I'm trying to build an image in Docker that requires a few secret files to do things like pulling from a private git repo. I've seen a lot of people with code like this:
# Copies the private key into an image layer, so it ships with the image.
ADD id_rsa /root/.ssh/id_rsa
RUN chmod 700 /root/.ssh/id_rsa
RUN touch /root/.ssh/known_hosts
# Records GitHub's host key so the clone does not prompt for confirmation.
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
RUN git clone git@github.com:some/repo.git /usr/local/some_folder
Although that works, it means I have to store my private id_rsa with my image, which strikes me as a bad idea. What I'd much rather do is keep my secret files in some cloud storage like s3, and just pass in credentials as environment variables to be able to pull everything else down.
I know that I can pass environment variables in at docker run with the -e switch, but if I need some files at build time (like the id_rsa to perform a git clone), what can I do? Ideally I'd be able to pass environment variables to docker build, but that's not possible (I can't understand why).
So, ideas? What's the canonical/correct thing to do here? I can't be the first person with this issue.
I'll start with the easiest part, which I think is a common misconception:
Ideally I'd be able to pass environment variables to docker build, but that's not possible (I can't understand why).
A docker build is meant to be reproducible. Given the same context (the files under the same directory as the Dockerfile) the resulting image is the same. They are also meant to be simple. Both things together explain the absence of environment options or other conditionals.
Now, because the build needs to be reproducible, the execution of each command is cached. If you run the build twice, the git pull will only run the first time.
By your comment, this is not what you intend:
so on any new image build, we always want the newest version of the repo
To trigger a new build you need to either change the context or the Dockerfile.
The canonical way (I'm probably abusing the word, but this is how the automated builds work) is to include the Dockerfile in git.
This allows a simple workflow of git pull ; docker build ... and avoids the problem with storing your git credentials.
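A small lint over the two patterns this thread contrasts, added here as an example rather than code from the question, the answer or Docker itself: both Dockerfiles are constructed, and the rules (flag ADD/COPY of key-like paths, flag a git clone inside RUN) are assumptions about what a reviewer would want caught.

```python
import re

# Constructed sample reproducing the pattern from the question.
QUESTION_DOCKERFILE = """\
FROM ubuntu:14.04
ADD id_rsa /root/.ssh/id_rsa
RUN chmod 700 /root/.ssh/id_rsa
RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
RUN git clone git@github.com:some/repo.git /usr/local/some_folder
"""

# Constructed sample following the answer: the Dockerfile lives in the repo and
# the checked-out working tree is the build context, so no key is needed.
ANSWER_DOCKERFILE = """\
FROM ubuntu:14.04
COPY . /usr/local/some_folder
RUN make -C /usr/local/some_folder
"""

# Assumed list of source paths that look like private key material.
SECRET_SOURCE = re.compile(r"(^|/)(id_rsa|id_dsa|id_ecdsa|id_ed25519)$|\.(pem|key)$")

def parse_instructions(text):
    """Yield (instruction, argument) pairs, joining backslash continuations and skipping comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        buf = ""
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")

def lint(text):
    """Return findings: secrets copied into a layer, and build-time clones that would need them."""
    findings = []
    for instr, arg in parse_instructions(text):
        if instr in ("ADD", "COPY"):
            # Last token is the destination; leading --flags are not sources.
            sources = [t for t in arg.split()[:-1] if not t.startswith("--")]
            for src in sources:
                if SECRET_SOURCE.search(src):
                    findings.append(f"{instr} bakes private key '{src}' into an image layer")
        if instr == "RUN" and re.search(r"\bgit\s+clone\b", arg):
            findings.append("RUN git clone at build time needs credentials and is cached per layer")
    return findings
```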