如何通过Docker机密共享SSH密钥以访问私有Github存储库?
[英]How to share SSH key through Docker secrets to access private Github repos?
问题描述
I'm using the suggestion from this post to implement Docker secrets so that I can use a local SSH key to authenticate access to Github for my containers. 
我使用的是从建议这个职位实行多克的秘密 ,这样我可以使用本地SSH密钥为我的容器验证用户访问Github上。 I'm on MacOS and not using Docker swarm. 我在MacOS上,没有使用Docker swarm。 Here is my setup: 这是我的设置:
docker-compose.yml docker-compose.yml
version: '3.1'
services:
[servicename]:
secrets:
- ssh_private_key
[...]
secrets:
ssh_private_key:
file: ~/.ssh/id_rsa
Dockerfile Docker文件
FROM python:3.7 as intermediate
RUN mkdir /root/.ssh/
RUN ln -s /run/secrets/ssh_private_key /root/.ssh/id_rsa
RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
COPY requirements_private_repos.txt ./
RUN pip install --no-cache-dir -r requirements_private_repos.txt
When I attempt to run docker-compose build and use the SSH key to pull from private remote repositories, I get the following error: 当我尝试运行docker-compose build并使用SSH密钥从私有远程存储库中提取时,出现以下错误:
Permission denied (publickey).
fatal: Could not read from remote repository.
I'm able to remote into the docker image and see that the secret is being created and populated in /run/secrets/ssh_private_key . 我能够远程访问docker映像,并看到正在/run/secrets/ssh_private_key创建并填充了/run/secrets/ssh_private_key 。
Why is the link not working when used in the Dockerfile? 在Dockerfile中使用链接时,为什么链接不起作用? If docker secrets isn't the right method, is there a better way to share an SSH key from MacOS to Docker? 如果docker secrets不是正确的方法,是否有更好的方法将Mac OS上的SSH密钥共享给Docker?
1 个解决方案
解决方案1
5 已采纳 2019-05-13 17:02:12
You cannot use runtime secrets on the build phrase. 您不能在构建短语上使用运行时机密。 You can either use multi-stage builds to copy the secret to the image so it will be discarded on the next stage or use the new build-time secrets that were introduced on Docker 18.09. 您可以使用多阶段构建将机密复制到映像,以便在下一阶段将其丢弃,也可以使用Docker 18.09中引入的新的构建时机密。
For the multi-stage method you could do the following: 对于多阶段方法,您可以执行以下操作:
FROM python:3.7 as intermediate
COPY id_rsa /root/.ssh/id_rsa # your private key must be on the build context
RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
COPY requirements_private_repos.txt ./
RUN pip install --no-cache-dir -r requirements_private_repos.txt
FROM python:3.7
COPY --from=intermediate XXXX YYYY # copy your modules, this image won't have the ssh private key
For the new method you could do the following, havent tried this method myself (a ssh-agent running on the host is needed): 对于新方法,您可以执行以下操作,自己还没有尝试过此方法(需要在主机上运行ssh-agent):
FROM python:3.7 as intermediate
RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
COPY requirements_private_repos.txt ./
RUN --mount=type=ssh pip install --no-cache-dir -r requirements_private_repos.txt
Then build your image with: 然后使用以下方法构建图像:
docker build --ssh default . -t myimage
Check the documentation for more information on the new method: 查看文档以获取有关新方法的更多信息:
https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.