stackoom
  简体   繁体   中英

Trying to pip install a private repo in a DockerFile

 原文  2019-07-24 16:17:48       python/ git/ docker/ ssh/ pip

Question

I'm trying to install a custom Python package to run in a Flask Server. The server will be in a Docker image. Therefore, I'm trying to do a manipulation of the sort of RUN pip install git+ssh://git@bitbucket.org:teamName/reponame.git@dev#egg=packageName However, nothing that I have tried works.

I've tried the two formats that I've found:

1) git+ssh://git@bitbucket.org:teamName/reponame.git@dev#egg=packageName

2) git+ssh://bitbucket.org/team/reponame.git@dev#egg=packageName

Both of these technic give a similar error: 

fatal: Could not read from remote repository.

  Please make sure you have the correct access rights
  and the repository exists.

or 

ssh: Could not resolve hostname bitbucket.org:TeamName: Name does not resolve
  fatal: Could not read from remote repository.

or 

root@bitbucket.org: Permission denied (publickey).
  fatal: Could not read from remote repository.

Even though my public key is set in BitBucket

Here is the Dockerfile: 

 Use an official Python runtime as a parent image
FROM python:3.6-alpine

#Preparation to pull from Github
ARG SSH_PRIVATE_KEY

RUN echo "Oh dang look at that ${SSH_PRIVATE_KEY}"

RUN apk update
RUN apk add --no-cache openssh \
    git

RUN mkdir /root/.ssh/
RUN echo "${SSH_PRIVATE_KEY}" > /root/.ssh/id_rsa

RUN chmod 600 /root/.ssh/id_rsa


RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts

#install dependencies
RUN apk add --no-cache gcc \
    bash \
    tzdata \
    g++ \
    tiff-dev \
    openssl \
    poppler \
    poppler-dev \
    poppler-utils \
    && pip install --trusted-host pypi.python.org <THE_URL>
    && cp /usr/share/zoneinfo/America/that_place /etc/localtime \
    && echo "America/that_place" >  /etc/timezone \
    && date

# Set the working directory to /app
WORKDIR ./my_dir

# Make port 5000 available to the world outside this container
EXPOSE 5000

#Remove SSH
RUN rm /root/.ssh/id_rsa

# Define environment variable
ENV NAME __main__
ENV FLASK_APP app/app.py
ENV FLASK_RUN_HOST 0.0.0.0
ENV GOOGLE_APPLICATION_CREDENTIALS ./resources/google/credentials.json
ENV GOOGLE_CLOUD_BUCKET_NAME bucket_name

# Run app.py when the container launches
CMD ["flask", "run"]

The SSH key is passed as an Argument to the build with $(cat ./ssh/id_rsa)

1 answers

solution1
 1 ACCPTED  2019-07-26 20:44:22

You don't want to pass in an SSH key that way: it will end up inside the resulting image, so anyone who has access to the image will have access to your SSH key.

Options:

  1. Use BuildKit, which has built-in SSH agent forwarding ( https://docs.docker.com/develop/develop-images/build_enhancements/#using-ssh-to-access-private-data-in-builds ).
  2. Technique I describe here, too complex to cover in short scope of answer: https://pythonspeed.com/articles/docker-build-secrets/
  3. If you're not worried about leaking your private SSH key, fix this setup. My guess is you also need to chmod 700 /root/.ssh .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question pip install from a private bitbucket repo tar.gz file Pip install package from private github repo in google cloud appengine pip install wheel version from private github repo pip install package from private github repo with deploy key in docker Pip install with requirements.txt from private repo prompting for password pip install from private repo but requirements from PyPi pip unable to install package - Dockerfile pip install from private repo but requirements from PyPi only installs private package pip install --process-dependency-links app.whl doesn't install private repo (forked library) pip install private package
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM