我从周围的各种工作dockerfile中复制了这段代码,这里是我的:
FROM ubuntu
MAINTAINER Luke Crooks "luke@pumalo.org"
# Update aptitude with new repo
RUN apt-get update
# Install software
RUN apt-get install -y git python-virtualenv
# Make ssh dir
RUN mkdir /root/.ssh/
# Copy over private key, and set permissions
ADD id_rsa /root/.ssh/id_rsa
RUN chmod 700 /root/.ssh/id_rsa
RUN chown -R root:root /root/.ssh
# Create known_hosts
RUN touch /root/.ssh/known_hosts
# Remove host checking
RUN echo "Host bitbucket.org\n\tStrictHostKeyChecking no\n" >> /root/.ssh/config
# Clone the conf files into the docker container
RUN git clone git@bitbucket.org:Pumalo/docker-conf.git /home/docker-conf
这就给出了误差
Step 10 : RUN git clone git@bitbucket.org:Pumalo/docker-conf.git /home/docker-conf
---> Running in 0d244d812a54
Cloning into '/home/docker-conf'...
Warning: Permanently added 'bitbucket.org,131.103.20.167' (RSA) to the list of known hosts.
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
2014/04/30 16:07:28 The command [/bin/sh -c git clone git@bitbucket.org:Pumalo/docker-conf.git /home/docker-conf] returned a non-zero code: 128
这是我第一次使用dockerfiles,但从我所读到的(以及从工作配置中获得的)我不明白为什么这行不通。
我的id_rsa与我的dockerfile在同一个文件夹中,是我的本地密钥的副本,可以克隆这个repo没有问题。
编辑:
在我的dockerfile我可以添加:
RUN cat /root/.ssh/id_rsa
它会打印出正确的密钥,所以我知道它被正确复制了。
我也试着按照诺亚的建议去做:
RUN echo "Host bitbucket.org\n\tIdentityFile /root/.ssh/id_rsa\n\tStrictHostKeyChecking no" >> /etc/ssh/ssh_config
不幸的是,这也行不通。
现在你可以使用Buildkit选项——ssh默认当你构建你的容器;在构建之前,您需要将SSH部署密钥添加到SSH -agent。
以下是从头开始的完整流程:
在部署服务器上创建密钥对。只需运行ssh-keygen -t ecdsa将密钥对存储到~/.ssh
添加生成的公钥(。Pub扩展)在你的git提供商网站(gitlab, github..)
将密钥添加到ssh-agent(一个基本上比处理每个文件更容易管理密钥的程序)
eval $(ssh-agent)
ssh-add /path/to/your/private/key
把这个添加到Dockerfile中:
# this 3 first lines add your provider public keys to known_host
# so git doesn't get an error from SSH.
RUN mkdir -m 700 /root/.ssh && \
touch -m 600 /root/.ssh/known_hosts && \
ssh-keyscan your-git-provider.com > /root/.ssh/known_hosts
# now you can clone with --mount=type=ssh option,
# forwarding to Docker your host ssh agent
RUN mkdir -p /wherever/you/want/to/clone && cd /wherever/you/want/to/clone && \
--mount=type=ssh git clone git@gitlab.com:your-project.git
现在你终于可以构建Dockerfile了(启用buildkit)
DOCKER_BUILDKIT=1 docker build . --ssh default
因为你目前不能通过控制台参数来构建docker-compose,这个解决方案还不能用于docker-compose,但应该很快就可以了(它已经在github上完成了,并作为合并请求提出)
另一种选择是使用多级docker构建,以确保您的SSH密钥不包含在最终映像中。
正如在我的文章中所描述的,你可以准备你的中间图像与所需的依赖git克隆,然后复制所需的文件到你的最终图像。
此外,如果我们标签我们的中间层,我们甚至可以删除他们从机器完成。
# Choose and name our temporary image.
FROM alpine as intermediate
# Add metadata identifying these images as our build containers (this will be useful later!)
LABEL stage=intermediate
# Take an SSH key as a build argument.
ARG SSH_KEY
# Install dependencies required to git clone.
RUN apk update && \
apk add --update git && \
apk add --update openssh
# 1. Create the SSH directory.
# 2. Populate the private key file.
# 3. Set the required permissions.
# 4. Add github to our list of known hosts for ssh.
RUN mkdir -p /root/.ssh/ && \
echo "$SSH_KEY" > /root/.ssh/id_rsa && \
chmod -R 600 /root/.ssh/ && \
ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts
# Clone a repository (my website in this case)
RUN git clone git@github.com:janakerman/janakerman.git
# Choose the base image for our final image
FROM alpine
# Copy across the files from our `intermediate` container
RUN mkdir files
COPY --from=intermediate /janakerman/README.md /files/README.md
然后我们可以构建:
MY_KEY=$(cat ~/.ssh/id_rsa)
docker build --build-arg SSH_KEY="$MY_KEY" --tag clone-example .
证明我们的SSH密钥不见了:
docker run -ti --rm clone-example cat /root/.ssh/id_rsa
从构建机器中清除中间映像:
docker rmi -f $(docker images -q --filter label=stage=intermediate)
