在Docker容器中提取私有git回购
我试图将一个私有git回购拉入docker容器,我将下面的SSHKey和脚本添加到Dockerfile中,但不幸的是没有成功在Docker容器中提取私有git回购,git,docker,ssh,dockerfile,Git,Docker,Ssh,Dockerfile,我试图将一个私有git回购拉入docker容器,我将下面的SSHKey和脚本添加到Dockerfile中,但不幸的是没有成功 ENV SSH_KEY #SSHKey-Here# # Configure git user RUN git config --global user.email "developer@domain.com" && \ git config --global user.name "Docker Image" # Authorize SSH Ho
ENV SSH_KEY #SSHKey-Here#
# Configure git user
RUN git config --global user.email "developer@domain.com" && \
git config --global user.name "Docker Image"
# Authorize SSH Host
RUN mkdir -p /root/.ssh && \
chmod 0700 /root/.ssh && \
ssh-keyscan gitlabdomain.com > /root/.ssh/known_hosts &&\
chmod 644 /root/.ssh/known_hosts
# Add the keys and set permissions
RUN eval `ssh-agent -s` && \
echo "$SSH_KEY" > /root/.ssh/id_rsa && \
chmod 600 /root/.ssh/id_rsa
作为测试,我运行以下命令:
docker exec php-container ssh -vT git@gitlabdomain.com
我得到以下错误:
OpenSSH_6.7p1 Debian-5+deb8u4, OpenSSL 1.0.1t 3 May 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to cgitlabdomain.com [xxx.xxx.x.xxx] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u4
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none
debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 28:3d:da:79:af:1d:28:44:d9:dc:01:55:7e:09:4b:3d
debug1: Host 'gitlabdomain.com' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
Warning: Permanently added the ECDSA host key for IP address '188.166.30.98' to the list of known hosts.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: key_load_private_type: incorrect passphrase supplied to decrypt private key
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
Permission denied (publickey,password).
我在谷歌上搜索了一下,尝试了一些建议,但似乎无法回避这些错误,我确信id_rsa文件确实存在,我的SSHKey也在其中,所以我不明白为什么会输出这些错误
任何帮助、建议和/或建议将不胜感激
亲切问候,
Lennart从您的SSH输出来看,您似乎用密码短语保护了私钥:
debug1: Trying private key: /root/.ssh/id_rsa
debug1: key_load_private_type: incorrect passphrase supplied to decrypt private key
并且未提供此密码,因此无法使用私钥。您需要在容器中运行一个ssh add
,并提供认证成功的密码
我建议作出以下改善:
- 即使docker映像只供内部使用,但在任何由多个用户共享的系统上的映像中存储ssh密钥也是一个坏主意。见和。
您可以改为使用Dockerfile创建图像,该文件将传入敏感参数:
FROM library/centos RUN yum install -y git ARG HOME_DIR ARG USER_ID RUN echo "Setting up user $USER_ID with home directory: $HOME_DIR" \ && useradd \ --home-dir $HOME_DIR \ --uid 1000 \ $USER_DIR $USER_ID \ && touch ${HOME_DIR}/entrypoint.sh \ && mkdir -p ${HOME_DIR}/.ssh/ \ && chown -R ${USER_ID}:${USER_ID} ${HOME_DIR} \ && chmod -R 700 ${HOME_DIR}/.ssh \ && touch ${HOME_DIR}/.ssh/id_rsa \ && chmod 400 ${HOME_DIR}/.ssh/id_rsa \ && chmod 777 ${HOME_DIR}/entrypoint.sh ENTRYPOINT ${HOME_DIR}/entrypoint.sh
- 创建在运行映像时传入的entrypoint.sh脚本。这将处理所有git初始化:
# Setup Git Config echo "Setting Git Config Values" git config --global user.email "developer@domain.com" && \ git config --global user.name "Docker Image" # Setup Git Folders echo "Adding Host Key for Github" cd /home/my_user/ \ && ssh-keyscan gitlabdomain.com > /home/my_user/.ssh/known_hosts # Add ssh-key to SSH Agent echo "Adding SSH Key to ssh-agent" \ && eval `ssh-agent -s` && ssh-add /home/my_user/.ssh/id_rsa # Cloning from remote repository git clone git@gitlabdomain.com # Prevent container from exiting tail -f /dev/null
- 然后,以交互式分离模式运行容器-这将允许您连接到容器并输入ssh密钥的密码短语
还可以将所有敏感文件装载为只读卷,并以用户身份运行容器。这将确保文件只能由您访问:
my_user$ docker run \ -itd \ -e "HOME_DIR=/home/my_user" \ -e "USER_ID=my_user" \ -v /home/my_user/.ssh/id_rsa:/home/my_user/.ssh/id_rsa:ro \ -v /home/my_user/entrypoint.sh:/home/my_user/entrypoint.sh \ --user my_user \ myimage e4985a08a0d20f39414da801e9665abb364885052047f45e2f9943e7622c696b
- 最后,连接到容器以提供ssh密钥密码短语,并使用
,Ctrl-p
分离:Ctrl-Q
myuser$ docker attach e4985a08a0d20f39414da801e9665abb364885052047f45e2f9943e7622c696b <enter passphrase here> Identity added: /home/my_user/.ssh/id_rsa (/home/my_user/.ssh/id_rsa) Cloning into 'my_repo'... Warning: Permanently added the RSA host key for IP address 'xx.xxx.xxx.xxx' to the list of known hosts. remote: Counting objects: 1014, done. remote: Total 1014 (delta 0), reused 0 (delta 0), pack-reused 1014 Receiving objects: 100% (1014/1014), 3.48 MiB | 1.16 MiB/s, done. Resolving deltas: 100% (512/512), done. read escape sequence
myuser$docker附件E4985A08A0D20F39414DA801E9665ABB36488505204747F45E2F9943E7622C696B 添加的标识:/home/my\u user/.ssh/id\u rsa (/home/my_user/.ssh/id_rsa) 克隆到“我的报告”。。。 警告:已将IP地址“xx.xxx.xxx.xxx”的RSA主机密钥永久添加到已知主机列表中。 远程:计数对象:1014,完成。 远程:总计1014(增量0),重复使用0(增量0),包重复使用1014 接收对象:100%(1014/1014),3.48 MiB | 1.16 MiB/s,完成。 解析增量:100%(512/512),完成。 读转义序列
或者,如果不想附加/分离,可以尝试从文件中传入密码短语。参见你的实际目标是什么?您可能希望将
Dockerfile
和/或docker compose.yml
放在现有存储库的根目录中。您不想尝试从您的Dockerfile
中运行git操作,并且您肯定不想将ssh私钥添加到Docker映像(它将提供给获得Docker映像的任何人使用)。@DavidMaze我的实际目标是更新当前容器中的所有高级Wordpress插件,这些高级插件存在于私人回购协议中。Docker映像将仅用于内部使用,不会被推送/发布,因此我在实际dockerfile中添加了SSHKey。