Forward gpg-agent to container

Phil Pennock gnupg-users at
Tue Jun 12 00:43:33 CEST 2018

On 2018-06-10 at 18:05 +0200, Benjamin Kircher wrote:
> This gives me
>   gpg: can't connect to the agent: IPC connect call failed
> from within the container.
> Command lines that led to this output are:
>   $ docker run --volume $(gpgconf --list-dirs agent-extra-socket):/root/.gnupg/S.gpg-agent --entrypoint=sh -ti --rm fedora:latest

Did you do something to start the agent in the parent Linux host before
trying to forward the socket?

I can run that Docker image just fine, using the same approach, and
things work for me.

But once you're isolating processes between different virtual operating
systems, none of GnuPG's facilities for auto-launching processes will
help you.


    gpg-connect-agent /bye

in the non-Docker environment before starting the Docker commands.  That
command will ensure that the agent is running, then disconnect from the
running agent.

It might be that you have SELinux preventing the volume mount; if
tacking ':z' onto the end of the volume spec works, that would be the

  docker run -it --rm \
    --volume $(gpgconf --list-dirs agent-extra-socket):/root/.gnupg/S.gpg-agent:z \
    --entrypoint=sh fedora:latest


I am not using Linux with SELinux to run Docker anywhere, so can't be of
any further help in debugging if this is the cause; warning notes online
suggest extreme caution is warranted when using the `z` mount option,
you'll need to test carefully to make sure that GnuPG _outside_ of
Docker still works afterwards.  (If not ... `gpgconf --kill gpg-agent`
and continue on).


More information about the Gnupg-users mailing list