How to pass local machine's SSH key to docker container?

I'm trying to build a docker image from a Dockerfile and one of the steps that needs to be taken is installing a dependency that is only available via a private Gitlab repository. This means the container will need to have access to SSH keys to do the clone. I know this isn't the most secure approach, however this is only going to be an intermediate container that is going to be removed once all of the components necessary to run the app are in place.

The problem is that I cannot, whatever I try, get ssh agent inside docker to establish the connection. I get:

npm ERR! Host key verification failed.
npm ERR! fatal: Could not read from remote repository.
npm ERR! 
npm ERR! Please make sure you have the correct access rights
npm ERR! and the repository exists.

The same thing happens if I try to simply clone the repository without running npm install. Here is the Dockerfile I use:

FROM risingstack/alpine:3.4-v6.9.4-4.2.0

RUN apk update

RUN apk add openssh

ARG SSH_KEY

# Authorize SSH Host
RUN mkdir -p /root/.ssh && \
    chmod 700 /root/.ssh && \
    ssh-keyscan github.com > /root/.ssh/known_hosts

# Add the keys and set permissions
RUN echo "$SSH_KEY" > /root/.ssh/id_rsa && \
    chmod 700 /root/.ssh/id_rsa

RUN eval "$(ssh-agent -s)" && ssh-add /root/.ssh/id_rsa && ssh -o StrictHostKeyChecking=no git@github.com || true && npm install

and the command (I pass the private key as a build argument):

docker build -t test  --build-arg SSH_KEY="$(cat ~/.ssh/id_rsa)" .

This works for me:

Using this workaround: https://stackoverflow.com/a/47544999/3957754 to pass files as build args

Dockerfile

ARG SSH_KEY
ENV SSH_KEY=$SSH_KEY

# Make ssh dir
RUN mkdir /root/.ssh/
 
# Create id_rsa from string arg, and set permissions

RUN echo "$SSH_KEY" > /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa
 
# Create known_hosts
RUN touch /root/.ssh/known_hosts

# Add git providers to known_hosts
RUN ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
RUN ssh-keyscan gitlab.com >> /root/.ssh/known_hosts

Build

docker build -t some-app --build-arg SSH_KEY="$(cat ~/file/outside/build/context/id_rsa)" .

With this, you can perform git clone git@github.com... (gitlab, or bitbucket) at build stage or at run stage using ENTRYPOINT ["docker-entrypoint.sh"].

Update

This could work if you need to pass any file as a parameter to your container.

I'd clone it on the host, using the ssh-agent you already have running, before you run docker build.

If you really have to have the private key in the image (which you've acknowledged is dangerous) then you should be able to have it at its default location $HOME/.ssh/id_rsa where you have it in your code; don't try to launch an ssh-agent. You could also inject a $HOME/.ssh/config file if your problem is aggressive host key checking, or a $HOME/.ssh/known_hosts file that has the host key already. Since all of these are files you might find it easier to have them in the Docker build tree and COPY them into $HOME/.ssh.

build a docker image from Dockerfile and one of the steps that need to be taken is installing a dependency that is only available via private Gitlab repository

Like described in much more detail in my answer to How to mount host volumes into docker containers in Dockerfile during build, Docker also provides SSH agent forwarding. This uses the --ssh flag in the docker build command, along with --mount=type=ssh in any Dockerfile's RUN command for which you want SSH authentication to be delegated to the agent on the host.
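The agent-forwarding approach from the answer above, written out as an added example (not code from any of the answers): the host's ssh-agent is exposed only to the one RUN step that needs it, so no private key is ever written into an image layer, and the Git server's host key is pinned in known_hosts instead of disabling StrictHostKeyChecking. The base image node:18-alpine, the npm ci step and the gitlab.com host are assumptions; substitute your private GitLab host.

```dockerfile
# syntax=docker/dockerfile:1
# Build with BuildKit and forward the host's running ssh-agent:
#   DOCKER_BUILDKIT=1 docker build --ssh default -t some-app .
FROM node:18-alpine

# git and the ssh client are needed for git+ssh dependencies in package.json
RUN apk add --no-cache git openssh-client

# Pin the Git server's host key so StrictHostKeyChecking can stay enabled.
# gitlab.com is an assumed placeholder: use your private GitLab host, and
# compare the scanned key against a fingerprint obtained out of band.
RUN mkdir -p -m 700 /root/.ssh && \
    ssh-keyscan gitlab.com >> /root/.ssh/known_hosts

WORKDIR /app
COPY package.json package-lock.json ./

# BuildKit mounts the forwarded agent socket (SSH_AUTH_SOCK) for this step
# only; the key never enters the image, so `docker history` shows no secret.
RUN --mount=type=ssh npm ci

COPY . .
CMD ["node", "index.js"]
```

The --build-arg variants earlier on this page leave the private key recoverable from the image layers and build history, which this layout avoids.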
