
I have a Dockerfile with the following RUN instruction:

RUN pip install -r ./private_requirements.txt

The private_requirements.txt file is an ssh URL pointing to a GitLab repository:

git+ssh://git@gitlab.com/organization/viiaa/abc_xx.git@v19.0

When I run docker build and the RUN instruction is evaluated, I get the following output:

> [intermediate 9/9] RUN pip install git+ssh://git@gitlab.com/organization/viiaa/abc_xx.git@v19.0:
#13 0.574 Collecting git+ssh://****@gitlab.com/organization/viiaa/abc_xx.git@v19.0
#13 0.574   Cloning ssh://****@gitlab.com/organization/viiaa/abc_xx.git@v19.0 (to revision v19.0) to /tmp/pip-req-build-ck2o3z6p
#13 0.574   Running command git clone -q 'ssh://****@gitlab.com/organization/viiaa/abc_xx.git@v19.0' /tmp/pip-req-build-ck2o3z6p
#13 1.018   Warning: Permanently added the ECDSA host key for IP address '172.65.251.78' to the list of known hosts.
#13 1.286   Load key "/root/.ssh/id_rsa": invalid format
#13 1.425   git@gitlab.com: Permission denied (publickey,keyboard-interactive).
#13 1.426   fatal: Could not read from remote repository.
#13 1.426
#13 1.426   Please make sure you have the correct access rights
#13 1.426   and the repository exists.
#13 1.428 WARNING: Discarding git+ssh://****@gitlab.com/organization/viiaa/abc_xx.git@v19.0. Command errored out with exit status 128: git clone -q 'ssh://****@gitlab.com/organization/viiaa/abc_xx.git@v19.0' /tmp/pip-req-build-ck2o3z6p Check the logs for full command output.
#13 1.428 ERROR: Command errored out with exit status 128: git clone -q 'ssh://****@gitlab.com/organization/viiaa/abc_xx.git@v19.0' /tmp/pip-req-build-ck2o3z6p Check the logs for full command output.
------
executor failed running [/bin/sh -c pip install git+ssh://git@gitlab.com/organization/viiaa/abc_xx.git@v19.0]: exit code: 1

I already added my public key to my GitLab profile keys.

bgarcial

3 Answers

The RUN pip install -r ./private_requirements.txt tries to access your git+ssh://git@gitlab.com/organization/viiaa/abc_xx.git@v19.0 from inside the container.
But the container doesn't have access to your ssh keys!

You could copy your private key to the docker container - not really recommended for security reasons.

But docker doesn't support mounting in the build step, therefore it's tricky to forward ssh keys, but it's possible.
See the answer at SO:SSH agent forwarding during docker build or another answer from Dan Pav

jeb
  • For anyone stumbling onto this, since 18.09 it's easy to forward ssh keys to docker during build. The linked answer/question has been updated. – Macke Jun 07 '21 at 10:52

Check your error

#13 1.286   Load key "/root/.ssh/id_rsa": invalid format

Go there and check your private key. It should have the form

-----BEGIN OPENSSH PRIVATE KEY-----
......
......
......
......
......
......
......=
-----END OPENSSH PRIVATE KEY-----

It may be that you have copied the content of the public key into id_rsa, and not the private key itself.

The public key must be saved in the same folder, as /root/.ssh/id_rsa.pub. It must be a different file with the name id_rsa.pub.

Panagiotis Bougioukos

As @jeb mentioned in his answer, the container does not have access to my private key, which gives access to the GitLab repository. That was quite logical and I was not seeing it.

What I did was define the SSH_PRIVATE_KEY environment variable in the Dockerfile:

ARG SSH_PRIVATE_KEY

And I pass the content of the SSH_PRIVATE_KEY variable at build time, and it works:

> docker build --build-arg SSH_PRIVATE_KEY="$(cat ~/.ssh/gitlab_id_rsa)" . -t my-image-name:latest
bgarcial
  • That ARG will be part of the image though? – Macke Jun 04 '21 at 13:31
  • @Macke Indeed `SSH_PRIVATE_KEY` is an environment variable defined in the `Dockerfile` having its respective value – bgarcial Jun 07 '21 at 08:55
  • So, not very secure. Better options exist these days. --ssh arg to 'docker build', f.ex. – Macke Jun 07 '21 at 10:52
  • Yes, the ssh key was remaining within the container. We used it to authenticate with a GitLab repo to consume a private package there. But we are not doing this anymore. Now this package is in Azure DevOps as an artifact, and we are fetching it by using a token with key-rings. But looking at how to address this based on your advice, I found [here](https://stackoverflow.com/a/30992047/2773461) interesting recommendations, like creating volumes to store the keys. – bgarcial Jun 07 '21 at 12:53
  • But I can see here that [docker buildkit](https://docs.docker.com/develop/develop-images/build_enhancements/#using-ssh-to-access-private-data-in-builds) proposes a `--ssh` flag to do a kind of ssh mount to forward this kind of connection, perhaps it is the best way now? – bgarcial Jun 07 '21 at 12:56
  • Yes, that is the preferred way and is how I solved it. Mainly writing that here in case someone else stumbled on this answer and is on a more recent Docker version. – Macke Jun 08 '21 at 07:12
  • Indeed, it is good to point out the best solution. Thanks for your clarification. – bgarcial Jun 08 '21 at 07:17
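
The `--ssh` forwarding that the comments above settle on, written out as an added example that is not part of the original thread. The base image tag and the `gitlab_known_hosts` file name are assumptions; the stage name, requirements file, key path and image name are the ones used in the question and answers.

```dockerfile
# syntax=docker/dockerfile:1
# Added example; base image tag and gitlab_known_hosts are assumptions.
FROM python:3.9-slim AS intermediate

# pip needs git and an ssh client to resolve git+ssh:// requirements.
RUN apt-get update \
 && apt-get install -y --no-install-recommends git openssh-client \
 && rm -rf /var/lib/apt/lists/*

# Pin GitLab's host key instead of accepting whatever key answers first
# (the "Permanently added the ECDSA host key" warning in the build log).
# gitlab_known_hosts is a file you create once and commit, after checking
# the fingerprints against the ones GitLab publishes.
COPY gitlab_known_hosts /root/.ssh/known_hosts

COPY private_requirements.txt ./

# The ssh-agent socket is mounted for this RUN step only. The private key
# stays on the build host: it is not written to a layer and does not show
# up in the image history, unlike a value passed with --build-arg.
RUN --mount=type=ssh pip install --no-cache-dir -r ./private_requirements.txt

# Build (Docker 18.09+ with BuildKit), forwarding the host's agent:
#   eval "$(ssh-agent -s)"
#   ssh-add ~/.ssh/gitlab_id_rsa
#   DOCKER_BUILDKIT=1 docker build --ssh default -t my-image-name:latest .
#
# Check the result. This should print nothing for the image built here;
# run it against an image built with
#   --build-arg SSH_PRIVATE_KEY="$(cat ~/.ssh/gitlab_id_rsa)"
# to see what that approach records in the image:
#   docker history --no-trunc my-image-name:latest | grep SSH_PRIVATE_KEY
```

A key that has already been passed as a build argument should be treated as exposed to anyone who can pull that image, and replaced in the GitLab profile.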