如何正确地将ssh密钥文件从Jenkins凭据变量传递到docker build命令? [英] How to correctly pass ssh key file from Jenkins credentials variable into to docker build command?

问题描述

此问题是此问题的后续措施如何将jenkins凭证传递到docker build命令中?

This question is a follow up to this question How to pass jenkins credentials into docker build command?

我正在从Groovy管道中的jenkins凭证存储中获取ssh密钥文件，并且通过--build-arg将其传递到docker build命令中，这样我就可以从docker容器中的私有git仓库中检出并构建工件

I am getting the ssh key file from jenkins credential store in my groovy pipeline and passing it into docker build command via --build-arg so that I can checkout and build artifacts from the private git repos from within my docker container

凭证存储区ID:cicd-user，可用于按常规Jenkinsfile检出我的私人作品

credentials store id : cicd-user, which works for checking out my private works as expected from my groovy Jenkinsfile

checkout([$class: 'GitSCM',
            userRemoteConfigs: [[credentialsId: 'cicd-user', url:'ssh://git@bitbucket.myorg.co:7999/A/software.git']]

我访问它，并尝试将其传递给docker build命令:

I access it and try to pass the same to docker build command:

  withCredentials([sshUserPrivateKey(credentialsId: 'cicd-user', keyFileVariable: 'FILE')]) { 
           sh "cd ${WORKSPACE} && docker build -t ${some-name} --build-arg USERNAME=cicd-user --build-arg  PRIV_KEY_FILE=\$FILE --network=host -f software/tools/jenkins/${some-name}/Dockerfile ."
        }

我在Dockerfile中

in Dockerfile I do

RUN echo "$PRIV_KEY_FILE" > /home/"$USERNAME"/.ssh/id_rsa && \
 chmod 700 /home/"$USERNAME"/.ssh/id_rsa 

RUN echo"Host bitbucket.myorg.co \ n \ tStrictHostKeyChecking no \ n"；>>〜/.ssh/config

RUN echo "Host bitbucket.myorg.co\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config

但是我看到了以下问题

加载密钥"/home/cicd-user/.ssh/id_rsa":(无效的格式)" git@Bitbucket.mycomp.co:权限被拒绝(公共密钥)致命:无法从远程存储库读取"

"Load key "/home/cicd-user/.ssh/id_rsa" :(invalid format) "git@Bitbucket.mycomp.co:Permission denied( Public key) "fatal: could not read from remote repository"

过去，我通过如下方式从外部将ssh私钥传递为--build-arg

In the past I have passed the ssh priv key as --build-arg from outside by cat'ing like below

-build-arg ssh_prv_key =''$(猫〜/.ssh/id_rsa)''

--build-arg ssh_prv_key="$(cat ~/.ssh/id_rsa)"

我应该做类似的事情

-build-arg PRIV_KEY_FILE ="$(猫$ FILE)"

--build-arg PRIV_KEY_FILE="$(cat $FILE)"

关于可能出什么问题或应该在哪里正确调试的任何想法?

Any idea on what might be going wrong or where I should be looking for debugging this correctly ?

推荐答案

昨天我遇到了同样的问题，我想我已经找到了一个可行的解决方案.

I ran into the same issue yesterday and I think I've come up with a workable solution.

这是我采取的基本步骤-使用 sshagent插件来管理sshagent在詹金斯(Jenkins)的工作中.您可能也可以使用withCredentials，尽管那并不是我最终获得成功的原因.

Here are the basic steps I took - using the sshagent plugin to manage the sshagent within the Jenkins job. You could probably use withCredentials as well, though that's not what I ended up finding success with.

可以使用 docker build 命令--ssh标志使ssagent(或密钥)可用于特定的构建步骤.(功能参考)请务必注意，要使其正常工作(当前)，您需要设置DOCKER_BUILDKIT = 1.如果您忘记执行此操作，则似乎它会忽略此配置，并且ssh连接将失败.设置好之后，便可以使用

The ssagent (or alternatively the key) can be made available to specific build steps using the docker build commands --ssh flag. (Feature reference) It's important to note that for this to work (at the current time) you need to set DOCKER_BUILDKIT=1. If you forget to do this, then it seems like it ignores this configuration and the ssh connection will fail. Once that's set, the sshagent

向下查看管道:

pipeline {
    agent {
        // ...
    }
    environment {
        // Necessary to enable Docker buildkit features such as --ssh
        DOCKER_BUILDKIT = "1"
    }
    stages {
        // other stages

        stage('Docker Build') {
            steps {
                // Start ssh agent and add the private key(s) that will be needed in docker build
                sshagent(['credentials-id-of-private-key']) {
                    // Make the default ssh agent (the one configured above) accessible in the build
                    sh 'docker build --ssh default .'
                }
            }
        // other stages
        }
    }
}

在Dockerfile中，必须显式地提供需要其访问ssh代理的行.这可以通过在相关的RUN命令中包含 mount = type = ssh 来完成.

In the Dockerfile it's necessary to explicitly give lines that need it access to the ssh agent. This can be done by including mount=type=ssh in the relevant RUN command.

对我来说，这大概是这样的:

For me, this looked roughly like this:

FROM node:14
# Retrieve bitbucket host key
RUN mkdir -p -m -0600 ~/.ssh && ssh-keyscan bitbucket.org >> ~/.ssh/known_hosts
...
# Mount ssh agent for install
RUN --mount=type=ssh npm i
...

通过此配置，npm安装程序可以通过sshagent在docker build中利用SSH私钥来安装存储在Bitbucket上的私有git repo.

With this configuration, the npm install was able to install a private git repo stored on Bitbucket by utilizing the SSH private key within docker build via sshagent.

这篇关于如何正确地将ssh密钥文件从Jenkins凭据变量传递到docker build命令?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！