
How to automate entering pass-phrases into docker containers with bash scripts?

I need to know how to automate the process of entering pass-phrases for private keys within docker containers.

I have a problem with setting up my web application container with docker. During the setup process, I have to run composer install within my container and there is a dependency which needs to clone a private git repository. In that case it needs to use my private key, and the key is secured with a pass-phrase. Because of that, when running composer install the pass-phrase needs to be provided to clone the repository. There is no issue with that flow when I run these commands within the container manually.

But I'm planning to automate this whole process with a bash script, and when I run my bash script on the host machine, it doesn't ask for the pass-phrase and exits with a "Permission denied (publickey)" error.

How do I automate the complete process with a bash script without exiting from the script? I'm searching for a way to do something like prompting for the pass-phrase at the time of cloning that private repository, or any other working solution.

Usually the answer is "don't". The password entered during the build would be part of the image, often in the layer history. If you don't mind the password being included in the image, then it depends on the command being run. Sometimes you can echo p4ssw0rd | git clone ... , but other times the command will intentionally strip out the piped in input and force a prompt for security. Other commands have options to include the password on the command prompt with a flag. Some people will handle prompts like this with an "expect" script that watches the output and sends the password when prompted. Each of these will put the password inside the image.

For your specific scenario, one option is to add a keypair that doesn't require a password to git. Another option is to check out the code outside of the docker build, and COPY the repo into the image instead of letting git check it out.

If you absolutely need to include the password in the image, then look into a multi-stage build. Inject your password during the first stage, and then copy the result into the second stage so that the image you push does not include the password in the image layers.
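
The point made in the answer above, that a password used during the build ends up in the layer history, can be checked on a built image. The following is an added example, not part of the original answer: a POSIX shell function that scans the per-layer commands printed by docker history. The function names, the three heuristic patterns and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: heuristic scan of image layer history for recorded secrets.
# Real input would come from:
#   docker history --no-trunc --format '{{.CreatedBy}}' IMAGE

# Reads one layer command per line on stdin, prints "<line>: <reason>" for
# each suspicious layer, and returns 1 if anything was flagged (0 if clean).
scan_layer_history() {
  awk '
    BEGIN {
      # NAME=value where NAME looks like a secret (build args show up this way)
      var_re  = "(PASS|SECRET|TOKEN|KEY)[A-Z_]*=[^ \t]+"
      # a literal piped into a tool that would otherwise prompt
      pipe_re = "(echo|printf)[ \t]+[^|]+[|][ \t]*(git|ssh|composer)"
      # user:password@host inside a clone URL
      url_re  = "https?://[^ \t:@/]+:[^ \t@/]+@"
    }
    {
      reason = ""
      if ($0 ~ var_re)       reason = "secret-like variable with a value"
      else if ($0 ~ pipe_re) reason = "literal piped into git/ssh/composer"
      else if ($0 ~ url_re)  reason = "credentials embedded in URL"
      if (reason != "") { print NR ": " reason; found = 1 }
    }
    END { exit found + 0 }
  '
}

# Constructed sample of layer commands (newest layer first, as docker prints).
sample_history() {
  cat <<'EOF'
CMD ["php-fpm"]
RUN |1 SSH_PASSPHRASE=p4ssw0rd /bin/sh -c composer install # buildkit
ARG SSH_PASSPHRASE
RUN /bin/sh -c echo p4ssw0rd | git clone git@git.example.com:acme/private-lib.git # buildkit
COPY . /var/www/html # buildkit
EOF
}

# Demo run on the constructed sample; flags lines 2 and 4.
sample_history | scan_layer_history || echo "secrets found in layer history"
```

The patterns are heuristics, so a clean result does not prove an image is free of secrets; a finding does mean the value is readable by anyone who can pull the image.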

You can use secrets to manage any sensitive data which a container needs at runtime but you don't want to store in the image or in source control.

Note: Docker secrets are only available to swarm services, not to standalone containers. To use this feature, consider adapting your container to run as a service. Stateful containers can typically run with a scale of 1 without changing the container code.

Check https://docs.docker.com/engine/swarm/secrets/#how-docker-manages-secrets

I found the answer to my question, and it is as simple as setting the -it flag on the docker exec command in the bash script which calls composer install . I skipped that flag intentionally because it's run within a bash script, and I did not notice that interactive mode would be required to prompt for the pass-phrase.

Anyhow, after modifying the bash script as below, the issue is solved.

docker exec -it {container_name} composer install

And after looking at the above answers, I felt that I had not given the complete picture regarding the issue. So I thought I needed to add some explanations here. The structure of the bash script is as below:

  1. Start the containers with docker-compose
    In this case my application code was placed outside of the web app container as a docker volume so that it can be managed easily.
  2. Install PHP dependencies into the web app container with the above docker exec command
  3. Run database migrations, again with the related docker exec commands

So, my issue was with the 2nd step when installing composer packages. There was one package which needed to be cloned from a private git repository during the composer install . For that to be cloned, my private key is used, and since it's protected with a pass-phrase and the flags required for the interactive mode of the docker exec command ( -it ) were missing, the bash script exited with an error. After setting the -it flags, the issue is now fixed.
