emk / rust-musl-builder

Docker images for compiling static Rust binaries using musl-libc and musl-gcc, with static versions of useful C libraries. Supports openssl and diesel crates.
Apache License 2.0

docker --ssh feature fails #74

Closed oddg closed 5 years ago

oddg commented 5 years ago

I am trying to use the --ssh option of the docker build command. I can successfully use it with ubuntu as a base image:

# syntax=docker/dockerfile:1.0.0-experimental
# syntax=docker/dockerfile:experimental
FROM ubuntu:18.04

RUN apt-get -yq update && apt-get -yqq install ssh git

RUN mkdir -m 700 ~/.ssh && touch -m ~/.ssh/known_hosts && ssh-keyscan github.com > ~/.ssh/known_hosts
RUN --mount=type=ssh,id=github git clone git@github.com:my-company/my-private-repo.git ~/my-private-repo

but it fails when I use ekidd/rust-musl-builder:

# syntax=docker/dockerfile:1.0.0-experimental
# syntax=docker/dockerfile:experimental
FROM ekidd/rust-musl-builder

RUN sudo apt-get -yq update && sudo apt-get -yqq install ssh git

RUN mkdir -m 700 ~/.ssh && touch -m ~/.ssh/known_hosts && ssh-keyscan github.com > ~/.ssh/known_hosts
RUN --mount=type=ssh,id=github git clone git@github.com:my-company/my-private-repo.git ~/my-private-repo

Running the command DOCKER_BUILDKIT=1 docker build --ssh github=~/.ssh/id_rsa . gives me the following error message:

#9 1.043 git@github.com: Permission denied (publickey).
#9 1.045 fatal: Could not read from remote repository.
#9 1.045
#9 1.045 Please make sure you have the correct access rights
#9 1.045 and the repository exists.

It's unclear to me what in the rust-musl-builder image may break the --ssh.

Here is my docker version:

Client: Docker Engine - Community
 Version:           18.09.2
 API version:       1.39
 Go version:        go1.10.8
 Git commit:        6247962
 Built:             Sun Feb 10 04:12:39 2019
 OS/Arch:           darwin/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.2
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.6
  Git commit:       6247962
  Built:            Sun Feb 10 04:13:06 2019
  OS/Arch:          linux/amd64
  Experimental:     false

oddg commented 5 years ago

Hmm, it might be related to the custom setup of git credentials...

oddg commented 5 years ago

Actually the following does work...

# syntax=docker/dockerfile:1.0.0-experimental
# syntax=docker/dockerfile:experimental
FROM ubuntu:18.04

RUN apt-get -yq update && apt-get -yqq install ssh git

# Set up a `git credentials` helper for using GH_USER and GH_TOKEN to access
# private repositories if desired.
ADD git-credential-ghtoken /usr/local/bin
RUN git config --global credential.https://github.com.helper ghtoken

RUN mkdir -m 700 ~/.ssh && touch -m ~/.ssh/known_hosts && ssh-keyscan github.com > ~/.ssh/known_hosts
RUN --mount=type=ssh,id=github git clone git@github.com:my-company/my-private-repo.git ~/my-private-repo

oddg commented 5 years ago

The issue is triggered by running the command with the rust user. The following fails:

# syntax=docker/dockerfile:1.0.0-experimental
# syntax=docker/dockerfile:experimental
FROM ubuntu:18.04

RUN apt-get -yq update && apt-get -yqq install ssh git

RUN useradd rust --user-group --create-home --shell /bin/bash --groups sudo
ADD sudoers /etc/sudoers.d/nopasswd
USER rust

RUN mkdir -m 700 ~/.ssh && touch -m ~/.ssh/known_hosts && ssh-keyscan github.com > ~/.ssh/known_hosts

RUN --mount=type=ssh,id=github git clone git@github.com:my-company/my-private-repo.git ~/my-private-repo

emk commented 5 years ago

Yup, that seems about right. Sorry about that. :-/ You do have the option of using sudo in the Rust image if you want, but it's probably better to use USER root followed by the commands you want to run, then USER rust to set it back.

We also bundle an example git credential helper, which shows how to do more complicated authentication with git.

oddg commented 5 years ago

@emk Thanks for the suggestion! Running USER root does fix the issue. In the end I am going with:

# syntax=docker/dockerfile:1.0.0-experimental
# syntax=docker/dockerfile:experimental
FROM ekidd/rust-musl-builder

RUN sudo apt-get -yq update && sudo apt-get -yqq install ssh git

USER root
RUN mkdir -m 700 ~/.ssh && touch -m ~/.ssh/known_hosts && ssh-keyscan github.com > ~/.ssh/known_hosts
RUN --mount=type=ssh,id=github git clone git@github.com:my-company/my-private-repo.git /home/rust/my-private-repo
# Hand the checkout (cloned as root above) back to the rust user.
RUN chown -R rust:rust /home/rust/my-private-repo

USER rust
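
An alternative to cloning as root, added here as an example and not part of the original thread or the project's own code: BuildKit's `type=ssh` mount accepts `uid`, `gid` and `mode` options, and the forwarded agent socket defaults to uid 0 with mode 0600, which a non-root user cannot open. The sketch below reuses the ubuntu reproduction from the thread and assumes the rust user has UID 1000 (pinned explicitly here; verify the UID in your own base image).

```dockerfile
# syntax=docker/dockerfile:experimental
FROM ubuntu:18.04

RUN apt-get -yq update && apt-get -yqq install ssh git

# Assumption: pin the UID so the mount option below can refer to it.
RUN useradd rust --uid 1000 --user-group --create-home --shell /bin/bash
USER rust

RUN mkdir -m 700 ~/.ssh && ssh-keyscan github.com > ~/.ssh/known_hosts

# The agent socket is mounted as uid=0, gid=0, mode=0600 unless told otherwise.
# uid=1000 makes the rust user its owner, so no root step or chown is needed.
# ssh-add -l exits non-zero if the agent is unreachable or holds no keys,
# failing the build here rather than inside git.
RUN --mount=type=ssh,id=github,uid=1000 ssh-add -l

RUN --mount=type=ssh,id=github,uid=1000 \
    git clone git@github.com:my-company/my-private-repo.git ~/my-private-repo
```

Build it with the same command used earlier in the thread: DOCKER_BUILDKIT=1 docker build --ssh github=~/.ssh/id_rsa .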