【Question title】: Docker build dockerfile with SSH keys used during build process (for private Git repos)
【Posted】: 2018-04-09 09:12:52
【Question】:

Docker-Compose v3

I am trying to install a simple GitHub repository that my company has made private. We are in the process of moving our projects to Docker, so we are currently using Docker and Docker-Compose to build and run our containers.

But 90% of our projects use private repositories and custom gems, and eventually we will be using private containers.

Despite moving my SSH keys onto the container via Habitus, copying them in manually during the build, and trying to mount volumes, I cannot seem to install my repositories. Nothing I do seems to work.

E.g. Dockerfile

FROM ubuntu 

# Installing tons of libraries. Not all of these might be needed
RUN apt-get -y update && apt-get -y upgrade && apt-get -y install nodejs npm ruby curl openssh-server git php
RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer

# pulling id_rsa from local habitus network (this SUCCEEDS)
ARG host
RUN wget -O ~/.ssh/id_rsa http://$host:8080/v1/secrets/file/id_rsa && chmod 600 ~/.ssh/id_rsa

# checking the ssh files are installed (this FAILS)
RUN ssh -vvv -T git@git.my.company.com 

RUN gem install bundler
RUN bundle install

Habitus command

sudo habitus --build host=192.168.99.100 --secrets=true 

Output

OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
Pseudo-terminal will not be allocated because stdin is not a terminal.
debug1: Connecting to 192.168.99.100 [192.168.99.100] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to git.my.company.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:OkseSPnItLVT0phkACs7TwGA1CZb9nMBSwp5UxdkIf4
debug1: Host 'git.my.company.com' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).

Now, I have tried many other approaches, and with each one I run into the same problem. I sometimes make my build sleep for a few minutes while I SSH into the server and check my ~/.ssh/ folder. Every time, all the files match the ones on my local machine, which does bundle install the gems successfully. So why is it telling me "can't open /dev/tty: ..."?

It is looking for a passphrase. Is this because the docker container runs as 'root'? Can I bypass this?

How do you add SSH keys to a Dockerfile during the build process so that commands like 'bundle install' or 'npm install' can run? I have spent days searching the internet and trying every solution I found, but I always get the same response from the SSH attempt.

【Comments】:

    Tags: git docker ssh dockerfile


    【Answer 1】:

    For private npm modules, you can look at the official docs: Docker and private modules

    As for Ruby, you can find a similar solution here

    【Discussion】:

    • These solutions work for me, but they look very annoying, because I would have to get 20+ users to use their own .npmrc files with tokens. Plus the caching greatly increases the image size. Is there any "native" way to give my Dockerfile the right SSH key at build time and then remove it before it starts running?
    【Answer 2】:

    Add the identity to the ssh agent on each line where you call ssh.

    RUN eval $(ssh-agent);ssh-add;ssh -vvv -T git@git.my.company.com 
    

    【Discussion】:
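Added example (mine, not part of the question or of any answer): the "native" build-time approach the comment under Answer 1 asks for, namely BuildKit's ssh mount, which gives a single RUN step access to the host's ssh-agent without the private key ever landing in a layer. It also carries a small lint for the two key-copying patterns seen on this page (the question's `wget` of `id_rsa` into `~/.ssh`, and a `COPY` of a whole keys directory into `/root/.ssh`). Assumptions: Docker with BuildKit (`# syntax=docker/dockerfile:1`, `docker build --ssh default`), a `known_hosts` file in the build context, and the placeholder host `git.my.company.com` from the question; the shell function names are mine.

```shell
#!/bin/sh
# Added example (not from the question or any answer): keep the SSH key out of the image
# entirely by forwarding the host's ssh-agent into the one build step that needs it.
# Assumes Docker with BuildKit (the `# syntax=docker/dockerfile:1` line enables
# `RUN --mount=type=ssh`), a known_hosts file in the build context, and the question's
# placeholder host git.my.company.com.

# Emit the Dockerfile. No COPY/wget of id_rsa anywhere: the agent socket is mounted
# only for the duration of the `bundle install` RUN and never becomes part of a layer.
write_dockerfile() {
cat <<'EOF'
# syntax=docker/dockerfile:1
FROM ubuntu
RUN apt-get -y update \
 && apt-get -y install --no-install-recommends ca-certificates git openssh-client ruby ruby-dev build-essential \
 && rm -rf /var/lib/apt/lists/*
# Pin the git server's host key from a file you ship in the build context (check it against the
# SHA256 fingerprint your admin publishes, e.g. the one in the question's ssh -vvv output), so the
# build neither prompts for confirmation nor trusts whatever answers on port 22.
COPY known_hosts /root/.ssh/known_hosts
# BatchMode=yes: ssh never tries to read a passphrase from a tty (there is none during a build);
# if no agent key is accepted it fails at once with "Permission denied" instead of hanging.
ENV GIT_SSH_COMMAND="ssh -o BatchMode=yes"
RUN gem install bundler
WORKDIR /website
COPY Gemfile Gemfile.lock ./
# The forwarded agent socket exists only inside this RUN; the key itself never enters the container.
RUN --mount=type=ssh bundle install
COPY . .
EOF
}

# Build with the host agent forwarded. The passphrase is entered once, on the host, by ssh-add;
# that is the prompt the build container in the question had no /dev/tty to show.
build_with_agent() {
    ssh-add -l >/dev/null 2>&1 || ssh-add
    DOCKER_BUILDKIT=1 docker build --ssh default -t myapp "${1:-.}"
}

# Static check for the patterns that bake a key into a layer: a private key file name on a
# COPY/ADD/RUN line (the .pub half is fine), or a whole .ssh directory copied into the image.
# Returns 1 if either is found.
lint_dockerfile() {
    file=$1
    status=0
    if grep -Ei '^[[:space:]]*(COPY|ADD|RUN)[[:space:]]' "$file" \
        | grep -Ei 'id_(rsa|dsa|ecdsa|ed25519)' \
        | grep -Eiqv 'id_(rsa|dsa|ecdsa|ed25519)\.pub'; then
        echo "$file: a private key file name is written into a layer" >&2
        status=1
    fi
    if grep -Eiq '^[[:space:]]*(COPY|ADD)[[:space:]]+[^[:space:]]+[[:space:]]+(/root|~)?/\.ssh/?[[:space:]]*$' "$file"; then
        echo "$file: a whole .ssh directory is copied into a layer" >&2
        status=1
    fi
    return $status
}

# Returns 0 when the Dockerfile uses the BuildKit ssh mount for at least one step.
uses_ssh_mount() {
    grep -Eq '^[[:space:]]*RUN[[:space:]]+--mount=type=ssh' "$1"
}
```

`write_dockerfile > Dockerfile && build_with_agent .` is the whole workflow; `lint_dockerfile` run over the question's Dockerfile flags the `wget -O ~/.ssh/id_rsa` line, and over Answer 3's flags `COPY dockerkeys /root/.ssh`, while the generated file passes. The `ssh-add`/`--ssh default` pairing is the difference from Answer 2: the agent lives on the host, so the passphrase prompt happens where a terminal exists, and nothing private is written inside the build.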

      【Answer 3】:

      Like others who keep running into this error on Mac OS X when trying SSH:

      debug1: read_passphrase: can't open /dev/tty: No such device or address
      debug1: Trying private key: /root/.ssh/id_dsa
      debug1: Trying private key: /root/.ssh/id_ecdsa
      debug1: Trying private key: /root/.ssh/id_ed25519
      debug1: No more authentication methods to try.
      Permission denied (publickey).
      

      You have to include a special ENV variable before making any SSH calls. Otherwise it keeps looking for a passphrase. I believe this is some odd default for running SSH commands as root.

      ENV DEBIAN_FRONTEND noninteractive
      

      At the end of your commands you have to run:

      RUN unset DEBIAN_FRONTEND 
      

      Here is my example Dockerfile:

      FROM ubuntu
      
      RUN apt-get -y update && apt-get -y upgrade && apt-get -y install nodejs-legacy npm ruby curl openssh-server git php
      RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
      
      #### THE SETTING OF DEBIAN noninteractive ####
      ENV DEBIAN_FRONTEND noninteractive
      
      RUN gem install bundler
      RUN mkdir /website
      WORKDIR /website
      
      # I made this temporary SSH key folder in the relative path of my Dockerfile because that is a requirement of DockerFile. However, I plan on using Habitus to safely and conveniently wget my keys from a local server
      
      RUN mkdir /root/.ssh 
      COPY dockerkeys /root/.ssh
      
      RUN ssh -v -T git@git.my.company.com
      
      COPY . .
      
      RUN bundle install
      RUN composer install
      RUN npm install
      
      #### UNSETTING DEBIAN ENV ####
      RUN unset DEBIAN_FRONTEND 
      
      RUN bundle install
      RUN composer install
      RUN npm install
      
      CMD [ "npm", "start" ]
      

      I haven't tested with other images, but the principle should be the same. It looks like you need to explicitly set a non-interactive shell. Otherwise it prompts you for the SSH key's passphrase every time.

      【Discussion】:

        【Answer 4】:

        Try OnVault, a secrets store for building Docker images. It can bind ssh keys at runtime, exactly at the build step where they are needed, and remove them as soon as that step is done (before the layer is committed to the image). This leaves no trace of the ssh keys in the docker image, which improves security.

        Some advantages:

        • No more adding and removing ssh keys
        • Less complexity in the dockerfile
        • Since it binds the whole .ssh folder, a local configuration with multiple GitHub accounts also works in the build steps.
        • It is a single binary, used with the keyword ONVAULT. For example: RUN ONVAULT bundle install

        Note: it works for me and it's great..!!, give it a try ;-)

        【Discussion】:
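Added example (mine, not from the OnVault project or from any answer): whichever mechanism you pick, the check worth running is that no layer of the finished image contains key material, because a file removed in a later RUN (or an `unset` in a later step) still sits in the layer that wrote it. The script below unpacks a `docker save` archive and scans every layer tarball by path and by content. The sample archive it builds is constructed placeholder data, not a real image or a real key, so the scanner can be exercised offline; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post or from OnVault): after building, check that
# no SSH private key survived in ANY layer of the image. Deleting a key in a later RUN
# does not remove it from the earlier layer that wrote it.
# Assumes a `docker save` archive: `docker save -o image.tar myapp`.

# Report key material found in a single layer tarball. Returns 1 if anything is found.
scan_layer() {
    layer=$1
    hit=0
    # by path: a private key file name under a .ssh directory (a .wh.* whiteout in a later
    # layer only marks it deleted; the bytes remain in this one)
    if tar -tf "$layer" | grep -Eq '(^|/)\.ssh/id_(rsa|dsa|ecdsa|ed25519)$'; then
        echo "$layer: private key file present" >&2
        hit=1
    fi
    # by content: a PEM/OpenSSH private key header in any file, whatever it is named
    if tar -xOf "$layer" 2>/dev/null | grep -q -- '-----BEGIN [A-Z ]*PRIVATE KEY-----'; then
        echo "$layer: private key header found in file contents" >&2
        hit=1
    fi
    return $hit
}

# Unpack a `docker save` archive and scan every tarball inside it. Layers are named
# layerN/layer.tar in the legacy layout and blobs/sha256/<digest> in the OCI layout,
# so each file is probed with `tar -t` instead of trusting its name. Returns 1 on a leak.
scan_image_tar() {
    archive=$1
    tmp=$(mktemp -d)
    tar -xf "$archive" -C "$tmp"
    found=0
    for f in $(find "$tmp" -type f); do
        if tar -tf "$f" >/dev/null 2>&1; then
            scan_layer "$f" || found=1
        fi
    done
    rm -rf "$tmp"
    return $found
}

# Constructed sample archive (NOT a real image, NOT a real key) so the scanner can be run
# offline: layer1 writes /root/.ssh/id_rsa, layer2 "deletes" it with a whiteout entry,
# which is exactly what a later `RUN rm /root/.ssh/id_rsa` produces.
make_sample_image_tar() {
    kind=${1:-leaky}
    work=$(mktemp -d)
    mkdir -p "$work/fs1/root/.ssh" "$work/fs2/root/.ssh" "$work/img/layer1" "$work/img/layer2"
    printf 'git.my.company.com ecdsa-sha2-nistp256 PLACEHOLDER-HOST-KEY\n' > "$work/fs1/root/.ssh/known_hosts"
    if [ "$kind" = leaky ]; then
        printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n-----END OPENSSH PRIVATE KEY-----\n' \
            > "$work/fs1/root/.ssh/id_rsa"
        : > "$work/fs2/root/.ssh/.wh.id_rsa"
    fi
    printf 'source "https://rubygems.org"\n' > "$work/fs2/Gemfile"
    tar -cf "$work/img/layer1/layer.tar" -C "$work/fs1" .
    tar -cf "$work/img/layer2/layer.tar" -C "$work/fs2" .
    printf '[{"Layers":["layer1/layer.tar","layer2/layer.tar"]}]\n' > "$work/img/manifest.json"
    tar -cf "$work/image.tar" -C "$work/img" .
    echo "$work/image.tar"
}

# Usage: sh scan_image.sh image.tar ; exit status 1 means a key leaked into a layer.
if [ -n "${1:-}" ]; then
    scan_image_tar "$1"
fi
```

Run it after `docker save -o image.tar myapp`; a non-zero exit means a key leaked. Against an image built from Answer 3's Dockerfile it reports the `COPY dockerkeys /root/.ssh` layer even though a later step could have removed the directory, while an image built with a BuildKit ssh mount, or with the OnVault bind-and-remove step the answer describes, scans clean because the key never reaches a committed layer.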
