
I am trying to add a private key in my Docker container which has access to my private git repositories. The testing_git file is in the folder containing Dockerfile. I am trying to make a container which can pull git code on the fly.

This is my Dockerfile:

FROM ubuntu:14.04.1
WORKDIR ~/.ssh
RUN apt-get -y install ssh
WORKDIR /var/www/html
RUN apt-get -y install git
RUN mkdir ~/.ssh
ADD id_rsa /home/id_rsa
RUN cat /home/id_rsa && mv /home/id_rsa ~/.ssh/id_rsa && chmod 600 ~/.ssh/id_rsa && eval "$(ssh-agent -s)"  && ssh-add ~/.ssh/id_rsa && ssh-add -l && ssh-add -L && echo "Host github.com\n\tIdentityFile ~/.ssh/id_rsa" >> /root/.ssh/config &&  git clone git@github.com:amitbadheka/Learning-Rails

Output:

Step 9 : RUN mkdir ~/.ssh
---> Using cache
---> 38f2824f41d6
Step 10 : ADD id_rsa /home/id_rsa
---> Using cache
---> afae372c6a40
Step 11 : RUN cat /home/id_rsa && mv /home/id_rsa ~/.ssh/id_rsa && chmod 600 ~/.ssh/id_rsa && eval "$(ssh-agent -s)"  && ssh-add ~/.ssh/id_rsa && ssh-add -l && ssh-add -L && echo "Host github.com\n\tIdentityFile ~/.ssh/id_rsa" >> /root/.ssh/config &&  git clone git@github.com:amitbadheka/Learning-Rails.git
---> Running in edd6778a0ae6
-----BEGIN RSA PRIVATE KEY-----
MY PRIVATE KEY
-----END RSA PRIVATE KEY-----
Agent pid 12
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
2048 69:41:88:d2:5f:22:fa:63:92:2b:f9:b8:a4:1e:3c:24 /root/.ssh/id_rsa (RSA)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrfPuszAriGJxGd16TVeWBvCt8lj88OlJ0fz5LYd2voWDUDnEmPDpvQUDZKQI+MlFfhPS+KN239XsL4X1+vdyj8xXzcBeUB+DUYW2bxZd0kLsmOPeJ0Htoat12fdjzIC/m+H+j6SkAwL+WrV/vH+tbjNZVrl+zcMvBsZipyrKHmJiwko/cqACRYGRXAAUahnVTfhQGXArqn3ioxNN5r6ZDPdv+xGZY4V9fTbHbDooEHaOz/EFu6xwoBFC2SBID3aKEQgS6C07/iRt1fJ8c8TPPvJt6vLJQ/h5LLsN2WRxDG+V5fCGqWKDdJWoyM+fOuCNOH1XTDka8d+2ZN2v+U1KX /root/.ssh/id_rsa
Cloning into 'Learning-Rails'...
**Host key verification failed.**
**fatal: Could not read from remote repository.**
Please make sure you have the correct access rights and the repository exists.
2014/12/15 18:20:47 The command [/bin/sh -c cat /home/id_rsa && mv /home/id_rsa ~/.ssh/id_rsa && chmod 600 ~/.ssh/id_rsa && eval "$(ssh-agent -s)"  && ssh-add ~/.ssh/id_rsa && ssh-add -l && ssh-add -L && echo "Host github.com\n\tIdentityFile ~/.ssh/id_rsa" >> /root/.ssh/config &&  git clone git@github.com:amitbadheka/Learning-Rails.git] returned a non-zero code: 128

So when I use the same key, I could access my repo.

Can anyone tell me what I am missing?

the Tin Man
Amit Badheka

1 Answer


The error message "Host key verification failed." is not complaining about your private key, but rather the host key for github.com. You can do this to add the GitHub host key:

ssh-keyscan -t rsa github.com > ~/.ssh/known_hosts

Perhaps you have your reasons, but in general cloning the git repo into the image is not the preferred way to run your code in a container. Instead, put a Dockerfile at the root of your repo, and within the Dockerfile use the ADD command to include your source code in the container.

As you have it written now, your private key is part of the Docker image. Anyone you share the image with will also have your private key.

Ben Whaley
  • Thank you for the advice, I am experimenting with Docker. I will keep that in mind. – Amit Badheka Dec 15 '14 at 18:05
  • @BenWhaley, could you elaborate on why it's not the preferred way to pull the code inside the container? – jeesus Feb 02 '17 at 10:38
  • I'm building a docker container for running cmake. During the build I have to clone the source from github, build it, and delete the source afterwards (and, in fact, the whole .ssh directory and my .gitconfig). I think this is fine. I have a small image that doesn't leak my private keys, as per the assertion by the poster. – Software Engineer Mar 31 '17 at 09:55
  • @EngineerDollery As far as I know, this only holds true if you are able to do all those steps in a single layer. Once you publish your image, all layers needed to build this image (which is a pointer to the last layer) are published with it. So somebody that knows your Dockerfile or inspects every layer can get those private keys. – karfau Jul 03 '17 at 07:47
  • Why in the world do I need to manually pull the host key, when normally it would just add the key automatically? – Ray Foss Nov 28 '17 at 23:19
  • Because you're usually prompted to confirm it the first time. After that it's automatic (because confirmation causes the known_hosts file to be updated). – user1158023 Jun 28 '18 at 13:53
  • @Ben Whaley, Thanks! As a general note, you can (and should only) use the ssh key in ways which won't put the ssh key in the layers of the image that's been created. – Cu7l4ss Jul 19 '18 at 07:29
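
Added example (not part of the original answer or comments): a pre-publish audit that shows why deleting the key in a later build step does not remove it from the image. It assumes the image's layers are available as tarballs in build order; the function names and the sample layers are constructed for illustration, and only explicit `.wh.<name>` whiteouts are handled, not opaque directory whiteouts.

```python
import io
import re
import tarfile

# Matches PEM private-key headers such as the one echoed in the build log.
PEM_KEY = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

def _members(blob):
    """Yield (path, bytes) for each regular file in one layer tarball."""
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        for m in tar:
            if m.isfile():
                yield m.name, tar.extractfile(m).read()

def scan_layers(layers):
    """Return (layer, path) for every key found in ANY layer, in build order."""
    return [(name, path) for name, blob in layers
            for path, data in _members(blob) if PEM_KEY.search(data)]

def final_paths(layers):
    """Paths visible in the running container after whiteouts are applied."""
    visible = set()
    for _name, blob in layers:
        added = set()
        for path, _data in _members(blob):
            parent, _sep, base = path.rpartition("/")
            if base.startswith(".wh."):  # whiteout: hides a lower-layer path
                gone = f"{parent}/{base[4:]}" if parent else base[4:]
                visible = {p for p in visible
                           if p != gone and not p.startswith(gone + "/")}
            else:
                added.add(path)
        visible |= added
    return visible

def make_layer(files):  # fixture helper: {path: bytes} -> layer tarball bytes
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: layer 1 is the ADD, layer 2 a later `rm` of the key.
FAKE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n"
            b"-----END RSA PRIVATE KEY-----\n")
SAMPLE = [("ADD id_rsa", make_layer({"home/id_rsa": FAKE_KEY})),
          ("RUN rm", make_layer({"home/.wh.id_rsa": b""}))]
```

On the constructed sample, `final_paths(SAMPLE)` is empty while `scan_layers(SAMPLE)` still reports the key in the `ADD` layer, which is the gap between what the running container shows and what the published image contains.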