我遇到一个问题,在构建我的 docker 容器时,我尝试接收 gpg key 失败。当在命令行执行时,我提供的命令可以正常工作。
- 我在防火墙后面;为此,我有下面详述的代理设置。
- 主机:CentOS 7.4; Docker版本17.09.0-ce,构建afdb6d4
- 没有为正在使用的帐户设置代理的环境变量。
- Docker 服务具有代理集的环境变量 according to Docker :
在 /etc/systemd/system/docker.service.d/http-proxy.conf 中:
[Service]
Environment="HTTP_PROXY=http://<corporate proxy>/" "HTTPS_PROXY="<corporate proxy>/" "NO_PROXY=localhost,127.0.0.1,.domain.local,.corp"
我使用 build.sh shell 脚本来构建图像:
#/bin/bash
docker build -t hgk/test-container .
shell 脚本与我的 Dockerfile 位于同一位置。这是该目录中仅有的两件事。
FROM openjdk:8
ARG KEYSERV=hkp://p80.pool.sks-keyservers.net:80
ARG THEPROXY=<my corporate proxy>
# grab gosu for easy step-down from root
# (see docker-sonarqube pull request #115)
RUN set -x \
&& wget -e https_proxy=$THEPROXY -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/1.10/gosu-$(dpkg --print-architecture)" \
&& wget -e https_proxy=$THEPROXY-O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/1.10/gosu-$(dpkg --print-architecture).asc" \
&& export GNUPGHOME="$(mktemp -d)" \
&& gpg --version \
&& gpg -vv --keyserver $KEYSERV --keyserver-options http-proxy=$THEPROXY --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
&& gpg --list-keys \
&& gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
&& rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc \
&& chmod +x /usr/local/bin/gosu \
&& gosu nobody true
这两个 wget 命令工作正常并且它们检索了文件。第一个 gpg 命令最终超时:
+ mktemp -d
+ export GNUPGHOME=/tmp/tmp.LJ1EVFQmpO
+ gpg --version
gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /tmp/tmp.LJlEVFQmpO
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
+ gpg -vv --keyserver hkp://p80.pool.sks-keyservers.net:80 --keyserver-options http-proxy=<corp proxy> --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4
gpg: keybox '/tmp/tmp.LJlEVFQmpO/pubring.kbx' created
gpg: no running Dirmngr - starting '/usr/bin/dirmngr'
gpg: waiting for the dirmngr to come up ... (5s)
gpg: connection to the dirmngr established
[[I am hung here - It just waits for ... something? I'll update the question if anything prints after this]]
我将 gpg --list-keys 命令放在 Dockerfile 中,看看我们是否通过了那里。但是,如果我通过命令行运行它,它会成功检索 key :
[root@me foo]# printenv | grep proxy
[root@me foo]# gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 --
keyserver-options http-proxy=<corp proxy> --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key BF357DD4 from hkp server p80.pool.sks-keyservers.net
Version: SKS 1.1.6
gpg: armor header:
Comment: Hostname: sks.okoyono.de
gpg: armor header:
gpg: pub 4096R/BF357DD4 2014-02-28 Tianon Gravi <tianon@debian.org>
gpg: key BF357DD4: removed multiple subkey binding
gpg: key BF357DD4: removed multiple subkey binding
gpg: /tmp/tmp.DIX6yQQf25/trustdb.gpg: trustdb created
gpg: using PGP trust model
gpg: key BF357DD4: public key "Tianon Gravi <tianon@tianon.xyz>" imported
gpg: 1 keys cached (126 signatures)
gpg: 0 keys processed (0 validity counts cleared)
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
[root@me foo]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 4096R/BF357DD4 2014-02-28 [expires: 2019-07-06]
uid Tianon Gravi <tianon@tianon.xyz>
uid Tianon Gravi <tianon@debian.org>
uid Tianon Gravi <tianon@dockerproject.org>
uid Andrew Page (tianon) <andrew@infosiftr.com>
uid Andrew Page (tianon) <andrew@vitalroute.com>
uid Andrew Page (Tianon Gravi) <admwiggin@gmail.com>
uid Tianon Gravi (Andrew Page) <tianon@infosiftr.com>
sub 4096R/769826E6 2014-02-28 [expires: 2019-07-06]
我已经尝试过具有相同行为的不同 sks-keyservers(ubuntu、MIT 和其他 sks)——从 bash 正确,从 Docker 错误。
有什么想法/提示/建议吗?
更新:我的“openjdk:8”版本已经有一段时间没有更新了(从 8u121 开始)。我发现我正在运行 gpg v1.4.18。我执行了 docker image pull openjdk:8 操作,将我升级到 8u151 和 gpg 2.1.18。 CentOS 7机器上的gpg版本是2.0.22。
最佳答案
在构建 Docker 镜像时,您的 systemd 单元文件的环境变量不会传递到容器中。相反,请使用 --build-arg传递代理值的参数:
docker build --build-arg=HTTP_PROXY=http://<corporate proxy>/ --build-arg=HTTPS_PROXY=http://<corporate proxy>/ -t hgk/test-container .
您不应将代理变量等运行时选项烘焙到 Dockerfile 中,始终通过环境变量(或此构建参数)传递配置。
附加提示:most applications rely on http_proxy and https_proxy -- 虽然大多数环境变量确实全部大写,但代理变量有更广泛的小写用法。
关于linux - gpg key 请求在 dockerfile 中失败但在 bash 中失败,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/47318042/