How to bake credentials into a Docker image for git?
This is actually a question following from my previous one.

I am trying to use docker to host a personal note-taking web service and want to backup data generated by the service (my notes). Currently I plan to use git to commit, pull, and push to a repository for my purpose.

To do git pull and push, my docker image needs to host my credentials. What is the easiest yet safe way to achieve this?

What I have done so far:

  • I chose Alpine as the base image for my service.
  • Because I only need credentials for git, I think putting a git credential helper into the image may solve my problem. I can save credentials to the helper at build time and use them at runtime.
  • I googled for a while and decided to use libsecret as my git credential helper, according to this article.
  • I have installed libsecret and set my git credential helper to git-credential-libsecret.

However, I cannot make git-credential-libsecret functional so far. Here are a couple of problems that I encountered:

  • Firstly, I tested git-credential-libsecret get and got the following error:

    CRITICAL **: could not connect to Secret Service: Cannot spawn a message bus without a machine-id: Unable to load /var/lib/dbus/machine-id or /etc/machine-id: Failed to open file "/var/lib/dbus/machine-id": No such file or directory

    • I (probably?) solved it by installing dbus and running dbus-uuidgen > /var/lib/dbus/machine-id
  • Then I tried to run git-credential-libsecret get again. This time, it reports:

    CRITICAL **: could not connect to Secret Service: Cannot autolaunch D-Bus without X11 $DISPLAY

    • I tried installing dbus-x11 and running dbus-launch --sh-syntax (from here), but with no luck this time. The error persists.

In conclusion, I would like to know:

  1. Am I heading in the right direction (using a git credential helper) to achieve my goal?
  2. If so, how can I resolve the X11 problem?
  3. Are there any other quick and clean methods to back up data in docker with version control?
Holohedral answered 13/1, 2018 at 6:19 Comment(5)
Also, why couldn't you use git-credential-store? It does not seem to use X11, dbus or whatever. – Unlimber
People spend time answering your questions. In return, you should mark an answer for your previous questions and +1 good comments. – Antedate
@Unlimber I chose not to use git-credential-store because it saves passwords in plain text. But maybe I am just being paranoid. – Holohedral
I don't know much about libsecret, but it seems to be some kind of password manager which can encrypt the password with a master password, which the user can enter interactively to decrypt the password. But since you are going to run it non-interactively, the image would have to contain the password anyway, maybe somehow obfuscated. – Unlimber
Yeah, I think you're probably right. No matter how the serialized passwords are encrypted by the credential helper, when a bad guy somehow has full control over my container, s/he can retrieve the passwords simply through the credential helper interface (because the credential helper thinks the bad guy is authenticated). I did not think about that before. – Holohedral
3

If your git provider supports SSH with public keys, I think the easiest way would be to switch to them. You would also not have to copy your password around.

You need to:

Unlimber answered 13/1, 2018 at 7:44 Comment(2)
In your opinion, which is safer, or causes less damage to my overall privacy when leaked: placing an SSH private key in the image vs. using git-credential-store to save a plain-text account/password pair in the image? – Holohedral
If you only need credentials at runtime, I suggest not baking them into the docker image and instead volume-mounting them at runtime. This means you can publish your docker image without fear of leaking your credentials. – Academe
1

It depends on where you are running git-credential-libsecret: you need to have it installed in your image/container, not on the host.

Note that another option would be to use a volume (see my answer to your previous question), in which case, git could be installed only on the host.

But here, you would use git directly in your image, which means, as in this Dockerfile, you need to have in your Dockerfile:

RUN apt-get update -y && \
    apt-get install --no-install-recommends -y libsecret-1-0 git

https://github.com/electron-userland/electron-builder/blob/master/docker/base/Dockerfile

Yashmak answered 13/1, 2018 at 7:21 Comment(4)
Yes, I did install and run git-credential-libsecret in my Alpine image. (And it did take me a while to get it compiled.) This is why I am so troubled by the X11 issue, as I don't think it is possible to run X11 in my image. – Holohedral
Maybe there is a compilation option which would specify not to use the X11 dependency in any way? – Yashmak
That is a good point. However, I cannot see any options in its Makefile. I am not quite sure what the role of libsecret is. I saw somewhere that it is an interface for accessing the secret service. On Alpine, it seems to be secret-tool. And running secret-tool also gets the X11 error. – Holohedral
You can also use a .netrc, which is supported by Git (via curl) with no dependencies. – Recognizance
0

I solved this problem by doing:

# syntax=docker/dockerfile:1

FROM alpine:latest
RUN apk update
RUN apk add git
RUN --mount=type=secret,id=git_credential_store \
  git clone "https://me:$(cat /run/secrets/git_credential_store | sed 's/.*\/\/\(.*\):.*/\1/')@github.com/me/app-repo.git"

and supply the secret like this:

docker build --secret id=git_credential_store,src=/path/to/.git-credential-store -t my-amazing-image .
Anvers answered 5/7, 2023 at 0:36 Comment(0)
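The sed in the answer above pulls out whatever precedes the last `:` after `//`, which only yields the token when the file uses the token-in-the-username convention, and it leaves percent-encoded characters untouched. Git writes each `.git-credentials` line as a URL with percent-encoded user and password, so parsing it as a URL is the robust alternative. The following is an added example, not code from the answer; `SAMPLE` is a constructed file with fake entries, and the `/run/secrets/git_credential_store` path is the secret id from the answer.

```python
"""Parse a git-credentials file as URLs instead of with a sed regex.

Added example, not from the answer above. Git stores each line as
scheme://user:password@host with user and password percent-encoded.
"""
import re
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Constructed sample file contents (fake entries, not real secrets): one
# user/password pair whose password contains ':' and '@' (stored encoded),
# and one token stored GitHub-style, with the token in the user position.
SAMPLE = """\
https://alice:s3cr%3At%40pw@github.com
https://ghp_EXAMPLETOKEN:x-oauth-basic@gitlab.example.org
"""


def naive_extract(line):
    """Mirror of the answer's sed expression: greedy match up to the LAST ':'."""
    return re.sub(r".*//(.*):.*", r"\1", line)


def parse_git_credentials(text):
    """Yield (scheme, host, username, password) per entry, percent-decoded."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = urlsplit(line)
        if parts.username is None or parts.hostname is None:
            continue
        yield (parts.scheme, parts.hostname,
               unquote(parts.username), unquote(parts.password or ""))


def credential_for(text, host, scheme="https"):
    """Return (username, password) for the first entry matching scheme and host."""
    for s, h, user, password in parse_git_credentials(text):
        if s == scheme and h == host:
            return user, password
    return None


def clone_url(repo_url, username, password):
    """Embed credentials into a clone URL, percent-encoding both parts."""
    p = urlsplit(repo_url)
    netloc = f"{quote(username, safe='')}:{quote(password, safe='')}@{p.hostname}"
    if p.port:
        netloc += f":{p.port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))


if __name__ == "__main__":
    # Inside a RUN --mount=type=secret step the text would come from
    # /run/secrets/git_credential_store; SAMPLE stands in for it here.
    user, password = credential_for(SAMPLE, "github.com")
    print("naive sed result:", naive_extract(SAMPLE.splitlines()[0]))  # alice (the user, not the secret)
    print("parsed:", user, password)                                   # alice s3cr:t@pw
    print(clone_url("https://github.com/me/app-repo.git", user, password))
```

One caveat that applies to the answer's `git clone "https://me:…@github.com/…"` form as well: git records the remote URL verbatim in the cloned repository's `.git/config`, so the credential persists in the image layer even though the secret mount itself leaves no trace. Either reset the remote afterwards (`git remote set-url origin https://github.com/me/app-repo.git`) or let a credential helper supply the secret during the clone instead of embedding it in the URL.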
0

I had a requirement once where I needed to run the git clone command inside the Docker image; I was using a private Bitbucket. To authorize we needed to pass git credentials; the only problem was that we were not able to hardcode them. So what I did was:

  1. Set up git inside the Dockerfile:

# Install git and other dependencies
RUN apt-get update && \
    apt-get install -y git && \
    apt-get clean

  2. The next step is to configure git credentials. There are two ways to do this. First, inside the Dockerfile you could run this command:

RUN git config --global credential.helper '!f() { echo "username={BB_USER_NAME}"; echo "password={BB_PASS_WORD}"; }; f'

     Second, since in my case BB_USER_NAME and BB_PASS_WORD are stored as secrets, they won't be available when building the image (i.e. while the docker build ... command runs). So the solution is this: in a Flask app (our server is a Flask app), you can run this command before the server starts, because BB_USER_NAME and BB_PASS_WORD, stored as secrets, will be available when the server is started.

In the app.py file:

"""Flask APP"""

from flask import Flask
from utils.util import setup_git_credentials

if __name__ == "__main__":
    APP = Flask(__name__)
    # Set up git credentials before the server starts. Flask's before_first_request
    # hook was removed in Flask 2.3, so the function is simply called here.
    setup_git_credentials()
    APP.run(host="0.0.0.0", port=5020, debug=True)

utils/util.py:

import logging
import os
import shlex
import subprocess

logger = logging.getLogger(__name__)

def setup_git_credentials():
    # Read the Bitbucket credentials from the environment at startup (runtime, not build time).
    BB_USER_NAME = os.environ.get("BB_USER_NAME", None)
    BB_PASS_WORD = os.environ.get("BB_PASS_WORD", None)
    logger.info("Running Git configuration")
    if BB_USER_NAME and BB_PASS_WORD:
        # shlex.quote stops quotes or ';' in a secret from breaking the shell function git runs;
        # note that the helper, including both values, is written in plain text to ~/.gitconfig.
        helper = f"!f() {{ echo {shlex.quote('username=' + BB_USER_NAME)}; echo {shlex.quote('password=' + BB_PASS_WORD)}; }}; f"
        subprocess.run(["git", "config", "--global", "credential.helper", helper], check=True)
        logger.info("Completed Git configuration")

This is how I resolved it! Cheers

Preposition answered 18/5 at 9:15 Comment(0)
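The inline shell helper in the answer above writes both values into `~/.gitconfig` and interpolates the secret into shell syntax. A helper that speaks git's credential protocol directly and reads the secret from the environment on each call keeps it off disk and out of any shell string. The following is an added example, not the answer's code: it assumes the script is installed at `/app/git_cred_env.py` and registered with `git config --global credential.helper /app/git_cred_env.py`; `BB_USER_NAME` and `BB_PASS_WORD` are the variable names from the answer, and `GIT_CRED_HOST` (the single host the helper will answer for) is an assumed addition.

```python
"""Git credential helper that answers from environment variables.

Added example, not from the answer above. Git runs the helper as
`<helper> get|store|erase`, writes attribute lines (protocol=, host=,
path=, username=) on stdin terminated by a blank line, and for "get"
expects username=/password= lines on stdout. Assumed install path:
/app/git_cred_env.py, registered via
    git config --global credential.helper /app/git_cred_env.py
"""
import os
import sys


def parse_request(text):
    """Parse the key=value attribute lines git sends to a helper."""
    request = {}
    for line in text.splitlines():
        if not line:
            break  # a blank line ends the request
        key, sep, value = line.partition("=")
        if sep:
            request[key] = value
    return request


def respond(action, request, env):
    """Build the helper's stdout for one invocation; empty means 'no answer'."""
    if action != "get":
        return ""  # store/erase are no-ops: this helper keeps no state on disk
    user = env.get("BB_USER_NAME")
    password = env.get("BB_PASS_WORD")
    if not user or not password:
        return ""
    if "\n" in user or "\n" in password:
        return ""  # the protocol is line based; refuse values that would corrupt it
    if request.get("protocol") != "https":
        return ""  # never send the secret over plain http
    allowed_host = env.get("GIT_CRED_HOST")  # assumed variable, e.g. bitbucket.org
    if allowed_host and request.get("host") != allowed_host:
        return ""  # do not hand the credential to every host git asks about
    if "username" in request and request["username"] != user:
        return ""  # git already knows a different user for this URL
    return f"username={user}\npassword={password}\n"


if __name__ == "__main__":
    action = sys.argv[1] if len(sys.argv) > 1 else "get"
    sys.stdout.write(respond(action, parse_request(sys.stdin.read()), os.environ))
```

This removes the on-disk copy and the quoting problem, but not the limit the question's comments already point out: any process that can run inside the container, whether via docker exec or a bug in the Flask app, can invoke the helper and read the same environment.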
