Code
2024-01-17 10:00:07

用dockerfile克隆私有git repo

我从周围的各种工作dockerfile中复制了这段代码,这里是我的:

FROM ubuntu

MAINTAINER Luke Crooks "luke@pumalo.org"

# Update aptitude with new repo
RUN apt-get update

# Install software 
RUN apt-get install -y git python-virtualenv

# Make ssh dir
RUN mkdir /root/.ssh/

# Copy over private key, and set permissions
ADD id_rsa /root/.ssh/id_rsa
RUN chmod 700 /root/.ssh/id_rsa
RUN chown -R root:root /root/.ssh

# Create known_hosts
RUN touch /root/.ssh/known_hosts

# Remove host checking
RUN echo "Host bitbucket.org\n\tStrictHostKeyChecking no\n" >> /root/.ssh/config

# Clone the conf files into the docker container
RUN git clone git@bitbucket.org:Pumalo/docker-conf.git /home/docker-conf

这就给出了误差

Step 10 : RUN git clone git@bitbucket.org:Pumalo/docker-conf.git /home/docker-conf
 ---> Running in 0d244d812a54
Cloning into '/home/docker-conf'...
Warning: Permanently added 'bitbucket.org,131.103.20.167' (RSA) to the list of known hosts.
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
2014/04/30 16:07:28 The command [/bin/sh -c git clone git@bitbucket.org:Pumalo/docker-conf.git /home/docker-conf] returned a non-zero code: 128

这是我第一次使用dockerfiles,但从我所读到的(以及从工作配置中获得的)我不明白为什么这行不通。

我的id_rsa与我的dockerfile在同一个文件夹中,是我的本地密钥的副本,可以克隆这个repo没有问题。

编辑:

在我的dockerfile我可以添加:

RUN cat /root/.ssh/id_rsa

它会打印出正确的密钥,所以我知道它被正确复制了。

我也试着按照诺亚的建议去做:

RUN echo "Host bitbucket.org\n\tIdentityFile /root/.ssh/id_rsa\n\tStrictHostKeyChecking no" >> /etc/ssh/ssh_config

不幸的是,这也行不通。

当前回答

你通常不希望在docker构建中执行私有回购的git克隆。在这里进行克隆需要将私有ssh凭证放在映像中,以便稍后由访问映像的任何人提取它们。

Instead, the common practice is to clone the git repo from outside of docker in your CI tool of choice, and simply COPY the files into the image. This has a second benefit: docker caching. Docker caching looks at the command being run, environment variables it includes, input files, etc, and if they are identical to a previous build from the same parent step, it reuses that previous cache. With a git clone command, the command itself is identical, so docker will reuse the cache even if the external git repo is changed. However, a COPY command will look at the files in the build context and can see if they are identical or have been updated, and use the cache only when it's appropriate.

BuildKit有一个专为ssh提供的功能,允许您仍然拥有密码保护的ssh密钥,结果如下:

# syntax=docker/dockerfile:experimental
FROM ubuntu as clone
LABEL maintainer="Luke Crooks <luke@pumalo.org>"

# Update aptitude with new repo
RUN apt-get update \
 && apt-get install -y git

# Make ssh dir
# Create known_hosts
# Add bitbuckets key
RUN mkdir /root/.ssh/ \
 && touch /root/.ssh/known_hosts \
 && ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts

# Clone the conf files into the docker container
RUN --mount=type=ssh \
    git clone git@bitbucket.org:User/repo.git

你可以用:

$ eval $(ssh-agent)
$ ssh-add ~/.ssh/id_rsa
(Input your passphrase here)
$ DOCKER_BUILDKIT=1 docker build -t your_image_name \
  --ssh default=$SSH_AUTH_SOCK .

同样,它被注入到构建中,而从未写入映像层,从而消除了凭据可能意外泄漏的风险。

BuildKit也有一个特性,允许你传递一个ssh密钥作为挂载,永远不会写入到映像:

# syntax=docker/dockerfile:experimental
FROM ubuntu as clone
LABEL maintainer="Luke Crooks <luke@pumalo.org>"

# Update aptitude with new repo
RUN apt-get update \
 && apt-get install -y git

# Make ssh dir
# Create known_hosts
# Add bitbuckets key
RUN mkdir /root/.ssh/ \
 && touch /root/.ssh/known_hosts \
 && ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts

# Clone the conf files into the docker container
RUN --mount=type=secret,id=ssh_id,target=/root/.ssh/id_rsa \
    git clone git@bitbucket.org:User/repo.git

你可以用:

$ DOCKER_BUILDKIT=1 docker build -t your_image_name \
  --secret id=ssh_id,src=$(pwd)/id_rsa .

请注意,这仍然要求ssh密钥不受密码保护,但您至少可以在一个阶段运行构建,删除COPY命令,并避免ssh凭据成为映像的一部分。

如果您打算将凭据添加到构建中,请考虑使用多阶段构建来执行此操作,并且只将这些凭据放置在早期阶段,并且永远不会标记和推送到构建主机之外。结果如下所示:

FROM ubuntu as clone

# Update aptitude with new repo
RUN apt-get update \
 && apt-get install -y git
# Make ssh dir
# Create known_hosts
# Add bitbuckets key
RUN mkdir /root/.ssh/ \
 && touch /root/.ssh/known_hosts \
 && ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts

# Copy over private key, and set permissions
# Warning! Anyone who gets their hands on this image will be able
# to retrieve this private key file from the corresponding image layer
COPY id_rsa /root/.ssh/id_rsa

# Clone the conf files into the docker container
RUN git clone git@bitbucket.org:User/repo.git

FROM ubuntu as release
LABEL maintainer="Luke Crooks <luke@pumalo.org>"

COPY --from=clone /repo /repo
...

