4

So I'm trying to create an image which adds an SSH private key to /tmp, runs ssh-agent on it, does a git clone and then deletes the key again.

This is the idea I'm trying to accomplish

Dockerfile:

```dockerfile
FROM node:4.2.4
MAINTAINER Me

CMD ["/bin/bash"]

ENV GIT_SSL_NO_VERIFY=1
ENV https_proxy="httpsproxy"
ENV http_proxy="httpproxy"
ENV no_proxy="exceptions"

ADD projectfolder/key /tmp/
RUN ssh-agent /tmp

WORKDIR /usr/src/app

RUN git clone git@gitlab.private.address:something/target.git

RUN rm /tmp/key

WORKDIR /usr/src/app/target

RUN npm install

EXPOSE 3001
```

Now the problem lies within the build-process. I use the following command to build:

```
docker build -t samprog/targetimage:4.2.4 -f projectfolder/dockerfile .
```

The layers up to "ADD projectfolder/key /tmp/" work just fine, though the "RUN ssh-agent /tmp" layer doesn't want to cooperate.

Error code:

```
Step 9 : RUN ssh-agent /tmp/temp
 ---> Running in d2ed7c8870ae
/tmp: Permission denied
The command '/bin/sh -c ssh-agent /tmp' returned a non-zero code: 1
```

Any ideas? Since I thought it was a permission issue, where the directory was already created by the parent image, I created a /tmp/temp and put the key in there. Doesn't work either, same error.

I'm using Docker version 1.10.3 on SLES12 SP1

samprog
  • try with user root add `USER root` before `RUN ssh-agent /tmp/temp` – VladoDemcak Oct 07 '16 at 17:38
  • Finally had time to test it. Adding `USER root` before `mkdir /tmp/temp` and `RUN ssh-agent /tmp/temp` sadly does seem to change the output of `/tmp/temp: Permission denied` – samprog Oct 12 '16 at 06:18
  • Possible duplicate of [Using SSH keys inside docker container](https://stackoverflow.com/questions/18136389/using-ssh-keys-inside-docker-container) – vhs Sep 17 '19 at 05:01

3 Answers

3

I did it. What I did is, I got rid of ssh-agent. I simply copied the ~/.ssh directory of my docker-host into the /root/.ssh of the image and it worked.

Do not use the ~ though, copy the ~/.ssh-directory inside the projectfolder first and then with the dockerfile inside the container.

Final dockerfile looked as follows:

```dockerfile
FROM node:4.2.4
MAINTAINER me

CMD ["/bin/bash"]

ENV GIT_SSL_NO_VERIFY=1
ENV https_proxy="httpsproxy"
ENV http_proxy="httpproxy"
ENV no_proxy="exceptions"

ADD projectfolder/.ssh /root/.ssh

WORKDIR /usr/src/app

RUN git clone git@gitlab.private.address:something/target.git

RUN rm -r /root/.ssh

WORKDIR /usr/src/app/target

RUN npm set registry http://local-npm-registry
RUN npm install

EXPOSE 3001
```

The dockerfile still has to be improved on efficiency and stuff, but it works! Eureka!

The image now has to be squashed and it should be safe to use, though we only use it in our local registry.

samprog
  • The problem with the above is that even though you have an "rm -r /root/.ssh" the private key still exists in the container layers after "ADD projectfolder/.ssh /root/.ssh" and before the "rm" layer. If you want to do this securely, use ssh-agent forwarding. – Severun Nov 02 '18 at 19:14
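
The point in Severun's comment can be checked directly. The following is an added example, not code from the thread: a Python scan of a `docker save` archive that reports private keys left in an earlier layer and whether a later layer deleted them. The names `find_keys_in_layers`, `make_tar` and `sample_image` and the sample archive are constructed for illustration, and it assumes the archive has a `manifest.json` with a `Layers` list.

```python
import io, json, posixpath, tarfile

KEY_MARKERS = (b"-----BEGIN RSA PRIVATE KEY-----", b"-----BEGIN OPENSSH PRIVATE KEY-----",
               b"-----BEGIN EC PRIVATE KEY-----", b"-----BEGIN PRIVATE KEY-----")

def find_keys_in_layers(image_tar):
    """Scan each layer of a `docker save` archive (seekable file object).
    Returns (layer_index, path, still_visible); still_visible is False when a
    later layer whited the file out, though the earlier layer still ships it.
    """
    with tarfile.open(fileobj=image_tar, mode="r:*") as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        layers = [outer.extractfile(p).read() for p in manifest[0]["Layers"]]
    hits, removed = [], []  # removed: (layer_index, deleted_path)
    for idx, blob in enumerate(layers):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as layer:
            for m in layer:
                dirname, _, base = m.name.rpartition("/")
                if base == ".wh..wh..opq":     # opaque dir hides lower-layer children
                    removed.append((idx, dirname))
                elif base.startswith(".wh."):  # whiteout written by a later `rm`
                    removed.append((idx, posixpath.join(dirname, base[4:])))
                elif m.isfile():
                    head = layer.extractfile(m).read(4096)
                    if any(k in head for k in KEY_MARKERS):
                        hits.append((idx, m.name))
    def deleted_later(idx, path):
        return any(j > idx and (path + "/").startswith(d + "/") for j, d in removed)
    return [(i, p, not deleted_later(i, p)) for i, p in hits]

def make_tar(files):
    """Build an in-memory tar from {name: bytes} (helper for the sample only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def sample_image():
    """Constructed stand-in for `docker save` of the image from the answer above."""
    key = b"-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder, not a key)\n"
    add_layer = make_tar({"root/.ssh/id_rsa": key}).getvalue()  # ADD projectfolder/.ssh /root/.ssh
    rm_layer = make_tar({"root/.wh..ssh": b""}).getvalue()      # RUN rm -r /root/.ssh
    manifest = json.dumps([{"Layers": ["0/layer.tar", "1/layer.tar"]}]).encode()
    return make_tar({"manifest.json": manifest, "0/layer.tar": add_layer, "1/layer.tar": rm_layer})
```

For a real image, write the archive with `docker save <image> -o image.tar` and pass the opened file to `find_keys_in_layers`.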
1

I faced the same problem with maven:3-alpine. It was solved when I properly installed openssh-client:

```dockerfile
RUN apk --update add openssh-client
```

Then copied keys with known hosts to the image:

```dockerfile
ADD id_rsa /root/.ssh/
ADD id_rsa.pub /root/.ssh/
ADD known_hosts /root/.ssh/
```

And ran git clone command inline (with ssh-agent and ssh-add):

```dockerfile
RUN eval $(ssh-agent -s) \
  && ssh-add \
  && git clone ssh://git@private.address:port/project/project.git
```

Complete docker file:

```dockerfile
FROM maven:3-alpine
RUN apk update
RUN apk add python
RUN apk add ansible
RUN apk add git
RUN apk --update add openssh-client

ADD id_rsa /root/.ssh/
ADD id_rsa.pub /root/.ssh/
ADD known_hosts /root/.ssh/

RUN eval $(ssh-agent -s) \
  && ssh-add \
  && git clone ssh://git@private.address:port/project/project.git

ADD hosts /etc/ansible/hosts
RUN ansible all -m ping --ask-pass
```

0

I had the same issue while executing any bash command when building my Dockerfile. I solved it by adding `RUN chmod -R 777 ./` as suggested in the answer to this question. I think this is a workaround; I'm not sure why Docker on Ubuntu has permission issues when building a container.

Roxana Tapia