Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.0k views
in Technique[技术] by (71.8m points)

git - How to add ssh passphrase to Docker and removed it after it was used?

The problem sounds elementary in its nature but I cannot find a secure and simple solution.

The issue is the following, I have a project and I want to pull dependencies from private git repos to build a runtime environment and remove both SSH key and SSH passphrase afterward. I cannot skip passphrase as it is enforced by git remote repos.

  1. I struggle to push the SSH passphrase, so the SSH won't ask for a passphrase
  2. I struggle to understand how to do it securely

The question of how can I do it, so the approach also will be secure?

I am operating in Docker and potentially can install any open-source software on it.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

With buildkit enabled:

The docker build has a --ssh option to allow the Docker Engine to forward SSH agent connections.

You can ssh-add your private keys to a ssh-agent.

From the ssh-add man pages:

If any file requires a passphrase, ssh-add asks for the passphrase from the user.

From the ssh-agent man pages:

The idea is that the agent is run in the user's local PC, laptop, or terminal. Authentication data need not be stored on any other machine, and authentication passphrases never go over the network. However, the connection to the agent is forwarded over SSH remote logins, and the user can thus use the privileges given by the identities anywhere in the network in a secure way.

The ssh-agent will never send a private key over its request channel. ...

Example Dockerfile from the doc:

# syntax=docker/dockerfile:experimental
FROM alpine

# Install ssh client and git
RUN apk add --no-cache openssh-client git

# Download public key for github.com
RUN mkdir -p -m 0600 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts

# Clone private repository
RUN --mount=type=ssh git clone git@github.com:myorg/myproject.git myproject

Build the image: docker build --ssh default


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...