Access to secrets / private files needed to build in Dockerfile?

I am trying to create an image in Docker that requires several secret files in order to do something like pulling from a private git repository. I saw a lot of people with this code:

    ADD id_rsa /root/.ssh/id_rsa
    RUN chmod 700 /root/.ssh/id_rsa
    RUN touch /root/.ssh/known_hosts
    RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
    RUN git clone git@github.com:some/repo.git /usr/local/some_folder

Although this works, it means that I have to store my own id_rsa with my image, which seems bad to me. I would prefer to keep my secret files in some cloud storage like S3 and just pass the credentials as environment variables to be able to pull down the rest.

I know I can pass environment variables to docker run using -e , but if I need files during the build (e.g. id_rsa to do the git clone), what can I do? Ideally, I could pass environment variables to docker build , but this is not possible (I cannot understand why).

So, ideas? What is the canonical / right thing here? I cannot be the first person with this problem.

+5
1 answer

I will start with the easiest part, which, in my opinion, is a common misconception:

Ideally, I could pass environment variables to docker build, but this is not possible (I cannot understand why).

Docker builds are designed to be reproducible. Given the same context (the files in the same directory as the Dockerfile ), the resulting image will be the same. They should also be simple. Both things together explain the lack of environment options or other conditionals.

Now, since the build must be reproducible, the execution of each command is cached. If you run the build twice, git pull will only run the first time.

From your comment, this is not what you intend:

therefore, with any new image build, we always want the new version of the repo

To trigger a fresh build you need to change either the context or the Dockerfile .

The canonical way (I am probably abusing this word, but this is how automated builds work) is to keep the Dockerfile in git.

This allows a simple git pull ; docker build ... workflow and avoids the problem of storing git credentials.

+2

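The question's concern is that the ADD id_rsa line bakes the private key into an image layer, and it stays there even if a later RUN rm deletes it, because a layered filesystem records a deletion as a whiteout entry rather than removing the earlier bytes. The scanner below is an added example, not code from the question, the answer or the Docker project: it builds a constructed stand-in for a `docker save` archive (manifest.json plus one layer.tar per layer, the real layout) with a key added in layer 0 and deleted in layer 1, then walks every layer and reports secret-looking paths even when they are hidden from the final filesystem. SECRET_PATTERNS is an assumed, illustrative list.

```python
import io
import json
import tarfile
from typing import Dict, List, Set, Tuple

# Paths that should never be stored in any image layer (assumed example list, not exhaustive).
SECRET_PATTERNS = ("/.ssh/id_rsa", "/.ssh/id_ed25519", "/.aws/credentials", "/.npmrc")


def _add_file(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    """Write an in-memory file into a tar archive."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def _layer_tar(files: Dict[str, bytes]) -> bytes:
    """Build one layer.tar (a plain filesystem tar) from a {path: content} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            _add_file(tar, path, data)
    return buf.getvalue()


def build_constructed_image() -> bytes:
    """Constructed stand-in for `docker save` output.

    Layer 0 mimics `ADD id_rsa /root/.ssh/id_rsa` plus the cloned repo; layer 1 mimics a later
    `RUN rm /root/.ssh/id_rsa`, which the layered filesystem stores as a whiteout `.wh.id_rsa`
    entry instead of erasing the key bytes written by layer 0.
    """
    layers = [
        _layer_tar({
            "root/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED\n",
            "usr/local/some_folder/README": b"cloned repo\n",
        }),
        _layer_tar({"root/.ssh/.wh.id_rsa": b""}),
    ]
    manifest = [{
        "Config": "config.json",
        "RepoTags": ["example:latest"],
        "Layers": [f"layer{i}/layer.tar" for i in range(len(layers))],  # base layer first
    }]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "manifest.json", json.dumps(manifest).encode())
        for i, blob in enumerate(layers):
            _add_file(tar, f"layer{i}/layer.tar", blob)
    return buf.getvalue()


def scan_image(image_tar: bytes) -> Tuple[List[Tuple[int, str]], List[str]]:
    """Return (findings, final_fs).

    findings: (layer_index, path) for every secret-looking path stored in any layer.
    final_fs: the paths still visible in the merged filesystem after applying whiteouts.
    """
    findings: List[Tuple[int, str]] = []
    final_fs: Set[str] = set()
    with tarfile.open(fileobj=io.BytesIO(image_tar), mode="r") as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for idx, layer_name in enumerate(manifest[0]["Layers"]):
            layer_blob = image.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_blob), mode="r") as layer:
                for member in layer.getmembers():
                    path = member.name
                    directory, _, base = path.rpartition("/")
                    if base.startswith(".wh."):
                        # Whiteout: hidden in the merged view, but the bytes written by the
                        # earlier layer are still in the archive, so do not stop scanning.
                        hidden = f"{directory}/{base[4:]}" if directory else base[4:]
                        final_fs.discard(hidden)
                        continue
                    final_fs.add(path)
                    if any(pattern in "/" + path for pattern in SECRET_PATTERNS):
                        findings.append((idx, path))
    return findings, sorted(final_fs)


if __name__ == "__main__":
    found, visible = scan_image(build_constructed_image())
    for layer_idx, leaked in found:
        print(f"layer {layer_idx}: secret-looking file {leaked} (visible in final fs: {leaked in visible})")
```

Against a real image, `docker save example:latest -o image.tar` produces the same layout, and the scanner reports the key in layer 0 although it is absent from the container's filesystem. The point matches the answer's advice to keep credentials out of the build entirely; on current Docker versions, BuildKit's `RUN --mount=type=ssh` or `--mount=type=secret` makes a key available to a single RUN step without writing it into any layer.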
Source: https://habr.com/ru/post/1201953/
