在Docker容器中克隆私人git repo [英] Cloning private git repo in the docker container
问题描述
我有一个要在docker映像中运行的项目(用ruby编写)。项目源代码存储在私有git repo中,该映像由Dockerfile照常创建。该项目非常庞大,因此git clone需要相对较长的时间。
I have a project (written in ruby) which I want to run in a docker image. The project source code is stored in a private git repo, the image is created as usual by Dockerfile. The project is huge and so git clone takes relatively long.
问题是,我不确定如何(何时/何地)将git repo克隆到docker镜像正确。我可以将git存储库克隆到temp目录中,并通过Dockerfile中的COPY命令复制源代码。我不愿意这样做,因为我必须在temp目录中保留第二个克隆。
The problem is that, I'm not sure how (when/where) to clone the git repo to the docker image properly. I can clone the git repository to the temp directory and copy the source code by COPY command in Dockerfile. I don't like to do that since I would have to maintain the second clone in the temp dir.
或者,我可以在docker映像中克隆存储库。问题是我的ssh键,我无法合理地保留在图像中。我只能在git服务器上添加我自己的键,从而可以访问所有内容。
Or, I can clone the repo within the docker image. The problem is my ssh-key which I can't reasonably keep in the image. I can add only "my own" keys to the git server which allow to access everything.
因此,我创建了一个如下脚本:
So, I created a script like this:
UUID=`uuid`
docker run \
-v $HOME/.ssh:/home/user/.ssh:ro\
--name=$UUID \
-it $1 /scripts/git-clone-update.sh
docker commit $UUID $1
docker rm $UUI
git-clone-update.sh将克隆项目(如果不存在)或仅更新(如果存在)。为此,将密钥安装到.ssh。效果很好。我可以通过仅调用传递图像名称作为参数的脚本来轻松更新图像中的代码。唯一的问题是Config.Cmd,它始终更改为/scripts/git-clone-update.sh。
git-clone-update.sh clones the project if it doesn't exist or just updates if it does. The keys are mounted to the .ssh for that. It works great. I can update the code in the image easily by just calling the script passing the image name as an argument. The only problem is Config.Cmd which always changes to /scripts/git-clone-update.sh.
任何想法如何保留原始Config.Cmd?将私有ropo克隆到docker映像中的最佳实践是什么?
Any idea how to keep the original Config.Cmd? What is the best practice cloning the private ropo in/to the docker image?
Thx
推荐答案
您已经发现,将私有ssh密钥保留在docker映像中对于安全性不是很好。我已经看到了两种方法:
As you've discovered, keeping your private ssh keys in a docker image isn't great for security. I've seen two approaches for this:
-
创建一个新的只读帐户并将其密钥保留在docker映像中。您可以对此帐户施加的限制越多,安全性就越好,但是您仍然在实际源代码的顶部封装了一个秘密。
Create a new, read-only account and keep its keys in the docker image. The more limitations you can put on this account the better for security, but you're still packaging a secret on top of your actual source code.
此外,不能解决您的脚本问题,我当然不知道如何解决。
Also, this doesn't solve your scripts problem, which I've admittedly no clue how to solve.
托管整个打包的docker文件,其中您的代码已复制到其中。是马克·奥康纳(Mark O'Conner)在评论中提到的方法。发布的工作流程为:
Host the whole, packaged docker file with your code already copied in. This is the approach Mark O'Conner mentions in his comment. The workflow for a release would be:
- 将代码复制到Docker容器中。
- 更新
- 将新映像上传到您的docker存储库(例如hub.docker.com或Amazon Web Services Elastic Beanstalk)。
- 更新或启动新容器映像的新实例。
- Copy the code into the docker container.
- Update the docker image.
- Upload the new image to your docker repository (e.g. hub.docker.com or Amazon Web Services Elastic Beanstalk).
- Update or launch new instances of your new container image.
用于开发,即每天与第二种方法一起使用时,您可以有一个启动脚本,该脚本将代码复制到docker容器中,并根据需要运行或重新启动容器或容器中的服务器。或者,您可以配置一个单独的开发docker映像,以将源代码管理目录挂载为单独的卷。
For development i.e. every day use with the second approach, you could have a launch script that copies your code into the docker container and runs or restarts the container or server inside the container as needed. Or you could have a separate development docker image that you configure to mount your source control directory as a separate volume.
这篇关于在Docker容器中克隆私人git repo的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
