logo标签列表

在 Docker 容器中拉取私有 Git 仓库

gitdockersshdockerfile
3
我正在尝试将私有git repo拉入我的docker容器,我已经在Dockerfile中添加了我的SSHKey和下面的脚本,但不幸的是没有成功。
ENV SSH_KEY #SSHKey-Here#

# Configure git user
RUN git config --global user.email "developer@domain.com" && \
    git config --global user.name "Docker Image"

# Authorize SSH Host
RUN mkdir -p /root/.ssh && \
    chmod 0700 /root/.ssh && \
    ssh-keyscan gitlabdomain.com > /root/.ssh/known_hosts &&\
    chmod 644 /root/.ssh/known_hosts

# Add the keys and set permissions
RUN eval `ssh-agent -s` && \
    echo "$SSH_KEY" > /root/.ssh/id_rsa && \
    chmod 600 /root/.ssh/id_rsa

作为一项测试,我运行了以下命令:

docker exec php-container ssh -vT git@gitlabdomain.com

我收到了以下错误信息:

OpenSSH_6.7p1 Debian-5+deb8u4, OpenSSL 1.0.1t  3 May 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to cgitlabdomain.com [xxx.xxx.x.xxx] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u4
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none
debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 28:3d:da:79:af:1d:28:44:d9:dc:01:55:7e:09:4b:3d
debug1: Host 'gitlabdomain.com' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
Warning: Permanently added the ECDSA host key for IP address '188.166.30.98' to the list of known hosts.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: key_load_private_type: incorrect passphrase supplied to decrypt private key
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
Permission denied (publickey,password).

我在谷歌上搜索并尝试了几个建议,但似乎无法避开这些错误。我确信id_rsa文件实际存在,我的SSHKey也在里面,所以我不明白为什么会输出这些错误信息。
非常感谢任何帮助、建议和/或意见。
顺祝商祺,
Lennart
你的实际目标是什么?你可能想将Dockerfile和/或docker-compose.yml放在现有存储库的根目录中。您不想尝试从Dockerfile中运行git操作,并且绝对不想将ssh私钥添加到Docker镜像中(任何获得Docker镜像的人都可以使用)。 - David Maze
@DavidMaze 我的实际目标是在当前容器中更新所有高级WordPress插件,这些高级插件位于私有存储库中。 Docker镜像仅供内部使用,永远不会被推送/发布,因此我在实际的dockerfile中添加了SSHKey。 - Epicode
1个回答
3

从您的SSH输出来看,似乎您已经用密码保护了您的私钥:

debug1: Trying private key: /root/.ssh/id_rsa
debug1: key_load_private_type: incorrect passphrase supplied to decrypt private key

这个密码没有被提供,因此无法使用私钥。您需要在容器中运行ssh-add <key-file>,并提供密码以使身份验证成功。

我建议进行以下改进:

  • Even though your docker image is only for internal use, it is a bad idea to store ssh-keys within images on any system which is shared by multiple users. See this and this. You can instead create an image with a Dockerfile which passes in sensitive arguments:

    FROM library/centos

RUN yum install -y git

ARG HOME_DIR
ARG USER_ID

RUN echo "Setting up user $USER_ID with home directory: $HOME_DIR" \
  && useradd \
    --home-dir $HOME_DIR \
    --uid 1000 \
    $USER_DIR $USER_ID \
  && touch ${HOME_DIR}/entrypoint.sh \
  && mkdir -p ${HOME_DIR}/.ssh/ \
  && chown -R ${USER_ID}:${USER_ID} ${HOME_DIR} \
  && chmod -R 700 ${HOME_DIR}/.ssh \
  && touch ${HOME_DIR}/.ssh/id_rsa \
  && chmod 400 ${HOME_DIR}/.ssh/id_rsa \
  && chmod 777 ${HOME_DIR}/entrypoint.sh

ENTRYPOINT ${HOME_DIR}/entrypoint.sh

  • Create an entrypoint.sh script that is passed in when running the image. This will handle all the git initialization:

    # Setup Git Config
echo "Setting Git Config Values"
git config --global user.email "developer@domain.com" && \
    git config --global user.name "Docker Image"

# Setup Git Folders
echo "Adding Host Key for Github"
cd /home/my_user/ \
  && ssh-keyscan gitlabdomain.com > /home/my_user/.ssh/known_hosts

# Add ssh-key to SSH Agent
echo "Adding SSH Key to ssh-agent" \
  && eval `ssh-agent -s` && ssh-add /home/my_user/.ssh/id_rsa

# Cloning from remote repository
git clone git@gitlabdomain.com
# Prevent container from exiting
tail -f /dev/null

  • Then, run the container in interactive detached mode - this will allow you to attach to the container and enter the passphrase for the ssh-key.

    Also mount all sensitive files as read-only volumes, and run the container as your user. This will ensure files are only able to be accessed by you:

    my_user$ docker run \
  -itd \
  -e "HOME_DIR=/home/my_user" \
  -e "USER_ID=my_user" \
  -v /home/my_user/.ssh/id_rsa:/home/my_user/.ssh/id_rsa:ro \
  -v /home/my_user/entrypoint.sh:/home/my_user/entrypoint.sh \
  --user my_user \
  myimage
e4985a08a0d20f39414da801e9665abb364885052047f45e2f9943e7622c696b

  • Finally, attach to your container to provide the ssh-key passphrase, and detach with Ctrl-P, Ctrl-Q:

    myuser$ docker attach e4985a08a0d20f39414da801e9665abb364885052047f45e2f9943e7622c696b
<enter passphrase here>
Identity added: /home/my_user/.ssh/id_rsa 
(/home/my_user/.ssh/id_rsa)
Cloning into 'my_repo'...
Warning: Permanently added the RSA host key for IP address 'xx.xxx.xxx.xxx' to the list of known hosts.
remote: Counting objects: 1014, done.
remote: Total 1014 (delta 0), reused 0 (delta 0), pack-reused 1014
Receiving objects: 100% (1014/1014), 3.48 MiB | 1.16 MiB/s, done.
Resolving deltas: 100% (512/512), done.
read escape sequence

如果您不想进行附加/分离操作,可以尝试从文件中传递密码。请参阅此处

网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接