Access denied for SSH_AUTH_SOCK #1449

Open
hellt opened this issue Dec 5, 2024 · 2 comments

hellt commented Dec 5, 2024

What happened?

I am using devpod on macOS where docker is provided by OrbStack. When I launch my devpod using local VSCode as an IDE, the application that I run in my container reports that it does not have permission to dial the SSH_AUTH_SOCK socket.

WARN[0000] failed to open SSH_AUTH_SOCK: dial unix /tmp/vscode-ssh-auth-sock-386236167: connect: permission denied 

My app runs as root.

The socket is correctly mapped to a path available to a sudo user:

❯ file /tmp/vscode-ssh-auth-sock-386236167                                       
/tmp/vscode-ssh-auth-sock-386236167: symbolic link to /tmp/auth-agent1151507429/listener.sock

❯ ls -la /tmp/vscode-ssh-auth-sock-386236167                                   
lrwxrwxrwx 1 vscode vscode 39 Dec  5 14:25 /tmp/vscode-ssh-auth-sock-386236167 -> /tmp/auth-agent1151507429/listener.sock

❯ ls -la /tmp/auth-agent1151507429/listener.sock                                   
srwxr-xr-x 1 vscode vscode 0 Dec  5 14:25 /tmp/auth-agent1151507429/listener.sock

❯ file /tmp/auth-agent1151507429/listener.sock                                   
/tmp/auth-agent1151507429/listener.sock: socket

I cannot quite figure out why my app cannot access the SSH_AUTH_SOCK unix socket... Everything works fine when I run the devcontainer from VSCode directly (without devpod)

Another demonstration of this socket not being accessible to a root user is:

❯ whoami
vscode

❯ ssh-add -l
4096 SHA256:abc somekey (RSA)

❯ sudo su
root ➜ .../default/workspaces/srl-acl-lab/content (main) $ ssh-add -l
Error connecting to agent: Permission denied

What did you expect to happen instead?

The SSH_AUTH_SOCK is accessible.

How can we reproduce the bug? (as minimally and precisely as possible)

My devcontainer.json:

{
    "image": "ghcr.io/srl-labs/containerlab/devcontainer-dood-slim:0.60.0-rc1",
    "runArgs": [
        "--network=host",
        "--pid=host",
        "--privileged"
    ],
    "mounts": [
        "type=bind,src=/run/docker/netns,dst=/run/docker/netns",
        "type=bind,src=/var/lib/docker,dst=/var/lib/docker",
        "type=bind,src=/lib/modules,dst=/lib/modules"
    ],
    "workspaceFolder": "${localWorkspaceFolder}",
    "workspaceMount": "source=${localWorkspaceFolder},target=${localWorkspaceFolder},type=bind"
}

Local Environment:

  • DevPod Version: 0.6.3
  • Operating System: mac
  • ARCH of the OS: ARM64

DevPod Provider:

  • Local/remote provider: docker via orbstack
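
The checks in the report above (`file` and `ls -la` on the symlink and its target) can be gathered in one pass and run once as `vscode` and once as root for comparison. This Python sketch is an added example, not part of the issue or of DevPod's code; it goes slightly beyond the report by also listing every parent directory of the socket, because on Linux a connect() needs search permission on each of them and write permission on the socket itself, and it reports the errno of a real connect attempt. The function names are hypothetical.

```python
import errno
import os
import socket
import stat

KINDS = [(stat.S_ISLNK, "symlink"), (stat.S_ISSOCK, "socket"), (stat.S_ISDIR, "directory")]

def describe(path):
    """lstat one path: type, mode string and numeric owner, without following links."""
    st = os.lstat(path)
    kind = next((name for test, name in KINDS if test(st.st_mode)), "other")
    return {"path": path, "kind": kind, "mode": stat.filemode(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid}

def trace(path):
    """Rows for each link in the symlink chain, the final target, then every parent directory."""
    rows, seen = [], set()
    path = os.path.abspath(path)
    while True:
        rows.append(describe(path))
        if rows[-1]["kind"] != "symlink" or path in seen:
            break
        seen.add(path)
        # Relative link targets resolve against the link's own directory.
        path = os.path.abspath(os.path.join(os.path.dirname(path), os.readlink(path)))
    parent = os.path.dirname(path)
    while True:
        rows.append(describe(parent))
        if parent == os.path.dirname(parent):  # reached the filesystem root
            break
        parent = os.path.dirname(parent)
    return rows

def try_connect(path):
    """Attempt the connect() an agent client makes; return "ok" or the errno name."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        try:
            s.connect(path)
            return "ok"
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e.errno))

if __name__ == "__main__":
    sock = os.environ.get("SSH_AUTH_SOCK")
    if not sock:
        raise SystemExit("SSH_AUTH_SOCK is not set")
    print(f"euid={os.geteuid()} connect={try_connect(sock)}")
    for r in trace(sock):
        print(f'{r["mode"]} {r["uid"]}:{r["gid"]} {r["kind"]:9} {r["path"]}')
```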

@pascalbreuninger (Member)

Hey @hellt, it looks like VSCode's setting remote.SSH.enableAgentForwarding conflicts with DevPod's agent forwarding.
I'll keep this issue open to investigate further but the short term fix is to disable the VSCode setting

hellt commented Dec 17, 2024

> Hey @hellt, it looks like VSCode's setting remote.SSH.enableAgentForwarding conflicts with DevPod's agent forwarding.
>
> I'll keep this issue open to investigate further but the short term fix is to disable the VSCode setting

Noted, thanks Pascal. Unfortunately to apply the workaround I will have to create a separate devcontainer json as I don't want to lose the ssh forwarding config when the devcontainer is launched as a native vscode devcontainer.

Would be great to solve this in a streamlined way
