7

I'm using the suggestion from this post to implement Docker secrets so that I can use a local SSH key to authenticate access to Github for my containers. I'm on MacOS and not using Docker swarm. Here is my setup:

docker-compose.yml

version: '3.1'

services:
  [servicename]:
    secrets:
     - ssh_private_key

[...]

secrets:
  ssh_private_key:
    file: ~/.ssh/id_rsa

Dockerfile

FROM python:3.7 as intermediate

RUN mkdir /root/.ssh/ 
RUN ln -s /run/secrets/ssh_private_key /root/.ssh/id_rsa
RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
COPY requirements_private_repos.txt ./

RUN pip install --no-cache-dir -r requirements_private_repos.txt

When I attempt to run docker-compose build and use the SSH key to pull from private remote repositories, I get the following error:

Permission denied (publickey).
fatal: Could not read from remote repository.

I'm able to remote into the docker image and see that the secret is being created and populated in /run/secrets/ssh_private_key.

Why is the link not working when used in the Dockerfile? If docker secrets isn't the right method, is there a better way to share an SSH key from MacOS to Docker?

Morgan
  • 574
  • 9
  • 28

1 Answers1

7

You cannot use runtime secrets on the build phrase. You can either use multi-stage builds to copy the secret to the image so it will be discarded on the next stage or use the new build-time secrets that were introduced on Docker 18.09.

For the multi-stage method you could do the following:

FROM python:3.7 as intermediate

COPY id_rsa /root/.ssh/id_rsa # your private key must be on the build context
RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
COPY requirements_private_repos.txt ./

RUN pip install --no-cache-dir -r requirements_private_repos.txt

FROM python:3.7

COPY --from=intermediate XXXX YYYY # copy your modules, this image won't have the ssh private key

For the new method you could do the following, havent tried this method myself (a ssh-agent running on the host is needed):

FROM python:3.7 as intermediate

RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
COPY requirements_private_repos.txt ./

RUN --mount=type=ssh pip install --no-cache-dir -r requirements_private_repos.txt

Then build your image with:

docker build --ssh default . -t myimage

Check the documentation for more information on the new method:

https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information

codestation
  • 2,938
  • 1
  • 22
  • 22