I am trying to build a docker image for automated deployment, so I want to clone the application code from a private Bitbucket repo (git).
But whenever I try to build the image I keep getting an authentication error from git clone.
Not sure if it is relevant, but the host I am using runs Ubuntu 18.04 and Docker 18.09.7, build 2d0083d.
Here is my Dockerfile:
```dockerfile
# syntax=docker/dockerfile:experimental
FROM nvidia/cuda:10.0-cudnn7-devel-ubuntu18.04 as devel_stage
ENV DEBIAN_FRONTEND noninteractive
# install system requirements
RUN apt-get update --fix-missing
RUN apt-get install -y --no-install-recommends build-essential
RUN apt-get install -y --no-install-recommends git
RUN apt-get install -y --no-install-recommends curl
RUN apt-get install -y --no-install-recommends ca-certificates
RUN apt-get install -y --no-install-recommends libjpeg-dev
RUN apt-get install -y --no-install-recommends libpng-dev
RUN apt-get install -y --no-install-recommends python3-dev
RUN apt-get install -y --no-install-recommends python3-pip
RUN apt-get install -y --no-install-recommends python3-setuptools
RUN apt-get install -y --no-install-recommends python3-opencv
RUN apt-get install -y --no-install-recommends python3-skimage
RUN apt-get install -y --no-install-recommends python3-skimage-lib
RUN apt-get install -y --no-install-recommends cmake
RUN apt-get install -y --no-install-recommends ssh
RUN apt-get install -y --no-install-recommends openssh-server
### create application user
ENV DOCK_USER=appuser
ENV USER_HOME=/home/$DOCK_USER
RUN groupadd -g 999 $DOCK_USER
RUN useradd -r -m -u 999 -g $DOCK_USER $DOCK_USER
USER $DOCK_USER
WORKDIR $USER_HOME/code
### install python base libs
RUN pip3 install wheel
### install pytorch
RUN pip3 install https://download.pytorch.org/whl/cu100/torch-1.1.0-cp36-cp36m-linux_x86_64.whl
RUN pip3 install https://download.pytorch.org/whl/cu100/torchvision-0.3.0-cp36-cp36m-linux_x86_64.whl
### install python requirements
ARG REQ_FILE=requirements.txt
ADD $REQ_FILE requirements.txt
RUN pip3 install --user -r requirements.txt
### start app
CMD python3 app.py
##########################################################################################
FROM devel_stage as prod_stage
### add RSA permissions to access bitbucket
RUN mkdir -p $USER_HOME/.ssh
RUN touch $USER_HOME/.ssh/known_hosts
RUN ssh-keyscan -t rsa bitbucket.org 2>&1 >> $USER_HOME/.ssh/known_hosts
### Copy code to image
WORKDIR $USER_HOME
ENV GIT_SSH_COMMAND="ssh -vvv"
RUN --mount=type=ssh git clone --progress --verbose git@bitbucket.org:MY_GIT_USER/MY_GIT_REPO.git
```
Using this build command:
```shell
DOCKER_BUILDKIT=1 docker build \
--ssh default \
--progress=plain \
--target prod_stage \
-t MY_APP:prod \
--build-arg REQ_FILE=requirements.txt \
docker_data_dir
```
I get the following error:
```text
#37 [prod_stage 4/4] RUN --mount=type=ssh git clone --progress --verbose git...
#37 digest: sha256:7a22394164be10cb0910677fb7ab406457f2d7465b48d716d411ca0f0875efd6
#37 name: "[prod_stage 4/4] RUN --mount=type=ssh git clone --progress --verbose git@bitbucket.org:pixforce/cerberus-pixgate_demo.git"
#37 started: 2019-11-18 20:15:15.218575026 +0000 UTC
#37 0.416 Cloning into 'cerberus-pixgate_demo'...
#37 0.424 OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
#37 0.424 debug1: Reading configuration data /etc/ssh/ssh_config
#37 0.424 debug1: /etc/ssh/ssh_config line 19: Applying options for *
#37 0.459 debug1: Connecting to bitbucket.org [18.205.93.0] port 22.
#37 0.642 debug1: Connection established.
#37 0.643 debug1: key_load_public: No such file or directory
#37 0.643 debug1: identity file /home/appuser/.ssh/id_rsa type -1
#37 0.643 debug1: key_load_public: No such file or directory
#37 0.643 debug1: identity file /home/appuser/.ssh/id_rsa-cert type -1
#37 0.643 debug1: key_load_public: No such file or directory
#37 0.643 debug1: identity file /home/appuser/.ssh/id_dsa type -1
#37 0.643 debug1: key_load_public: No such file or directory
#37 0.643 debug1: identity file /home/appuser/.ssh/id_dsa-cert type -1
#37 0.643 debug1: key_load_public: No such file or directory
#37 0.643 debug1: identity file /home/appuser/.ssh/id_ecdsa type -1
#37 0.643 debug1: key_load_public: No such file or directory
#37 0.643 debug1: identity file /home/appuser/.ssh/id_ecdsa-cert type -1
#37 0.643 debug1: key_load_public: No such file or directory
#37 0.643 debug1: identity file /home/appuser/.ssh/id_ed25519 type -1
#37 0.643 debug1: key_load_public: No such file or directory
#37 0.643 debug1: identity file /home/appuser/.ssh/id_ed25519-cert type -1
#37 0.643 debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
#37 2.629 debug1: Remote protocol version 2.0, remote software version conker_31073e5a11 app-153
#37 2.629 debug1: no match: conker_31073e5a11 app-153
#37 2.629 debug1: Authenticating to bitbucket.org:22 as 'git'
#37 2.629 debug1: SSH2_MSG_KEXINIT sent
#37 2.630 debug1: SSH2_MSG_KEXINIT received
#37 2.630 debug1: kex: algorithm: [email protected]
#37 2.630 debug1: kex: host key algorithm: ssh-rsa
#37 2.630 debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
#37 2.630 debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
#37 2.633 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
#37 3.077 debug1: Server host key: ssh-rsa SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A
#37 3.077 debug1: Host 'bitbucket.org' is known and matches the RSA host key.
#37 3.077 debug1: Found key in /home/appuser/.ssh/known_hosts:1
#37 3.086 Warning: Permanently added the RSA host key for IP address '18.205.93.0' to the list of known hosts.
#37 3.090 debug1: rekey after 134217728 blocks
#37 3.090 debug1: SSH2_MSG_NEWKEYS sent
#37 3.090 debug1: expecting SSH2_MSG_NEWKEYS
#37 3.090 debug1: SSH2_MSG_NEWKEYS received
#37 3.090 debug1: rekey after 134217728 blocks
#37 3.090 debug1: pubkey_prepare: ssh_get_authentication_socket: Permission denied
#37 3.550 debug1: SSH2_MSG_SERVICE_ACCEPT received
#37 3.734 debug1: Authentications that can continue: publickey
#37 3.734 debug1: Next authentication method: publickey
#37 3.734 debug1: Trying private key: /home/appuser/.ssh/id_rsa
#37 3.734 debug1: Trying private key: /home/appuser/.ssh/id_dsa
#37 3.734 debug1: Trying private key: /home/appuser/.ssh/id_ecdsa
#37 3.734 debug1: Trying private key: /home/appuser/.ssh/id_ed25519
#37 3.734 debug1: No more authentication methods to try.
#37 3.734 git@bitbucket.org: Permission denied (publickey).
#37 3.734 fatal: Could not read from remote repository.
#37 3.734
#37 3.734 Please make sure you have the correct access rights
#37 3.734 and the repository exists.
#37 completed: 2019-11-18 20:15:19.256826565 +0000 UTC
#37 duration: 4.038251539s
#37 error: "executor failed running [/bin/sh -c git clone --progress --verbose git@bitbucket.org:pixforce/cerberus-pixgate_demo.git]: exit code: 128"
rpc error: code = Unknown desc = executor failed running [/bin/sh -c git clone --progress --verbose git@bitbucket.org:pixforce/cerberus-pixgate_demo.git]: exit code: 128
```
I also tried passing a specific key to the build:
```shell
DOCKER_BUILDKIT=1 docker build \
--ssh default=/home/$(USER)/.ssh/id_rsa \
--progress=plain \
--target prod_stage \
-t MY_APP:prod \
--build-arg REQ_FILE=requirements.txt \
docker_data_dir
```
But the build does not even start, and I get this error:
```text
could not parse ssh: [default=/home/rafol/.ssh/id_rsa]: failed to parse /home/rafol/.ssh/id_rsa: ssh: cannot decode encrypted private keys
```
How can I get this image to work?
Answer 1
The problem you are hitting is that the private key being sent to the container is in the wrong format.
Modern versions of OpenSSH use an OpenSSH-specific key format for private keys, whereas the OpenSSH version in the container expects a PEM private key. If you want to use the key in the container, you need the private key in PEM format.
You can generate a new key with ssh-keygen -m PEM, or export an existing key with ssh-keygen -e -m PEM, and then use it in the container.
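The build error above is docker's key parser reporting an encrypted (passphrase-protected) private key. As an added example, not code from the question or from this answer, the POSIX shell script below reports, offline, both the container format of a private key file (the legacy PEM format this answer refers to versus the OpenSSH-native format) and whether a passphrase was set, by reading the PEM Proc-Type header or the ciphername string at the start of the OpenSSH-format blob. The function names and status strings are this example's own; it assumes GNU coreutils (base64 -d, od, dd) as found on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the original post. Reports the format of an SSH
# private key file and whether it is passphrase-protected, without any
# network access or agent. Assumes GNU coreutils (base64, od, dd, head).
set -eu

# Big-endian uint32 read from byte offset $2 of file $1.
be32() {
  od -An -v -tu1 -j "$2" -N 4 "$1" | awk '{ print $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# Cipher name of a decoded OpenSSH-format key ($1): after the 15-byte magic
# "openssh-key-v1\0" comes string ciphername, then string kdfname, ...
# An unencrypted key has ciphername "none"; a passphrase gives e.g. "aes256-ctr".
openssh_cipher() {
  len=$(be32 "$1" 15)
  [ -n "$len" ] || len=0
  dd if="$1" bs=1 skip=19 count="$len" 2>/dev/null
}

# Prints one of: pem, pem-encrypted, openssh, openssh-encrypted, unknown.
ssh_key_status() {
  f="$1"
  case "$(head -n 1 "$f")" in
    "-----BEGIN OPENSSH PRIVATE KEY-----")
      tmp=$(mktemp)
      # strip the armour lines and decode the base64 body
      sed '1d;$d' "$f" | tr -d '\r\n' | base64 -d > "$tmp" 2>/dev/null || :
      if [ "$(head -c 14 "$tmp")" != "openssh-key-v1" ]; then
        rm -f "$tmp"; echo unknown; return 0
      fi
      cipher=$(openssh_cipher "$tmp")
      rm -f "$tmp"
      if [ -z "$cipher" ]; then echo unknown
      elif [ "$cipher" = none ]; then echo openssh
      else echo openssh-encrypted; fi ;;
    "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----")
      # Legacy PEM (what "ssh-keygen -m PEM" writes): a passphrase is signalled by a
      # "Proc-Type: 4,ENCRYPTED" header line before the base64 body.
      if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then echo pem-encrypted; else echo pem; fi ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pem-encrypted ;;  # PKCS#8 with passphrase
    "-----BEGIN PRIVATE KEY-----") echo pem ;;                      # PKCS#8, unencrypted
    *) echo unknown ;;
  esac
}

# Usage: sh key-status.sh ~/.ssh/id_rsa [more keys...]
if [ $# -gt 0 ]; then
  for k in "$@"; do printf '%s: %s\n' "$k" "$(ssh_key_status "$k")"; done
fi
```

A key reported as pem-encrypted or openssh-encrypted cannot be passed by path to --ssh default=... regardless of its format; load it into ssh-agent with ssh-add and pass --ssh default with no path instead, which forwards the agent socket rather than the key file.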
Answer 2
You set a non-root USER before running git clone.
However, by default, SSH forwarding during the build only works for root.
With a recent version of BuildKit you can work around this using the mount options.
With an older version of BuildKit you get the error...
```text
$ DOCKER_BUILDKIT=1 BUILDKIT_PROGRESS=plain docker build --ssh default=~/.ssh/id_rsa,uid=999 ./context/
could not parse ssh: [default=/home/USER/.ssh/id_rsa,uid=999]: stat uid=999: no such file or directory
```