
I am trying to clone a repository inside a docker image using a docker file. I am running in Ubuntu 18.04 with docker version 20.10.17. I know docker files are automatic and do not allow user input. Therefore I need to clone via ssh. I started with:

ssh-keygen
ssh-add -k ~/.ssh/id_rsa
cat ~/.ssh/id_rsa.pub | xclip -sel clip

I then pasted the key into bitbucket as a new key. I left the passphrase and all as blank when doing this. Not sure if that is the start of my issues. Now to the docker file.

I have tried multiple ways. Using the below docker file gives me an error when trying to do the actual git clone:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0755 for '/root/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/root/.ssh/id_rsa": bad permissions
git@bitbucket.org: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights and the repository exists.

The docker file is:

FROM ubuntu:18.04 AS intermediate

ENV HOME /root
ARG DEBIAN_FRONTEND=noninteractive

VOLUME /home/user/.ssh/id_rsa /root/.ssh/id_rsa

RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections && \
    apt-get update && apt-get upgrade -y && apt-get -y --no-install-recommends install \
    build-essential \
    cmake \
    ssh \
    git

RUN chmod 700 /root/.ssh #&& \#
RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts
RUN chmod 400 /root/.ssh/id_rsa
RUN git clone git@bitbucket.org:company/myRepo.git

FROM ubuntu:18.04
LABEL Description="Build environment"

ENV HOME /root

SHELL ["/bin/bash", "-c"]

ARG DEBIAN_FRONTEND=noninteractive

COPY --from=intermediate myRepo /git/myRepo

I have even tried adding the ssh key directly to the docker file and creating the id_rsa file and location. I get the same error except the permission is now 0644. Here is the other version of my docker file:

FROM ubuntu:18.04 AS intermediate

ENV HOME /root

ARG SSH_PRIVATE_KEY="ssh-rsa AAA..."

ARG DEBIAN_FRONTEND=noninteractive

RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections && \
    apt-get update && apt-get upgrade -y && apt-get -y --no-install-recommends install \
    build-essential \
    cmake \
    ssh \
    git

RUN mkdir /root/.ssh/
RUN chmod 755 /root/.ssh
RUN echo "${SSH_PRIVATE_KEY}" > /root/.ssh/id_rsa

RUN ssh-keygen -f ~/.ssh/id_rsa -p
RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts

RUN chmod 400 /root/.ssh/id_rsa
RUN git clone git@bitbucket.org:company/myRepo.git

FROM ubuntu:18.04
LABEL Description="Build environment"

ENV HOME /root

SHELL ["/bin/bash", "-c"]

ARG DEBIAN_FRONTEND=noninteractive

COPY --from=intermediate myRepo /git/myRepo

I followed instructions to set up the file to use an SSH key to clone the repo from here.

I was getting issues about formatting for the key. That led me to adding the ssh-keygen RUN command that supposedly will force proper formatting. This was found here.

As for solving the permission issue, I have seen plenty of threads about inserting chmod, but the permissions I set don't even seem to show up properly. I checked here to try and solve the permission issue.

torek
notARobot
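For comparison, here is an added example (not the asker's Dockerfile, and not from any of the linked posts) of the approach that avoids the permission problem and the leaked-secret problem at once: BuildKit's `--mount=type=ssh` forwards the host's ssh-agent socket into a single RUN step, so no key file is ever written into the build context or into a layer, and there is nothing to `chmod`. The repository path `company/myRepo` and the target `/git/myRepo` are taken from the question; the stage layout, package list and `/src` path are assumptions. Docker 20.10 (the version in the question) supports this when BuildKit is enabled.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the asker's Dockerfile.
# Build with BuildKit and forward the host's ssh-agent:
#   export DOCKER_BUILDKIT=1
#   docker build --ssh default -t myrepo-build .
# The private key stays in the agent on the host; the build only sees the socket.

FROM ubuntu:18.04 AS intermediate

ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && \
    apt-get install -y --no-install-recommends git openssh-client ca-certificates && \
    rm -rf /var/lib/apt/lists/*

# Record the server host key so the clone does not need StrictHostKeyChecking=no.
# ssh-keyscan trusts whatever it is handed at build time; compare the resulting
# fingerprint against Bitbucket's published fingerprints before relying on it.
RUN mkdir -p -m 0700 /root/.ssh && \
    ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts

# The agent socket is mounted only for the duration of this RUN step.
# No id_rsa file is created, so there is nothing to leak into a layer.
RUN --mount=type=ssh \
    git clone --depth 1 git@bitbucket.org:company/myRepo.git /src/myRepo

FROM ubuntu:18.04
LABEL Description="Build environment"

# Only the checked-out sources reach the final image.
COPY --from=intermediate /src/myRepo /git/myRepo
```

Two points worth knowing when choosing between this and the `COPY id_rsa` approach in the accepted answer: a multi-stage build does keep the key out of the final image, but the intermediate stage's layers (and the key file they contain) remain in the local build cache and in the build context you sent, whereas the ssh mount writes no key file anywhere. If the key is passphrase-protected, load it into the agent once with `ssh-add` on the host; the build never sees the passphrase either.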
  • This isn't a Git issue, it's purely docker+ssh. – torek Sep 09 '22 at 17:21
  • With your final solution, your `id_rsa` file remains on the host computer and never gets copied into the image, right? I assume that's what VOLUME does, but is that volume only mounted during the docker build, and removed in the final image? That's a pretty cool approach. – joanis Sep 09 '22 at 17:22
  • That should be the case. Anything done in the intermediate stage should just be discarded in the final image. That was my understanding from the first link I posted. – notARobot Sep 09 '22 at 18:05
  • Does this answer your question? [How to add ssh passphrase to Docker and removed it after it was used?](https://stackoverflow.com/questions/64023920/how-to-add-ssh-passphrase-to-docker-and-removed-it-after-it-was-used) – masseyb Sep 11 '22 at 10:39

1 Answer

Actually found the answer to my question. Credit goes to user "questionto42standswithUkraine" here.

I copied the file ~/.ssh/id_rsa to the directory with my docker file.

*edit This was at the top of my docker file in the intermediate step

COPY id_rsa /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa

*end edit

I ultimately ended up with

RUN touch /root/.ssh/known_hosts && ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts && \
  git clone git@bitbucket.org:company/myRepo.git

Worked perfectly.

notARobot
  • Wait, so here you *are* copying id_rsa into your container? If it stays there in the end, or even just exists in a layer, that's a pretty big security hole, since you would be giving away your secret with the docker file itself. – joanis Sep 09 '22 at 17:25
  • If done in the intermediate stage, it should just get tossed out. Otherwise, can just remove /root/.ssh/ completely before the dockerfile exits if not doing a multi-stage build. – notARobot Sep 09 '22 at 18:01
  • My understanding is that each Docker stage actually stays in the image when you're done, unless you squash them. I don't actually know how to do that, but I'm pretty sure that's what happens because if you install stuff and clean up the install caches in different RUN lines, the final image is not smaller, but if you do the clean up in the same RUN line, then the image actually shrinks. So someone with the right know-how will be able to find your id_rsa file, even if you delete it in RUN line at the end. – joanis Sep 09 '22 at 18:04
  • If you could create, use and then delete the id_rsa file all in the same RUN command, then I think that might be safe. – joanis Sep 09 '22 at 18:06
  • See the comment from @questionto41standswithUkraine below their answer here https://stackoverflow.com/a/66648403/3216427 where they express similar security concerns and suggest a solution. – joanis Sep 09 '22 at 18:09
  • By the way, this is probably not elegant, but the solution I use to the problem of embedding private repos in an image is to have a pre-docker-build script that I run outside docker ahead of time, where I clone/fetch what I need as myself, and then I ADD those cloned sandboxes into the image, instead of trying to clone them from within. Less elegant, I know, but way simpler! And guaranteed to be safe. – joanis Sep 09 '22 at 18:13