-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
build: add SSH agent socket forwarder (docker build --ssh $SSHMOUNTID=$SSH_AUTH_SOCK
)
#1419
Conversation
Signed-off-by: Akihiro Suda <[email protected]>
(probably this is too late for v18.09) |
…D=$SSH_AUTH_SOCK`) Unlike `docker build --secret`, `docker build --ssh` allows the build container to use SSH keys with passphrases. $ eval $(ssh-agent) $ ssh-add ~/.ssh/id_rsa (Input your passphrase here) $ docker build --ssh default=$SSH_AUTH_SOCK ... This feature requires the daemon with `CapExecMountSSH` build capability (moby/moby#37973) . Currently, the official Dockerfile frontend does not provide the syntax for using the SSH forwarder. However, the experimental `RUN --mount=type=ssh` syntax can be enabled by using the Dockerfile frontend image built with the `BUILDTAGS="dfrunmount dfssh"`, via the `# syntax =` "shebang". The Dockerfile for the Dockerfile frontend is available at github.com/moby/buildkit/frontend/dockerfile/cmd/dockerfile-frontend) The pre-built image is also available as `tonistiigi/dockerfile:ssh20181002` . An example Dockerfile with `RUN --mount=type=ssh`: # syntax = tonistiigi/dockerfile:ssh20181002 FROM alpine RUN apk add --no-cache openssh-client RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan gitlab.com >> ~/.ssh/known_hosts RUN --mount=type=ssh ssh [email protected] | tee /hello # "Welcome to GitLab, @GITLAB_USERNAME_ASSOCIATED_WITH_SSHKEY" should be printed here More info available at moby/buildkit#608, moby/buildkit#655 Signed-off-by: Akihiro Suda <[email protected]>
Codecov Report
@@ Coverage Diff @@
## master #1419 +/- ##
==========================================
- Coverage 54.26% 54.21% -0.06%
==========================================
Files 289 289
Lines 19331 19353 +22
==========================================
+ Hits 10490 10492 +2
- Misses 8165 8185 +20
Partials 676 676 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SGTM 😍
@AkihiroSuda @tiborvass @vdemeester Are we sure about this syntax. I don't have better ideas but didn't give it that much thought when I added this in Btw. |
For the record, the easiest way is to do LGTM |
@tonistiigi I think the word
A CI could do In order to allow that granularity, we need a default ID... and I'm fine with |
I would call this something like "forward-ssh" or "ssh-agent". |
Had the same thought as Brian, but only was able to have a very brief look
… On 6 Oct 2018, at 20:28, Brian Goff ***@***.***> wrote:
I would call this something like "forward-ssh" or "ssh-agent".
Other than that, I wonder if there's some magic we can do with the flag parser to have the flag value be optional and rather treat it like a book flag that can potentially have a string value.
—
You are receiving this because your review was requested.
Reply to this email directly, view it on GitHub, or mute the thread.
|
Note that this syntax allows direct keys as well, and that should be the preferred way to use in CI (with special deploy keys). So this is not only for forwarding the pre-created ssh agent socket. |
@cpuguy83 @thaJeztah so are you okay with this? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Spoke with @tiborvass on this at length.
In short, here's what's happening:
--ssh default
is really --ssh default=${SSH_AUTH_SOCK}
.
This could just as easily be --ssh default=/path/to/private.key
.
What happens here is buildkit (in the client) determines if the value is a socket or a regular file and creates an agent accordingly. The buildkit daemon can later send a request for the agent with the requested key.
The container will then get an SSH_AUTH_SOCK
environment variable and the socket mounted inside.
I still think the flag name could be a bit more descriptive --forward-ssh
or --ssh-key
, but tbh --ssh
works as well and I can't think of another use for the flag.
As for magic, in the CLI flag... if it's even possible to do it, we can add it later without breaking anything.
LGTM
Thanks @cpuguy83 ! Just to clarify, the magic referred to is to be able to parse |
Is this ready for 18.09? |
Feature complete date for 18.09 was back in September so this most likely will not make the GA for 18.09.0 |
Added |
The ssh socket is owned and accessibly by root only, e.g. # syntax=docker/dockerfile:1.0.0-experimental
FROM alpine
RUN apk add --no-cache openssh-client \
&& adduser -h /example -S example example
USER example
RUN --mount=type=ssh ssh-add -l
(Docker version 18.09.0, build 4d60db4) |
@rmoriz could you open an issue for that in the buildkit repository? https://github.com/moby/buildkit |
Signed-off-by: Akihiro Suda [email protected]
- What I did
This commit adds SSH agent socket forwarder (
docker build --ssh $SSHMOUNTID=$SSH_AUTH_SOCK
) .Unlike
docker build --secret
,docker build --ssh
allows the build container to use SSH keys with passphrases.This feature requires the daemon with
CapExecMountSSH
build capability (moby/moby#37973) .Currently, the official Dockerfile frontend does not provide the syntax for using the SSH forwarder.
However, the experimental
RUN --mount=type=ssh
syntax can be enabled by usingthe Dockerfile frontend image built with the
BUILDTAGS="dfrunmount dfssh"
, via the# syntax =
"shebang".The Dockerfile for the Dockerfile frontend is available at https://github.com/moby/buildkit/tree/master/frontend/dockerfile/cmd/dockerfile-frontend .
A pre-built image is also available as
tonistiigi/dockerfile:ssh20181002
.An example Dockerfile with
RUN --mount=type=ssh
:More info available at moby/buildkit#608, moby/buildkit#655
- How I did it
See above
- How to verify it
See above
- Description for the changelog
build: add SSH agent socket forwarder (
docker build --ssh $SSHMOUNTID=$SSH_AUTH_SOCK
)- A picture of a cute animal (not mandatory but encouraged)