Dockerfile: clone a repository with a passwordless private key. Error: "authentication agent" or "read_passphrase: can't open /dev/tty"

Asked by que*_*o42 (score 5). Tags: ssh, clone, git, ssh-keys, docker

I am trying to clone a test project from GitLab using a Dockerfile and an SSH key pair: ssh-keygen -t rsa -P "". The private key has no passphrase, and the public key is published on the GitLab account.

Anyone else can test this quickly: open an account on GitLab, publish your SSH public key, then add a new empty project to clone.

Without Docker, ssh -i C:\path\to\my\private_key\id_rsa git@gitlab.com works. Without Docker, cloning the project works as well.

I load the private key into the Dockerfile and delete it at the end. Not important, but for everyone who sees a security risk here: I delete the key pair on the client and on the server directly after use. I only try to bypass the passphrase entry of the user account when cloning, because that does not seem to work during a Dockerfile run and would be a real security risk, since it could leave the passphrase in logs.

To start: go to the Dockerfile directory and paste the private key "id_rsa" into a new ".ssh" subfolder. Then:

docker build -t NEW_IMAGENAME . --build-arg ssh_prv_key="$(cat ./.ssh/id_rsa)"

Working code so far:

FROM vcatechnology/linux-mint:18.2
ARG ssh_prv_key
RUN apt-get update && \
    apt upgrade -y && \
    apt-get install -y git  
RUN apt-get install -y openssh-client # openssh-server
RUN mkdir /root/.ssh/
RUN echo "Host *\n  User git\n  HostName gitlab.com\n  AddKeysToAgent yes\n  IdentityFile /root/.ssh/id_rsa" >> /etc/ssh/ssh_config
RUN echo "$ssh_prv_key" > /root/.ssh/id_rsa && \
    chmod 600 /root/.ssh/id_rsa

RUN ssh-keyscan -t rsa -H gitlab.com >> /root/.ssh/known_hosts
RUN ssh -o StrictHostKeyChecking=no git@gitlab.com || true
RUN eval "$(ssh-agent -s)"
RUN chmod 666 /dev/tty

This results in:

docker build -t CONTAINERNAME . --build-arg ssh_prv_key="$(cat /.ssh/id_rsa)"
[+] Building 254.9s (14/17)
 => [internal] load build definition from Dockerfile                                                                                                                                                                                    0.0s
 => => transferring dockerfile: 6.84kB                                                                                                                                                                                                  0.0s
 => [internal] load .dockerignore                                                                                                                                                                                                       0.0s
 => => transferring context: 2B                                                                                                                                                                                                         0.0s
 => [internal] load metadata for docker.io/vcatechnology/linux-mint:18.2                                                                                                                                                                0.8s
 => CACHED [ 1/14] FROM docker.io/vcatechnology/linux-mint:18.2@sha256:0557a4999d43c0c622f3a57c3db5b13536024fb5999ecf4f03c6ffec0e4fdb47                                                                                                 0.0s
 => [ 2/14] RUN apt-get update &&  apt upgrade -y &&  apt-get install -y git                                                                                                                                                          244.3s
 => [ 3/14] RUN apt-get install -y openssh-client # openssh-server                                                                                                                                                                      3.1s
 => [ 4/14] RUN mkdir /root/.ssh/                                                                                                                                                                                                       0.6s
 => [ 5/14] RUN echo "Host *\n  User git\n  HostName gitlab.com\n  AddKeysToAgent yes\n  IdentityFile /root/.ssh/id_rsa" >> /etc/ssh/ssh_config                                                                                         0.6s
 => [ 6/14] RUN echo "$(cat /.ssh/id_rsa)" > /root/.ssh/id_rsa &&     chmod 600 /root/.ssh/id_rsa                                                                                                                                       0.6s
 => [ 7/14] RUN ssh-keyscan -t rsa -H gitlab.com >> /root/.ssh/known_hosts                                                                                                                                                              1.3s
 => [ 8/14] RUN ssh -o StrictHostKeyChecking=no git@gitlab.com || true                                                                                                                                                                  1.6s
 => [ 9/14] RUN eval "$(ssh-agent -s)"                                                                                                                                                                                                  0.6s
 => [10/14] RUN chmod 666 /dev/tty                                                                                                                                                                                                      0.6s

The final steps after this working code in the Dockerfile are the following, but so far each of the first three lines stops the script:

RUN ssh-add /root/.ssh/id_rsa
RUN ssh -tti /root/.ssh/id_rsa git@gitlab.com
RUN git clone git@gitlab.com:GITLAB_USERNAME/test.git
RUN rm -r /root/.ssh
  1. If RUN ssh-add /root/.ssh/id_rsa comes directly after the last working code:

      => ERROR [11/14] RUN ssh-add /root/.ssh/id_rsa                                                                                                                                                                                         0.6s
     ------
      > [11/14] RUN ssh-add /root/.ssh/id_rsa:
     #14 0.579 Could not open a connection to your authentication agent.
     ------
     executor failed running [/bin/sh -c ssh-add /root/.ssh/id_rsa]: exit code: 2

The error Could not open a connection to your authentication agent. is well known, see Could not open a connection to your authentication agent. But I could not solve it with that thread.

  2. If RUN ssh -tti /root/.ssh/id_rsa git@gitlab.com comes directly after the last working code:

     #14 1.545 Permission denied (publickey,keyboard-interactive).
     ------
     executor failed running [/bin/sh -c ssh -tti /root/.ssh/id_rsa git@gitlab.com]: exit code: 255
  3. If RUN git clone git@gitlab.com:GITLAB_USERNAME/test.git comes directly after the last working code:

     #16 0.450 Cloning into 'test'...
     #16 1.466 Permission denied (publickey,keyboard-interactive).
     #16 1.467 fatal: Could not read from remote repository.
     #16 1.467
     #16 1.467 Please make sure you have the correct access rights
     #16 1.467 and the repository exists.
     ------
     executor failed running [/bin/sh -c git clone git@gitlab.com:GITLAB_USERNAME/test.git]: exit code: 128

So ssh apparently needs "ssh-add" to add the private key to "ssh-agent" so that it knows the private key on the client, and I guess it also needs ssh -tti /root/.ssh/id_rsa git@gitlab.com so that ssh knows the way to the server.

  4. If RUN ssh -Tvvv git@gitlab.com (-T avoids "Pseudo-terminal will not be allocated because stdin is not a terminal") comes directly after the last working code (this is not needed in the final Dockerfile, it is just a check):

      => ERROR [12/12] RUN ssh -Tvvv git@gitlab.com                                                                                                                                                                                          1.2s
     ------
      > [12/12] RUN ssh -Tvvv git@gitlab.com:
     #16 0.376 OpenSSH_7.2p2 Ubuntu-4ubuntu2.10, OpenSSL 1.0.2g  1 Mar 2016
     #16 0.376 debug1: Reading configuration data /etc/ssh/ssh_config
     #16 0.376 debug1: /etc/ssh/ssh_config line 19: Applying options for *
     #16 0.376 debug1: /etc/ssh/ssh_config line 57: Applying options for *
     #16 0.376 debug2: resolving "gitlab.com" port 22
     #16 0.397 debug2: ssh_connect_direct: needpriv 0
     #16 0.397 debug1: Connecting to gitlab.com [172.65.251.78] port 22.
     #16 0.450 debug1: Connection established.
     #16 0.450 debug1: permanently_set_uid: 0/0
     #16 0.450 debug1: key_load_public: No such file or directory
     #16 0.450 debug1: identity file /root/.ssh/id_rsa type -1
     #16 0.450 debug1: key_load_public: No such file or directory
     #16 0.450 debug1: identity file /root/.ssh/id_rsa-cert type -1
     #16 0.451 debug1: Enabling compatibility mode for protocol 2.0
     #16 0.451 debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
     #16 0.977 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u2
     #16 0.977 debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
     #16 0.977 debug2: fd 3 setting O_NONBLOCK
     #16 0.977 debug1: Authenticating to gitlab.com:22 as 'git'
     #16 0.977 debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
     #16 0.977 debug3: send packet: type 20
     #16 0.977 debug1: SSH2_MSG_KEXINIT sent
     #16 0.994 debug3: receive packet: type 20
     #16 0.994 debug1: SSH2_MSG_KEXINIT received
     #16 0.994 debug2: local client KEXINIT proposal
     #16 0.994 debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
     #16 0.994 debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
     #16 0.994 debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
     #16 0.994 debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
     #16 0.994 debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
     #16 0.994 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
     #16 0.994 debug2: compression ctos: none,zlib@openssh.com,zlib
     #16 0.994 debug2: compression stoc: none,zlib@openssh.com,zlib
     #16 0.994 debug2: languages ctos:
     #16 0.994 debug2: languages stoc:
     #16 0.994 debug2: first_kex_follows 0
     #16 0.994 debug2: reserved 0
     #16 0.994 debug2: peer server KEXINIT proposal
     #16 0.994 debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
     #16 0.994 debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
     #16 0.994 debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
     #16 0.994 debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
     #16 0.994 debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
     #16 0.994 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
     #16 0.994 debug2: compression ctos: none,zlib@openssh.com
     #16 0.994 debug2: compression stoc: none,zlib@openssh.com
     #16 0.994 debug2: languages ctos:
     #16 0.994 debug2: languages stoc:
     #16 0.994 debug2: first_kex_follows 0
     #16 0.994 debug2: reserved 0
     #16 0.994 debug1: kex: algorithm: curve25519-sha256@libssh.org
     #16 0.994 debug1: kex: host key algorithm: ecdsa-sha2-nistp256
     #16 0.994 debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
     #16 0.994 debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
     #16 1.014 debug3: send packet: type 30
     #16 1.014 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
     #16 1.182 debug3: receive packet: type 31
     #16 1.185 debug1: Server host key: ecdsa-sha2-nistp256 SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw
     #16 1.186 debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
     #16 1.187 debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
     #16 1.187 debug1: read_passphrase: can't open /dev/tty: No such device or address
     #16 1.188 Host key verification failed.
     ------
     executor failed running [/bin/sh -c ssh -Tvvv git@gitlab.com]: exit code: 255    

I have tried a lot, but so far I cannot solve the error read_passphrase: can't open /dev/tty: No such device or address. The file exists, otherwise I could not use chmod 666 /dev/tty. I guess a terminal is needed to enter the empty passphrase.

What needs to be changed to clone a repository from GitLab with a passwordless SSH key pair, using only one Dockerfile?

If there is no way to do this in one Dockerfile, an acceptable workaround would be a docker-compose file; but that is not the preferred answer.

EDIT: the required paths and files can be found by looking into the container.

(The start was: docker build -t . --build-arg ssh_prv_key="$(cat ./.ssh/id_rsa)", until the end of the working code only!)
docker run -d -it --name test_bash -d NEW_IMAGENAME:latest
docker exec -it test_bash bash
cd root/.ssh;ls

The last command shows id_rsa and known_hosts.

d3cbc35351fd / # cd root/.ssh;ls
id_rsa  known_hosts

If I run d3cbc35351fd .ssh # ssh -Tvvv git@gitlab.com inside the container, I am asked for the passphrase:

Enter passphrase for key '/root/.ssh/id_rsa':
debug2: bad passphrase given, try again...
Enter passphrase for key '/root/.ssh/id_rsa':
debug2: bad passphrase given, try again...
Enter passphrase for key '/root/.ssh/id_rsa':
debug2: no passphrase given, try next key

This was tried with "", '' and just pressing Enter; none of them works.

If I cannot use SSH in the Dockerfile, and cannot use SSH in a container of that Dockerfile image either, I wonder whether it is possible at all to clone a repository from a Dockerfile or a container. I think suppressing the passphrase prompt would be the next important step towards solving this, but even that may not fully solve the problem, since I have already tried entering an empty passphrase in the container without success.

Answer by que*_*o42 (score 3)

If you want to remove the private key from the image for security reasons, or need more information, see Using SSH keys inside docker container for a more comprehensive answer.


The main error was caused by

echo "$ssh_prv_key" > /root/.ssh/id_rsa

Although a private key needs many lines, it only passes the malformed ssh_prv_key as one line. The idea came from Add private key to ssh-agent in docker file, hinting at Gitlab CI/Docker: ssh-add keeps asking for passphrase.

--> So instead of RUN echo ... for the private key, use COPY ...!!!

Another small error was RUN ssh -o StrictHostKeyChecking=no git@gitlab.com || true, which does not work, but both

RUN echo "Host *\n\t StrictHostKeyChecking no" >> /etc/ssh/ssh_config

RUN ssh-keyscan -t rsa -H gitlab.com >> /root/.ssh/known_hosts

work and reach the same goal; just choose one of the two.

Another step was to remove ssh-agent and ssh-add; both are only needed if you have a passphrase, see Add private key to ssh-agent in docker file.

This is working now.

The Dockerfile looks like this:

FROM ubuntu:latest
RUN apt-get update && apt-get install -y git
RUN mkdir -p /root/.ssh && chmod 700 /root/.ssh
COPY /.ssh/id_rsa /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa
RUN ssh-keyscan -t rsa -H gitlab.com >> /root/.ssh/known_hosts
RUN git clone git@gitlab.com:GITLAB_USERNAME/test.git
RUN rm -r /root/.ssh

To create the image from the Dockerfile:

  • Go to the directory of the Dockerfile.

  • Paste your private key "id_rsa" (or whatever name you have; then change the code accordingly, of course) into the new subfolder "/.ssh/" (or paste it into the Dockerfile directory and change the code to COPY id_rsa /root/.ssh/id_rsa).

  • Start (do not forget the "." at the end, it is the build context):

    docker build -t test .
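The answer above traces the failure to the private key arriving inside the image as a single line, so ssh could not parse it and fell back to asking for a passphrase. The following script is an added example, not code from the question or the answer: a pre-build check that refuses a key file before it is copied into the build context if it has lost its multi-line structure, carries Windows line endings, or is not mode 0600. The file names `good_key`, `flat_key` and the key body are constructed for the demonstration and are not a real key; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Checks the private key file that
# the Dockerfile will COPY, rejecting the one-line shape that the answer above
# blames for "bad passphrase" / "Permission denied (publickey)". All sample
# content written below is constructed; the key body is not a real key.

# key_is_multiline_pem FILE
# Returns 0 if FILE still has the structure ssh expects: a BEGIN line, an END
# line, at least one body line between them, and no CR characters (CRLF
# endings also make ssh reject the key or prompt for a passphrase).
key_is_multiline_pem() {
    f="$1"
    [ -f "$f" ] || return 1
    first=$(head -n 1 "$f")
    last=$(tail -n 1 "$f")
    case "$first" in
        "-----BEGIN "*" PRIVATE KEY-----") ;;
        *) return 1 ;;
    esac
    case "$last" in
        "-----END "*" PRIVATE KEY-----") ;;
        *) return 1 ;;
    esac
    # awk counts an unterminated last line too, unlike wc -l
    lines=$(awk 'END { print NR }' "$f")
    [ "$lines" -ge 3 ] || return 1
    grep -q "$(printf '\r')" "$f" && return 1
    return 0
}

# key_perms_ok FILE
# ssh refuses keys readable by others. The answer's Dockerfile runs chmod 600
# after COPY, but the source file should already be 0600 on the build host.
key_perms_ok() {
    find "$1" -perm 600 2>/dev/null | grep -q .
}

# write_samples DIR
# Writes two constructed files: good_key, an intact three-line stand-in, and
# flat_key, the same content collapsed onto one line, which is the shape the
# answer above says the echo-based RUN step produced.
write_samples() {
    d="$1"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'AAAAconstructedFakeKeyBodyNotARealKey==' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/good_key"
    tr '\n' ' ' < "$d/good_key" > "$d/flat_key"
    chmod 600 "$d/good_key" "$d/flat_key"
}

# check_build_key FILE
# Combined verdict for a pre-build hook, e.g.
#   check_build_key ./.ssh/id_rsa && docker build -t test .
check_build_key() {
    if ! key_is_multiline_pem "$1"; then
        echo "REJECT $1: not an intact multi-line private key" >&2
        return 1
    fi
    if ! key_perms_ok "$1"; then
        echo "REJECT $1: file mode must be 0600" >&2
        return 1
    fi
    echo "OK $1"
}

# Demonstration on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
check_build_key "$tmp/good_key"
check_build_key "$tmp/flat_key" || true
rm -rf "$tmp"
```

Run it in front of `docker build`, as in the `check_build_key ./.ssh/id_rsa && docker build -t test .` comment, so a flattened or CRLF key is caught on the build host rather than inside a failing RUN step. One caveat on the answer's Dockerfile that the linked question addresses: COPY writes the key into an image layer, and the later RUN rm -r /root/.ssh removes it from the final filesystem but not from that earlier layer, so the key is still retrievable from the image history. If the key must never be stored in the image at all, BuildKit's `RUN --mount=type=ssh` with `docker build --ssh default` forwards the host's agent into the build step instead of copying the key; that mechanism is outside what the page shows.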