build: add SSH agent socket forwarder (docker build --ssh $SSHMOUNTID=$SSH_AUTH_SOCK)
#1419
Conversation
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
|
(probably this is too late for v18.09) |
…D=$SSH_AUTH_SOCK`) Unlike `docker build --secret`, `docker build --ssh` allows the build container to use SSH keys with passphrases. $ eval $(ssh-agent) $ ssh-add ~/.ssh/id_rsa (Input your passphrase here) $ docker build --ssh default=$SSH_AUTH_SOCK ... This feature requires the daemon with `CapExecMountSSH` build capability (moby/moby#37973) . Currently, the official Dockerfile frontend does not provide the syntax for using the SSH forwarder. However, the experimental `RUN --mount=type=ssh` syntax can be enabled by using the Dockerfile frontend image built with the `BUILDTAGS="dfrunmount dfssh"`, via the `# syntax =` "shebang". The Dockerfile for the Dockerfile frontend is available at github.com/moby/buildkit/frontend/dockerfile/cmd/dockerfile-frontend) The pre-built image is also available as `tonistiigi/dockerfile:ssh20181002` . An example Dockerfile with `RUN --mount=type=ssh`: # syntax = tonistiigi/dockerfile:ssh20181002 FROM alpine RUN apk add --no-cache openssh-client RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan gitlab.com >> ~/.ssh/known_hosts RUN --mount=type=ssh ssh git@gitlab.com | tee /hello # "Welcome to GitLab, @GITLAB_USERNAME_ASSOCIATED_WITH_SSHKEY" should be printed here More info available at moby/buildkit#608, moby/buildkit#655 Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Codecov Report
@@ Coverage Diff @@
## master #1419 +/- ##
==========================================
- Coverage 54.26% 54.21% -0.06%
==========================================
Files 289 289
Lines 19331 19353 +22
==========================================
+ Hits 10490 10492 +2
- Misses 8165 8185 +20
Partials 676 676 |
|
@AkihiroSuda @tiborvass @vdemeester Are we sure about this syntax. I don't have better ideas but didn't give it that much thought when I added this in Btw. |
|
For the record, the easiest way is to do LGTM |
|
@tonistiigi I think the word A CI could do In order to allow that granularity, we need a default ID... and I'm fine with |
|
I would call this something like "forward-ssh" or "ssh-agent". |
|
Had the same thought as Brian, but only was able to have a very brief look
… On 6 Oct 2018, at 20:28, Brian Goff ***@***.***> wrote:
I would call this something like "forward-ssh" or "ssh-agent".
Other than that, I wonder if there's some magic we can do with the flag parser to have the flag value be optional and rather treat it like a book flag that can potentially have a string value.
—
You are receiving this because your review was requested.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Note that this syntax allows direct keys as well, and that should be the preferred way to use in CI (with special deploy keys). So this is not only for forwarding the pre-created ssh agent socket. |
|
@cpuguy83 @thaJeztah so are you okay with this? |
There was a problem hiding this comment.
Spoke with @tiborvass on this at length.
In short, here's what's happening:
--ssh default is really --ssh default=${SSH_AUTH_SOCK}.
This could just as easily be --ssh default=/path/to/private.key.
What happens here is buildkit (in the client) determines if the value is a socket or a regular file and creates an agent accordingly. The buildkit daemon can later send a request for the agent with the requested key.
The container will then get an SSH_AUTH_SOCK environment variable and the socket mounted inside.
I still think the flag name could be a bit more descriptive --forward-ssh or --ssh-key, but tbh --ssh works as well and I can't think of another use for the flag.
As for magic, in the CLI flag... if it's even possible to do it, we can add it later without breaking anything.
LGTM
|
Thanks @cpuguy83 ! Just to clarify, the magic referred to is to be able to parse |
|
Is this ready for 18.09? |
|
Feature complete date for 18.09 was back in September so this most likely will not make the GA for 18.09.0 |
|
Added |
|
The ssh socket is owned and accessibly by root only, e.g. # syntax=docker/dockerfile:1.0.0-experimental
FROM alpine
RUN apk add --no-cache openssh-client \
&& adduser -h /example -S example example
USER example
RUN --mount=type=ssh ssh-add -l
(Docker version 18.09.0, build 4d60db4) |
|
@rmoriz could you open an issue for that in the buildkit repository? https://github.com/moby/buildkit |
Signed-off-by: Akihiro Suda suda.akihiro@lab.ntt.co.jp
- What I did
This commit adds SSH agent socket forwarder (
docker build --ssh $SSHMOUNTID=$SSH_AUTH_SOCK) .Unlike
docker build --secret,docker build --sshallows the build container to use SSH keys with passphrases.This feature requires the daemon with
CapExecMountSSHbuild capability (moby/moby#37973) .Currently, the official Dockerfile frontend does not provide the syntax for using the SSH forwarder.
However, the experimental
RUN --mount=type=sshsyntax can be enabled by usingthe Dockerfile frontend image built with the
BUILDTAGS="dfrunmount dfssh", via the# syntax ="shebang".The Dockerfile for the Dockerfile frontend is available at https://github.com/moby/buildkit/tree/master/frontend/dockerfile/cmd/dockerfile-frontend .
A pre-built image is also available as
tonistiigi/dockerfile:ssh20181002.An example Dockerfile with
RUN --mount=type=ssh:More info available at moby/buildkit#608, moby/buildkit#655
- How I did it
See above
- How to verify it
See above
- Description for the changelog
build: add SSH agent socket forwarder (
docker build --ssh $SSHMOUNTID=$SSH_AUTH_SOCK)- A picture of a cute animal (not mandatory but encouraged)