21

I'm trying to clone a private git repository from GitHub. I made a Dockerfile like this:

```
FROM ubuntu:12.04

RUN apt-get update
RUN apt-get install -y git
RUN mkdir -p /root/.ssh/
ADD ./id_rsa /root/.ssh/id_rsa
RUN git clone git@github.com:usr/repo.git
```

I use this repo with this key just fine locally, so it seems I'm missing something inside docker.

One more thing I may be missing is that both ~ and $HOME inside docker point to / instead of /root, but I'm not sure if that can be related.

Konstantine Rybnikov

4 Answers

23

What's the output of the build process?

Random guess: try to `chmod 600` the private key.

If it still doesn't work, try to `RUN ssh -v git@github.com` (after adding the key); the output should explain what's happening.

crizCraig
jpetazzo
  • Thank you. The problem was that it couldn't open a tty to ask me about "known_hosts" yes/no. `-v` for showing debug info is great advice. – Konstantine Rybnikov Oct 28 '13 at 22:01
  • How did you actually solve it? By adding the host to known_hosts in the Dockerfile? – Stan Bondi Jan 13 '14 at 06:43
  • 3
    One possibility would be to use `ssh-keyscan github.com >> ~/.ssh/known_hosts`, yes! Or do a first login attempt with `-o StrictHostKeyChecking=no` (which will result in the same thing, but will be idempotent). – jpetazzo Jan 13 '14 at 22:37
  • I don't understand the Dockerfile build process very well, but is every step completed in a different container? `docker build --rm=false -t peterbecich/parkinsons .` ... ``Step 13 : RUN eval `ssh-agent -s` ---> Using cache ---> 685501debd36`` ... `Step 14 : RUN ssh-add /root/.ssh/pdl_resources_for_docker ---> Running in daee32024ba9 Could not open a connection to your authentication agent.` `ssh-add` tries to find the agent, which is in a different container. So it fails. – Peter Becich Jul 29 '14 at 02:46
  • Figured it out. This seems to be the reason people fit commands into one Dockerfile RUN line: `RUN eval "$(ssh-agent)" && ssh-agent -s` – Peter Becich Aug 05 '14 at 03:54
17

```
RUN ssh-keyscan github.com >> ~/.ssh/known_hosts
```

The keyscan works great since it accepts the host. The following complete answer worked:

```
RUN mkdir -p /root/.ssh
RUN cp /var/my-app/id_rsa /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
```

Also as mentioned:

```
RUN ssh -v git@github.com
```

^ Great way to debug the flow. That's how I realized I needed the `keyscan >> known_hosts`.

Dan Sabin
2

(Will probably not fit your needs)

There is another approach: https://stackoverflow.com/a/29464430/990356

Go to Settings > Personal access tokens and generate a personal access token with repo scope enabled. Now you can do `git clone https://MY_TOKEN@github.com/user-or-org/repo`

Pros:

  • very simple approach
  • token can be easily revoked

Cons:

  • if someone has access to the Dockerfile he has access to the token

To fix this, you can use an environment variable to store the token.

Community
tanguy_k
1

The approach below uses HTTPS with a Personal Access Token, and it works like a charm.

```
ARG git_personal_token
RUN git config --global url."https://${git_personal_token}:@github.com/".insteadOf "https://github.com/"
RUN git clone https://github.com/your/project.git /project
```

Then, supply a docker argument as below.

```
docker build --build-arg git_personal_token={your_token} .
```

The basic idea is from https://medium.com/paperchain/fetching-private-github-repos-from-a-docker-container-273f25ec5a74

Youngjae
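The answers above place a credential in the build in three ways (a key file added to the image, a token in a URL, a token passed as a build argument) and accept the host key without checking it. As an added example, not code from any of the posts, this Python check flags those patterns in a Dockerfile; the rule names, the reasons attached to them and the sample Dockerfile are constructed for illustration.

```python
import re

# (rule id, pattern matched against one whole Dockerfile instruction, reason)
RULES = [
    ("key-in-layer",
     re.compile(r"^(ADD|COPY|RUN\s+cp)\s.*\bid_(rsa|dsa|ecdsa|ed25519)\b(?!\.pub)", re.I),
     "private key written into an image layer, readable by anyone who pulls the image"),
    ("host-key-unverified",
     re.compile(r"ssh-keyscan\b.*>>|StrictHostKeyChecking=no", re.I),
     "host key trusted without comparing it to a known fingerprint"),
    ("token-build-arg",
     re.compile(r"^ARG\s+\w*(token|secret|password)\w*", re.I),
     "build-arg values are recorded in image metadata (docker history)"),
    ("token-in-url",
     re.compile(r"https://[^\s/@\"']+@[\w.-]+/", re.I),
     "credential in a URL is saved into git config inside the image"),
]

def logical_lines(text):
    """Yield (first line number, instruction), joining backslash continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no instruction
        start = start if buf else n
        buf += line.rstrip("\\").strip() + " "
        if not line.endswith("\\"):
            yield start, buf.strip()
            buf = ""
    if buf:
        yield start, buf.strip()

def lint(text):
    """Return [(line number, rule id, reason)] for every rule an instruction trips."""
    return [(n, rule, why) for n, instr in logical_lines(text)
            for rule, pattern, why in RULES if pattern.search(instr)]

# Constructed sample combining the patterns posted in this thread.
SAMPLE = r'''FROM ubuntu:12.04
RUN apt-get update && \
    apt-get install -y git
ADD ./id_rsa /root/.ssh/id_rsa
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
ARG git_personal_token
RUN git config --global url."https://${git_personal_token}:@github.com/".insteadOf "https://github.com/"
RUN git clone https://github.com/your/project.git /project
'''

if __name__ == "__main__":
    for n, rule, why in lint(SAMPLE):
        print(f"line {n}: {rule}: {why}")
```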