Re-Use SSH Config Inside Docker Containers with WSL2
Avdi Grimm
Posted on November 8, 2020
Docker and WSL have been getting more and more chummy lately. The Docker Desktop WSL2 backend integrates Docker containers with the “official” integrated Windows/Linux ecosystem (boy that still feels a little weird to write…) and gains performance perks in the process.
However, I ran into some trouble recently getting SSH to work inside of a Docker container. As I’ve written about before, I like to bind-in my credentials from my host machine, rather than proliferating credentials into containers. When a container needs to SSH out to the wider world, that means binding in my .ssh directory from the host, e.g. with a docker-compose.yml:
```yaml
volumes:
  - type: bind
    source: ${HOME}${USERPROFILE}/.ssh
    target: /home/${DEV_USER:-abapa}/.ssh
```
Only one problem: volumes mounted from the Windows side are mounted via drvfs, which by default projects all files as having mode 777 on the Linux side. And SSH will refuse to use private key files that are world-writable.
After a bunch of research and some trial-and-error, I found a solution that’s working right now (2020-10-24). Recent versions of drvfs allow NTFS-hosted files to have fake Linux-side effective permissions attached to them, via NTFS extended attributes. And the docker-desktop distro that Docker Desktop installs has this feature enabled:
```
PS> wsl -d docker-desktop
# cat /etc/wsl.conf
[automount]
root = /mnt/host
crossDistro = true
options = "metadata"
```
Notice the options = "metadata" line in /etc/wsl.conf.
So the trick was to open a WSL terminal in that distro and set the desired effective owner and file permissions:
```
PS> wsl -d docker-desktop
caroline:/tmp/docker-desktop-root/mnt/host/c/Users/avdi_000/.ssh# chown -R 1000:1000 .
caroline:/tmp/docker-desktop-root/mnt/host/c/Users/avdi_000/.ssh# chmod -R u=rwX .
```
These aren’t “real” file permissions, since Windows has a very different permissions model from Linux. But they get saved as NTFS extended attributes and treated as the effective file permissions inside WSL distros with metadata enabled.
Notes:
- -R makes the change recursive through directories.
- User/group 1000 are a common default user/group ID for containers.
- File mode u=rwX recursively sets files to readable/writeable by owner, and directories read/write/traversable by owner.
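As an added example (not the post's own code), here is a small POSIX shell script that applies owner-only permissions to a bind-mounted .ssh directory and then verifies the result against the check ssh actually performs (no group/other bits on keys). It uses the post's u=rwX plus go= to clear group/other bits explicitly, and assumes GNU or BusyBox find and chmod; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks a bind-mounted
# ~/.ssh directory for the permission problem described above and applies
# owner-only permissions. Assumes GNU or BusyBox find/chmod (the docker-desktop
# distro ships BusyBox). Function names are hypothetical.

# List every entry under $1 with any group/other permission bit set.
# ssh rejects private keys that group/other can read or write, so an
# owner-only ~/.ssh is the target state.
ssh_perm_violations() {
    find "$1" -perm /077 -print
}

# Set owner-only permissions. u=rwX matches the post's command; go= is
# added here so group/other bits are cleared explicitly, whatever the
# drvfs projection started with. Note that X keeps execute on files that
# already had an execute bit (as 777-projected files do), which ssh does
# not mind. chown is left to the caller, as it needs root.
harden_ssh_dir() {
    chmod -R u=rwX,go= "$1"
}

# Return 0 when nothing under $1 is group/other accessible, else 1.
verify_ssh_dir() {
    offenders=$(ssh_perm_violations "$1")
    if [ -n "$offenders" ]; then
        printf 'group/other-accessible entries under %s:\n%s\n' "$1" "$offenders" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed directory that mimics a drvfs projection (all 777).
# Prints "<violations before> <verify exit code after>", expected "3 0".
demo_ssh_dir() {
    tmp=$(mktemp -d)
    mkdir "$tmp/.ssh"
    printf 'constructed placeholder, not a real key\n' > "$tmp/.ssh/id_ed25519"
    printf 'Host example\n  User dev\n' > "$tmp/.ssh/config"
    chmod -R 777 "$tmp/.ssh"
    before=$(ssh_perm_violations "$tmp/.ssh" | wc -l | tr -d ' ')
    harden_ssh_dir "$tmp/.ssh"
    if verify_ssh_dir "$tmp/.ssh"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    echo "$before $rc"
}
```

Run verify_ssh_dir against the mounted directory from inside the container after the chown/chmod step to confirm the projected permissions are what ssh will see.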