2

I'm trying to make a script that will build a bunch of docker images and push them to a private repository.

From the documentation, the docker build command seems to accept git urls: very nice indeed.

All the repos are private and everyone in the company have ssh keys setup to access the git repos via ssh like git clone git@github.com:/my-org/my-repo.git

I assumed that providing such url would work as well as it seems to be a very common use case. Turns out it doesn't.

I googled around for a solution and found a git ticket about url formatting so I tried all the following:

  • ssh://git@github.com:/my-org/my-repo.git
  • ssh://git@github.com/my-org/my-repo.git
  • ssh://git@github.com:my-org/my-repo.git
  • git@github.com:/my-org/my-repo.git
  • git@github.com/my-org/my-repo.git
  • git@github.com:my-org/my-repo.git

Th last one in this list is the most promising as I'm getting the following output:

$ docker build -t registry.example.com:5000/my-repo:latest --ssh=default git@github.com:my-org/my-repo.git

[+] Building 0.9s (1/1) FINISHED                                                                                                                                                             
 => ERROR [internal] load git source git@github.com:my-org/my-repo.git                                                                                                     0.9s
------                                                                                                                                                                                       
 > [internal] load git source git@github.com:my-org/my-repo.git:                                                                                                                
#1 0.551 Warning: Permanently added the RSA host key for IP address '140.82.121.3' to the list of known hosts.
#1 0.896 git@github.com: Permission denied (publickey).
#1 0.898 fatal: Could not read from remote repository.
#1 0.898 
#1 0.898 Please make sure you have the correct access rights
#1 0.898 and the repository exists.
------
failed to solve with frontend dockerfile.v0: failed to read dockerfile: failed to load cache key: failed to fetch remote git@github.com:my-org/my-repo.git: exit status 128

Before someone asks: yes the repo exists and I can clone it :)

I was assuming the "cloning" part of the process would be done "locally" using my own ssh keys before sending the context out for docker to build. Apparently it is not the case.

Is it a supported feature and if so how to make it work?

EDIT: I realised I forgot to give some context.

I'm running Docker Desktop on macOS big sur

Docker version 20.10.8, build 3967b7d

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Build with BuildKit (Docker Inc., v0.6.1-docker)
  compose: Docker Compose (Docker Inc., v2.0.0-rc.3)
  scan: Docker Scan (Docker Inc., v0.8.0)

Server:
 Containers: 9
  Running: 8
  Paused: 0
  Stopped: 1
 Images: 28
 Server Version: 20.10.8
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runtime.v1.linux runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: e25210fe30a0a703442421b0f60afac609f950a3
 runc version: v1.0.1-0-g4144b63
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.10.47-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 3.842GiB
 Name: docker-desktop
 ID: 77LC:Z2AY:K6AA:OXAY:3JYQ:RSSL:RCJZ:GOSK:FUTG:DAPY:WIKK:BB7A
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 105
  Goroutines: 93
  System Time: 2021-09-16T08:47:27.924652162Z
  EventsListeners: 4
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  <REDACTED>
 Live Restore Enabled: false
ddegasperi
  • 662
  • 9
  • 12
Nico J.
  • 167
  • 2
  • 10

2 Answers2

1

Docker for Mac does not run natively on your machine, but in a VirtualMachine. It looks like the git clone command is executed inside the VirtualMachine

My assumption is based on this log entry: #1 0.551 Warning: Permanently added the RSA host key for IP address '140.82.121.3' to the list of known hosts.

So in order to have access to your private repository via ssh, you need to store the ssh keypair in Docker's VirtualMachine as well.

EDIT To connect to the VirtualMachine open a terminal and run docker run -it --privileged --pid=host justincormack/nsenter1

ddegasperi
  • 662
  • 9
  • 12
  • Yeah I knew it was running a vm on mac but I never got the chance to actually dig inside the vm. I don't even know if it's possible... any clue on how i'd do that? – Nico J. Sep 16 '21 at 09:42
  • 1
    Found this command `docker run -it --privileged --pid=host justincormack/nsenter1` from this post https://stackoverflow.com/questions/39739560/how-to-access-the-vm-created-by-dockers-hyperkit – ddegasperi Sep 16 '21 at 09:44
1

Is your SSH key added to the ssh-agent that is being forwarded when you set --ssh=default? To check run ssh-add -l and if it doesn't show your key then add it with something like ssh-add -k ~/.ssh/id_rsa

Tõnis Tiigi
  • 104
  • 2
  • It usually works yeah. I actually don't need ssh *inside* the builder. the `--ssh` thing was more a desperate attempt to forward my creds to docker without success – Nico J. Sep 17 '21 at 08:00