moby / buildkit

concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit
https://github.com/moby/moby/issues/34227
Apache License 2.0

Dockerfile - Load key "/root/.ssh/id_rsa": invalid format with Build Kit #4307

Open codeRuslan opened 1 year ago

codeRuslan commented 1 year ago

I got the following error:

```
#11 2.895 In Git.php line 453:
#11 2.895
#11 2.895   Failed to execute git clone --mirror -- 'git@gitlab.com:test/test/
#11 2.895   test/data-etstgit' '/root/.composer/cache/vcs/git-gitlab.com
#11 2.895   -test.git/'
#11 2.895
#11 2.895   Cloning into bare repository '/root/.composer/cache/vcs/git-gitlab.com
#11 2.895  test.git'...
#11 2.895   Warning: Permanently added the RSA host key for IP address '1.1.11.1' to
#11 2.895   the list of known hosts.
#11 2.895   Load key "/root/.ssh/id_rsa": invalid format
#11 2.895   git@gitlab.com: Permission denied (publickey).
#11 2.896   fatal: Could not read from remote repository.
#11 2.896
#11 2.896   Please make sure you have the correct access rights
#11 2.896   and the repository exists.
```

While building this test Dockerfile:

```dockerfile
FROM alpine

RUN mkdir /root/.ssh/
RUN --mount=type=secret,id=ssh_key,dst=/etc/secrets/ssh_key cat /etc/secrets/ssh_key > /root/.ssh/id_rsa && chmod 400 /root/.ssh/id_rsa
RUN cat /root/.ssh/id_rsa

RUN touch /root/.ssh/known_hosts && \
      ssh-keyscan -t rsa gitlab.com >> /root/.ssh/known_hosts

ADD source .
RUN composer install -o -n --no-scripts

RUN mkdir -pv -m 0777 var var/log var/cache var/cache/prod && \
      chmod -R 777 var && chown -R 33:33 var
```

The command that I execute for it:

```sh
echo -n "$BITBUCKET_SSH_KEY" > ssh_key
DOCKER_BUILDKIT=1 docker build --pull --secret id=ssh_key,src=./ssh_key -f Dockerfile-php -t ${TAG} .
```

However, I have also tried just using an env variable for the docker secret, with the following build command:

```sh
DOCKER_BUILDKIT=1 docker build --pull --secret id=SSH_KEY,env=BITBUCKET_SSH_KEY -f Dockerfile-php -t${TAG} .
```

And with this changed Dockerfile layer:

```dockerfile
RUN --mount=type=secret,id=SSH_KEY cat /run/secrets/SSH_KEY  > /root/.ssh/id_rsa && chmod 400 /root/.ssh/id_rsa
```

With the debug layer `RUN cat /root/.ssh/id_rsa`, I see that id_rsa looks totally fine inside the container, as an SSH key should look; however, the invalid format error still persists.

jedevc commented 12 months ago

If the file inside of buildkit and the secret file you input in are the same, then this isn't a buildkit issue.

Obviously, you can't share the contents of your RSA key file, but what does the format look like (removing any sensitive information)?

Just a note (but unrelated to the error you're having): you shouldn't copy the secret file between multiple layers - this will store the secret in the resulting image, which defeats the purpose of secrets. You should instead only mount the secret in the RUN command in which you're trying to use it.
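
One way to answer the format question without disclosing the key, as an added example that is not part of the original thread: a shell function that checks only the structure of a key file (armor lines, final newline, carriage returns), which are common reasons for ssh to report `invalid format`. The name `check_key_file` and the sample key text are constructed for illustration.

```shell
# Added example (not from the thread): structural checks on a private key file.
# Prints only diagnostics, never key material. Returns 0 if well-formed, else 1.
check_key_file() {
    f=$1
    problems=0
    cr=$(printf '\r')
    if [ ! -s "$f" ]; then
        echo "$f: missing or empty" >&2
        return 1
    fi
    # PEM and OpenSSH private keys are wrapped in BEGIN/END armor lines.
    if ! head -n 1 "$f" | grep -Eq '^-----BEGIN [A-Z ]*PRIVATE KEY-----'; then
        echo "$f: first line is not a BEGIN ... PRIVATE KEY line" >&2
        problems=1
    fi
    # Also fails when newlines were flattened and the key is one long line.
    if ! tail -n 1 "$f" | grep -Eq '^-----END [A-Z ]*PRIVATE KEY-----'; then
        echo "$f: last line is not an END ... PRIVATE KEY line" >&2
        problems=1
    fi
    # $(...) strips a trailing newline, so non-empty output means the final
    # byte is not a newline (what `echo -n` produces).
    if [ -n "$(tail -c 1 "$f")" ]; then
        echo "$f: no newline after the last line" >&2
        problems=1
    fi
    # Carriage returns appear when the key passed through a CRLF editor or form.
    if grep -q "$cr" "$f"; then
        echo "$f: contains carriage returns (CRLF line endings)" >&2
        problems=1
    fi
    return "$problems"
}

# Constructed sample: placeholder body, not a real key.
sample_key='-----BEGIN OPENSSH PRIVATE KEY-----
Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=
-----END OPENSSH PRIVATE KEY-----'
demo_dir=$(mktemp -d)
printf '%s' "$sample_key" > "$demo_dir/no_newline"   # same effect as echo -n
printf '%s\n' "$sample_key" > "$demo_dir/good"
check_key_file "$demo_dir/no_newline" || echo "no_newline: rejected"
check_key_file "$demo_dir/good" && echo "good: ok"
```

Run it against the file passed to `--secret` on the build host; the diagnostics can be pasted into an issue because they contain no key bytes.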