TL;DR
- It would be nice to have a user other than root to run commands in the container (bonus points if this user has the same uid as the host user).
- Document custom ssh configuration.
I first wanted to authenticate on my server with my ssh key. I found that mounting the ssh agent socket as a volume would be a reasonable solution.
To go further, for security purposes (forcing secure algorithms, server signatures, etc.), I would like to be able to pass my host config and known_hosts files to the container.
This is what my docker run command looks like so far:
```shell
docker run \
  --name ansible-playbook \
  -it --rm \
  --volume $(pwd):/home/ansible/project \
  -w /home/ansible/project \
  --volume $SSH_AUTH_SOCK:/ssh-agent --env SSH_AUTH_SOCK=/ssh-agent \
  --volume ${HOME}/.ssh/config:/root/.ssh/config:ro \
  --volume ${HOME}/.ssh/known_hosts:/root/.ssh/known_hosts:ro \
  williamyeh/ansible:ubuntu14.04 \
  ansible-playbook
```
When doing so with the current image, I hit a `Bad owner or permissions on /root/.ssh/config`.
```
# ls -alh /root/.ssh
drwxr-xr-x 2 root root 4.0K Apr 29 05:11 .
drwx------ 3 root root 4.0K Apr 29 05:11 ..
-rw------- 1 1000 1000 1.6K Apr 29 05:11 config
-rw------- 1 1000 1000 8.3K Apr 25 05:17 known_hosts
```
Yep: the files are mounted with the owner id from the host, which does not exist in the container.
Therefore, I created a "custom image" to extend the behaviour as follows:
```dockerfile
FROM williamyeh/ansible:ubuntu14.04
RUN adduser -u 1000 --disabled-password ansible
USER ansible
```
... and now I am able to use the following command successfully (note the slight changes in the volume destinations):
```shell
docker run \
  --name ansible-playbook \
  -it --rm \
  --volume $(pwd):/home/ansible/project \
  -w /home/ansible/project \
  --volume $SSH_AUTH_SOCK:/ssh-agent --env SSH_AUTH_SOCK=/ssh-agent \
  --volume ${HOME}/.ssh/config:/home/ansible/.ssh/config:ro \
  --volume ${HOME}/.ssh/known_hosts:/home/ansible/.ssh/known_hosts:ro \
  ${ansible_image} \
  ansible-playbook
```
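As an added example (not code from this issue or from the williamyeh/ansible project), the whole workflow above in one script: it renders a Dockerfile whose unprivileged user takes the host UID at build time instead of a hard-coded 1000, runs the same ownership and mode check OpenSSH applies to `~/.ssh/config` before mounting the file (so the "Bad owner or permissions" error is caught on the host), and then issues the `docker run` with the agent socket and ssh files mounted read-only. The image tag `local/ansible-uid`, the user name `ansible` and the use of GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original issue or the williamyeh/ansible image.
# Assumptions: image tag local/ansible-uid, user "ansible", GNU stat(1) (-c flag).
set -eu

BASE_IMAGE="williamyeh/ansible:ubuntu14.04"
CUSTOM_IMAGE="local/ansible-uid"      # assumed tag for the derived image

# Emit a Dockerfile that creates an unprivileged user whose UID matches the
# host user, so files bind-mounted from $HOME/.ssh keep a valid owner inside.
render_dockerfile() {
    uid="$1"
    cat <<EOF
FROM ${BASE_IMAGE}
RUN adduser --uid ${uid} --disabled-password --gecos "" ansible
USER ansible
WORKDIR /home/ansible/project
EOF
}

# OpenSSH rejects ~/.ssh/config ("Bad owner or permissions") unless the file is
# owned by the invoking user or root and is neither group- nor world-writable.
# Check a host file against the UID the container will run as, before mounting.
ssh_config_acceptable() {
    file="$1"; target_uid="$2"
    [ -f "$file" ] || return 1
    owner=$(stat -c '%u' "$file")
    perms=$(stat -c '%A' "$file")        # symbolic mode, e.g. -rw-------
    [ "$owner" = "$target_uid" ] || [ "$owner" = "0" ] || return 1
    case "$perms" in
        ?????w*|????????w*) return 1 ;;  # 6th char = group write, 9th = other write
    esac
    return 0
}

# Build the derived image for the current host UID, then run the playbook with
# the agent socket and the host ssh files mounted read-only in that user's home.
build_and_run() {
    host_uid=$(id -u)
    if ! ssh_config_acceptable "$HOME/.ssh/config" "$host_uid"; then
        echo "refusing to mount $HOME/.ssh/config: ssh would reject its owner/mode" >&2
        return 1
    fi
    render_dockerfile "$host_uid" | docker build -t "$CUSTOM_IMAGE" -
    docker run --rm -it \
        --volume "$(pwd):/home/ansible/project" \
        --volume "$SSH_AUTH_SOCK:/ssh-agent" --env SSH_AUTH_SOCK=/ssh-agent \
        --volume "$HOME/.ssh/config:/home/ansible/.ssh/config:ro" \
        --volume "$HOME/.ssh/known_hosts:/home/ansible/.ssh/known_hosts:ro" \
        "$CUSTOM_IMAGE" ansible-playbook "$@"
}

# Only touch docker when invoked explicitly, e.g.: ./run-playbook.sh run site.yml
if [ "${1:-}" = "run" ]; then
    shift
    build_and_run "$@"
fi
```

Because the container user now has the host UID, the agent socket (owned by the host user) and the read-only `config`/`known_hosts` mounts are all usable without running anything as root, and the preflight check fails fast on the host rather than inside the container.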
Thanks for reading, happy to hear your thoughts on that.