
Folks, after following a few threads on how to add SSH keys to the Docker container for the application build phase, I am getting an interesting error:

Load key "/root/.ssh/id_rsa": invalid format

My Dockerfile:

RUN mkdir /root/.ssh/
ADD serviceBitbucketKey.ssh /root/.ssh/id_rsa
RUN chmod 400 /root/.ssh/id_rsa

RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts
RUN git ls-remote git@bitbucket.org:orgName/repo.git
RUN git config --global url.ssh://git@bitbucket.org/.insteadOf https://bitbucket.org/

I do know the key is fine... it was generated via

ssh-keygen -t rsa -b 4096 -f serviceBitbucketKey.ssh

Suggestions? Thanks!

Cmag
  • I’d suggest not packaging your image with keys; whoever gets a copy of the image may be able to obtain a copy from a container / the image / image layers. Running Docker in experimental mode and using BuildKit, you can add the keys to an ssh-agent, then mount the ssh-agent during the build. – masseyb Oct 07 '19 at 06:38
  • Any solution? I am a bit stuck right now and I need to push my container to Google Cloud; however, I have dependencies from private GitLabs... – Emixam23 Nov 22 '19 at 22:23
  • @masseyb Using a [multistage](https://docs.docker.com/v17.09/engine/userguide/eng-image/multistage-build/) build in Docker means you no longer need to worry about leaking secrets used in the build phase; instead you just need to make sure you're not using them in the final stage. It's a good pattern, since you can reduce the size of your image by separating building from running. You probably don't need git to run your code. – Kevin Harker Jan 03 '20 at 01:30
  • @KevinHarker OP does not seem to be using a multi-stage build, and you can (should, IMHO) avoid copying your keys during the build and rather forward the SSH agent: [using SSH to access private data in builds](https://docs.docker.com/develop/develop-images/build_enhancements/#using-ssh-to-access-private-data-in-builds). This [example](https://stackoverflow.com/a/57741684/1423507) is multi-stage and uses SSH during the build. – masseyb Jan 03 '20 at 07:44
  • @masseyb Since the OP didn't share the whole Dockerfile, it's unclear if they're using a multi-stage build. Using the ssh-agent is a pain today and requires using the experimental features. I hope they make it easier in the coming releases. – Kevin Harker Jan 03 '20 at 17:29

2 Answers

Try, assuming (as detailed in Adiii's answer) that the permissions are OK, generating a key using the old PEM format instead of the new OpenSSH one:

ssh-keygen -t rsa -P "" -C "your-email-address" -m PEM

VonC


I think it's a permission issue if the key is valid; try with this:

FROM alpine:3.7
# copy key (ADD creates /root/.ssh if it does not exist yet)
ADD serviceBitbucketKey.ssh /root/.ssh/id_rsa

# install git and the ssh client (needed for ssh-keyscan and for git over ssh)
RUN apk add --no-cache git openssh-client

# set proper permission on the key and pin the Bitbucket host key
RUN chmod 600 /root/.ssh/id_rsa && \
    touch /root/.ssh/known_hosts && \
    ssh-keyscan bitbucket.org > ~/.ssh/known_hosts
RUN git ls-remote git@bitbucket.org:myorg/myrepo.git
Adiii
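Both Dockerfiles on this page, the question's and Adiii's, ADD the private key into an image layer, which is the leak masseyb's comment warns about: a later `RUN rm /root/.ssh/id_rsa` does not help, because the earlier layer still carries the file and `docker save` or `docker history` exposes it. The following is an added example, not code from any of the posters, showing the same Bitbucket fetch done the way masseyb describes: BuildKit forwards the host's ssh-agent to a single RUN step, and a multi-stage split (Kevin Harker's point) keeps git, the ssh client and `~/.ssh` out of the runtime image. The repository name `orgName/repo.git` is the question's placeholder; the `/src` and `/app` paths, the `git clone` step and the final `CMD` are assumptions made for the example.

```dockerfile
# syntax=docker/dockerfile:1
# Added example: not the Dockerfile from the question or either answer.

# Stage 1: everything that needs the private key lives here. Nothing from
# this stage reaches the final image except what COPY --from pulls out.
FROM alpine:3.7 AS fetch
RUN apk add --no-cache git openssh-client

# Pin Bitbucket's host keys at build time so the fetch is not MITM-able.
# known_hosts does end up in a layer, but it holds only public host keys.
RUN mkdir -p -m 0700 /root/.ssh \
 && ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts

# Route https:// references to the host through SSH as well (from the question).
RUN git config --global url.ssh://git@bitbucket.org/.insteadOf https://bitbucket.org/

# The key is never written into the image. BuildKit mounts the host's
# ssh-agent socket for this one RUN only (SSH_AUTH_SOCK is set for it),
# so git authenticates through the agent and the mount is gone afterwards.
# orgName/repo.git is the question's placeholder; /src is assumed.
RUN --mount=type=ssh \
    git ls-remote git@bitbucket.org:orgName/repo.git \
 && git clone --depth 1 git@bitbucket.org:orgName/repo.git /src

# Stage 2: the runtime image. No git, no ssh client, no /root/.ssh.
FROM alpine:3.7
COPY --from=fetch /src /app
WORKDIR /app
# Assumed entrypoint; replace with whatever actually runs the application.
CMD ["sh"]
```

Load the key into the host agent and pass it to the build: `eval "$(ssh-agent -s)" && ssh-add serviceBitbucketKey.ssh`, then `DOCKER_BUILDKIT=1 docker build --ssh default .`. This also separates the two failure modes mixed together in the question: if the key file itself is unreadable, `ssh-add` on the host refuses it with the same "invalid format" message before Docker is involved, and the fix is on the key (for example regenerating it in PEM format as VonC suggests); if `ssh-add` accepts it but the build fails, the problem is in the Dockerfile or the missing `--ssh` flag.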