Docker: Unable to clone a github private repo inside at run time

I created a container with a .sh script as entry file. Also, the dockerfile creates a new user, with its home as working dir. The .sh script itself is in the working dir of the new user.

At run time ( docker run ) I can see that the container executes the .sh, so the build is successful.

My problem is that this container needs to clone a private github repo.

Before you close/vote for close/mark as duplicate this question, let me ask for your help because I've googled and read over 50 different SO questions about this problem but I've not found a working example. My question is both about the approach to the problem and how to implement it.

My problem is that the git clone command tells me:

Cloning into 'tools'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I think that I should create a private key and add it to my keys in my Github profile, but I cannot manually add a new ssh key at every run. Right?

Probably, I should create a new key at build time and add it to my github repo. The image will always be private, so no security issues from this side. But how to do this?

Is there any other way to accomplish this task?

For example I tried to copy my working private rsa key at runtime (docker options must come before the image name, and the key goes into the new user's home, /home/realtebo):

docker run -it --rm -v ~/.ssh/id_rsa:/home/realtebo/.ssh/id_rsa:ro my_image:git_cloning

Anyway I got this:

Cloning into 'tools'...
The authenticity of host 'github.com (192.30.253.113)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'github.com,192.30.253.113' (RSA) to the list of known hosts.
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

At build time I avoided the "add key problem" by doing a github keyscan:

RUN mkdir ~/.ssh \
    && echo >>  ~/.ssh/known_hosts \
    && ssh-keyscan github.com >> ~/.ssh/known_hosts

But anyway I got this at runtime:

Cloning into 'tools'...
Warning: Permanently added the RSA host key for IP address '192.30.253.113' to the list of known hosts.
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I solved it, finally.

I will include my final Dockerfile with a step-by-step explanation.

FROM <base_image>

In this case, I started from a custom image, but originally it's based on the official ubuntu:16_04.

RUN useradd -ms /bin/bash realtebo

As the first action, I create the new non-root user; readers should remember that without any modification to the base OS image, the container will have only the root user.

COPY id_rsa /home/realtebo/.ssh/
COPY id_rsa.pub /home/realtebo/.ssh/

I copied my public and private keys into the Dockerfile folder. With these commands I effectively installed them for the new user.

Remember: COPY works only with files/dirs in the same dir (context) as the Dockerfile!

Also: the public key must be added to your Github SSH Keys wallet.

RUN chown realtebo:realtebo /home/realtebo \
    && chown realtebo:realtebo /home/realtebo/.ssh \
    && chown realtebo:realtebo /home/realtebo/.ssh/*

The system will need to access these keys as the new user, so I needed these chown commands (using only 1 layer).

USER realtebo

From this point, I continue doing actions using the new user.

RUN echo >>  ~/.ssh/known_hosts \
    && ssh-keyscan github.com >> ~/.ssh/known_hosts \
    && cd /home/realtebo \
    && git clone git@github.com:realtebo/my-private-tool.git tools

The first line creates an empty known_hosts file (if not present), or appends nothing to it if it's already present. This file will be used by git when retrieving the host ip from github.com at clone time. This hostname is actually bound by their DNS systems to multiple IPs.

The second line imports all known host public keys into our known_hosts file.

The 3rd line changes the working dir to the user's home.

The 4th line finally does the real cloning of my tool into the tools subdir.

I would suggest using a deploy key instead of a user's one, so you can control the containers' access to the repositories without exposing your own key, if possible.

I have done something similar by sharing the ssh-agent socket, like this too:

docker run \
--volume $SSH_AUTH_SOCK:/ssh-agent \
--env SSH_AUTH_SOCK=/ssh-agent \
<image>
