Friday, May 17, 2024

Securely Using SSH Keys in Docker to Access Private Github Repositories – FastRuby.io


When you search online for using SSH keys with Docker to access private Github repositories, you will get a lot of search results, but the solutions you'll find are almost all outdated, insecure, or fragmentary (i.e. they provide a small snippet of information but not a complete solution). Given how popular both Docker and Github are, I found this quite surprising. We recently needed to set up Docker with a Rails application that fetches gems from private repositories. We're also using Docker Compose, which added to the challenge. This comment on the Docker project, which is from February 2021, unfortunately is still accurate:

There are a lot of questions and answers out there about how to pull from a private repository (using the host's ssh key & config). A lot of them are not working, not secure or unanswered

After several hours of research and testing, we have a good solution to share. But first let's take a look at the different approaches to consider.

Option 1: Pass your keys directly to the container

Don't do this! You don't want to add your ssh keys to Github or anywhere else as part of the Docker image. Older solutions you'll find online will recommend copying your keys into the container, and then deleting them at the end of the setup work. This is not a good idea. Your keys can be recovered by anyone examining the history of the image.

Passing secrets to Docker

Option 2: Using multi-stage builds

A good overview of this solution is described in the post Access Private Repositories from Your Dockerfile Without Leaving Behind Your SSH Keys. However, as noted in an update to that article, this approach is now considered outdated. It's also fairly involved, since it requires passing your credentials to an "intermediate" container before creating the final container, and then "squashing" the intermediate container (this removes your ssh keys from the history). We briefly tried this approach, but had trouble getting it working, and we wanted to try newer, less complex approaches.

Option 3: Using Docker secrets

A newer feature of Docker is secrets:

…a secret is a blob of data, such as a password, SSH private key, SSL certificate, or another piece of data that should not be transmitted over a network or stored unencrypted in a Dockerfile or in your application's source code. You can use Docker secrets to centrally manage this data and securely transmit it to only those containers that need access to it. Secrets are encrypted during transit and at rest in a Docker swarm. A given secret is only accessible to those services which have been granted explicit access to it, and only while those service tasks are running.

You'll notice the mention of Docker swarm and services. The documentation goes on to say "Docker secrets are only available to swarm services, not to standalone containers."

We were intrigued by the idea of using secrets, but didn't want to add the complexity of swarm services. We came across the post Use Your local SSH Keys Inside a Docker Container which says: "Docker secrets are meant to be used with Docker Swarm, not with standalone containers. Fear not. Docker compose does support secrets, so using a compose file similar to this will do the trick…" We spent a good deal of time trying this approach, but couldn't get it to work. The author goes on to say his team is using swarm services, so it's possible the solution presented is untested – or it's of course possible we missed something in our attempts 😉

Option 4: Passing a reference to your keys as a command line argument 🎉

This is what worked for us. First, make sure your ssh key has been added to your ssh agent. If you're not familiar with this, the Set up an SSH key documentation from BitBucket provides a good overview. Note that the ssh-add command on macOS since Monterey (12.0) uses --apple-use-keychain instead of -K, for example:

ssh-add --apple-use-keychain ~/.ssh/id_ed25519

From this point, there are two possible ways to proceed:

Option 4a: Using Dockerfile only

If you're not using Docker Compose, you can include the following in your Dockerfile:

RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
RUN --mount=type=ssh bundle install

Then call it like this:

DOCKER_BUILDKIT=1 docker build --ssh default=$HOME/.ssh/name_of_your_ssh_key .

If you're wondering about the --mount=type=ssh part, the Docker documentation has a good explanation:

[It] will set the SSH_AUTH_SOCK environment variable for that command to the value provided by the host to docker build, which will cause any programs in the RUN command which rely on SSH to automatically use that socket. Only the commands in the Dockerfile that have explicitly requested SSH access by defining type=ssh mount will have access to SSH agent connections. The other commands will have no knowledge of any SSH agent being available.

Option 4b: Using Docker Compose

To use the --ssh option with Docker Compose, you'll need to be on at least Docker Compose v2.5. You can check with docker compose version. If you're on a Mac using Homebrew, you can upgrade with brew install docker-compose (as of August 2022, 2.5 is the current version on Homebrew). Then you can run:

docker compose build --ssh default=$HOME/.ssh/name_of_your_ssh_key

Here are sample Dockerfile and docker-compose.yml files for reference. Replace your_app with an appropriate name for your application. Note that we want the Docker Compose file to run the tests automatically; you may want yours to do something else.

Dockerfile

# this is for an old project (a trailing comment on the FROM line itself would not parse)
FROM ruby:2.1.10

RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
ADD . /your_app
WORKDIR /your_app
# only this RUN step can see the host's SSH agent socket
RUN --mount=type=ssh bundle install

docker-compose.yml

version: "3.8"
services:
  app:
    build: .
    command: bash -c "bundle exec rspec"
    image: your_app
    volumes:
      - .:/your_app
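As an added example (not part of the original post), here is a small Dockerfile audit that flags the Option 1 mistakes described above (a key copied into a layer, or deleted in a later RUN, or passed via ARG/ENV) and confirms the Option 4 pattern (a RUN step with --mount=type=ssh). The two sample Dockerfiles are constructed for the demonstration; the insecure one is hypothetical and the secure one mirrors the sample above.

```python
import re

# Constructed samples (not from the original post).
INSECURE_DOCKERFILE = """\
FROM ruby:2.1.10
COPY id_rsa /root/.ssh/id_rsa
RUN bundle install && rm /root/.ssh/id_rsa
"""

SECURE_DOCKERFILE = """\
FROM ruby:2.1.10
# this is for an old project
RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
ADD . /your_app
WORKDIR /your_app
RUN --mount=type=ssh bundle install
"""

# Paths that usually carry private key material.
KEY_FILE = re.compile(r"(id_(rsa|ed25519|ecdsa|dsa)|\.ssh/|\.pem\b)", re.I)
KEY_VAR = re.compile(r"(SSH|PRIVATE)_?KEY", re.I)
RM_CMD = re.compile(r"\brm\b")


def _instructions(text):
    """Yield (line number, INSTRUCTION, args), folding backslash continuations."""
    folded = re.sub(r"\\\n\s*", " ", text)
    for lineno, line in enumerate(folded.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        instr, _, args = stripped.partition(" ")
        yield lineno, instr.upper(), args


def audit_dockerfile(text):
    """Return (line, message) findings; an empty list means no key-handling mistakes."""
    findings = []
    for lineno, instr, args in _instructions(text):
        if instr in ("COPY", "ADD") and KEY_FILE.search(args):
            findings.append((lineno, "private key copied into a layer; it stays in the image history"))
        elif instr in ("ARG", "ENV") and KEY_VAR.search(args):
            findings.append((lineno, "key material in ARG/ENV is recorded in image metadata"))
        elif instr == "RUN" and RM_CMD.search(args) and KEY_FILE.search(args):
            findings.append((lineno, "deleting a key in a later RUN does not remove it from earlier layers"))
    return findings


def uses_agent_forwarding(text):
    """True when at least one RUN step requests the BuildKit SSH agent mount."""
    return any(instr == "RUN" and "--mount=type=ssh" in args for _, instr, args in _instructions(text))
```

Note that ssh-keyscan at build time trusts whatever host key the network returns; comparing the fetched key against GitHub's published fingerprints closes that gap.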