Clone private git repository from Dockerfile

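【Title】: Clone private git repository from Dockerfile 【Posted】: 2021-02-04 03:45:42 【Question】:

My goal is to clone a private repository from a Dockerfile. I copy my private SSH key and then add the bitbucket.org domain to the known_hosts file, but when I try to clone the repository I get a "Permission denied" error for some reason. I can clone this repository from my host machine, though. What am I missing?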

Dockerfile:

FROM ubuntu

RUN apt-get update
RUN apt-get install -y git ssh

ARG SSH_PRIVATE_KEY
RUN mkdir /root/.ssh/
RUN echo "$SSH_PRIVATE_KEY" > /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa

RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts

RUN git clone git@bitbucket.org:foo/bar.git

Command:

docker build --build-arg SSH_PRIVATE_KEY="$(cat ~/.ssh/id_rsa)" .

Output:

Warning: Permanently added the RSA host key for IP address '18.205.93.2' to the list of known hosts.
git@bitbucket.org: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Output of running ssh -v git@bitbucket.org:

OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
Pseudo-terminal will not be allocated because stdin is not a terminal.
debug1: Connecting to bitbucket.org [18.205.93.0] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version conker_b9a79bcd5e-dirty conker-3002
debug1: no match: conker_b9a79bdd5e-dirty conker-3002
debug1: Authenticating to bitbucket.org:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:zzXQOXSRBEiUtuEwbHaxvSc0ojez6sdf6s9YXaGp1A
debug1: Host 'bitbucket.org' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
Warning: Permanently added the RSA host key for IP address '18.205.93.0' to the list of known hosts.
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: No more authentication methods to try.
git@bitbucket.org: Permission denied (publickey).

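【Comments on the question】:

Make sure SSH_PRIVATE_KEY is set correctly at build time. Your build command should probably be docker build --build-arg SSH_PRIVATE_KEY=$(cat ~/.ssh/id_rsa) .

I updated the command, but I still get the same error.

Try again with double quotes; that is how it works for me.

You should use an ssh key without a passphrase. Otherwise this gets very complicated.

Two things to keep in mind with this setup: if you have the image, it is easy to get the private key back out, and Docker layer caching means it usually will not repeat the git clone step. I strongly recommend running git outside Docker and avoiding this sequence entirely.

【Answer 1】: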

You need to make sure id_rsa is filled in correctly:

docker build --build-arg SSH_PRIVATE_KEY="$(cat ~/.ssh/id_rsa)" .

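Edit: this only works with a key that has no passphrase; otherwise things get complicated.

【Comments】:

I regenerated the key without a passphrase and it worked! Thanks!

【Answer 2】: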

[note: not a direct answer, more of a formatted comment]

You need to debug your setup further:

Check the content of /root/.ssh/id_rsa in the image:

RUN cat /root/.ssh/id_rsa

Check what ssh -v says when you try to contact bitbucket (does it use the key id_rsa?):

RUN ssh -v git@bitbucket.org

【Comments】:

RUN cat /root/.ssh/id_rsa shows the key from the host. I guess that part works. The output of RUN ssh -v git@bitbucket.org has been added to the question.
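
An added example, not part of the original thread or any poster's code: the same clone done with a BuildKit SSH mount, which addresses the two points raised in the thread (a key passed as a build argument can be recovered from the image, and a passphrase-protected key cannot be unlocked in a non-interactive build). It assumes BuildKit is available and the key is already loaded in an ssh-agent on the host; foo/bar.git is the placeholder repository from the question and /src/bar is an arbitrary target path.

```dockerfile
# syntax=docker/dockerfile:1
FROM ubuntu

# Only the SSH client is needed for cloning, not the full ssh metapackage.
RUN apt-get update && \
    apt-get install -y --no-install-recommends git openssh-client && \
    rm -rf /var/lib/apt/lists/*

# ssh-keyscan trusts whatever host key the network returns at build time.
# For a stricter build, COPY a known_hosts file whose entry you have
# verified out of band instead of scanning here.
RUN mkdir -p -m 0700 /root/.ssh && \
    ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts

# The host's ssh-agent socket is mounted for this RUN step only.
# No private key file is written to any layer and no key is passed as a
# build argument. A passphrase-protected key works here because the agent
# on the host already holds it unlocked.
RUN --mount=type=ssh git clone git@bitbucket.org:foo/bar.git /src/bar

# Build on the host, after loading the key with ssh-add:
#   DOCKER_BUILDKIT=1 docker build --ssh default .
```

With the Dockerfile from the question, by contrast, the key remains in the image at /root/.ssh/id_rsa, and build argument values are visible to anyone who can run docker history on the image.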
