git: How to pass the local machine's SSH key to a docker container?

Note: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the same CC BY-SA licence, cite the original address and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/51732269/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-09-19 13:10:12  Source: igfitidea

How to pass local machine's SSH key to docker container?

Tags: git, docker, ssh, dockerfile, docker-container

Asked by Michał Szydłowski

I'm trying to build a docker image from Dockerfile and one of the steps that need to be taken is installing a dependency that is only available via private Gitlab repository. This means the container will need to have access to SSH keys to do the clone. I know this isn't the most secure approach, however this is only going to be an intermediate container that is going to be removed once all of the components necessary to run the app are in place.


The problem is, that I cannot, whatever I try, get ssh agent inside docker to establish the connection. I get:


npm ERR! Host key verification failed.
npm ERR! fatal: Could not read from remote repository.
npm ERR! 
npm ERR! Please make sure you have the correct access rights
npm ERR! and the repository exists.

The same thing happens if I try to simply clone the repository without running npm install. Here is the Dockerfile I use:


FROM risingstack/alpine:3.4-v6.9.4-4.2.0


RUN apk update

RUN apk add openssh

ARG SSH_KEY

# Authorize SSH Host
RUN mkdir -p /root/.ssh && \
    chmod 700 /root/.ssh && \
    ssh-keyscan github.com > /root/.ssh/known_hosts

# Add the keys and set permissions
RUN echo "$SSH_KEY" > /root/.ssh/id_rsa && \
    chmod 700 /root/.ssh/id_rsa

RUN eval "$(ssh-agent -s)" && ssh-add /root/.ssh/id_rsa && ssh -o StrictHostKeyChecking=no [email protected] || true && npm install

and the command (I pass the private key as build argument):


docker build -t test  --build-arg SSH_KEY="$(cat ~/.ssh/id_rsa)" .

Accepted answer by David Maze

I'd clone it on the host, using the ssh-agent you already have running, before you run docker build.


If you really have to have the private key in the image (which you've acknowledged is dangerous) then you should be able to have it at its default location $HOME/.ssh/id_rsa where you have it in your code; don't try to launch an ssh-agent. You could also inject a $HOME/.ssh/config file if your problem is aggressive host key checking, or a $HOME/.ssh/known_hosts file that has the host key already. Since all of these are files you might find it easier to have them in the Docker build tree and COPY them into $HOME/.ssh.


Answer by JRichardsz

This works for me:


Using this workaround: https://stackoverflow.com/a/47544999/3957754 to pass files as build args


Dockerfile


ARG SSH_KEY
ENV SSH_KEY=$SSH_KEY

# Make ssh dir
RUN mkdir /root/.ssh/

# Create id_rsa from string arg, and set permissions

RUN echo "$SSH_KEY" > /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa

# Create known_hosts
RUN touch /root/.ssh/known_hosts

# Add git providers to known_hosts
RUN ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
RUN ssh-keyscan gitlab.com >> /root/.ssh/known_hosts

Build


docker build -t some-app --build-arg SSH_KEY="$(cat ~/file/outside/build/context/id_rsa)" .

With this, you can perform git clone [email protected]... (gitlab, or bitbucket) at build stage or at run stage using ENTRYPOINT ["docker-entrypoint.sh"].
