Docker and WSL have been getting more and more chummy lately. The Docker Desktop WSL2 backend integrates Docker containers with the “official” integrated Windows/Linux ecosystem (boy that still feels a little weird to write…) and gains performance perks in the process.
However, I ran into some trouble recently getting SSH to work inside of a Docker container. As I’ve written about before, I like to bind-in my credentials from my host machine, rather than proliferating credentials into containers. When a container needs to SSH out to the wider world, that means binding in my .ssh
directory from the host, e.g. with a docker-compose.yml
:
volumes:
- type: bind
source: ${HOME}${USERPROFILE}/.ssh
target: /home/${DEV_USER:-abapa}/.ssh
Only one problem: volumes mounted from the Windows side are mounted via drvfs
, which by default projects all files as having mode 777 on the Linux side. And SSH will refuse to use certificate files that are world-writeable.
After a bunch of research and some trial-and-error, I found a solution that’s working right now (2020-10-24). Recent versions of drvfs
allow NTFS-hosted files to have fake Linux-side effective permissions attached to them, via NTFS extended attributes. And the docker-desktop
distro that Docker Desktop installs has this feature enabled:
PS> wsl -d docker-desktop
# cat /etc/wsl.conf
[automount]
root = /mnt/host
crossDistro = true
options = "metadata"
Notice the options = "metadata"
line in /etc/wsl.conf
.
So the trick was to open a WSL terminal in that distro and set the desired effective owner and file permissions:
PS> wsl -d docker-desktop
caroline:/tmp/docker-desktop-root/mnt/host/c/Users/avdi_000/.ssh# chown -R 1000:1000 .
caroline:/tmp/docker-desktop-root/mnt/host/c/Users/avdi_000/.ssh# chmod -R u=rwX .
These aren’t “real” file attributes, since Windows has a very different permissions model from Linux. But they get saved as file attributes and treated as the effective file permissions inside WSL distros with metadata enabled.
Notes:
-
-R
makes the change recursive through directories. - User/group 1000 are a common default user/group ID for containers.
- File mode
u=rwX
recursively sets files to readable/writeable by owner, and directories read/write/traversable by owner.
Top comments (1)
Have you seen this section I did on Cross-Platform SSH solutions with Docker? I've tested it with Docker, Compose, Docker Sync, etc for Ruby & Node (with Yarn) and so far everything has been working well.
dev.to/aws-heroes/serverless-docke...