为了强制docker运行git克隆,即使之前的代码行已经被缓存了,你可以注入一个构建ARG,它会随着每个构建而改变,从而打破缓存。它看起来像:

# inject a datestamp arg which is treated as an environment variable and
# will break the cache for the next RUN command
ARG DATE_STAMP
# Clone the conf files into the docker container
RUN git clone git@bitbucket.org:User/repo.git

然后在docker build命令中注入更改参数:

date_stamp=$(date +%Y%m%d-%H%M%S)
docker build --build-arg DATE_STAMP=$date_stamp .
2019-04-19 12:32:16

其他回答

现在你可以使用Buildkit选项——ssh默认当你构建你的容器;在构建之前,您需要将SSH部署密钥添加到SSH -agent。

以下是从头开始的完整流程:

在部署服务器上创建密钥对。只需运行ssh-keygen -t ecdsa将密钥对存储到~/.ssh 添加生成的公钥(。Pub扩展)在你的git提供商网站(gitlab, github..) 将密钥添加到ssh-agent(一个基本上比处理每个文件更容易管理密钥的程序)

eval $(ssh-agent)
ssh-add /path/to/your/private/key

把这个添加到Dockerfile中:

# this 3 first lines add your provider public keys to known_host 
# so git doesn't get an error from SSH.

RUN mkdir -m 700 /root/.ssh && \
  touch -m 600 /root/.ssh/known_hosts && \
  ssh-keyscan your-git-provider.com > /root/.ssh/known_hosts 


# now you can clone with --mount=type=ssh option, 
# forwarding to Docker your host ssh agent

RUN mkdir -p /wherever/you/want/to/clone && cd /wherever/you/want/to/clone && \
  --mount=type=ssh git clone git@gitlab.com:your-project.git

现在你终于可以构建Dockerfile了(启用buildkit)

DOCKER_BUILDKIT=1 docker build . --ssh default

因为你目前不能通过控制台参数来构建docker-compose,这个解决方案还不能用于docker-compose,但应该很快就可以了(它已经在github上完成了,并作为合并请求提出)

2021-04-28 03:20:30

我的密钥是密码保护,这是导致问题的原因,一个工作文件现在列出如下(为未来的谷歌人提供帮助)

FROM ubuntu

MAINTAINER Luke Crooks "luke@pumalo.org"

# Update aptitude with new repo
RUN apt-get update

# Install software 
RUN apt-get install -y git
# Make ssh dir
RUN mkdir /root/.ssh/

# Copy over private key, and set permissions
# Warning! Anyone who gets their hands on this image will be able
# to retrieve this private key file from the corresponding image layer
ADD id_rsa /root/.ssh/id_rsa

# Create known_hosts
RUN touch /root/.ssh/known_hosts
# Add bitbuckets key
RUN ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts

# Clone the conf files into the docker container
RUN git clone git@bitbucket.org:User/repo.git
2014-05-01 15:43:21

您应该为Docker映像创建新的SSH密钥集,因为您可能不想在其中嵌入您自己的私钥。要使其工作,您必须将该密钥添加到git存储库中的部署密钥中。以下是完整的食谱:

使用ssh-keygen -q -t rsa -N " -f repo-key生成ssh密钥,这将为您提供repo-key和repo-key。酒吧的文件。 添加repo-key。发布到存储库部署密钥。 在GitHub上,进入[您的存储库]->设置->部署密钥 在Dockerfile中添加如下内容: ADD repo-key / 运行\ Chmod 600 /repo-key && \ echo "IdentityFile /repo-key" >> /etc/ssh/ssh_config && \ echo -e "StrictHostKeyChecking no" >> /etc/ssh/ssh_config && \ .使用实例 //你的git克隆命令在这里…

注意,上面关闭了StrictHostKeyChecking,所以您不需要.ssh/known_hosts。尽管我可能更喜欢上面答案中的ssh-keyscan解决方案。

2014-09-22 15:25:21

没有必要摆弄ssh配置。使用包含环境变量的配置文件(不是Dockerfile),并让shell脚本在运行时更新docker文件。你可以在dockerfile中保留令牌,并且可以通过https进行克隆(不需要生成或传递ssh密钥)。

进入设置>个人访问令牌

生成一个启用了回收作用域的个人访问令牌。 像这样克隆:git克隆https://MY_TOKEN@github.com/user-or-org/repo

一些评论者指出,如果您使用共享Dockerfile,这可能会将您的访问密钥暴露给项目中的其他人。虽然这可能是也可能不是你的特定用例所关心的问题,这里有一些你可以处理的方法:

使用shell脚本接受参数,这些参数可能包含作为变量的键。用sed或类似的方法替换Dockerfile中的一个变量,即使用sh rundocker.sh MYTOKEN=foo调用脚本,它将替换https://{{MY_TOKEN}}@github.com/user-or-org/repo。请注意,您也可以使用配置文件(.yml或任何您想要的格式)来完成相同的任务,但是使用环境变量。 仅为该项目创建一个github用户(并生成一个访问令牌)

2015-04-06 02:05:58

对于bitbucket存储库,生成应用程序密码(bitbucket设置->访问管理->应用程序密码,见图片),具有对repo和project的读访问权限。

那么你应该使用的命令是:

git clone https://username:generated_password@bitbucket.org/reponame/projectname.git
2017-03-01 09:26:59

推荐文章

aliyun

最新文章

标签

2025 code 京ICP备15047053号-1