Hi all, I’m trying to get an ansible-navigator container to use my ssh keys on my Mac with Tahoe. I understand that it’s just supposed to work, and I know there’s issues with doing this on a Mac. I’ve tried to understand the various workarounds but I’m very new to containers and I’m not quite getting it. I’ve tried it both with Docker and Podman, and am still getting Permission denied (publickey) when attempting to run a playbook on a remote server. Does anyone have a tried-and-true method to make this work? Thanks!
Hi @jasmartin
I’m using SSH agent forwarding with Ansible Navigator on MacOS. I’m using OrbStack which exposes the same SSH agent bind mount as Docker on Mac documented here: How-tos | Docker Docs
Then I use it in my ansible navigator config file under container-options: home-ops/ansible/ansible-navigator.yml at main · dbrennand/home-ops · GitHub
Hope this helps!
Thanks Daniel, I’m still running into problems.
What I did:
- I copied your execution-environment.yml, requirements.txt, requirements.yml, and custom_entrypoint.sh files into a test_ee directory
- I updated execution-environment.yml so the image is named “test_ee” and the volume is my 1password agent.sock file.
---
ansible-navigator:
  execution-environment:
    container-engine: docker
    image: test_ee
    container-options:
      # SSH keys from 1Password are added to the SSH agent.
      # See: https://developer.1password.com/docs/ssh/agent/compatibility/#ssh-auth-sock
      # OrbStack creates the same path as Docker to bind the host's SSH agent socket into
      # the Execution Environment. See below links:
      # https://docs.docker.com/desktop/features/networking/#ssh-agent-forwarding
      # https://docs.orbstack.dev/docker/#ssh-agent-forwarding
      # This allows the Execution Environment to access the 1Password SSH agent socket.
      - "--volume=/Users/jasmartin/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock:/agent.sock"
    environment-variables:
      # We don't set the SSH_AUTH_SOCK to /agent.sock here because of observations seen in
      # https://github.com/ansible/ansible-navigator/issues/1591#issuecomment-2816701294
      # The variable precedence in this file is overridden by ansible-runner.
      # To workaround this issue, as we're already using a custom entrypoint script
      # (see ee/custom_entrypoint.sh), we override the SSH_AUTH_SOCK there instead.
      pass:
        # This environment variable is passed to the Execution Environment to authenticate
        # the op CLI. See ee/custom_entrypoint.sh for further details.
        - ONEPASSWORD_SERVICE_ACCOUNT_TOKEN
- In the test_ee directory, I ran:
    ansible-builder build --tag test_ee --container-runtime docker
- I created an inventory/hosts.yaml with:
    all:
      hosts:
        10.220.82.37:
  which is an IP I can ssh to with my key.
- I made a test_remote.yml playbook:
    - name: Gather and print facts
      hosts: all
      become: true
      gather_facts: true
      tasks:
        - name: Print facts
          ansible.builtin.debug:
            var: ansible_facts
- I run the playbook in the ee with:
ansible-navigator run test_remote.yml -i inventory --execution-environment-image test_ee --mode stdout --pull-policy missing --enable-prompts -K -u jasmartin --ce docker -vvvv --log-level debug
And still get:
[ERROR]: Task failed: Failed to connect to the host via ssh: Warning: Permanently added '10.220.82.37' (ED25519) to the list of known hosts.
jasmartin@10.220.82.37: Permission denied (publickey).
fatal: [10.220.82.37]: UNREACHABLE! => {
"changed": false,
"msg": "Task failed: Failed to connect to the host via ssh: Warning: Permanently added '10.220.82.37' (ED25519) to the list of known hosts.\r\njasmartin@10.220.82.37: Permission denied (publickey).",
"unreachable": true
}
Hi @jasmartin
You can remove the section:
    environment-variables:
      # We don't set the SSH_AUTH_SOCK to /agent.sock here because of observations seen in
      # https://github.com/ansible/ansible-navigator/issues/1591#issuecomment-2816701294
      # The variable precedence in this file is overridden by ansible-runner.
      # To workaround this issue, as we're already using a custom entrypoint script
      # (see ee/custom_entrypoint.sh), we override the SSH_AUTH_SOCK there instead.
      pass:
        # This environment variable is passed to the Execution Environment to authenticate
        # the op CLI. See ee/custom_entrypoint.sh for further details.
        - ONEPASSWORD_SERVICE_ACCOUNT_TOKEN
Unless you also want to use the community.general.onepassword lookup plugin (Fetch field values from 1Password, Ansible Community Documentation) eventually.
I use zshell so in my ~/.zshrc file I have the SSH_AUTH_SOCK environment variable exported as per instructions from SSH client compatibility | 1Password Developer:
export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock
If you’re using bash then add it to your ~/.bashrc file. Make sure to source the file afterwards.
If you’re using Docker on Mac, you will just need the same contents as what I had under container-options:
    container-options:
      - "--volume=/run/host-services/ssh-auth.sock:/agent.sock"
Now that I think of it, I don’t think I’ve ever tried it with ansible-navigator run - I always create a shell inside the EE and then run the playbook: ansible-navigator exec -- /bin/bash
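A small diagnostic for the situation discussed in this thread, added here and not part of anyone's post or of the dbrennand/home-ops repo: it checks whether a given SSH agent socket path exists, is actually a socket, and answers to ssh-add. Run it on the host against the 1Password socket and inside the EE (ansible-navigator exec -- /bin/sh) against /agent.sock; the default paths in main are the ones from the thread, and the only tool assumed is OpenSSH's ssh-add.

```shell
#!/bin/sh
# Diagnose whether an SSH agent socket is usable from where this runs.
# Return codes of check_agent_socket:
#   0 = agent reachable and holds at least one identity
#   1 = path does not exist (mount not made / agent not running)
#   2 = path exists but is not a socket (a -v mount of a missing host path
#       can show up as an empty directory in the container)
#   3 = agent reachable but holds no identities
#   4 = something is at the path but no agent answers on it
check_agent_socket() {
  sock="$1"
  if [ ! -e "$sock" ]; then
    echo "no such path: $sock" >&2
    return 1
  fi
  if [ ! -S "$sock" ]; then
    echo "not a socket: $sock" >&2
    return 2
  fi
  # ssh-add -l exit status: 0 keys listed, 1 no identities, 2 cannot connect.
  SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1
  case $? in
    0) echo "agent on $sock is reachable and has identities"; return 0 ;;
    1) echo "agent on $sock is reachable but holds no identities" >&2; return 3 ;;
    *) echo "no agent answers on $sock" >&2; return 4 ;;
  esac
}

# Candidate sockets: whatever the shell already exports, the 1Password agent
# path on the Mac host, and the bind-mount target used inside the EE.
main() {
  for s in "${SSH_AUTH_SOCK:-}" \
           "$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock" \
           /agent.sock; do
    [ -n "$s" ] && check_agent_socket "$s"
  done
  return 0
}

main "$@"
```

If the host check passes but the in-EE check returns 1 or 2, the volume option is not taking effect; if it returns 4, the mount is there but points at the wrong socket.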