我有一个应用程序,执行各种有趣的东西与Git(像运行Git克隆& Git推送),我试图docker-ize它。

我遇到了一个问题,虽然我需要能够添加一个SSH密钥到容器的容器“用户”使用。

我试着把它复制到/root/。ssh/,更改$HOME,创建一个git ssh包装器,仍然没有运气。

以下是Dockerfile供参考:

#DOCKER-VERSION 0.3.4                                                           

from  ubuntu:12.04                                                              

RUN  apt-get update                                                             
RUN  apt-get install python-software-properties python g++ make git-core openssh-server -y
RUN  add-apt-repository ppa:chris-lea/node.js                                   
RUN  echo "deb http://archive.ubuntu.com/ubuntu precise universe" >> /etc/apt/sources.list
RUN  apt-get update                                                             
RUN  apt-get install nodejs -y                                                  

ADD . /src                                                                       
ADD ../../home/ubuntu/.ssh/id_rsa /root/.ssh/id_rsa                             
RUN   cd /src; npm install                                                      

EXPOSE  808:808                                                                 

CMD   [ "node", "/src/app.js"]

App.js运行git命令,比如git pull


当前回答

您可以使用多级构建来构建容器 你可以这样做:-

阶段1使用ssh构建映像

FROM ubuntu as sshImage
LABEL stage=sshImage
ARG SSH_PRIVATE_KEY
WORKDIR /root/temp

RUN apt-get update && \
    apt-get install -y git npm 

RUN mkdir /root/.ssh/ &&\
    echo "${SSH_PRIVATE_KEY}" > /root/.ssh/id_rsa &&\
    chmod 600 /root/.ssh/id_rsa &&\
    touch /root/.ssh/known_hosts &&\
    ssh-keyscan github.com >> /root/.ssh/known_hosts

COPY package*.json ./

RUN npm install

RUN cp -R node_modules prod_node_modules

阶段2:构建容器

FROM node:10-alpine

RUN mkdir -p /usr/app

WORKDIR /usr/app

COPY ./ ./

COPY --from=sshImage /root/temp/prod_node_modules ./node_modules

EXPOSE 3006

CMD ["npm", "run", "dev"] 

在你的合成文件中添加env属性:

   environment:
      - SSH_PRIVATE_KEY=${SSH_PRIVATE_KEY}

然后像这样从构建脚本传递参数:

docker-compose build --build-arg SSH_PRIVATE_KEY="$(cat ~/.ssh/id_rsa)"

并移除中间容器,以确保安全。 这将帮助你干杯。

其他回答

最简单的方法是,获得一个发射台帐户并使用:ssh-import-id

在我的情况下,我有一个问题与nodejs和'npm I '从一个远程存储库。我修复了添加'node'用户到nodejs容器和700到~/。容器中的SSH。

Dockerfile:

USER node #added the part
COPY run.sh /usr/local/bin/
CMD ["run.sh"]

run.sh:

#!/bin/bash
chmod 700 -R ~/.ssh/; #added the part

docker-compose.yml:

nodejs:
      build: ./nodejs/10/
      container_name: nodejs
      restart: always
      ports:
        - "3000:3000"
      volumes:
        - ../www/:/var/www/html/:delegated
        - ./ssh:/home/node/.ssh #added the part
      links:
        - mailhog
      networks:
        - work-network

在那之后,它开始工作

你也可以在主机和容器之间链接你的.ssh目录,我不知道这种方法是否有任何安全隐患,但它可能是最简单的方法。像这样的东西应该工作:

$ sudo docker run -it -v /root/.ssh:/root/.ssh someimage bash

记住docker使用sudo运行(除非你不这样做),如果是这种情况,你将使用根ssh密钥。

从docker API 1.39+(检查API版本和docker版本)开始,docker构建允许——ssh选项与代理套接字或键一起允许docker引擎转发ssh代理连接。

建造的命令

export DOCKER_BUILDKIT=1
docker build --ssh default=~/.ssh/id_rsa .

Dockerfile

# syntax=docker/dockerfile:experimental
FROM python:3.7

# Install ssh client (if required)
RUN apt-get update -qq
RUN apt-get install openssh-client -y

# Download public key for github.com
RUN --mount=type=ssh mkdir -p -m 0600 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts

# Clone private repository
RUN --mount=type=ssh git clone git@github.com:myorg/myproject.git myproject

更多信息:

https://docs.docker.com/develop/develop-images/build_enhancements/#using-ssh-to-access-private-data-in-builds https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/experimental.md#run---mounttypessh

一个简单而安全的方法来实现这一点,而不需要将密钥保存在Docker镜像层中,或通过ssh_agent体操:

As one of the steps in your Dockerfile, create a .ssh directory by adding: RUN mkdir -p /root/.ssh Below that indicate that you would like to mount the ssh directory as a volume: VOLUME [ "/root/.ssh" ] Ensure that your container's ssh_config knows where to find the public keys by adding this line: RUN echo " IdentityFile /root/.ssh/id_rsa" >> /etc/ssh/ssh_config Expose you local user's .ssh directory to the container at runtime: docker run -v ~/.ssh:/root/.ssh -it image_name Or in your dockerCompose.yml add this under the service's volume key: - "~/.ssh:/root/.ssh"

你最终的Dockerfile应该包含如下内容:

FROM node:6.9.1

RUN mkdir -p /root/.ssh
RUN  echo "    IdentityFile /root/.ssh/id_rsa" >> /etc/ssh/ssh_config

VOLUME [ "/root/.ssh" ]

EXPOSE 3000

CMD [ "launch" ]