I have a private repository containing a package that I want to pip install. I have spent a lot of time reading various forums and articles about the different ways to do this securely. There does not seem to be any consensus on how best to do it (if it is possible at all). I obviously do not want to expose any SSH key / secret in my Dockerfile, and I want to be careful not to make them available through the docker history.

Best answer
As described in "Securely build small python docker image from private git repos", you need Docker 18.09+ and its --ssh option:

    You can use the --ssh flag to forward your existing SSH agent key to the builder. Instead of transferring the key data, docker will just notify the builder that such capability is available.
    Now when the builder needs access to a remote server through SSH, it will dial back to the client and ask it to sign the specific request needed for this connection.
    The key itself never leaves the client, and as soon as the command that requested the access has completed there is no information on the builder side to reestablish that remote connection later.

    Secrets: Provides a mount option during the build at /var/run/secrets available only for the command that used it and is not included in the created layer.
That is:

    docker build --ssh github_ssh_key=/path/to/.ssh/git_ssh_id_rsa .

- only the agent connection is shared with that command, and not the actual content of the private key.
- no other commands/steps in the Dockerfile will have access to it.
The Dockerfile names the key (github_ssh_key) in the first stage of the multi-stage build, so we can refer to it when calling docker build:

    RUN --mount=type=ssh,id=github_ssh_key pip wheel \
        --no-cache \
        --requirement requirements.txt \
        --wheel-dir=/app/wheels
The OP, Jesus Garcia, did report (in the comments) getting it to work:

    I had to use 2 separate RUN commands. I'm not sure if it's a limitation of this new feature, or the way I was trying to string together multiple commands in my RUN, but I kept getting a publickey permission denied error when I added it as

        other commands && /bin/sh -c "mount=type=ssh,id=github_ssh_key pip install private-repo"

    vs

        RUN --mount=type=ssh,id=github_ssh_key pip install private-repo && more commands ...
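A complete multi-stage Dockerfile that puts the pieces above together, added here as an example and not taken from the answer or the article it quotes. It assumes requirements.txt pins the private package by a git+ssh URL, that the key id is the github_ssh_key used on this page, and that the build is run with BuildKit (docker build --ssh github_ssh_key=/path/to/.ssh/git_ssh_id_rsa -t myapp .); the image and package names are placeholders.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build wheels. Only one RUN step gets the forwarded SSH agent.
FROM python:3.11-slim AS builder

WORKDIR /app
# Assumption: requirements.txt references the private package like
#   git+ssh://git@github.com/example-org/private-repo.git@v1.2.0#egg=private_repo
COPY requirements.txt .

# pip clones over SSH, so git and an ssh client are needed in this stage only.
# The GitHub host key is pinned into known_hosts so the clone cannot stall on a
# host-key prompt; in production, COPY a verified known_hosts file instead of
# trusting whatever ssh-keyscan returns at build time.
RUN apt-get update \
    && apt-get install -y --no-install-recommends git openssh-client \
    && rm -rf /var/lib/apt/lists/* \
    && mkdir -p -m 0700 ~/.ssh \
    && ssh-keyscan github.com >> ~/.ssh/known_hosts

# The id must match the one passed to `docker build --ssh github_ssh_key=...`.
# Only this step sees the agent socket; the private key never enters the build
# context, this layer, or `docker history`.
RUN --mount=type=ssh,id=github_ssh_key \
    pip wheel --no-cache-dir --requirement requirements.txt --wheel-dir=/app/wheels

# Stage 2: runtime image. No git, no ssh client, no SSH mount, just the wheels.
FROM python:3.11-slim

WORKDIR /app
COPY --from=builder /app/wheels /app/wheels
# Install from the prebuilt wheels only; --no-index guarantees pip never tries
# to reach the git remote again from this stage, which has no SSH access.
RUN pip install --no-cache-dir --no-index /app/wheels/*.whl \
    && rm -rf /app/wheels

COPY . .
CMD ["python", "-m", "myapp"]
```

After the build, `docker history myapp` shows only the pip and COPY steps and no key material, because the key was never copied into the build.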
Regarding "git - How do I securely git clone / pip install a private repository into my docker image?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/55929417/