I created a container with a .sh script as the entry file. Also, the Dockerfile creates a new user, with its home as the working dir. The .sh script itself is in the working dir of the new user.
At run time (docker run) I can see that the container executes the .sh, so the build is successful.
My problem is that this container needs to clone a private GitHub repo.
Before you close / vote to close / mark this question as a duplicate, let me ask for your help, because I've googled and read over 50 different SO questions about this problem but I've not found a working example. My question is both about the approach to the problem and how to implement it.
My problem is that the git clone command tells me:
Cloning into 'tools'...
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
I think that I should create a private key and add it to the keys in my GitHub profile, but I cannot manually add a new SSH key at every run. Right?
Probably, I should create a new key at build time and add it to my GitHub repo. The image will always be private, so no security issues from this side. But how to do this?
Is there any other way to accomplish this task?
For example, I tried to copy my working private RSA key at runtime:
docker run -it --rm -v ~/.ssh/id_rsa:/home/realtebo/.ssh/id_rsa:ro my_image:git_cloning
Anyway, I got this:
Cloning into 'tools'...
The authenticity of host 'github.com (192.30.253.113)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'github.com,192.30.253.113' (RSA) to the list of known hosts.
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
At build time I avoided the "add key problem" by doing a GitHub keyscan:
RUN mkdir ~/.ssh \
&& echo >> ~/.ssh/known_hosts \
&& ssh-keyscan github.com >> ~/.ssh/known_hosts
But anyway, I got this at runtime:
Cloning into 'tools'...
Warning: Permanently added the RSA host key for IP address '192.30.253.113' to the list of known hosts.
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
I solved it, finally.
I will include my final Dockerfile with a step-by-step explanation.
FROM <base_image>
In this case, I started from a custom image, but originally it's based on the official ubuntu:16.04.
RUN useradd -ms /bin/bash realtebo
As the first action, I create the new non-root user; the reader should remember that without any modification to the base OS image, the container will have only the root user.
COPY id_rsa /home/realtebo/.ssh/
COPY id_rsa.pub /home/realtebo/.ssh/
I copied my public and private keys into the Dockerfile folder. With these commands I effectively installed them for the new user.
Remember: COPY works only with files/dirs in the same dir (context) as the Dockerfile! Also: the public key must be added to your GitHub SSH keys.
RUN chown realtebo:realtebo /home/realtebo \
&& chown realtebo:realtebo /home/realtebo/.ssh \
&& chown realtebo:realtebo /home/realtebo/.ssh/*
The system will need to access these keys as the new user, so I needed these chown commands (using only 1 layer).
USER realtebo
From this point on, I continue doing actions as the new user.
RUN echo >> ~/.ssh/known_hosts \
&& ssh-keyscan github.com >> ~/.ssh/known_hosts \
&& cd /home/realtebo \
&& git clone git@github.com:realtebo/my-private-tool.git tools
The first line creates an empty known_hosts file (if not present), or appends nothing to it if it's already present. This file will be used by git when retrieving the host IP for github.com at clone time. This hostname is actually bound by their DNS systems to multiple IPs.
The second line imports all the known host public keys into our known_hosts file.
The 3rd line changes the working dir to the user's home.
The 4th line finally does the real cloning of my tool into the tools subdir.
I would suggest using a deploy key instead of a user's one, so you can control the container's access to the repositories without exposing your own key, if possible.
I have done something similar by sharing the ssh-agent socket, like this:
docker run \
  --volume "$SSH_AUTH_SOCK:/ssh-agent" \
  --env SSH_AUTH_SOCK=/ssh-agent \
  <image>
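As an added example (not the Dockerfile from the accepted answer, nor code from the second answer), here is how the same private clone can be done without baking id_rsa into an image layer, which is what the COPY id_rsa approach above does: a key copied into a layer stays in the image history even if it is deleted later. It combines the deploy-key and ssh-agent suggestions with BuildKit's SSH mount, so the key lives only in the host's ssh-agent and is exposed to the single RUN that clones. Assumptions not taken from the page: BuildKit is available (DOCKER_BUILDKIT=1, or Docker 23 and later where it is the default), a deploy key for the repo is loaded in the host's ssh-agent, and useradd assigns uid/gid 1000 to the new user (the first user on a stock ubuntu image).

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the Dockerfile from the answer above. Assumes BuildKit,
# a deploy key loaded in the host's ssh-agent, and uid/gid 1000 for the user.
FROM ubuntu:16.04

# Non-root user with a home dir, as in the original Dockerfile.
RUN useradd -ms /bin/bash realtebo

# git plus the ssh client that git uses for git@github.com: URLs.
RUN apt-get update \
    && apt-get install -y --no-install-recommends git openssh-client \
    && rm -rf /var/lib/apt/lists/*

USER realtebo
WORKDIR /home/realtebo

# Pin GitHub's host keys at build time so the clone never hits the
# "Host key verification failed" / "Are you sure you want to continue" prompt.
# ssh-keyscan is trust-on-first-use, so the fingerprints are printed at the
# end of this step: compare them with the ones GitHub publishes before
# trusting the image.
RUN mkdir -p -m 0700 /home/realtebo/.ssh \
    && ssh-keyscan github.com >> /home/realtebo/.ssh/known_hosts \
    && ssh-keygen -lf /home/realtebo/.ssh/known_hosts

# The private key never enters the image: BuildKit forwards the host's
# ssh-agent socket into this RUN only, and sets SSH_AUTH_SOCK for it.
# uid/gid make the socket usable by the non-root user. Build with:
#   docker build --ssh default -t my_image:git_cloning .
RUN --mount=type=ssh,uid=1000,gid=1000 \
    git clone git@github.com:realtebo/my-private-tool.git tools

# If the container must pull again at runtime, forward the agent socket
# instead of mounting id_rsa, as the second answer suggests:
#   docker run --rm -it \
#     --volume "$SSH_AUTH_SOCK:/ssh-agent" \
#     --env SSH_AUTH_SOCK=/ssh-agent \
#     my_image:git_cloning
# The socket is owned by the host user, so the container user's uid has to
# match the host uid for git inside the container to be able to open it.
CMD ["/bin/bash"]
```

With a deploy key in the agent, revoking the container's access is a matter of deleting that key from the repository settings; the image itself holds nothing to revoke, and `docker history` of the built image shows no key material.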