I have been making end-user apps for myself and for folks at work that require such identity, in one case, ~/.ssh, and in another, ~/.gnupg.
My solution isn't particularly novel or clever, but it works well.
The docker image of the command-line app is the same for all users, and so lacks their identity built in.
The hack is to drive invocation of the docker image with a shell script that makes a temporary directory, copies in the necessary identity files from ~, and does a docker run that maps those identity files into the docker image.
After the docker image exits, the bash invocation script cleans up.
It's a hack, but it works surprisingly well. In my tests, it adds about 100ms of invocation latency for a python program. That is, running the docker image containing a python program that copies some files in as described is about 100ms slower than just running the same python program directly.
It would be nice to have a more elegant solution to this, but it's not too bad.
disclaimer: I am not a security expert. Reader beware!
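The stage-copy-mount-cleanup wrapper described in the comment above, written out as an added example (this is not the commenter's own script). It assumes an image called example/cli-app, mounts the staged directory read-only at /root/.ssh inside the container, and uses an allow-list of ~/.ssh files (IDENTITY_FILES) rather than copying the whole directory; those names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the commenter's script): stage a user's ~/.ssh identity
# into a private temp dir, bind-mount it read-only into a container, clean up.
# The image name, the /root/.ssh mount point and the file allow-list below are
# assumptions for illustration.
set -eu

# Allow-list of files to stage; anything not named here never reaches the container.
IDENTITY_FILES="${IDENTITY_FILES:-config known_hosts id_ed25519 id_ed25519.pub}"
# Overridable so the wrapper can be dry-run (DOCKER_CMD=echo) without Docker.
DOCKER_CMD="${DOCKER_CMD:-docker}"

# Copy the allow-listed files from $1 into staging dir $2 with tight permissions.
stage_identity() {
    src="$1"
    dst="$2"
    mkdir -p "$dst"
    chmod 700 "$dst"
    for f in $IDENTITY_FILES; do
        if [ -f "$src/$f" ]; then
            cp "$src/$f" "$dst/$f"
            chmod 600 "$dst/$f"
        fi
    done
}

# Run IMAGE [ARGS...] with staging dir $1 mounted read-only at /root/.ssh.
# Read-only keeps the app from altering known_hosts or the keys; the copies
# are still readable inside the container for the lifetime of the run.
run_with_identity() {
    stage="$1"
    shift
    tty_opt=""
    if [ -t 0 ]; then tty_opt="-t"; fi   # allocate a tty only when we have one
    "$DOCKER_CMD" run --rm -i $tty_opt \
        -v "$stage:/root/.ssh:ro" \
        "$@"
}

main() {
    stage="$(mktemp -d)"
    # Remove the staged copies however the run ends (app error, ctrl-c, docker missing).
    trap 'rm -rf "$stage"' EXIT
    trap 'exit 1' INT TERM
    stage_identity "$HOME/.ssh" "$stage"
    run_with_identity "$stage" "$@"
}

# Usage: run-with-identity.sh IMAGE [ARGS...]; with no arguments only the
# functions are defined, so the file can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Invoke it as `./run-with-identity.sh example/cli-app --help`; `DOCKER_CMD=echo ./run-with-identity.sh example/cli-app` prints the docker command line instead of running it, which is a quick way to check what is being mounted. The allow-list is the part worth keeping even if the rest changes: it makes the set of files handed to the container explicit and reviewable, and the `:ro` mount means a misbehaving app cannot rewrite known_hosts or the key files on its way out.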
If you're using ssh-agent, maybe you could bind-mount your host's $(dirname $SSH_AUTH_SOCK) into the container, and then set the SSH_AUTH_SOCK environment variable to point at it when you run the Docker container. That way you're not even sharing the private key with the container.
I imagine you could do the same with gpg-agent, too.
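The agent-socket variant suggested in the reply above, as an added example (not the replier's code): bind-mount the directory holding the host's ssh-agent socket and point SSH_AUTH_SOCK inside the container at it, so the container can ask the agent to sign but never reads the private key. The in-container mount point /run/host-ssh-agent and the image name example/cli-app are assumptions; the same pattern applies to gpg-agent using the path printed by `gpgconf --list-dirs agent-socket`.

```shell
#!/bin/sh
# Added example (not the commenter's script): expose the host ssh-agent to a
# container by bind-mounting the socket's directory and pointing SSH_AUTH_SOCK
# at it, so the private key never enters the container. The in-container
# mount point /run/host-ssh-agent and the image name are assumptions.
set -eu

DOCKER_CMD="${DOCKER_CMD:-docker}"          # DOCKER_CMD=echo for a dry run
AGENT_MOUNT="${AGENT_MOUNT:-/run/host-ssh-agent}"

# Turn a host socket path into the docker options that expose it. Prints:
#   -v <host socket dir>:<AGENT_MOUNT> -e SSH_AUTH_SOCK=<AGENT_MOUNT>/<socket name>
agent_mount_opts() {
    printf '%s %s:%s -e SSH_AUTH_SOCK=%s/%s\n' \
        -v "$(dirname "$1")" "$AGENT_MOUNT" "$AGENT_MOUNT" "$(basename "$1")"
}

# Run IMAGE [ARGS...] with the host agent forwarded. Refuses to start when no
# agent socket is available instead of silently running without keys.
run_with_agent() {
    sock="${SSH_AUTH_SOCK:-}"
    if [ -z "$sock" ] || [ ! -S "$sock" ]; then
        echo "run_with_agent: SSH_AUTH_SOCK is unset or not a socket; start ssh-agent and ssh-add first" >&2
        return 1
    fi
    # Unquoted on purpose so the options split into words; assumes the socket
    # path contains no whitespace (true for ssh-agent's default locations).
    "$DOCKER_CMD" run --rm -i $(agent_mount_opts "$sock") "$@"
}

# Usage: run-with-agent.sh IMAGE [ARGS...]; with no arguments only the
# functions are defined.
if [ $# -gt 0 ]; then
    run_with_agent "$@"
fi
```

Inside the container, ssh and git pick up SSH_AUTH_SOCK automatically. What the container gets is the ability to sign with any key loaded in the agent for as long as it runs, not the key material itself; adding keys with `ssh-add -c` makes the host prompt for confirmation on each use, which is a cheap way to notice a container making more connections than expected. This works on Linux hosts where the socket is a plain file on the host filesystem; Docker Desktop on macOS does not expose the host socket this way and needs its own agent forwarding mechanism.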
I think this is the common solution. It definitely feels like a hack, though.
I thought of the ssh-agent trick, but never thought of how to actually do it and moved on to other problems.
I would love to hear thoughts on better ways to fix this. Apologies for not responding earlier, as I really want this conversation to end somewhere. I just feel ashamed that I don't know how to continue it.
I do want to throw out there that this should not keep folks from trying docker. Please try it. Even better, suggest ways to advance this use case.