9

I want to pull code from Github into my Docker image while building. I have a deploy key generated from the repository, but it seems to me the ssh-agent is not working on my Docker image.

What I did (my Dockerfile):

FROM python:2.7-stretch
ADD ./id_rsa /root/.ssh/id_rsa
RUN eval "$(ssh-agent -s)"
RUN ssh-add -K /root/.ssh/id_rsa

Output:

Step 12/22 : RUN eval "$(ssh-agent -s)"
 ---> Running in f9ad80981cee
Agent pid 6
Removing intermediate container f9ad80981cee
 ---> d773f7ce5917
Step 13/22 : RUN ssh-add -K /root/.ssh/id_rsa
 ---> Running in 95efeed6a7ad
Could not open a connection to your authentication agent.
The command '/bin/sh -c ssh-add -K /root/.ssh/id_rsa' returned a non-zero code: 2

As you can see, ssh-agent is started, but keys are not being added to it.

If I skip the ssh-add step then my git pull fails later because of privileges, which is failing as expected as no authentication happened.

3 Answers

4

Actually you don't need to copy your private key to your container (and you'd better not do it).

All you need is the ssh-agent installed and launched on both your host and your Docker container; then all you need to do is mount the ssh-agent's socket file:

If you are using docker-compose:

environment:
  - "SSH_AUTH_SOCK=/tmp/ssh-agent"
volumes:
  - $SSH_AUTH_SOCK:/tmp/ssh-agent

With docker:

docker run -v $SSH_AUTH_SOCK:/tmp/ssh-agent 8be57bbc9561 sleep 1000000 # 8be57bbc9561 is an id of the image
docker exec -it -e SSH_AUTH_SOCK=/tmp/ssh-agent 5b6f4a8f8661 /bin/ash # 5b6f4a8f8661 is an id of the container

P.S

As for your case, I think the problem can be related to the export command, which is normally evaled from the output of the ssh-agent.

It should provide you two variables: SSH_AUTH_SOCK and SSH_AGENT_PID. But the export won't persist across images.

You've used RUN two times: first for launching the ssh-agent and exporting variables and then for adding a key. And each Dockerfile directive will generate an intermediate container (and export won't persist across them).

If you still want to use it this way (which I strongly recommend avoiding), you can try to bind both commands in a single RUN:

RUN eval "$(ssh-agent -s)" && ssh-add /root/.ssh/id_rsa

I've written a short post based on my answer above.


6 Comments

Okay, I got it, so to avoid putting keys, and I do have intention of using docker compose later on as I have multiple services, I was just starting up. So coming to the point, I tried docker build . -v $SSH_AUTH_SOCK:/tmp/ssh-agent -e SSH_AUTH_SOCK=/tmp/ssh-agent. It resulted in: unknown shorthand flag: 'v' in -v See 'docker build --help'. Can you point me to appropriate documentation of how to do the way you are suggesting? Thanks a lot for all the help :) and is it possible to test the Dockerfile with docker build and then later on write docker compose?
@HarshM the -v and -e flags are used with the docker run command, not with docker build, because the mounted volumes and environment variables are related to the container's runtime, not to the image itself.
Yes it is possible and actually it also works so. Docker compose often uses the Dockerfile underneath to build and launch your service. It just helps you to define these flags within a pretty formatted configuration file and to define some related services too.
I got it. But I incorporated your suggestion and am now using CodeBuild as the build tool, and not using ssh to fetch code in the Docker image. Thanks.
I don't get it. For "docker run" you need an image, but ssh is used during the build stage. How can I mount the ssh-agent's socket file while I build the image?
0

From this link:

The -K option is Apple's standard version of ssh-add, which stores the passphrase in your keychain for you when you add an ssh key to the ssh-agent.

If you don't have Apple's standard version installed, you may receive an error.

Try to remove the -K option and build it again. The following worked for me:

FROM python:2.7-stretch
ADD ./id_rsa /root/.ssh/id_rsa
RUN eval "$(ssh-agent -s)" && ssh-add /root/.ssh/id_rsa
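
As an added example (not code from any of the answers), here is a small Python linter for the Dockerfile patterns discussed on this page: a private key copied into an image layer, ssh-agent and ssh-add split across separate RUN steps, and the -K flag. The finding names and the key file name pattern are assumptions chosen for illustration.

```python
import re

# Constructed sample: the Dockerfile from the question above.
QUESTION_DOCKERFILE = '''\
FROM python:2.7-stretch
ADD ./id_rsa /root/.ssh/id_rsa
RUN eval "$(ssh-agent -s)"
RUN ssh-add -K /root/.ssh/id_rsa
'''

# Assumption: common private-key file names; extend for your own naming.
KEY_NAME = re.compile(r"(^|/)(id_(rsa|dsa|ecdsa|ed25519)|[^/\s]+\.pem)$")


def instructions(text):
    """Yield (line_no, KEYWORD, args), joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        keyword, _, args = (buf + line).partition(" ")
        yield start, keyword.upper(), args.strip()
        buf, start = "", 0


def lint(text):
    """Return (line_no, finding) pairs for SSH key and agent handling."""
    findings = []
    for no, kw, args in instructions(text):
        if kw in ("ADD", "COPY"):
            # Drop flags such as --chown; the last token is the destination.
            sources = [a for a in args.split() if not a.startswith("--")][:-1]
            if any(KEY_NAME.search(s) for s in sources):
                findings.append((no, "KEY_IN_LAYER"))  # key stays in the image
        elif kw == "RUN":
            has_agent = "ssh-agent" in args
            has_add = re.search(r"\bssh-add\b", args) is not None
            if has_agent and not has_add:
                findings.append((no, "AGENT_ENV_LOST"))  # exports end with step
            if has_add and not has_agent:
                findings.append((no, "NO_AGENT_IN_STEP"))  # no socket to reach
            if re.search(r"\bssh-add\b[^&;|]*\s-K\b", args):
                findings.append((no, "KEYCHAIN_FLAG"))  # -K, see second answer
    return findings
```

Running `lint(QUESTION_DOCKERFILE)` reports all four findings for the question's Dockerfile; the single-RUN variant from the answers still reports KEY_IN_LAYER, because the ADD step writes the private key into a layer of the image.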


-1

Edit ~/.ssh/config

Add with your new key

Host github.com
IdentityFile /root/.ssh/id_rsa

1 Comment

This would mean using a key which is not password protected.
