SSH Keys inside Dockerfile

Hi there!

I’m having a bit of trouble getting my head around some of the moving parts with GitLab CI - I’m using a docker executor and wondering if the intention is that within my Dockerfile I should be able to access private repositories via e.g. npm after following the process from here? https://docs.gitlab.com/ce/ci/ssh_keys/README.html#ssh-keys-when-using-the-docker-executor and quoting this line:-

That’s it! You can now have access to private servers or repositories in your build environment.

The goal is to have my npm based project building docker images / pushing to the registry on every commit, but there are private repositories within the package.json file I’m needing to clone and currently getting “permission denied” errors.

I’ve got my deploy keys working when I do it from outside the docker container, but within I’m still just getting a “No identities found” error from ssh-add -l within the Dockerfile. Should the identity created in the before_script block somehow be getting passed to within the Dockerfile?

.gitlab-ci.yml:-

variables:
  REGISTRY: git.local:4567
  http_proxy: http://corpproxy:8888
  https_proxy: http://corpproxy:8888
  GIT_SSL_NO_VERIFY: "true"
stages:
  - build
build:
  image: docker:1.10.3
  stage: build
  before_script:
    - 'which ssh-agent || ( apk update && apk add openssh )'
    - eval $(ssh-agent -s)
    - echo "$SSH_PRIVATE_KEY" > /tmp/key && chmod 600 /tmp/key
    - cat /tmp/key  # debugging only: this prints the private key into the job log
    - ssh-add /tmp/key
    - mkdir -p ~/.ssh
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
  script:
    - docker login -e test@test.com -u gitlab-ci-token -p $CI_BUILD_TOKEN $REGISTRY
    - docker build -t $REGISTRY/nyx/nyx --build-arg http_proxy=$http_proxy --build-arg https_proxy=$https_proxy .
    - docker push $REGISTRY/nyx/nyx
  tags:
    - docker

My Dockerfile:-

FROM node:boron

RUN mkdir /root/.ssh/
RUN ssh-keyscan -H git.local >> /root/.ssh/known_hosts

RUN npm config set strict-ssl false
RUN npm config set registry http://registry.npmjs.org/
RUN npm config set proxy ${http_proxy}
RUN npm config set https-proxy ${http_proxy}

# Create app directory
RUN mkdir -p /var/www/nyx
WORKDIR /var/www/nyx

# Install app dependencies
COPY package.json /var/www/nyx

# Each RUN starts a fresh shell in a new layer, so the agent started here is empty;
# the agent (and key) loaded in before_script live on the runner, not in the build.
RUN eval $(ssh-agent -s) && ssh-add -l
# Would normally just be "npm install" with this dependency listed in package.json
RUN npm install git+ssh://git@git.local:project/dependency.git

# Bundle app source
COPY . /var/www/nyx

EXPOSE 3000

CMD [ "npm", "run", "dev" ]

Relevant output before the npm install fails:-

Step 6 : RUN npm config set registry http://registry.npmjs.org/
 ---> Using cache
 ---> 614c1cdf8c94
Step 7 : RUN npm config set proxy ${http_proxy}
 ---> Using cache
 ---> db8e3cff0d9d
Step 8 : RUN npm config set https-proxy ${http_proxy}
 ---> Using cache
 ---> 802ce0a77639
Step 9 : RUN mkdir -p /var/www/nyx
 ---> Using cache
 ---> 7012886fe112
Step 10 : WORKDIR /var/www/nyx
 ---> Using cache
 ---> 662fdc169c69
Step 11 : COPY package.json /var/www/nyx
 ---> Using cache
 ---> 96fb443a0262
Step 12 : RUN eval $(ssh-agent -s) && ssh-add -l
 ---> Running in 5bc7a5a28814
Agent pid 8
The agent has no identities.
The command '/bin/sh -c eval $(ssh-agent -s) && ssh-add -l' returned a non-zero code: 1

I’d appreciate any suggestions or an alternative workflow on how I should be doing this, at my wits end!

Update:-

Managed a workaround by passing --build-arg SSH_PRIVATE_KEY="$SSH_PRIVATE_KEY" through to the build command and using that to create a key within the Dockerfile.

Dockerfile:-

ARG SSH_PRIVATE_KEY
RUN mkdir -p -m 0700 /root/.ssh/
# ssh ignores a key file that is group/world readable, so restrict it to 0600.
# Note: the key is written into an image layer and the ARG value is recorded in
# the image metadata, so anyone who can pull the image can recover it.
RUN echo "${SSH_PRIVATE_KEY}" > /root/.ssh/id_rsa && chmod 600 /root/.ssh/id_rsa

Seems a bit awkward passing secrets about in build arguments, if anyone had any better ideas I’d be interested.

Cheers!
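One way to give the build the key without baking it into a layer or a build argument, as an added example that is not part of the original post: with a newer Docker (BuildKit, 18.09 or later, rather than the docker:1.10.3 image in the job above) the runner's ssh-agent from before_script can be forwarded into a single RUN step with `--mount=type=ssh`, so no key material is written into the image or its metadata. The node:boron base, the git.local host and the /var/www/nyx path are taken from the post; the build command and everything else are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the original post's Dockerfile: BuildKit ssh-agent forwarding.
# Assumed build command, run after before_script has started the agent and
# added the key (BuildKit reads the agent from $SSH_AUTH_SOCK):
#   DOCKER_BUILDKIT=1 docker build --ssh default -t $REGISTRY/nyx/nyx .
FROM node:boron

# Pin the server host key at build time instead of setting StrictHostKeyChecking no.
# ssh-keyscan trusts whatever answers on first contact, so compare the fingerprint
# (ssh-keygen -lf /root/.ssh/known_hosts) against a value obtained out of band.
RUN mkdir -p -m 0700 /root/.ssh \
 && ssh-keyscan -H git.local >> /root/.ssh/known_hosts

# Create app directory and install dependencies first so the layer is cached
RUN mkdir -p /var/www/nyx
WORKDIR /var/www/nyx
COPY package.json /var/www/nyx

# The agent socket is mounted only for this step; npm's git+ssh clones use it
# through SSH_AUTH_SOCK. Nothing secret is copied into the filesystem, so the
# pushed image contains neither the key nor a build-arg recording of it.
RUN --mount=type=ssh npm install

# Bundle app source
COPY . /var/www/nyx

EXPOSE 3000

CMD [ "npm", "run", "dev" ]
```

If the job's before_script keeps the `cat /tmp/key` line, the key still reaches the job log regardless of how the build itself receives it.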
