Subversion export/checkout in Dockerfile without printing the password on screen

Question

I want to write a Dockerfile which exports a directory from a remote Subversion repository into the build context so I can work with these files in subsequent commands. The repository is secured with user/password authentication.

That Dockerfile could look like this:

# base image
FROM ubuntu

# install subversion client
RUN apt-get -y update && apt-get install -y subversion

# export my repository
RUN svn export --username=myUserName --password=myPassword http://subversion.myserver.com/path/to/directory

# further commands, e.g. on container start run a file just downloaded from the repository
CMD ["/bin/bash", "path/to/file.sh"]

However, this has the drawback of printing my username and password on the screen or any logfile where the stdout is directed, as in Step 2 : RUN svn export --username=myUserName --password=myPassword http://subversion.myserver.com/path/to/directory. In my case, this is a Jenkins build log which is also accessible by other people who are not supposed to see the credentials.

What would be the easiest way to hide the echo of username and password in the output?

Until now, I have not found any way how to execute RUN commands in a Dockerfile silently when building the image. Could the password maybe be imported from somewhere else and attached to the command beforehand so it does not have to be printed anymore? Or are there any methods for password-less authentication in Subversion that would work in the Dockerfile context (in terms of setting them up without interaction)?

The Subversion Server is running remotely in my company and not on my local machine or the Docker host. To my knowledge, I have no access to it except for accessing my repository via username/password authentication, so copying any key files as root to some server folders might be difficult.

Answer 1

The Dockerfile RUN command is always executed and cached when the docker image is build so the variables that svn needs to authenticate must be provided at build time. You can move the svn export call when the docker run is executed in order to avoid this kind of problems. In order to do that you can create a bash script and declare it as a docker entrypoint and pass environment variables for username and password. Example

# base image
FROM ubuntu

ENV REPOSITORY_URL http://subversion.myserver.com/path/to/directory

# install subversion client
RUN apt-get -y update && apt-get install -y subversion

# make it executable before you add it here otherwise docker will coplain
ADD docker-entrypoint.sh /enrypoint.sh

ENTRYPOINT /entrypoint.sh

docker-entrypoint.sh

#!/bin/bash

# maybe here some validation that variables $REPO_USER $REPO_PASSOWRD exists.


svn export --username="$REMOTE_USER" --password="$REMOTE_PASSWORD" "$REPOSITORY_URL"

# continue execution
path/to/file.sh

Run your image:

docker run -e REPO_USER=jane -e REPO_PASSWORD=secret your/image

Or you can put the variables in a file:

.svn-credentials

REPO_USER=jane
REPO_PASSWORD=secret

Then run:

docker run --env-file .svn-credentials your/image

Remove the .svn-credentials file when your done.

Answer 2

Maybe using SVN with SSH is a solution for you? You could generate a public/private key pair. The private key could be added to the image whereas the public key gets added to the server.

For more details you could have a look at this stackoverflow question.

Answer 3

One solution is to ADD the entire SVN directory you previously checked out on your builder file-system (or added as a svn:externals if your Dockerfile is itself in a SVN repository like this: svn propset svn:externals 'external_svn_directory http://subversion.myserver.com/path/to/directory' ., then do a svn up).

Then in your Dockerfile you can simply have this:

ADD external_svn_directory /tmp/external_svn_directory
RUN svn export /tmp/external_svn_directory /path/where/to/export/to
RUN rm -rf /tmp/external_svn_directory