SSH Agent Forwarding With MacOS and Docker Desktop #1591

Open
timway opened this issue Aug 8, 2023 · 3 comments
Labels
bug Researched, reproducible, committed to fix

timway commented Aug 8, 2023

ISSUE TYPE
  • Bug Report
SUMMARY

The SSH agent is not correctly mounted when using MacOS and Docker Desktop with Ansible Navigator.

ANSIBLE-NAVIGATOR VERSION
% ansible-navigator --version
ansible-navigator 3.4.0
CONFIGURATION

In one of the cases you can try to configure ansible-navigator.yml to mount the volume and configure the ENV variable as described in the Docker Desktop documentation.

---
ansible-navigator:
  execution-environment:
    environment-variables:
      set:
        SSH_AUTH_SOCK: /run/host-services/ssh-auth.sock
    volume-mounts:
      - src: /run/host-services/ssh-auth.sock
        dest: /run/host-services/ssh-auth.sock
LOG FILE
Warning: Issues were found while applying the settings.
   Hint: Command provided: '--mode stdout run playbook.yml --inventory hosts'

  Error: The following execution-environment.volume-mounts entry could not be parsed:  {'src': '/run/host-services/ssh-auth.sock',
         'dest': '/run/host-services/ssh-auth.sock'} (Settings file). Errors were found: Source: '/run/host-services/ssh-auth.sock'
         does not exist.
   Hint: The value of execution-environment.volume-mounts should be a list of dictionaries and valid keys are 'src', 'dest' and
         'options'.

   Note: Configuration failed, using default log file location. (/Users/abcd/efgh/ansible-navigator.log)
         Log level set to debug
   Hint: Review the hints and log file to see what went wrong.
STEPS TO REPRODUCE
  • Using MacOS, Python provided by MacOS, Ansible Navigator installed
  • Configure a target machine with SSH key based authentication using a key with a passphrase
  • Add the SSH key to the agent
  • Try to use ansible-navigator
EXPECTED RESULTS

Ideally, it detects the container runtime and automatically mounts the SSH agent into the container correctly.

ACTUAL RESULTS
  • With no configuration it runs the playbook but is missing the credentials provided by the SSH agent
  • With configuration in the ansible-navigator.yml to add the volume for /run/host-services/ssh-auth.sock it fails because the volume does not exist on the host running ansible-navigator
    • Should ansible-navigator be validating the bind mount paths or should we leave that up to the container runtime?
ADDITIONAL INFORMATION

https://docs.docker.com/desktop/networking/#ssh-agent-forwarding

@timway timway added bug Researched, reproducible, committed to fix new New issues and PRs to triaged labels Aug 8, 2023
timway commented Aug 9, 2023

This appears to be an issue with ansible-runner and not ansible-navigator directly. I'll file an issue and potentially try to write a PR for it over there.

https://github.com/ansible/ansible-runner/blob/aef73cf7265b807c877697e74585f74d58459366/src/ansible_runner/config/_base.py#L372-L374

timway commented Aug 10, 2023

ansible/ansible-runner#1293 is the PR in ansible-runner. A similar fix will be needed for the volume check in ansible-navigator. Alternatively, should the volume check be removed for ansible-navigator altogether?
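
Added example, not code from ansible-navigator, ansible-runner or the linked PR: one way a host-side mount check could exempt the Docker Desktop socket path from this issue by exact match while still rejecting every other missing source. The function names and the `platform`, `engine` and `exists` parameters are hypothetical.

```python
import posixpath
import sys
import os

# Path given in the issue's settings file for Docker Desktop SSH agent forwarding.
# It is resolved inside the Docker Desktop VM, so it never exists on the macOS host.
DOCKER_DESKTOP_SSH_SOCK = "/run/host-services/ssh-auth.sock"

# Keys the ansible-navigator hint in the log lists as valid for a volume-mounts entry.
VALID_KEYS = {"src", "dest", "options"}


def is_vm_provided_source(src, platform, engine):
    """True only for the exact Docker Desktop socket path on macOS with docker."""
    return (
        platform == "darwin"
        and engine == "docker"
        and posixpath.normpath(src) == DOCKER_DESKTOP_SSH_SOCK
    )


def validate_volume_mounts(mounts, platform=sys.platform, engine="docker",
                           exists=os.path.exists):
    """Return a list of error strings; an empty list means every entry passed."""
    errors = []
    for entry in mounts:
        if set(entry) - VALID_KEYS or "src" not in entry or "dest" not in entry:
            errors.append(f"malformed entry: {entry!r}")
            continue
        src = entry["src"]
        if is_vm_provided_source(src, platform, engine):
            continue  # a host-side existence check cannot succeed for this path
        if not exists(src):
            errors.append(f"Source: '{src}' does not exist.")
    return errors


# Constructed sample input mirroring the volume-mounts entry in the issue.
SAMPLE = [{"src": DOCKER_DESKTOP_SSH_SOCK, "dest": DOCKER_DESKTOP_SSH_SOCK}]

if __name__ == "__main__":
    never = lambda path: False  # simulate a host where the socket path is absent
    print("darwin/docker:", validate_volume_mounts(SAMPLE, "darwin", "docker", never))
    print("linux/docker: ", validate_volume_mounts(SAMPLE, "linux", "docker", never))
```

Keeping the exemption to a single normalized path means typos and stale paths in other `volume-mounts` entries are still caught before the container runtime is invoked.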

@shatakshiiii shatakshiiii removed the new New issues and PRs to triaged label Aug 23, 2023
@ekartsonakis

Hi @timway. I've posted a question here #1621 which seems to be highly related to this issue. Could you please take a look and let me know if you have any idea?
Thank you!
