
I am trying to clone a repository inside a docker image using a docker file. I am running in Ubuntu 18.04 with docker version 20.10.17. I know docker files are automatic and do not allow user input. Therefore I need to clone via ssh. I started with:

    ssh-keygen
    ssh-add -k ~/.ssh/id_rsa
    cat ~/.ssh/id_rsa.pub | xclip -sel clip

I then pasted the key into bitbucket as a new key. I left the passphrase and all as blank when doing this. Not sure if that is the start of my issues. Now to the docker file.

I have tried multiple ways. Using the below docker file gives me an error when trying to do the actual git clone:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Permissions 0755 for '/root/.ssh/id_rsa' are too open.
    It is required that your private key files are NOT accessible by others.
    This private key will be ignored.
    Load key "/root/.ssh/id_rsa": bad permissions
    git@bitbucket.org: Permission denied (publickey).
    fatal: Could not read from remote repository.

    Please make sure you have the correct access rights
    and the repository exists.

The docker file is:

    FROM ubuntu:18.04 AS intermediate
    ENV HOME /root
    ARG DEBIAN_FRONTEND=noninteractive
    VOLUME /home/user/.ssh/id_rsa /root/.ssh/id_rsa
    RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections && \
        apt-get update && apt-get upgrade -y && apt-get -y --no-install-recommends install \
        build-essential \
        cmake \
        ssh \
        git
    RUN chmod 700 /root/.ssh #&& \#
    RUN touch /root/.ssh/known_hosts
    RUN ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts
    RUN chmod 400 /root/.ssh/id_rsa
    RUN git clone git@bitbucket.org:company/myRepo.git

    FROM ubuntu:18.04
    LABEL Description="Build environment"
    ENV HOME /root
    SHELL ["/bin/bash", "-c"]
    ARG DEBIAN_FRONTEND=noninteractive
    COPY --from=intermediate myRepo /git/myRepo

I have even tried adding the ssh key directly to the docker file and creating the id_rsa file and location. I get the same error except the permission is now 0644. Here is the other version of my docker file:

    FROM ubuntu:18.04 AS intermediate
    ENV HOME /root
    ARG SSH_PRIVATE_KEY="ssh-rsa AAA..."
    ARG DEBIAN_FRONTEND=noninteractive
    RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections && \
        apt-get update && apt-get upgrade -y && apt-get -y --no-install-recommends install \
        build-essential \
        cmake \
        ssh \
        git
    RUN mkdir /root/.ssh/
    RUN chmod 755 /root/.ssh
    RUN echo "${SSH_PRIVATE_KEY}" > /root/.ssh/id_rsa
    RUN ssh-keygen -f ~/.ssh/id_rsa -p
    RUN touch /root/.ssh/known_hosts
    RUN ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts
    RUN chmod 400 /root/.ssh/id_rsa
    RUN git clone git@bitbucket.org:company/myRepo.git

    FROM ubuntu:18.04
    LABEL Description="Build environment"
    ENV HOME /root
    SHELL ["/bin/bash", "-c"]
    ARG DEBIAN_FRONTEND=noninteractive
    COPY --from=intermediate myRepo /git/myRepo

I followed instructions to set up the file to use an SSH key to clone the repo from here.

I was getting issues about formatting for the key. That led me to adding the ssh-keygen RUN command that supposedly will force proper formatting. This was found here.

As for solving the permission issue, I have seen plenty of threads about inserting chmod, but the permissions I set don't even seem to show up properly. I checked here to try and solve the permission issue.

  • This isn't a Git issue, it's purely docker+ssh. Commented Sep 9, 2022 at 17:21
  • 1
    With your final solution, your id_rsa file remains on the host computer and never gets copied into the image, right? I assume that what VOLUME does, but is that volume only mounted during the docker build, and removed in the final image? That's a pretty cool approach. Commented Sep 9, 2022 at 17:22
  • That should be the case. Anything done in the intermediate stage should just be discarded in the final image. That was my understanding from the first link I posted. Commented Sep 9, 2022 at 18:05
  • 1
    Does this answer your question? How to add ssh passphrase to Docker and removed it after it was used? Commented Sep 11, 2022 at 10:39

1 Answer

Actually found the answer to my question. Credit goes to user "questionto42standswithUkraine" here.

I copied the file ~/.ssh/id_rsa to the directory with my docker file.

*edit This was at the top of my docker file in the intermediate step

    COPY id_rsa /root/.ssh/id_rsa
    RUN chmod 600 /root/.ssh/id_rsa

*end edit

I ultimately ended up with

    RUN touch /root/.ssh/known_hosts && ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts && \
        git clone git@bitbucket.org:company/myRepo.git

Worked perfectly.


6 Comments

Wait, so here you are copying id_rsa into your container? If it stays there in the end, or even just exists in a layer, that's a pretty big security hole, since you would be giving away your secret with the docker file itself.
If done in the intermediate stage, it should just get tossed out. Otherwise, can just remove /root/.ssh/ completely before the dockerfile exits if not doing a multi-stage build.
My understanding is that each Docker stage actually stays in the image when you're done, unless you squash them. I don't actually know how to do that, but I'm pretty sure that's what happens because if you install stuff and clean up the install caches in different RUN lines, the final image is not smaller, but if you do the clean up in the same RUN line, then the image actually shrinks. So someone with the right know-how will be able to find your id_rsa file, even if you delete it in RUN line at the end.
If you could create, use and then delete the id_rsa file all in the same RUN command, then I think that might be safe.
See the comment from @questionto41standswithUkraine below their answer here stackoverflow.com/a/66648403/3216427 where they express similar security concerns and suggest a solution.
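The question's two failures (a VOLUME that is never mounted at build time, and a key file whose mode is too open) and the concern in the comments above (a copied id_rsa surviving in an intermediate layer) can both be avoided with BuildKit's `--mount=type=ssh`, which forwards the host's ssh-agent into a single RUN step without writing a key into any layer. This is an added example, not code from the question or the accepted answer; the repository URL is the one from the question, and the `/git/myRepo` path and image name are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from the original question or answer).
# Build with the agent holding the key (the passphrase prompt, if any,
# happens at ssh-add time on the host, never inside the build):
#   eval "$(ssh-agent)" && ssh-add ~/.ssh/id_rsa
#   DOCKER_BUILDKIT=1 docker build --ssh default -t myrepo-build .
FROM ubuntu:18.04 AS intermediate
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update \
    && apt-get install -y --no-install-recommends git openssh-client \
    && rm -rf /var/lib/apt/lists/*
# Record the server host key once; .ssh must be 0700 for ssh to trust it.
RUN mkdir -p -m 0700 /root/.ssh \
    && ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts
# The agent socket is mounted only for this one instruction. No private
# key is ever written to the filesystem, so nothing remains in the layer.
RUN --mount=type=ssh git clone git@bitbucket.org:company/myRepo.git /git/myRepo

# The final stage copies only the checkout; no SSH material exists to leak.
FROM ubuntu:18.04
LABEL Description="Build environment"
COPY --from=intermediate /git/myRepo /git/myRepo
```

If no agent is available, `RUN --mount=type=secret,id=id_rsa,target=/root/.ssh/id_rsa git clone ...` together with `docker build --secret id=id_rsa,src=$HOME/.ssh/id_rsa` mounts the key file read-only (mode 0400 by default) for that step with the same no-layer property.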
