
How to share SSH key through Docker secrets to access private Github repos?

I'm using the suggestion from this post to implement Docker secrets so that I can use a local SSH key to authenticate access to GitHub for my containers. I'm on macOS and not using Docker Swarm. Here is my setup:

docker-compose.yml

version: '3.1'

services:
  [servicename]:
    secrets:
     - ssh_private_key

[...]

secrets:
  ssh_private_key:
    file: ~/.ssh/id_rsa

Dockerfile

FROM python:3.7 as intermediate

RUN mkdir /root/.ssh/ 
RUN ln -s /run/secrets/ssh_private_key /root/.ssh/id_rsa
RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
COPY requirements_private_repos.txt ./

RUN pip install --no-cache-dir -r requirements_private_repos.txt

When I attempt to run docker-compose build and use the SSH key to pull from private remote repositories, I get the following error:

Permission denied (publickey).
fatal: Could not read from remote repository.

I'm able to remote into the Docker image and see that the secret is being created and populated in /run/secrets/ssh_private_key.

Why is the link not working when used in the Dockerfile? If Docker secrets aren't the right method, is there a better way to share an SSH key from macOS to Docker?

You cannot use runtime secrets in the build phase. You can either use multi-stage builds to copy the secret into an intermediate image so that it is discarded in the next stage, or use the new build-time secrets that were introduced in Docker 18.09.

For the multi-stage method you could do the following:

FROM python:3.7 as intermediate

# your private key must be in the build context
# (Dockerfile comments must start a line; a trailing "# ..." on a COPY line is parsed as extra arguments)
COPY id_rsa /root/.ssh/id_rsa
# ssh refuses keys that are group/world readable
RUN chmod 600 /root/.ssh/id_rsa
RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
COPY requirements_private_repos.txt ./

RUN pip install --no-cache-dir -r requirements_private_repos.txt

FROM python:3.7

# copy your modules; this image won't have the ssh private key
COPY --from=intermediate XXXX YYYY

For the new method you could do the following; I haven't tried this method myself (an ssh-agent running on the host is needed):

# syntax=docker/dockerfile:1
# (on Docker 18.09-19.x the directive was docker/dockerfile:experimental)
FROM python:3.7 as intermediate

# /root/.ssh does not exist in the base image, so create it before writing known_hosts
RUN mkdir -p /root/.ssh && ssh-keyscan github.com >> /root/.ssh/known_hosts
COPY requirements_private_repos.txt ./

# the host's ssh-agent socket is forwarded into this RUN step only; the key itself never lands in a layer
RUN --mount=type=ssh pip install --no-cache-dir -r requirements_private_repos.txt

Then build your image with (DOCKER_BUILDKIT=1 is only needed on Docker versions where BuildKit is not yet the default builder):

DOCKER_BUILDKIT=1 docker build --ssh default . -t myimage

Check the documentation for more information on the new method:

https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information
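With the multi-stage method the private key still ends up in the layers of the intermediate stage: those layers stay in the build cache on the host, and they would ship if someone ever built with --target intermediate and pushed the result. The check a practitioner wants after either method is to confirm that the image about to be pushed contains no key material. The script below is an added example, not code from the original post or from Docker. It scans a `docker save` tarball for private-key headers and for files named like /root/.ssh/id_* in any layer; the function names, the marker list and the constructed sample image produced by make_sample_image() are this example's own assumptions, not anything the page describes.

```python
"""Verify that a built image contains no SSH private-key material.

Added example (not from the original post). Assumes you have already run
`docker save <image> -o image.tar`; the script only needs the tarball, so it
also runs offline against the constructed sample written by make_sample_image().
"""
import io
import os
import posixpath
import sys
import tarfile
import tempfile

# PEM/OpenSSH headers that mark a private key (constructed list; extend for PuTTY etc.).
KEY_MARKERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
)
MAX_MEMBER_SIZE = 1 << 20  # keys are tiny; skip content scan of big files


def looks_like_key_path(path):
    """True for paths such as /root/.ssh/id_rsa, but not for the .pub half."""
    head, base = posixpath.split(path)
    return head.endswith("/.ssh") and base.startswith("id_") and not base.endswith(".pub")


def scan_layer(layer_name, layer_bytes):
    """Return [(layer, path, reason)] for every member of one layer tar that looks like a key."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as layer:
        for member in layer:
            path = posixpath.normpath("/" + member.name)  # 'root/.ssh/id_rsa' -> '/root/.ssh/id_rsa'
            if looks_like_key_path(path):
                findings.append((layer_name, path, "private key path"))
            if not member.isfile() or member.size > MAX_MEMBER_SIZE:
                continue
            data = layer.extractfile(member).read()
            if any(marker in data for marker in KEY_MARKERS):
                findings.append((layer_name, path, "private key header in content"))
    return findings


def scan_image_tar(image_tar):
    """Scan every layer inside a `docker save` archive.

    Every regular file is tried as a tar, which covers both the legacy layout
    (<id>/layer.tar) and the OCI layout (blobs/sha256/<digest>); manifest and
    config blobs are JSON and are skipped when tarfile refuses them.
    """
    findings = []
    with tarfile.open(image_tar, mode="r:*") as image:
        for member in image:
            if not member.isfile():
                continue
            blob = image.extractfile(member).read()
            try:
                findings.extend(scan_layer(member.name, blob))
            except tarfile.TarError:
                continue  # not a layer tar
    return findings


def _add_bytes(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def make_sample_image(leak):
    """Write a constructed single-layer image tarball (legacy layout) and return its path.

    leak=True mimics the intermediate stage of the multi-stage Dockerfile: the layer
    holds /root/.ssh/id_rsa with a placeholder header (not real key material).
    leak=False is what a final stage should look like: only known_hosts and the .pub half.
    """
    files = {
        "root/.ssh/known_hosts": b"github.com ssh-ed25519 AAAA... constructed placeholder\n",
        "root/.ssh/id_rsa.pub": b"ssh-rsa AAAA... constructed placeholder user@host\n",
    }
    if leak:
        files["root/.ssh/id_rsa"] = (
            b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
            b"constructed placeholder, not key material\n"
            b"-----END OPENSSH PRIVATE KEY-----\n"
        )
    layer = io.BytesIO()
    with tarfile.open(fileobj=layer, mode="w") as tar:
        for name, data in files.items():
            _add_bytes(tar, name, data)
    fd, path = tempfile.mkstemp(suffix=".tar")
    with os.fdopen(fd, "wb") as fh, tarfile.open(fileobj=fh, mode="w") as image:
        _add_bytes(image, "manifest.json", b'[{"Layers": ["deadbeef/layer.tar"]}]')
        _add_bytes(image, "deadbeef/layer.tar", layer.getvalue())
    return path


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_image(leak=True)
    hits = scan_image_tar(target)
    for layer, path, reason in hits:
        print(f"{layer}: {path} ({reason})")
    sys.exit(1 if hits else 0)
```

Typical use is `docker save myimage -o myimage.tar && python scan_image.py myimage.tar` as a step before `docker push`; a non-zero exit means key material was found. Run against an image built with `--target intermediate` it should flag /root/.ssh/id_rsa, and against the final stage or the `--mount=type=ssh` build it should come back clean. It cannot see the intermediate layers that remain in the builder's cache, so that host still has to be treated as holding the key.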
