7

I'm trying to build a Docker image for automated deploy, so I want to clone the application code from a private Bitbucket repo (git).

But when I try to build the image, I always get an authentication error from git clone.

Not sure if it's relevant, but the host machine I'm using is running Ubuntu 18.04 and Docker 18.09.7, build 2d0083d.

Here is my Dockerfile:

# syntax=docker/dockerfile:experimental
FROM nvidia/cuda:10.0-cudnn7-devel-ubuntu18.04 as devel_stage
ENV DEBIAN_FRONTEND noninteractive

# install system requirements
RUN apt-get update --fix-missing
RUN apt-get install -y --no-install-recommends build-essential
RUN apt-get install -y --no-install-recommends git
RUN apt-get install -y --no-install-recommends curl
RUN apt-get install -y --no-install-recommends ca-certificates
RUN apt-get install -y --no-install-recommends libjpeg-dev
RUN apt-get install -y --no-install-recommends libpng-dev
RUN apt-get install -y --no-install-recommends python3-dev
RUN apt-get install -y --no-install-recommends python3-pip
RUN apt-get install -y --no-install-recommends python3-setuptools
RUN apt-get install -y --no-install-recommends python3-opencv
RUN apt-get install -y --no-install-recommends python3-skimage
RUN apt-get install -y --no-install-recommends python3-skimage-lib
RUN apt-get install -y --no-install-recommends cmake
RUN apt-get install -y --no-install-recommends ssh
RUN apt-get install -y --no-install-recommends openssh-server

### create application user
ENV DOCK_USER=appuser
ENV USER_HOME=/home/$DOCK_USER
RUN groupadd -g 999 $DOCK_USER
RUN useradd -r -m -u 999 -g $DOCK_USER $DOCK_USER
USER $DOCK_USER
WORKDIR $USER_HOME/code


### install python base libs
RUN pip3 install wheel
### install pytorch
RUN pip3 install https://download.pytorch.org/whl/cu100/torch-1.1.0-cp36-cp36m-linux_x86_64.whl
RUN pip3 install https://download.pytorch.org/whl/cu100/torchvision-0.3.0-cp36-cp36m-linux_x86_64.whl
### install python requirements
ARG REQ_FILE=requirements.txt
ADD $REQ_FILE requirements.txt
RUN pip3 install --user -r requirements.txt

### start app
CMD python3 app.py

##########################################################################################
FROM devel_stage as prod_stage

### add RSA permissions to access Bitbucket
RUN mkdir -p $USER_HOME/.ssh
RUN touch $USER_HOME/.ssh/known_hosts
RUN ssh-keyscan -t rsa bitbucket.org 2>&1 >> $USER_HOME/.ssh/known_hosts

### Copy code to image
WORKDIR $USER_HOME
ENV GIT_SSH_COMMAND="ssh -vvv"
RUN --mount=type=ssh git clone --progress --verbose git@bitbucket.org:MY_GIT_USER/MY_GIT_REPO.git

Using this build command:

DOCKER_BUILDKIT=1 docker build \
        --ssh default \
        --progress=plain \
        --target prod_stage \
        -t MY_APP:prod \
        --build-arg REQ_FILE=requirements.txt \
        docker_data_dir

I get the following error:

#37 [prod_stage 4/4] RUN --mount=type=ssh git clone --progress --verbose git...
#37       digest: sha256:7a22394164be10cb0910677fb7ab406457f2d7465b48d716d411ca0f0875efd6
#37         name: "[prod_stage 4/4] RUN --mount=type=ssh git clone --progress --verbose git@bitbucket.org:pixforce/cerberus-pixgate_demo.git"
#37      started: 2019-11-18 20:15:15.218575026 +0000 UTC
#37 0.416 Cloning into 'cerberus-pixgate_demo'...
#37 0.424 OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
#37 0.424 debug1: Reading configuration data /etc/ssh/ssh_config
#37 0.424 debug1: /etc/ssh/ssh_config line 19: Applying options for *
#37 0.459 debug1: Connecting to bitbucket.org [18.205.93.0] port 22.
#37 0.642 debug1: Connection established.
#37 0.643 debug1: key_load_public: No such file or directory
#37 0.643 debug1: identity file /home/appuser/.ssh/id_rsa type -1
#37 0.643 debug1: key_load_public: No such file or directory
#37 0.643 debug1: identity file /home/appuser/.ssh/id_rsa-cert type -1
#37 0.643 debug1: key_load_public: No such file or directory
#37 0.643 debug1: identity file /home/appuser/.ssh/id_dsa type -1
#37 0.643 debug1: key_load_public: No such file or directory
#37 0.643 debug1: identity file /home/appuser/.ssh/id_dsa-cert type -1
#37 0.643 debug1: key_load_public: No such file or directory
#37 0.643 debug1: identity file /home/appuser/.ssh/id_ecdsa type -1
#37 0.643 debug1: key_load_public: No such file or directory
#37 0.643 debug1: identity file /home/appuser/.ssh/id_ecdsa-cert type -1
#37 0.643 debug1: key_load_public: No such file or directory
#37 0.643 debug1: identity file /home/appuser/.ssh/id_ed25519 type -1
#37 0.643 debug1: key_load_public: No such file or directory
#37 0.643 debug1: identity file /home/appuser/.ssh/id_ed25519-cert type -1
#37 0.643 debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
#37 2.629 debug1: Remote protocol version 2.0, remote software version conker_31073e5a11 app-153
#37 2.629 debug1: no match: conker_31073e5a11 app-153
#37 2.629 debug1: Authenticating to bitbucket.org:22 as 'git'
#37 2.629 debug1: SSH2_MSG_KEXINIT sent
#37 2.630 debug1: SSH2_MSG_KEXINIT received
#37 2.630 debug1: kex: algorithm: [email protected]
#37 2.630 debug1: kex: host key algorithm: ssh-rsa
#37 2.630 debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
#37 2.630 debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
#37 2.633 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
#37 3.077 debug1: Server host key: ssh-rsa SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A
#37 3.077 debug1: Host 'bitbucket.org' is known and matches the RSA host key.
#37 3.077 debug1: Found key in /home/appuser/.ssh/known_hosts:1
#37 3.086 Warning: Permanently added the RSA host key for IP address '18.205.93.0' to the list of known hosts.
#37 3.090 debug1: rekey after 134217728 blocks
#37 3.090 debug1: SSH2_MSG_NEWKEYS sent
#37 3.090 debug1: expecting SSH2_MSG_NEWKEYS
#37 3.090 debug1: SSH2_MSG_NEWKEYS received
#37 3.090 debug1: rekey after 134217728 blocks
#37 3.090 debug1: pubkey_prepare: ssh_get_authentication_socket: Permission denied
#37 3.550 debug1: SSH2_MSG_SERVICE_ACCEPT received
#37 3.734 debug1: Authentications that can continue: publickey
#37 3.734 debug1: Next authentication method: publickey
#37 3.734 debug1: Trying private key: /home/appuser/.ssh/id_rsa
#37 3.734 debug1: Trying private key: /home/appuser/.ssh/id_dsa
#37 3.734 debug1: Trying private key: /home/appuser/.ssh/id_ecdsa
#37 3.734 debug1: Trying private key: /home/appuser/.ssh/id_ed25519
#37 3.734 debug1: No more authentication methods to try.
#37 3.734 git@bitbucket.org: Permission denied (publickey).
#37 3.734 fatal: Could not read from remote repository.
#37 3.734 
#37 3.734 Please make sure you have the correct access rights
#37 3.734 and the repository exists.
#37    completed: 2019-11-18 20:15:19.256826565 +0000 UTC
#37     duration: 4.038251539s
#37        error: "executor failed running [/bin/sh -c git clone --progress --verbose git@bitbucket.org:pixforce/cerberus-pixgate_demo.git]: exit code: 128"

rpc error: code = Unknown desc = executor failed running [/bin/sh -c git clone --progress --verbose git@bitbucket.org:pixforce/cerberus-pixgate_demo.git]: exit code: 128

I have also tried to send a specific key to the build:

DOCKER_BUILDKIT=1 docker build \
        --ssh default=/home/$(USER)/.ssh/id_rsa \
        --progress=plain \
        --target prod_stage \
        -t MY_APP:prod \
        --build-arg REQ_FILE=requirements.txt \
        docker_data_dir

but then the build doesn't even start, and I get this error:

could not parse ssh: [default=/home/rafol/.ssh/id_rsa]: failed to parse /home/rafol/.ssh/id_rsa: ssh: cannot decode encrypted private keys

How can I get this image to work?

2 Answers

4

The problem you're having is that the private key you're sending to the container is in the wrong format.

Modern versions of OpenSSH use an OpenSSH-specific key format for private keys, whereas the OpenSSH version in your container is expecting to see a PEM private key. If you want to use the key in the container, you need to use the PEM format for your private key.

You can either generate a new key with ssh-keygen -m PEM or export the one you have using ssh-keygen -e -m PEM, and then use it in the container.

4

You are setting a non-root USER prior to running git clone.

However, by default, SSH-forwarding during build only works for root.

With recent versions of BuildKit, you can resolve this with mount options.

With older versions of BuildKit, you'll get an error...

$ DOCKER_BUILDKIT=1 BUILDKIT_PROGRESS=plain docker build --ssh default=~/.ssh/id_rsa,uid=999 ./context/
could not parse ssh: [default=/home/USER/.ssh/id_rsa,uid=999]: stat uid=999: no such file or directory
2
  • this answer correctly identifies the origin of the problem, refer to this line in the log: pubkey_prepare: ssh_get_authentication_socket: Permission denied
    Commented Feb 9, 2023 at 14:11
  • Kind of important to know that only root has access to --mount=type=ssh by default
    – D3strukt0r
    Commented Aug 10, 2023 at 17:51
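
The mount option the second answer refers to, as an added example (not code from the question or either answer): the ssh mount's uid option hands the forwarded agent socket to the non-root user. It assumes a Dockerfile frontend recent enough to accept uid= on ssh mounts and an ssh-agent on the host that already holds a key authorized for the repository; the base image and package list are trimmed for illustration.

```dockerfile
# syntax=docker/dockerfile:1
# Added example. Host side (assumed): the key is loaded into ssh-agent first,
#   ssh-add ~/.ssh/id_rsa
#   DOCKER_BUILDKIT=1 docker build --ssh default --progress=plain -t MY_APP:prod .
# "--ssh default" with no path forwards $SSH_AUTH_SOCK, so a passphrase-protected
# key works once the agent holds it, and the key is never copied into a layer.
FROM ubuntu:18.04

RUN apt-get update \
 && apt-get install -y --no-install-recommends git openssh-client ca-certificates \
 && rm -rf /var/lib/apt/lists/*

# Same user layout as the question: appuser with UID/GID 999.
ENV DOCK_USER=appuser
ENV USER_HOME=/home/$DOCK_USER
RUN groupadd -g 999 $DOCK_USER \
 && useradd -r -m -u 999 -g $DOCK_USER $DOCK_USER

USER $DOCK_USER
WORKDIR $USER_HOME

# known_hosts is written as appuser, so ssh can read it during the clone.
# ssh-keyscan trusts whatever answers at build time; compare the result with
# the fingerprint the hosting provider publishes before relying on it.
RUN mkdir -p -m 700 $USER_HOME/.ssh \
 && ssh-keyscan -t rsa bitbucket.org >> $USER_HOME/.ssh/known_hosts

# Without uid=, the agent socket is mounted root-owned and appuser gets
# "ssh_get_authentication_socket: Permission denied", as in the question's log.
# uid=999 must match the UID of the USER running this step.
RUN --mount=type=ssh,uid=999 \
    git clone --progress git@bitbucket.org:MY_GIT_USER/MY_GIT_REPO.git
```

The socket exists only for the duration of that RUN step, so nothing about the key is left in the resulting image or its history.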
