private_key,target=/root/.ssh/id_ed25519,required=true ls -la /root/.ssh
```
It would sometimes error out in copies-from-uses-ssh with
ERROR: secret private_key not found
I am running buildx version
github.com/docker/buildx v0.26.1 1a8287f
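Added example, not part of the issue thread and not buildx code: a CI-side check that reads a resolved bake definition and lists every target that reaches an `ssh` or `secret` declaration only through a `target:` context, which is the condition both reports above describe. The function names are hypothetical, and the sample data and the assumption that entries appear either as objects or as CSV strings are constructed for illustration.

```python
# Constructed sample in the shape printed by `docker buildx bake --print`
# (assumption: ssh/secret entries are objects with an "id" or CSV strings).
SAMPLE = {"target": {
    "uses-ssh": {"ssh": ["default"],
                 "secret": [{"type": "file", "id": "private_key", "src": "/home/u/.ssh/id_ed25519"}]},
    "copies-from-uses-ssh": {"contexts": {"uses-ssh": "target:uses-ssh"}},
}}

def entry_id(entry, kind):
    """Return the id of one ssh/secret entry in object or string form."""
    if isinstance(entry, dict):
        return entry.get("id")
    if kind == "ssh":                      # "default" or "default=/path/to/agent.sock"
        return entry.split("=", 1)[0]
    fields = dict(f.split("=", 1) for f in entry.split(",") if "=" in f)
    return fields.get("id")                # "id=private_key,src=..."

def required(targets, name, kind, seen=None):
    """Ids of `kind` declared by `name` or by anything it reaches via target: contexts."""
    seen = set() if seen is None else seen
    if name in seen or name not in targets:
        return set()
    seen.add(name)
    t = targets[name]
    ids = {entry_id(e, kind) for e in t.get(kind) or []}
    for ref in (t.get("contexts") or {}).values():
        if ref.startswith("target:"):
            ids |= required(targets, ref[len("target:"):], kind, seen)
    return ids

def missing_forwarding(bake):
    """List (target, kind, ids) where a dependency declares ids the target does not."""
    targets = bake.get("target", {})
    findings = []
    for name, t in sorted(targets.items()):
        for kind in ("ssh", "secret"):
            own = {entry_id(e, kind) for e in t.get(kind) or []}
            gap = required(targets, name, kind) - own
            gap.discard(None)
            if gap:
                findings.append((name, kind, sorted(gap)))
    return findings

if __name__ == "__main__":
    for name, kind, ids in missing_forwarding(SAMPLE):
        print(f"{name}: {kind} {ids} declared only on a target: dependency")
```

To run it on a real definition, load the JSON from `docker buildx bake --print release` and pass it to `missing_forwarding`. Each finding is a place where the workaround from this thread would extend a credential declaration to a target that does not mount it, so review those additions individually.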