
Docker: Unable to clone a GitHub private repo inside at run time

I created a container with a .sh script as entry file. Also, the Dockerfile creates a new user, with its home as working dir. The .sh script itself is in the working dir of the new user.

At run time (docker run) I can see that the container executes the .sh, so the build is successful.

My problem is that this container needs to clone a private GitHub repo.

Before you close / vote to close / mark this question as a duplicate, let me ask for your help, because I've googled and read over 50 different SO questions about this problem but I've not found a working example. My question is about both the approach to the problem and how to implement it.

My problem is that the git clone command tells me:

Cloning into 'tools'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I think that I should create a private key and add it to the keys in my GitHub profile, but I cannot manually add a new SSH key at every run. Right?

Probably, I should create a new key at build time and add it to my GitHub repo. The image will always be private, so no security issues from this side. But how do I do this?

Is there any other way to accomplish this task?

For example, I tried to copy my working private RSA key at runtime:

docker run -it --rm my_image:git_cloning -v ~/.ssh/id_rsa:/realtebo/.ssh/id_rsa:ro

Anyway, I got this:

Cloning into 'tools'...
The authenticity of host 'github.com (192.30.253.113)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'github.com,192.30.253.113' (RSA) to the list of known hosts.
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

At build time I avoided the "add key problem" by doing a GitHub keyscan:

RUN mkdir ~/.ssh \
    && echo >> ~/.ssh/known_hosts \
    && ssh-keyscan github.com >> ~/.ssh/known_hosts

But anyway, I got this at runtime:

Cloning into 'tools'...
Warning: Permanently added the RSA host key for IP address '192.30.253.113' to the list of known hosts.
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I solved it, finally.

I will include my final Dockerfile with a step-by-step explanation.

FROM <base_image>

In this case, I started from a custom image, but it's originally based on the official ubuntu:16.04.

RUN useradd -ms /bin/bash realtebo

As a first action, I create the new non-root user; the reader should remember that without any modification to the base OS image, the container will have only the root user.

COPY id_rsa /home/realtebo/.ssh/
COPY id_rsa.pub /home/realtebo/.ssh/

I copied my public and private keys into the Dockerfile folder. With these commands I effectively installed them for the new user.

Remember: COPY works only with files/dirs in the same dir (context) of the Dockerfile!

Also: the public key must be added to your GitHub SSH keys wallet.

RUN chown realtebo:realtebo /home/realtebo \
    && chown realtebo:realtebo /home/realtebo/.ssh \
    && chown realtebo:realtebo /home/realtebo/.ssh/*

The system will need to access these keys as the new user, so I needed these chown commands (using only 1 layer).

USER realtebo

From this point, I continue performing actions as the new user.

RUN echo >> ~/.ssh/known_hosts \
    && ssh-keyscan github.com >> ~/.ssh/known_hosts \
    && cd /home/realtebo \
    && git clone git@github.com:realtebo/my-private-tool.git tools

The first line creates an empty known_hosts file (if not present), or appends nothing to it if it's already present. This file will be used by git when retrieving the host IP of github.com at clone time. This hostname is actually bound by their DNS systems to multiple IPs.

The second line imports all known host public keys into our known_hosts file.

The 3rd line changes the working dir to the user's home.

The 4th line finally does the real cloning of my tool into the tools subdir.

I would suggest using a deploy key instead of a user's one, if possible, so you can control the container's access to the repositories without exposing your own key.

I have done something similar by sharing the ssh-agent socket, like this:

docker run \
--volume $SSH_AUTH_SOCK:/ssh-agent \
--env SSH_AUTH_SOCK=/ssh-agent
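Combining the build-time keyscan and clone from the accepted answer with the agent-socket and deploy-key suggestion above, here is an added Dockerfile example (not from either answer) that clones through BuildKit's SSH mount, so the private key is lent to one build step and never copied into an image layer. It assumes BuildKit, an ssh-agent on the build host holding the repository's deploy key, uid 1000 for the new user, a currently supported Ubuntu base instead of the answer's 16.04, and a placeholder build arg that you replace with the RSA fingerprint GitHub publishes.

```dockerfile
# syntax=docker/dockerfile:1
FROM ubuntu:22.04

RUN apt-get update \
    && apt-get install -y --no-install-recommends git openssh-client ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# Fixed uid so the SSH mount below can be made readable by this user.
RUN useradd -m -u 1000 -s /bin/bash realtebo
USER realtebo
WORKDIR /home/realtebo

# ssh-keyscan is trust-on-first-use: it records whatever key the network
# returns. Compare the scanned key's fingerprint with the one GitHub publishes
# (placeholder, passed as a build arg) and fail the build on a mismatch.
ARG GITHUB_RSA_FINGERPRINT=SHA256:REPLACE_WITH_PUBLISHED_FINGERPRINT
RUN mkdir -p ~/.ssh && chmod 700 ~/.ssh \
    && ssh-keyscan -t rsa github.com > ~/.ssh/known_hosts \
    && ssh-keygen -lf ~/.ssh/known_hosts | grep -q "$GITHUB_RSA_FINGERPRINT"

# The agent socket is mounted only for this RUN step (SSH_AUTH_SOCK is set by
# BuildKit); no id_rsa is COPYed, so `docker history` cannot recover the key.
RUN --mount=type=ssh,uid=1000 \
    git clone git@github.com:realtebo/my-private-tool.git tools
```

Load the deploy key into the host agent first (ssh-add /path/to/deploy_key), then build with DOCKER_BUILDKIT=1 docker build --ssh default -t my_image . so the mount is backed by the host's SSH_AUTH_SOCK.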
