如何使用bash脚本自动将密码输入docker容器?
[英]How to automate of entering pass-phrases into docker containers with bash scripts?
问题描述
I need to know how to automate the process of entering pass-phrases for private keys within docker containers. 
我需要知道如何自动化在Docker容器中输入私钥的通行短语的过程。
I have a problem with setting up my web application container with docker. 我在使用docker设置Web应用程序容器时遇到问题。 During in the setup process, I have to run composer install within my container and there is a dependency which needs to clone a private git repository. 在设置过程中,我必须在容器中运行composer install ,并且存在一个需要克隆私有git存储库的依赖项。 In that case it requires to use my private key and the key is secured with a pass-phrase. 在这种情况下,它需要使用我的私钥,并且该密钥使用密码短语进行保护。 Because of that, when running composer install it needs to provide the pass-phrase to clone the repository. 因此,在运行composer install ,需要提供密码短语来克隆存储库。 There is no issue with that flow when I running these commands within the container manually. 当我在容器中手动运行这些命令时,该流程没有问题。
But I'm planning to automate this whole process with a bash script, and when I run my bash script within the host machine, it's not asking for the pass-phrase and exit with a "Permission denied (publickey)" error. 但是,我计划使用bash脚本来自动化整个过程,并且当我在主机上运行bash脚本时,它并不需要密码并且退出并出现“权限被拒绝(公共密钥)”错误。
How do I automate the complete process with bash script without exiting from the script? 如何在不退出脚本的情况下使用bash脚本自动完成整个过程? I'm searching a way of something like that is prompting for the pass-phrase at the time of cloning that private repository or any other working solution. 我正在寻找一种类似的方式,在克隆该私有存储库或任何其他工作解决方案时会提示输入密码。
3 个解决方案
解决方案1
3 2018-08-03 13:36:27
Usually the answer is "don't". 通常答案是“不要”。 The password entered during the build would be part of the image, often in the layer history. 在构建期间输入的密码通常是图像的一部分,通常在图层历史中。 If you don't mind the password being included in the image, then it depends on the command being run. 如果您不介意映像中包含密码,则取决于正在运行的命令。 Sometimes you can echo p4ssw0rd | git clone ... 有时您可以echo p4ssw0rd | git clone ... echo p4ssw0rd | git clone ... , but other times the command will intentionally strip out the piped in input and force a prompt for security. echo p4ssw0rd | git clone ... ,但有时该命令将有意剥离输入中的管道并强制提示安全性。 Other commands have options to include the password on the command prompt with a flag. 其他命令具有在命令提示符处带有标志的密码选项。 Some people will handle prompts like this with an "expect" script that watches the output and sends the password when prompted. 某些人会使用“期望”脚本处理此类提示,该脚本会监视输出并在出现提示时发送密码。 Each of these will put the password inside the image. 这些都将密码放入图像中。
For your specific scenario, one option is to add a keypair that doesn't require a password to git. 对于您的特定情况,一种选择是添加不需要git密码的密钥对。 Another option is to checkout the code outside of the docker build, and COPY the repo into the image instead of letting git check it out. 另一个选择是在docker构建之外签出代码,然后将存储库COPY到映像中,而不是让git签出。
If you absolutely need to include the password in the image, then look into a multi-stage build. 如果您绝对需要在映像中包含密码,请查看多阶段构建。 Inject your password during the first stage, and then copy the result into the second stage so that the image you push does not include the password in the image layers. 在第一阶段输入密码,然后将结果复制到第二阶段,以使您推送的图像在图像层中不包含密码。
解决方案2
1 2018-08-03 13:33:16
You can use secrets to manage any sensitive data which a container needs at runtime but you don't want to store in the image or in source control. 您可以使用机密信息来管理容器在运行时需要的任何敏感数据,但是您不想将其存储在映像或源代码管理中。
Note: Docker secrets are only available to swarm services, not to standalone containers. 注意:Docker机密仅可用于群集服务,不适用于独立容器。 To use this feature, consider adapting your container to run as a service. 要使用此功能,请考虑调整容器以使其作为服务运行。 Stateful containers can typically run with a scale of 1 without changing the container code. 有状态容器通常可以在不更改容器代码的情况下以1的比例运行。
Check https://docs.docker.com/engine/swarm/secrets/#how-docker-manages-secrets 检查https://docs.docker.com/engine/swarm/secrets/#how-docker-manages-secrets
解决方案3
1 2018-08-04 11:01:26
I found the answer for my question and it is so simple as setting -it flag into docker exec command in the bash script which calls the composer install . 我找到了问题的答案,它很简单, -it在调用composer install的bash脚本中将-it标志设置到docker exec命令中即可。 I skipped that flag intentionally because it's run within a bash script and I was not noticed that would be required an interactive mode to prompt for the pass-phrase . 我故意跳过了该标志,因为它是在bash脚本中运行的,并且没有注意到没有交互模式来提示输入pass-phrase 。
Anyhow, after modified the bash script like below, the issue is solved. 无论如何,在修改了如下所示的bash脚本后,问题就解决了。
docker exec -it {container_name} composer install
And after looking at the above answers, I felt that I've not given the complete picture regarding the issue. 在查看了以上答案之后,我感到我尚未完全了解该问题。 So I thought, I need to add some explanations here. 所以我想,我需要在这里添加一些解释。 The structure of the bash script is as below; bash脚本的结构如下:
- Start the containers with docker-compose 使用docker-compose启动容器
In this case my application code was placed outside of the web app container as adocker volumeto be able to managed easily.在这种情况下,我的应用程序代码作为docker volume放在了Web应用程序容器的外部,以docker volume。 - Install PHP dependencies into web app container with above
docker execcommand使用上面的docker exec命令将PHP依赖项安装到Web应用程序容器中 - Run database migrations with again related
docker execcommands使用再次相关的docker exec命令运行数据库迁移
So, my issue was with the 2nd step when installing composer packages. 所以,我的问题是安装作曲家软件包时的第二步。 There was one package which needed to be cloned from a private git repository during the composer install . 在composer install期间,有一个软件包需要从私有git存储库中克隆。 For that to be cloned, my private key is used and since it's protected with a pass-phrase and there was missing the required flags ( -it ) for the interactive mode of docker exec command, the bash script was exit with an error. 对于要克隆的密钥,使用了我的私钥,并且由于它受到pass-phrase的保护,并且缺少docker exec命令的交互模式所需的标志( -it ),因此bash脚本退出并出现错误。 After setting the -it flags now issue is fixed. 设置-it标志后,现在已解决问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.