How to deploy code from Github using deploy key in Docker?

3

9

I want to pull code from Github into my Docker image while building. I have a deploy key generated from the repository, but it seems to me the ssh-agent is not working on my Docker image.

What I did (my Dockerfile):

FROM python:2.7-stretch
ADD ./id_rsa /root/.ssh/id_rsa
RUN eval "$(ssh-agent -s)"
RUN ssh-add -K /root/.ssh/id_rsa

Output:

Step 12/22 : RUN eval "$(ssh-agent -s)"
 ---> Running in f9ad80981cee
Agent pid 6
Removing intermediate container f9ad80981cee
 ---> d773f7ce5917
Step 13/22 : RUN ssh-add -K /root/.ssh/id_rsa
 ---> Running in 95efeed6a7ad
Could not open a connection to your authentication agent.
The command '/bin/sh -c ssh-add -K /root/.ssh/id_rsa' returned a non-zero code: 2

As you can see, ssh-agent is started, but the keys are not being added to it.

If I skip the ssh-add step then my git pull fails later because of privileges, which is failing as expected as no authentication happened.

Auklet answered 12/4, 2018 at 18:45 Comment(0)
4

Actually, you don't need to copy your private key to your container (and you'd better not do it).

All you need is ssh-agent installed and launched on both your host and your Docker container; then all you need to do is mount the ssh-agent's socket file:

If you are using docker-compose:

environment:
  - "SSH_AUTH_SOCK=/tmp/ssh-agent"
volumes:
  - $SSH_AUTH_SOCK:/tmp/ssh-agent

With docker:

docker run -v $SSH_AUTH_SOCK:/tmp/ssh-agent 8be57bbc9561 sleep 1000000 # 8be57bbc9561 is an id of the image
docker exec -it -e SSH_AUTH_SOCK=/tmp/ssh-agent 5b6f4a8f8661 /bin/ash # 5b6f4a8f8661 is an id of the container

P.S

As for your case, I think the problem can be related to the export command, which is normally evaled from the output of the ssh-agent.

It should provide you two variables: SSH_AUTH_SOCK and SSH_AGENT_PID. But the export won't persist across images.

You've used RUN two times: first for launching the ssh-agent and exporting variables and then for adding a key. And each Dockerfile directive will generate an intermediate container (and export won't persist across them).

If you still want to use it this way (which I strongly recommend avoiding), you can try to bind both commands in a single RUN:

RUN eval "$(ssh-agent -s)" && ssh-add /root/.ssh/id_rsa

I've written a short post based on my answer above.

Malonis answered 12/4, 2018 at 19:3 Comment(6)
Okay, I got it, so to avoid putting keys, and I do have the intention of using docker compose later on as I have multiple services, I was just starting up. So coming to the point, I tried docker build . -v $SSH_AUTH_SOCK:/tmp/ssh-agent -e SSH_AUTH_SOCK=/tmp/ssh-agent. It resulted in: unknown shorthand flag: 'v' in -v See 'docker build --help'. Can you point me to appropriate documentation on how to do it the way you are suggesting? Thanks a lot for all the help :) and is it possible to test the Dockerfile with docker build and then later on write the docker compose? - Auklet
@HarshM the -v and -e flags are used with the docker run command, not with docker build, because the mounted volumes and environment variables are related to the container's runtime, not to the image itself. - Malonis
Yes, it is possible, and actually it also works so. Docker compose often uses the Dockerfile underneath to build and launch your service. It just helps you to define these flags within a pretty formatted configuration file and to define some related services too. - Malonis
I got it, but I incorporated your suggestion and am now using CodeBuild as the build tool, and not using ssh to fetch code in the Docker image. Thanks. - Auklet
I don't get it. For "docker run" you need an image, but ssh is used during the build stage. How can I mount the ssh-agent's socket file while I build the image? - Heft
@Oroffe Use CodeBuild or a similar service instead of using ssh to pull your code. - Auklet
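
Added example, not part of any post above: with BuildKit (Docker 18.09 or later) the host's ssh-agent can be forwarded to a single RUN step at build time, so the deploy key is never copied into an image layer. OWNER/REPO and /app are placeholders, and the sketch assumes the deploy key has already been loaded into the host's agent with ssh-add.

```dockerfile
# syntax=docker/dockerfile:1
# Build with the host agent forwarded (BuildKit must be enabled):
#   DOCKER_BUILDKIT=1 docker build --ssh default -t myimage .
# "myimage" is a placeholder tag.

FROM python:2.7-stretch

# No ADD/COPY of id_rsa: anything copied in an earlier instruction stays
# readable in that layer even if a later RUN deletes the file.

# Record GitHub's host key so git does not prompt during the build.
# ssh-keyscan trusts whatever answers at build time; compare the result
# against GitHub's published fingerprints, or bake in a verified
# known_hosts file instead.
RUN mkdir -p -m 0700 /root/.ssh \
 && ssh-keyscan github.com >> /root/.ssh/known_hosts

# The agent socket is mounted for this instruction only. SSH_AUTH_SOCK is
# set inside this RUN and is gone afterwards, so neither the key nor the
# socket path ends up in the final image.
# OWNER/REPO is a placeholder for the repository the deploy key belongs to.
RUN --mount=type=ssh \
    git clone --depth 1 git@github.com:OWNER/REPO.git /app

WORKDIR /app
```

Because the agent only signs on the build's behalf, the private key material itself never enters the build context.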
0

From this link:

The -K option is Apple's standard version of ssh-add, which stores the passphrase in your keychain for you when you add an ssh key to the ssh-agent.

If you don't have Apple's standard version installed, you may receive an error.

Try to remove the -K option and build it again. The following worked for me:

FROM python:2.7-stretch
ADD ./id_rsa /root/.ssh/id_rsa
RUN eval "$(ssh-agent -s)" && ssh-add /root/.ssh/id_rsa
Tartary answered 12/4, 2018 at 21:6 Comment(0)
-1

Edit ~/.ssh/config

Add with your new key

Host github.com
IdentityFile /root/.ssh/id_rsa
Cablet answered 12/4, 2018 at 19:6 Comment(1)
This would mean using a key which is not password protected. - Gastric
