
Resolving Go dependencies in Docker container

I want to build my Go application during the Docker image build and set the image entrypoint to the built Go application. The problem is that my Go application is a subpackage of the main package and uses some other submodules from the main package. This main package is on GitHub as a private repository, so I cannot just go get inside the container.

I've tried to set up the Glide dependency manager and get all dependencies outside of the container into the vendor/ directory, but there is another problem: glide.lock would have to be updated after each commit in the main private repository. This is not a solution for me because I want to have other dependencies locked.

Is there any way to build the application with the latest version of the main package dependency and locked versions of the other dependencies?

This isn't a Go question. It's a Docker and security question.

First off, it isn't ideal to build Go apps as part of the build. Typically you would build the binary locally on your machine, targeting the Dockerfile FROM you have set. There is zero reason not to, as there is a Go compiler for every machine, and you can use GOOS and GOARCH to target any machine.

But for your use case, using a private repo, it is even more critical not to build within your container, because regardless of how you get the code into your container to build, you'll have a container with private files or, worse, your SSH key. A container that you have to upload and host and run somewhere.

That is not ideal, however you look at it.

However, if you are determined to leak your code and/or key, you only have two options:

  • git clone the private repo on your local/build machine that is authorized to access the private repo and use COPY within your Dockerfile to copy it.

  • Use Dockerfile COPY to copy your local machine's SSH key that you have authorized for your remote repo into the container so that you can RUN git commands (for which you'll also need git and ssh installed).

Again, those are not ideal. Build the Go app locally, target the container's type, and copy the binary over. It really couldn't be easier.

As for dependency management, I've never used glide; but I wrote a popular answer about versioning dependencies with /vendor.

How should I use vendor in Go 1.6?

If you only care about being able to go get your private repos from the docker container and do not mind copying your id_rsa when building it, you can just add this to the beginning of your Dockerfile:

RUN echo "[url \"git@github.com:\"]\n\tinsteadOf = https://github.com/" >> /root/.gitconfig
RUN mkdir /root/.ssh && echo "StrictHostKeyChecking no " > /root/.ssh/config
COPY id_rsa /root/.ssh/id_rsa
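
A check for the risk raised in the answers above (an SSH key ending up inside the image), as an added example that is not part of the original answers: it scans every layer of a `docker save` archive for PEM private key headers. `FindKeys`, `tarOf`, `SampleImage` and the sample archive are constructed for illustration, and the code assumes the classic archive layout with uncompressed layer tars.

```go
package main

import (
	"archive/tar"
	"fmt"
	"io"
	"regexp"
	"strings"
)

var pemKey = regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`) // PEM private key header

// FindKeys reads a `docker save` archive and returns "layer:path" for each file holding a
// private key, in every layer (not only the final filesystem). Assumes uncompressed layers.
func FindKeys(image io.Reader) (hits []string, err error) {
	outer := tar.NewReader(image)
	for entry, e := outer.Next(); e != io.EOF; entry, e = outer.Next() {
		if e != nil {
			return hits, e // fail closed on a damaged archive
		}
		layer := tar.NewReader(outer) // a layer is a nested tar; JSON metadata fails to parse
		for f, fe := layer.Next(); fe == nil; f, fe = layer.Next() {
			if head, _ := io.ReadAll(io.LimitReader(layer, 1<<20)); pemKey.Match(head) {
				hits = append(hits, entry.Name+":"+f.Name)
			}
		}
	}
	return hits, nil
}

// tarOf builds a tar from name, content pairs; used only to construct the sample below.
func tarOf(pairs ...string) string {
	var buf strings.Builder
	w := tar.NewWriter(&buf)
	for i := 0; i+1 < len(pairs); i += 2 {
		w.WriteHeader(&tar.Header{Name: pairs[i], Typeflag: tar.TypeReg, Mode: 0600, Size: int64(len(pairs[i+1]))})
		io.WriteString(w, pairs[i+1])
	}
	w.Close()
	return buf.String()
}

// SampleImage is a constructed archive: layer l1 holds a fake key, layer l2 only a binary.
func SampleImage() io.Reader {
	l1 := tarOf("root/.ssh/id_rsa", "-----BEGIN OPENSSH PRIVATE KEY-----\nFAKE\n")
	return strings.NewReader(tarOf("manifest.json", "[]", "l1/layer.tar", l1, "l2/layer.tar", tarOf("app/server", "\x7fELF")))
}

func main() { fmt.Println(FindKeys(SampleImage())) }
```

To scan a real image, pass the output of `docker save` as the reader instead of `SampleImage()`.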
