git - How to securely git clone/pip install a private repository into my docker image?
Problem description
I have a private repo that contains packages I want to pip install. I've spent quite a bit of time reading over various forums and articles about different ways to securely do this. There doesn't seem to be a consensus on how to best do this (if at all possible). I obviously don't want to expose any ssh keys/secrets in my dockerfile -- I want to be careful about making them available via docker history.
Solution
As explained in "Securely build small python docker image from private git repos", you would need to use, with Docker 18.09+, --ssh:

    You can use the --ssh flag to forward your existing SSH agent key to the builder. Instead of transferring the key data, docker will just notify the builder that such capability is available.
    Now when the builder needs access to a remote server through SSH, it will dial back to the client and ask it to sign the specific request needed for this connection.
    The key itself never leaves the client, and as soon as the command that requested the access has completed there is no information on the builder side to reestablish that remote connection later.

    Secrets:
    Provides a mount option during the build at /var/run/secrets, available only for the command that used it and not included in the created layer.

That is:

    docker build --ssh github_ssh_key=/path/to/.ssh/git_ssh_id_rsa .

only the agent connection is shared with that command, and not the actual content of the private key.
No other commands/steps in the Dockerfile will have access to it.

The Dockerfile, in a multistage first step, would give a key name github_ssh_key so we can use it when we invoke docker build:

    RUN --mount=type=ssh,id=github_ssh_key pip wheel \
        --no-cache \
        --requirement requirements.txt \
        --wheel-dir=/app/wheels
The OP Jesus Garcia did report (in the comments) making it work:

    I had to use 2 separate RUN commands. I'm not sure if it's a limitation of this new feature, or the way I was trying to string together multiple commands in my RUN, but I kept getting a publickey permission denied error when I added it as

        other commands && /bin/sh -c "mount=type=ssh,id=github_ssh_key pip install private-repo"

    vs

        RUN --mount=type=ssh,id=github_ssh_key pip install private-repo && more commands ...
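The full procedure the answer describes, as an added example that is not part of the original answer or of the linked article: a multi-stage Dockerfile whose first stage fetches the private packages through the forwarded agent with `--mount=type=ssh,id=github_ssh_key`, a second stage that only copies the finished wheels, a build invocation that forwards the host agent under that id, and a `docker history` check that nothing key-like landed in a layer. A small `check_dockerfile` lint is included to reject the patterns the question is worried about (COPY/ADD of a key, a key passed via ARG/ENV). The host `github.com`, the file `requirements.txt`, the tag `myapp:latest` and the `GIT_SSH_SOCK` variable are assumptions for the example.

```shell
#!/bin/sh
# Added example (not the original answer's code). Assumed names: github.com as
# the git host, requirements.txt in the build context, image tag myapp:latest.
# Requires BuildKit (Docker 18.09+) and a running ssh-agent holding the deploy key.
set -eu

# Print a multi-stage Dockerfile. Stage 1 is the only place with git, a
# known_hosts entry and the agent mount; stage 2 copies the wheels and nothing
# else, so neither tooling nor any SSH state reaches the final image.
render_dockerfile() {
    cat <<'EOF'
# syntax=docker/dockerfile:1
FROM python:3.11-slim AS builder
RUN apt-get update && apt-get install -y --no-install-recommends git openssh-client \
    && rm -rf /var/lib/apt/lists/*
# Pin the host key instead of disabling StrictHostKeyChecking.
RUN mkdir -p -m 0700 /root/.ssh && ssh-keyscan github.com >> /root/.ssh/known_hosts
WORKDIR /app
COPY requirements.txt .
# The agent socket exists only for this RUN; the private key never enters the
# build context, an ARG/ENV, or any layer.
RUN --mount=type=ssh,id=github_ssh_key pip wheel --no-cache-dir \
    --requirement requirements.txt --wheel-dir /app/wheels

FROM python:3.11-slim
WORKDIR /app
COPY --from=builder /app/wheels /app/wheels
RUN pip install --no-cache-dir --no-index --find-links /app/wheels /app/wheels/*.whl \
    && rm -rf /app/wheels
EOF
}

# Read a Dockerfile on stdin. Return 0 when it shows no obvious key leakage:
# no COPY/ADD of a private key, no key handed over via ARG/ENV, and the private
# fetch guarded by an ssh mount. Return 1 otherwise.
check_dockerfile() {
    text=$(cat)
    if printf '%s\n' "$text" | grep -Eiq '^(COPY|ADD)[^#]*(id_rsa|id_ed25519|\.ssh/)'; then
        return 1
    fi
    if printf '%s\n' "$text" | grep -Eiq '^(ARG|ENV)[^#]*(ssh_key|private_key|secret)'; then
        return 1
    fi
    printf '%s\n' "$text" | grep -Eq '^RUN --mount=type=ssh'
}

# Build with the host agent forwarded under the id the Dockerfile expects, then
# scan the layer history for anything that looks like key material. The socket
# path comes from GIT_SSH_SOCK or falls back to the current agent (assumption).
build_and_verify() {
    tag=${1:-myapp:latest}
    sock=${GIT_SSH_SOCK:-${SSH_AUTH_SOCK:?no ssh-agent socket available}}
    render_dockerfile > Dockerfile
    DOCKER_BUILDKIT=1 docker build --ssh "github_ssh_key=$sock" -t "$tag" .
    if docker history --no-trunc "$tag" | grep -Eiq 'PRIVATE KEY|id_rsa|id_ed25519'; then
        echo "key material found in image history of $tag" >&2
        return 1
    fi
    echo "built $tag; no key material in layer history"
}
```

Running `build_and_verify` from a directory containing `requirements.txt` reproduces the answer's setup end to end; the two RUN-level mounts the OP mentions remain separate instructions here, so each has its own agent socket for exactly the duration of that command.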