Comments (16)
I guess the problem is not having the SSH auth socket itself available, but the necessary mapping in .gitconfig and .ssh/config to map keys to repos.
from ssh-agent.
I didn't realize the `key-*` files in `~/.ssh` already were just the public keys. So I think that while copying the contents of `~/.ssh` into a container is less than ideal, it is at least not disclosing anything meant to be secret and is the best we can do with Docker at the moment.
Thanks for a very helpful action.
While this is a bit of an older issue, I seem to have solved this with our build process by doing something like this. Posting here for anyone else who comes across this:

```yaml
# Setup SSH_AUTH_SOCK to pull from other git repos during the build, using separate sockets via ssh-auth-sock to be able to define them in the docker build section
- name: Setup SSH_AUTH_SOCK Repo A
  uses: webfactory/[email protected]
  with:
    ssh-private-key: ${{ secrets.REPO_A_DEPLOY_KEY }}
    ssh-auth-sock: /tmp/repo-a-${{ github.sha }}.sock
- name: Setup SSH_AUTH_SOCK Repo B
  uses: webfactory/[email protected]
  with:
    ssh-private-key: ${{ secrets.REPO_B_DEPLOY_KEY }}
    ssh-auth-sock: /tmp/repo-b-${{ github.sha }}.sock
# Sets up buildx to enable docker buildkit features
- name: Set up Docker Buildx
  id: buildx
  uses: docker/setup-buildx-action@v2
  with:
    install: true
- name: Build and push
  uses: docker/build-push-action@v3
  with:
    push: true
    tags: myregistry/myrepo:latest
    file: Dockerfile
    # one ssh mount ID per agent socket; the IDs are referenced from the Dockerfile
    ssh: |
      default=${{ env.SSH_AUTH_SOCK }}
      repoa=/tmp/repo-a-${{ github.sha }}.sock
      repob=/tmp/repo-b-${{ github.sha }}.sock
```

This sets up separate ssh mount IDs you can reference in your build file:

```dockerfile
# Note: the id here matches what is defined in the docker build and push step above
# Repo A action
RUN --mount=type=ssh,id=repoa git clone git@github.com:org/repo-a.git .
# Repo B Action
RUN --mount=type=ssh,id=repob yarn install --frozen-lockfile
```
@nicolo-kira the solution you suggested is the neatest IMO, including the one in the documentation. Note you can also remove the `default=${{ env.SSH_AUTH_SOCK }}` line, which is neat because some linters flag this line as a false positive.
@mpdude Is it possible to add this solution to the documentation? It's safer and easier to implement. I am unsure if there are any downsides to this approach.
I don’t see how this is related to the action…?
Could you explain please?
@mpdude sorry, I've edited to add some context. The action is incredibly useful.
Ok, I think I now understand what this is about.
Not sure I can really help, but we can keep this open for some time to get some visibility.
Thoughts:
- Is it possible to mount the relevant directories/config files at `docker build` time instead of having to copy them?
- You could try if the SSH config file supports `~` for paths. Maybe that could make the `sed` command unnecessary (if we can adapt in this action).
Does that help?
You should try the RUN like so: `RUN --mount=type=ssh`
I think `~` in the SSH config should work, but I have not found anything else that simplifies the setup unfortunately. There is a 2-year-old buildkit issue for mounting directories as secrets during a build, which could make it safer to do (the COPY I do in my build is only safe because it is multi-stage and the home directory doesn't get copied over).
Buildkit support for such things would of course be best.
I also would not want to have ~/.ssh in intermediate layers of my images, but at least there is no sensitive data in this file.
I am not sure about .gitconfig, though – it might be that actions/checkout leaves a secret token in that?
@mpdude I'm interested in following this, as it's exactly the same issue that I came across - you've summarised it really well.
Copying the git and ssh configs and keys into the container, as you suggested, did work for me, but the problem with that is that the private keys are then sitting in the Docker container. It would be better if it could make use of the keys that have been made available to it via ssh agent forwarding - I guess you haven't found a way of doing that?
@aingham See the initial comment for how the SSH Agent socket can be mounted for a RUN command at build time. You don't have to (and almost never should) copy private SSH keys into a Docker image unless you absolutely understand the implications.
@iamnoah any idea how we could proceed here?
So this answer suggests that we could copy just the public keys into the docker container, and use them as the IdentityFile in .ssh/config to pick the correct key from the agent. So no private keys would end up in the container. I'll test this out when I can.
.gitconfig should not have anything sensitive in it.
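The key-to-repo mapping the first comment mentions, built from public keys only as this comment proposes, as an added shell example (not code from the thread or the webfactory/ssh-agent action). The `<alias>.pub` file layout, the `<alias>.github.com` Host alias scheme and the `/home/runner/.ssh` path inside the image are assumptions; the sample public key is constructed.

```sh
#!/bin/sh
# Added example, not from this thread or the webfactory/ssh-agent action.
# Assembles a Docker build-context dir holding ONLY public key material plus
# the ssh_config/gitconfig that makes the forwarded agent pick the right deploy
# key per repo. Assumed layout: one "<alias>.pub" per repo in the source dir.
# In the image: COPY ssh/ /home/runner/.ssh and COPY gitconfig /etc/gitconfig,
# then RUN --mount=type=ssh git clone git@github.com:org/repo.git
set -eu

# build_ssh_ctx CTX_DIR SRC_SSH_DIR alias=org/repo [alias=org/repo ...]
build_ssh_ctx() {
  ctx="$1"; src="$2"; shift 2
  # Guard: refuse if anything in the source dir looks like a private key, so a
  # stray key can never end up in a build context or an intermediate layer.
  if grep -rls -- '-----BEGIN .*PRIVATE KEY-----' "$src" >/dev/null; then
    echo "refusing: private key material found in $src" >&2
    return 1
  fi
  mkdir -p "$ctx/ssh"
  : > "$ctx/ssh/config"
  : > "$ctx/gitconfig"
  for pair in "$@"; do
    name="${pair%%=*}"; repo="${pair#*=}"
    pub="$src/$name.pub"
    [ -f "$pub" ] || { echo "missing public key $pub" >&2; return 1; }
    cp "$pub" "$ctx/ssh/$name.pub"
    # IdentityFile may name a .pub file: ssh then asks the agent for the matching
    # private key, and IdentitiesOnly stops it from offering every key it holds.
    cat >> "$ctx/ssh/config" <<EOF
Host $name.github.com
  HostName github.com
  User git
  IdentityFile /home/runner/.ssh/$name.pub
  IdentitiesOnly yes
EOF
    # Rewrite the canonical clone URL to the per-repo Host alias.
    cat >> "$ctx/gitconfig" <<EOF
[url "git@$name.github.com:$repo.git"]
  insteadOf = git@github.com:$repo.git
EOF
  done
}

# Demo on constructed input (not a real key).
demo="$(mktemp -d)"
mkdir -p "$demo/src"
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSamplePublicKeyOnly repo-a" > "$demo/src/repo-a.pub"
build_ssh_ctx "$demo/ctx" "$demo/src" repo-a=org/repo-a
cat "$demo/ctx/ssh/config" "$demo/ctx/gitconfig"; rm -rf "$demo"
```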
Very interested if someone has a non-hacky solution to this. It seems the logic that ssh-agent goes through to configure the git aliases needs to occur inside a docker container. For what it's worth I ended up copying as well:

```dockerfile
# Copy SSH config and public key details into image
COPY .gitconfig* /etc/gitconfig
COPY ssh/config* /etc/ssh/ssh_config
COPY ssh/ /home/runner/.ssh
# ~/.ssh needs 0700, not 0600: a directory without the execute bit cannot be entered by a non-root user
RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
# Test access:
RUN --mount=type=ssh pip install git+ssh://git@github.com/me/my-private-repo-a.git
RUN --mount=type=ssh pip install git+ssh://git@github.com/me/my-private-repo-b.git
```
This is constantly breaking for me. What am I doing wrong here?

```dockerfile
# syntax=docker/dockerfile:1.0-experimental
FROM python:3.9
# create a folder and cd into it
RUN mkdir temp_repo
# (has no effect: each RUN starts a fresh shell; WORKDIR below is what sets the directory)
RUN cd temp_repo
# set folder as current working directory
WORKDIR /temp_repo
# move hello_world.py script from our local system to current workdir in docker
ADD hello_world.py .
# copy the requirements file from current system to docker directory
COPY requirements.txt /temp_repo
RUN pip install -r requirements.txt
COPY .gitconfig* /etc/gitconfig
COPY ssh/config* /etc/ssh/ssh_config
COPY ssh /home/runner/.ssh
# ~/.ssh needs 0700, not 0600: a directory without the execute bit cannot be entered by a non-root user
RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
RUN --mount=type=ssh pip install git+ssh://git@github.com/my_company/repo1.git
# git itself does not know pip's git+ssh:// prefix; a plain ssh:// URL is needed here
RUN --mount=type=ssh git clone ssh://git@github.com/my_company/repo1.git
RUN --mount=type=ssh pip install git+ssh://git@github.com/my_company/repo2.git
# note: this bakes the .pem file into an image layer
COPY timescale.pem /root
RUN apt-get update -y
CMD ["python", "-u", "hello_world.py"]
```

It's constantly failing on the last step with a "repository not found" error. Can someone please help?
@mpdude Is it possible to add the solution to this problem (initial issue) to the docs, in a new section "docker-build-push-Action + Deploy Keys"?
I'd offer to create a PR, if that's ok with you.