Description
Issue
Kubernetes
Semaphore 2.16.47 (via artifacthub)
SSH Agent Socket Binding Error and Panic When Using SSH Keys with Static YAML Inventory
Description
When associating an SSH key with a static YAML inventory in Semaphore, the playbook execution fails with a socket binding error followed by a panic during cleanup.
Error Details
Primary Error
Failed to install inventory: listening on socket "/tmp/semaphore/project_1/ssh-agent-3-978svj180y.sock": listen unix /tmp/semaphore/project_1/ssh-agent-3-978svj180y.sock: bind: errno 524
Why the Root-Owned Parent Directory Broke Semaphore’s SSH Agent
🔍 Context
Semaphore runs inside a Kubernetes pod and stores temporary data under:
/tmp/semaphore/project_1/
When using a key from the Semaphore keystore, Semaphore launches its own ssh-agent and tries to create a Unix socket:
/tmp/semaphore/project_1/ssh-agent-xxx.sock
❗ Root Cause
The directory structure looked like this:
/tmp/semaphore → owned by root
/tmp/semaphore/project_1 → owned by semaphore user
Even though permissions were wide (0777), the parent directory being owned by root caused Kubernetes to block the creation of a Unix domain socket inside it.
Why?
- Unix sockets require a secure parent directory.
- Kubernetes enforces additional namespace and cgroup restrictions.
- A non-root process (semaphore) cannot safely create a socket under a root-owned directory.
- This triggers errno 524, meaning a timeout or namespace restriction.
🎯 Consequence
Semaphore’s internal ssh-agent could not start, so any inventory using a keystore key failed before Ansible even ran.
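The following is an added diagnostic, not code from the issue or from the Semaphore project: a small Go probe that tries to bind a Unix domain socket in the directory Semaphore uses and reports the raw errno. On Linux, 524 is ENOTSUPP from the kernel's errno.h; it is absent from Go's syscall error table, which is why Go prints the bare "errno 524" seen in the error above. Running the probe inside the pod as the same user Semaphore runs as shows whether the bind is failing for permissions (EACCES/EPERM), a missing directory (ENOENT), or a filesystem that does not implement Unix sockets (ENOTSUPP). The socket name, the default directory and the message strings are the example's own choices.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"syscall"
)

// Linux's ENOTSUPP (524) is defined in the kernel's errno.h but not in Go's
// syscall error table, which is why Go reports it as a bare "errno 524".
const enotsupp syscall.Errno = 524

// probeResult records the outcome of one bind attempt.
type probeResult struct {
	Path  string
	Errno syscall.Errno // 0 when the bind succeeded
	Err   error
}

// probeUnixSocket binds (and immediately removes) a Unix domain socket in
// dir, using a name patterned after Semaphore's ssh-agent socket, and
// returns the raw errno so the caller can tell a permission problem from a
// mount that refuses Unix sockets outright. (Hypothetical helper.)
func probeUnixSocket(dir string) probeResult {
	res := probeResult{Path: filepath.Join(dir, "ssh-agent-probe.sock")}
	ln, err := net.Listen("unix", res.Path)
	if err != nil {
		res.Err = err
		var en syscall.Errno
		if errors.As(err, &en) {
			res.Errno = en
		}
		return res
	}
	// A listener created by net.Listen unlinks its socket file on Close.
	ln.Close()
	return res
}

// describe maps the errno from a failed bind to the check worth doing next.
func describe(en syscall.Errno) string {
	switch en {
	case 0:
		return "bind succeeded: the directory accepts Unix sockets"
	case syscall.ENOENT:
		return "ENOENT: the directory does not exist (check the volume mount)"
	case syscall.EACCES, syscall.EPERM:
		return "EACCES/EPERM: the process lacks write/search permission on the directory"
	case syscall.EADDRINUSE:
		return "EADDRINUSE: a stale socket file with that name is still present"
	case syscall.EINVAL:
		return "EINVAL: path exceeds the 108-byte sun_path limit"
	case enotsupp:
		return "ENOTSUPP (524): the filesystem backing this path does not support Unix sockets"
	}
	return fmt.Sprintf("unexpected errno %d: %v", int(en), en)
}

func main() {
	// Default to the path from the issue; override with the first argument.
	dir := "/tmp/semaphore/project_1"
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	r := probeUnixSocket(dir)
	fmt.Printf("%s -> %s\n", r.Path, describe(r.Errno))
	if r.Err != nil {
		fmt.Println("raw error:", r.Err)
		os.Exit(1)
	}
}
```

Run it with `kubectl exec` into the Semaphore pod as the semaphore user, passing the project directory; compare the result against a plain tmpfs or emptyDir path to see whether the directory, its ownership, or the underlying mount is what rejects the socket.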