Docker Desktop for Mac: SSH into the Docker VM

As you may know, Docker Desktop on macOS runs a Linux VM in the background to run containers on macOS (since containers are a Linux concept). However, that VM is well hidden from view and you typically only interact with it when you start Docker Desktop or when you need to clean up images in the VM itself.

Sometimes you’ll want to have a shell into that VM, but that turns out to be more complicated than I initially expected. There is however an easily accessible debug shell available.

  • First, open a terminal and use socat to open the debug shell socket to the VM using the following command:
$ socat -d -d ~/Library/Containers/com.docker.docker/Data/debug-shell.sock pty,rawer
  • socat will print the line “PTY is /dev/ttys010“, to which you can then connect to using screen on another terminal window:
$ screen /dev/ttys0xx

So that will look something like this:

$ socat -d -d ~/Library/Containers/com.docker.docker/Data/debug-shell.sock pty,rawer
2021/01/02 21:28:43 socat[23508] N opening connection to LEN=73 AF=1 "/Users/simon/Library/Containers/com.docker.docker/Data/debug-shell.sock"
2021/01/02 21:28:43 socat[23508] N successfully connected from local address LEN=16 AF=1 ""
2021/01/02 21:28:43 socat[23508] N successfully connected via
2021/01/02 21:28:43 socat[23508] N PTY is /dev/ttys010
2021/01/02 21:28:43 socat[23508] N starting data transfer loop with FDs [5,5] and [6,6]

$ screen /dev/ttys010
/ #
/ # uname -a
Linux docker-desktop 4.19.121-linuxkit #1 SMP Tue Dec 1 17:50:32 UTC 2020 x86_64 Linux

The VM is a very stripped down Alpine image with no package manager available, so you’ll have to make do with what is available.

Quit with CTRL-D, which will also close the socat socket. Thanks to Tatsushi for figuring it out in this GitHub Gist.

gopass: “gpg: decryption failed: No secret key”

For a few years now I have been using the pass password manager. It is a wonderfully simple way to manage passwords using PGP to encrypt passwords in text files. The same files can then be placed in a git repository, which makes replicating passwords easy.

For different reasons I am now migrating to gopass, a Go implementation of pass with a few additional features. I am using Homebrew to install gopass on my machine: brew install gopass. Theoretically, gopass should work out-of-the-box and is compatible with the old pass utility. So I was quite surprised to see an error message like this:

$ gopass github
Entry 'github' not found. Starting search...
Found exact match in 'github.com/simonkrenger'
gpg: decryption failed: No secret key

Error: failed to retrieve secret 'github.com/simonkrenger': Failed to decrypt

Strange. But decrypting the password file directly using PGP works fine:

$ gpg -d ~/.password-store/github.com/simonkrenger.gpg
[..]

If the above command using gpg does not work, check your keys using gpg --list-keys and gpg --list-secret-keys. Especially when migrating to GPG2, sometimes keys do not get imported into the new keyrings. In case you need to import the old keyring into the new format like so:

$ gpg --import ~/.gnupg/pubring.gpg
$ gpg --import ~/.gnupg/secring.gpg

But even after importing the keys, I still received gpg: decryption failed: No secret key. So after searching around I found that I need to set the GPG_TTY variable:

$ export GPG_TTY=$(tty)

It seems that not setting the GPG_TTY environment variable leads to the error above. Which is quite misleading. After setting this environment variable (and adding it to the .bash_profile), gopass works as expected.