7

I'm attempting to run bower install inside a docker container, passed as a command in the docker-compose.yml

Relevant code in the docker-compose.yml:

services:
  assets:
    build: ./src
    command: >
      sh -c '
      bower install --allow-root;
      '

The bower.json has the following dependency:

{
  "name": "projectname",
  "version": "version",
  "dependencies": {
    "remote-repo": "ssh://git@remoterepo.url/repo.git#branch"
  }
}

This remote repo is private. The host machine has the correct SSH credentials to pull from that remote.

I have tried passing SSH credentials from my host machine to the docker container 4 or 5 different ways but every attempt nets me the same error message:

docker_1   | bower repo#branch          ECMDERR Failed to execute "git 
ls-remote --tags --heads ssh://git@remoterepo.url/repo.git", exit code 
of #128 Host key verification failed. fatal: Could not read from 
remote repository.  Please make sure you have the correct access 
rights and the repository exists.

When I exec directly into the container, and attempt a git clone, it asks me if I'm sure I want to add the remote to known_hosts, and then it asks for my passphrase for my ssh key (as is expected on a first attempt to connect to a remote).

I had followed the steps in this Stack Overflow response to try and bypass the prompt: https://stackoverflow.com/a/23411161/4736263

And even went so far as to throw everything at it via ssh that I could, adding these steps to my Dockerfile under RUN commands: https://serverfault.com/questions/132970/can-i-automatically-add-a-new-host-to-known-hosts/316100#316100

As it stands now, my install script (that runs docker-compose up, among other things), includes this line:

cp $HOME/.ssh/id_rsa src/id_rsa

And I have confirmed that the id_rsa is being copied correctly into the directory where the Dockerfile is (specifically, src inside my app).

And my Dockerfile contains this:

# Make ssh dir
RUN mkdir /root/.ssh/

# Copy over private key, and set permissions
ADD id_rsa /root/.ssh/id_rsa

# Create known_hosts
RUN touch /root/.ssh/known_hosts

# Add remote's key
RUN ssh-keygen -R remoterepo.url
RUN ssh-keygen -R remoterepoIP
RUN ssh-keygen -R remoterepo.url,remoterepoIP
RUN ssh-keyscan -H remoterepo.url,remoterepoIP >> /root/.ssh/known_hosts
RUN ssh-keyscan -H remoterepoIP >> /root/.ssh/known_hosts
RUN ssh-keyscan -H remoterepo.url >> /root/.ssh/known_hosts

Is there any way to get bower inside a docker container to access a private remote repo? I feel like I've tried everything (and I've been attempting different things all week).

Hugo y

1 Answer

0

The only way this configuration seems to work is:

1) Create a read-only key for the docker container in the private repo
2) Put the read-only creds and known_hosts into the repo in the directory with the Dockerfile
3) Adjust permissions on the id_rsa file

I tried adjusting permissions on the copied-from-the-host credentials, but that still gave a permission denied error. The only way this was solved was by creating a special read-only key in our private repo for just this container.

This doesn't really solve the initial problem, but it gets us where we need to be. Our implementation is to .gitignore the credentials and pass them to users another way, which prevents the secrets being stored in the repo.

I took the copy command out of our install script, so the final result in the Dockerfile is here:

# Make ssh dir
RUN mkdir /root/.ssh/

# Copy over private key, and set permissions
COPY id_rsa /root/.ssh/id_rsa
COPY known_hosts /root/.ssh/known_hosts
RUN chmod 600 /root/.ssh/id_rsa

And the private key lives in the same directory as Dockerfile.

I suspect the problem still lies in needing to put a passphrase in - there's a wee comment on the prior Stack Overflow article from 2014 that says this: "can't use a passphrase protected one apparently"

Hopefully this helps someone.
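
The three failures reported on this page (host key verification, the passphrase prompt, and permission denied on the key) can be checked on the id_rsa and known_hosts files before the image is built. The script below is an added example, not part of the original question or answer; the function names are hypothetical, and it matches exact host names only (hashed `ssh-keyscan -H` entries included, wildcard patterns not handled).

```python
import base64, hashlib, hmac, os, stat, sys

def host_in_known_hosts(text, host):
    """True if `host` has a plain or hashed (ssh-keyscan -H) entry in known_hosts text."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":   # comments, @cert-authority/@revoked
            continue
        names = fields[0]
        if names.startswith("|1|"):                   # |1|base64(salt)|base64(HMAC-SHA1)
            _, _, salt, mac = names.split("|")
            want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(want, base64.b64decode(mac)):
                return True
        elif host in names.split(","):                # exact names only, no wildcards
            return True
    return False

def key_is_encrypted(pem):
    """True if the private key text needs a passphrase to use."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem:
        body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(b"openssh-key-v1\0"):
            raise ValueError("not an OpenSSH private key")
        n = int.from_bytes(blob[15:19], "big")        # length of the cipher name
        return blob[19:19 + n] != b"none"
    return "ENCRYPTED" in pem                         # legacy PEM / PKCS#8 headers

def preflight(key_path, known_hosts_path, host):
    """Return the problems that would stop a non-interactive git-over-ssh fetch."""
    problems = []
    if stat.S_IMODE(os.stat(key_path).st_mode) & 0o077:
        problems.append("key is readable by group/others; ssh will refuse it (chmod 600)")
    with open(key_path) as f:
        if key_is_encrypted(f.read()):
            problems.append("key is passphrase-protected; nothing can answer the prompt")
    with open(known_hosts_path) as f:
        if not host_in_known_hosts(f.read(), host):
            problems.append("no known_hosts entry for %s; host key verification fails" % host)
    return problems

if __name__ == "__main__":
    # usage: preflight.py src/id_rsa src/known_hosts remoterepo.url
    print("\n".join(preflight(*sys.argv[1:4])) or "ok")
```
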