13

I am trying to write a Dockerfile for an Angular CLI project, but I have an external dependency which is a private repo on Bitbucket, so I need to pass my SSH key. I am trying to pass the SSH keys using --build-arg.

Now the issue is, it's not adding those keys to ssh-agent and asks for the password instead.

I am using this command to run the build:

docker build -t ng-2-docker/client --build-arg ssh_prv_key="$(cat ~/.ssh/id_rsa)" --build-arg ssh_pub_key="$(cat ~/.ssh/id_rsa.pub)" .

and this is my docker file

# Use an official Node runtime as a parent image
FROM node:8.9.4

# Build args must be declared after FROM: an ARG above the first FROM is only
# visible to FROM lines, so $ssh_prv_key would expand to nothing further down.
ARG ssh_prv_key
ARG ssh_pub_key

# Specify working directory in docker container
WORKDIR /app

# Authorize SSH Host
RUN mkdir -p /ssh/
RUN chmod 0700 /ssh

# Add the keys and set permissions (the double quotes keep the newlines of the key;
# note that ssh itself looks for keys and known_hosts under ~/.ssh, not /ssh)
RUN echo "$ssh_prv_key" > /ssh/id_rsa && echo "$ssh_pub_key" > /ssh/id_rsa.pub && chmod 600 /ssh/id_rsa && chmod 600 /ssh/id_rsa.pub

# add bitbucket to known hosts
RUN ssh-keyscan bitbucket.org > /ssh/known_hosts

# Copy SSH key to temp folder to pull new code
# ADD ~/.ssh/id_rsa /tmp/
# RUN ssh-agent /tmp
RUN ls -la /ssh

# check if ssh agent is running or not, if not, run
# (every RUN is a separate shell, so an agent started here is gone by the next RUN)
RUN eval `ssh-agent -s` && ssh-add /ssh/id_rsa

# Copy local files into the containers working directory
COPY package.json /app

# Install dependencies inside container
RUN npm i

# Copy local files into the containers working directory
COPY . /app

# Execute Process (package.json scripts are started with `npm run <name>`)
CMD ["npm", "run", "docker:rogers:local"]

# Remove ssh key from temp
# RUN rm /tmp/id_rsa
# (this only hides the key in this layer: it is still in the earlier layers and
# the build arg value is recorded in the image history)
RUN rm -rf /ssh

# expose port
EXPOSE 4200

and here is the output if I run the command mentioned above.

[screenshot of the docker build output, which ends in a passphrase prompt]

Usman Tahir
  • I think it's similar to this https://stackoverflow.com/questions/23391839/clone-private-git-repo-with-dockerfile/23411161#23411161 and this https://stackoverflow.com/questions/18136389/using-ssh-keys-inside-docker-container/24937401 – Fendi jatmiko Jan 16 '18 at 15:31
  • Gone through these already. `ADD id_rsa /root/.ssh/id_rsa` is a relative command, so I can't use it: I can't put my Dockerfile in the same folder as my key, since my Dockerfile is part of the project. – Usman Tahir Jan 16 '18 at 15:38

4 Answers

7

I spent several days going through the same issue. ssh-keygen -p ensured the passphrase was empty, but I needed to run ssh-agent and ssh-add in my Dockerfile to be able to pull from a private repo. Several of my peers told me they were able to make it work; I would copy what they had and still be asked for a passphrase. Finally I came across this issue. After manually inputting the RSA key line by line and seeing it succeed, I realized it was because I was building the image and passing in the key via a make target, and the Makefile was processing the newlines as whitespace. Ultimately it was just a matter of updating how the key was being cat'ed into the argument so that it ran as bash instead, to preserve the newlines.

Here was the build command inside my Makefile:

# $$ escapes the $ for make, so the shell runs cat and the newlines are preserved
# (recipe lines must be indented with a tab)
container:
    docker build --rm \
    --build-arg ssh_prv_key="$$(cat ~/.ssh/id_rsa)" \
    --squash -f Dockerfile -t $(DOCKER_IMAGE) .

I will also note that I needed to include

echo "StrictHostKeyChecking no" >> /etc/ssh/ssh_config

in one of my Dockerfile RUN commands as well.

MeriBurgess
  • This works! I went through a lot of potential solutions, but it turns out it is the Makefile that screwed up the SSH key – Oldyoung Sep 24 '19 at 20:15
  • Same for me. I have lost many days, thank you for your hint here that finished the puzzle. In a Dockerfile, I echoed the private key into a file on the container, which destroyed the line format. Instead, I had to `COPY` it. See [Dockerfile: clone repo with passwordless private key. Errors: “authentication agent” or “read_passphrase: can't open /dev/tty”](https://superuser.com/questions/1633085/dockerfile-clone-repo-with-passwordless-private-key-errors-authentication-ag). – questionto42 Mar 16 '21 at 00:45
  • `RUN ssh-keyscan github.com > /root/.ssh/known_hosts` works in place of `echo "StrictHostKeyChecking no" >> /etc/ssh/ssh_config` and I think it's more secure – Marcos Pereira Apr 26 '21 at 18:10
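The failure mode in this answer (a key whose newlines were collapsed into spaces on the way into the build) is easy to reproduce and easy to test for. The POSIX shell script below is an added example, not code from the answer or from the question's project: it writes a constructed placeholder key (not a real key), copies it once correctly and once through an unquoted expansion, which does the same collapsing as the Makefile, and runs a small check that any build can run against the file it wrote before relying on it. Whatever the delivery route, remember that a `--build-arg` value is recorded in the image history (`docker history` shows it) and a key written in an early layer stays there after a later `rm`; BuildKit's `RUN --mount=type=ssh` with `docker build --ssh default` avoids both.

```sh
#!/bin/sh
# Added example (not code from the answer above): reproduce the newline-collapse
# failure mode and check a key file for it before the build relies on it.

# Return 0 if $1 looks like an intact private key file: a BEGIN line first,
# an END line last, and the base64 body on its own lines in between.
# A key that was flattened (Makefile, unquoted $var) fails the END check;
# a key wrapped in literal quotes fails the BEGIN check.
check_key_file() {
    f=$1
    [ -r "$f" ] || { echo "unreadable: $f"; return 1; }
    first=$(head -n 1 "$f")
    last=$(tail -n 1 "$f")
    lines=$(grep -c '' "$f")
    case "$first" in
        '-----BEGIN '*' PRIVATE KEY-----') ;;
        *) echo "bad first line: $first"; return 1 ;;
    esac
    case "$last" in
        '-----END '*' PRIVATE KEY-----') ;;
        *) echo "bad last line; key is on $lines line(s), newlines lost?"; return 1 ;;
    esac
    [ "$lines" -ge 3 ] || { echo "too few lines: $lines"; return 1; }
    return 0
}

# Write a constructed placeholder key (NOT a real key) to $1, multi-line,
# as a correctly quoted "$(cat ~/.ssh/id_rsa)" build arg delivers it.
write_good_key() {
    printf '%s\n' \
        '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'b3BlbnNzaC1rZXktdjEAAAAAPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER' \
        'PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER==' \
        '-----END OPENSSH PRIVATE KEY-----' > "$1"
    chmod 600 "$1"
}

# Copy key $1 to $2 the way the Makefile mangled it: an unquoted expansion
# lets the shell split on newlines and re-join the pieces with single spaces.
write_collapsed_key() {
    key=$(cat "$1")
    # shellcheck disable=SC2086  (unquoted on purpose: this is the bug)
    echo $key > "$2"
    chmod 600 "$2"
}

WORK=$(mktemp -d)
GOOD_KEY=$WORK/id_rsa
BAD_KEY=$WORK/id_rsa.collapsed
write_good_key "$GOOD_KEY"
write_collapsed_key "$GOOD_KEY" "$BAD_KEY"

check_key_file "$GOOD_KEY" && echo "intact:    $GOOD_KEY"
check_key_file "$BAD_KEY"  || echo "collapsed: $BAD_KEY"
```

Inside the build the cheapest equivalent is to put `head -n 1 /ssh/id_rsa; tail -n 1 /ssh/id_rsa; grep -c '' /ssh/id_rsa` in the RUN step right after the echo that writes the key: one line of output where there should be dozens means the collapse happened before Docker ever saw the key.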
5

Done this already, and my key is passphrase free right now but it's still asking

Then... if you don't have a passphrase associated to your private key, you should get rid of the Dockerfile lines:

# check if ssh agent is running or not, if not, run
RUN eval `ssh-agent -s` && ssh-add /ssh/id_rsa

You don't need an ssh agent if you don't have to memorize/cache a passphrase.

VonC
  • It just says `host key verification failed`. This line wasn't a part of this script initially, so I thought I needed to add this key to ssh-agent, but that failed as well – Usman Tahir Jan 17 '18 at 12:58
  • @UsmanTahir can you check the content of /ssh/id_rsa, just to make sure the double quotes are not there? (the double quotes from echo "$ssh_prv_key") Also can you try putting those key contents in /root/.ssh? (if your container runs with its internal root account) – VonC Jan 17 '18 at 13:49
    This explains it: that I simply do not need `ssh-agent` and `ssh-add` when I do not have a password :). So easy. I have read it here at last, as a side-answer, after many rather wasted days. – questionto42 Mar 16 '21 at 00:49
1

From your screenshot, the git-ssh client isn't asking for your bitbucket password. Your private key file is encrypted with a passphrase. To use the private key, ssh will need the passphrase.

An option would be to remove the passphrase from the private key. You can edit your private key with ssh-keygen:

$ ssh-keygen -p

Source for ssh-keygen

rollstuhlfahrer
0

Where token.txt is the base64-encoded private key:

RUN eval "$(ssh-agent -s)" && cat token.txt | base64 -d | ssh-add - > /dev/null
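Why the base64 route sidesteps the newline problem discussed in the accepted answer: the encoded token contains no whitespace, so there is nothing for make, an unquoted expansion or an ENV line to collapse, and decoding restores the original bytes exactly. The script below is an added example, not code from this answer; the key it encodes is a constructed placeholder, not a real key, and the `encode_key`/`decode_key`/`round_trip_ok` names are this example's own.

```sh
#!/bin/sh
# Added example (not code from the answer above): a base64 token survives a
# Makefile, an unquoted expansion or an ENV line that would mangle a raw
# multi-line key, and decodes back to the exact original bytes.

# Encode file $1 to one line with no whitespace at all. `tr -d '\n'` removes
# the 76-column wrapping GNU base64 adds (its -w0 flag is GNU-only).
encode_key() {
    base64 < "$1" | tr -d '\n'
}

# Decode token $1 into file $2, created mode 600 (umask inside a subshell so
# it does not leak into the caller). Uses GNU `base64 -d`; BSD/macOS spell
# the same flag -D.
decode_key() {
    ( umask 077; printf '%s' "$1" | base64 -d > "$2" )
}

# Return 0 if encode -> decode reproduces file $1 byte for byte.
round_trip_ok() {
    tmp=$(mktemp)
    decode_key "$(encode_key "$1")" "$tmp"
    cmp -s "$1" "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

WORK=$(mktemp -d)
ORIG=$WORK/id_rsa
# Constructed placeholder key (NOT a real key), deliberately multi-line.
printf '%s\n' \
    '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'PLACEHOLDERPLACEHOLDERPLACEHOLDER' \
    'PLACEHOLDERPLACEHOLDERPLACEHOL==' \
    '-----END OPENSSH PRIVATE KEY-----' > "$ORIG"

TOKEN=$(encode_key "$ORIG")

# The token has no newlines, so an unquoted $TOKEN is the same string as
# "$TOKEN": there is nothing for the shell or make to collapse.
[ "$(echo $TOKEN)" = "$TOKEN" ] && echo "token survives unquoted expansion"
round_trip_ok "$ORIG" && echo "decode reproduces the original key exactly"
```

In the image, keep the agent, the decode and the command that needs the key in one RUN (`RUN eval "$(ssh-agent -s)" && echo "$ssh_token" | base64 -d | ssh-add - && npm i`), because an agent started in one RUN is gone by the next; piping straight into `ssh-add -` also means the decoded key is never written to a layer. The token itself is still exposed, in the image history if it arrives as a build arg or in the layer holding token.txt if it is copied in, so this is a convenience fix for the newline problem, not a secrets mechanism.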