Docker can't find ssh

I expect I’m missing something in my configuration, or some symlink somewhere that would allow Docker to find ssh where it expects it to be. I’m hoping someone here is more familiar with docker/ssh on NixOS and can help me fix my ability to pull from private GitHub repositories.

When trying to build an image for a private repo, I get an error like the following:

docker build git@github.com:<org>/<repo>.git --ssh default
 => ERROR [internal] load git source git@github.com:<org>/<repo>  0.0s
------
 > [internal] load git source git@github.com:<org>/<repo>.git:
0.029 ssh -F /dev/null -o UserKnownHostsFile=/var/lib/docker/tmp/2678581424: line 1: ssh: command not found
0.024 fatal: Could not read from remote repository.
0.024
0.024 Please make sure you have the correct access rights
0.024 and the repository exists.
------
ERROR: failed to solve: failed to read dockerfile: failed to load cache key: error fetching default branch for repository git@github.com:<org>/<repo>.git: exit status 128

I actually need it for maintaining a docker-compose setup, but this is the simplest thing that reproduces the error.

  • This is docker itself attempting to use ssh agent forwarding via BuildKit, not a container just not having ssh installed.
  • This seems to be a different error from ones many people seem to get for ssh agent forwarding not doing the interactive login process.
  • Adding keys with ssh-add doesn’t fix the issue.
  • ssh: command not found seems to suggest it can’t locate it, but I can’t figure out where it’s looking. ssh is installed for all users via services.openssh.enable in configuration.nix, is on my $PATH, and otherwise works fine; which ssh returns /run/current-system/sw/bin/ssh.
  • systemctl status sshd.service shows that it’s running, listening on port 22.
  • $SSH_AUTH_SOCK points to /run/user/1000/ssh-agent, which does exist.

I think the only things in my configuration that are relevant are:

services.openssh.enable = true;
programs.ssh.startAgent = true;

virtualisation.docker = {
  enable = true;
  enableOnBoot = true;
  logDriver = "json-file";
};

nix-info -m:

 - system: `"x86_64-linux"`
 - host os: `Linux 6.8.4, NixOS, 24.05 (Uakari), 24.05.20240406.ff0dbd9`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.2`
 - channels(root): `"nixos"`
 - nixpkgs: `/nix/store/j10523yhkcc34478azkgcl70yzcx6j2j-source`

docker version:

Client:
 Version:           24.0.5
 API version:       1.43
 Go version:        go1.22.1
 Git commit:        v24.0.5
 Built:             Thu Jan  1 00:00:00 1970
 OS/Arch:           linux/amd64
 Context:           default

Server:
 Engine:
  Version:          24.0.5
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.22.1
  Git commit:       v24.0.5
  Built:            Tue Jan  1 00:00:00 1980
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.7.14
  GitCommit:        v1.7.14
 runc:
  Version:          1.1.8
  GitCommit:
 docker-init:
  Version:          0.19.0
  GitCommit:

ssh -V:

OpenSSH_9.7p1, OpenSSL 3.0.13 30 Jan 2024

Thanks in advance for any help.

This has turned out to maybe not be a NixOS issue.

Running:

docker buildx create --name=container --driver=docker-container --use --bootstrap

And then running with:

docker build "git@github.com:<org>/<repo>.git" --builder container

allowed it to fetch the repo. Near as I can tell, for whatever reason, the container used by buildkit seems to have actually been missing ssh.

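A diagnostic for the "I can't figure out where it's looking" point above, added here as an example and not part of the original posts: it resolves `ssh` against the PATH recorded for a given process instead of the login shell's PATH. It assumes the default builder runs the git fetch in the Docker daemon's environment, which the page does not confirm; the function names and the script file name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original posts.
# Assumption: with the default "docker" build driver the git fetch is run by
# the Docker daemon, so `ssh` must be on dockerd's PATH, not only on yours.

# Print the PATH value from a NUL-separated environ file (/proc/<pid>/environ).
path_from_environ() {
    tr '\0' '\n' < "$1" | sed -n '/^PATH=/{s/^PATH=//p;q;}'
}

# Resolve command $1 against PATH string $2; print the first executable hit.
resolve_in_path() {
    local cmd="$1" dir
    local IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.          # an empty PATH entry means the cwd
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
            return 0
        fi
    done
    return 1
}

# Report whether the process with pid $1 would find `ssh`.
# $2 optionally overrides the environ file (used for offline testing).
check_daemon_ssh() {
    local environ="${2:-/proc/$1/environ}" daemon_path hit
    [ -r "$environ" ] || { echo "unreadable: $environ"; return 2; }
    daemon_path="$(path_from_environ "$environ")"
    if hit="$(resolve_in_path ssh "$daemon_path")"; then
        echo "found: $hit"
    else
        echo "missing: ssh is not on PATH=$daemon_path"
        return 1
    fi
}

# On a live host (root is needed to read the daemon's environ), with this file
# saved under the hypothetical name check_ssh.sh:
#   sudo sh -c '. ./check_ssh.sh; check_daemon_ssh "$(pidof dockerd)"'
```

A `missing:` result while `which ssh` succeeds in your shell means the two processes see different PATH values, which matches the `ssh: command not found` line in the build log.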