将文件从Google Cloud Container Builder传递到Docker构建任务 [英] Passing files from Google Cloud Container Builder to Docker build task
问题描述
上下文
一个用Container Builder构建且用于App Engine的Ruby on Rails应用程序.我们要求捆绑器能够使用SSH密钥从私有git存储库中安装依赖项.
A Ruby on Rails application built with Container Builder destined for App Engine. We require bundler to be able to install dependencies from a private git repository using a SSH key.
SSH密钥来自一个安全存储桶,在此它们通过KMS进行解密.这些步骤很好.但是,使用Docker构建容器的最后一步是无法访问SSH密钥.
The SSH Keys come from a secure bucket where they pass through KMS for decryption. Those steps are fine. However, the final step to build the container with Docker fails nothing able to access the SSH key.
我以前没有使用Docker的丰富经验,所以我认为这是一个简单的问题.
I do not have any previous extensive experience with Docker so I assume this is a simple issue.
cloudbuild.yml
steps:
# Get and prepare Deploy Key
- name: 'gcr.io/cloud-builders/gsutil'
args: ['cp', 'gs://[PROJECT-BUCKET]/git_id_rsa.enc', '/root/.ssh/git_id_rsa.enc']
volumes:
- name: 'ssh-setup'
path: /root/.ssh
- name: 'gcr.io/cloud-builders/gcloud'
args:
- kms
- decrypt
- --ciphertext-file=/root/.ssh/git_id_rsa.enc
- --plaintext-file=/root/.ssh/git_id_rsa
- --location=global
- --keyring=[KEYRING]
- --key=[KEY]
volumes:
- name: 'ssh-setup'
path: /root/.ssh
- name: 'gcr.io/cloud-builders/gcloud'
entrypoint: /workspace/deploy/git-prepare.sh
volumes:
- name: 'ssh-setup'
path: /root/.ssh
# ... Omitted steps ...
# Docker build
- name: 'gcr.io/cloud-builders/docker'
args: ['build', '-t', 'gcr.io/$PROJECT_ID/[PROJECT-NAME]', '.']
volumes:
- name: 'ssh-setup'
path: /root/.ssh
images: ['gcr.io/$PROJECT_ID/[PROJECT-NAME]']
一些标识符已被省略
deploy/git-prepare.sh —这将执行一些shell命令,以使ssh目录重新填充必要的信息.
deploy/git-prepare.sh — This performs some shell commands to get the ssh directory refilled with necessary information.
#!/bin/bash
mkdir -p /root/.ssh
touch /root/.ssh/config
ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts
touch /root/.ssh/config
echo -e "\nHost bitbucket.org\n IdentityFile /root/.ssh/git_id_rsa" >> /root/.ssh/config
if [ -f /root/.ssh/git_id_rsa.enc ]; then
rm /root/.ssh/git_id_rsa.enc
fi
Dockerfile
# .. OMITTING BOILERPLATE FOR RAILS APP SETUP ...
# Copy the application files.
COPY . /app/
# Copy the SSH keys and config for bundler
VOLUME /root/.ssh
COPY /root/.ssh/known_hosts ~/.ssh/known_hosts
COPY /root/.ssh/config ~/.ssh/config
COPY /root/.ssh/git_id_rsa ~/.ssh/git_id_rsa
问题:
构建任务(使用构建触发器运行)失败,并显示以下信息:
The build task (run using a build trigger) fails with:
...omitted lines above...
Step #5: COPY failed: stat /var/lib/docker/tmp/docker-builderxxxxxxxxx/root/.ssh/known_hosts: no such file or directory
Step #5: Step 7/14 : COPY /root/.ssh/known_hosts ~/.ssh/known_hosts
我觉得我不了解Container Builder和Docker共享卷和数据的方式.
I have a feeling I don't grasp the way that Container Builder and Docker share volumes and data.
推荐答案
Dockerfile <代码> COPY 可以使用多个< src> 资源,但是文件和目录的路径将被解释为相对于构建上下文的源.
这是您执行 docker build.命令的当前路径.
That is your current path where you execute the docker build . command.
在您的情况下,如果在Dockerfile执行其步骤时挂载了/root/.ssh,则简单的 RUN cp/root/.ssh/.../destination/path 就足够了.
In your case, if /root/.ssh is mounted when the Dockerfile executes its step, a simple RUN cp /root/.ssh/... /destination/path would be enough.
但是,您不能在 docker build 时挂载卷(请参见moby问题14080 ),因此请检查此解决方案:阶段构建可以提供帮助.
However, you cannot mount a volume at docker build time (see moby issue 14080), so check this solution: a multi-stage build can help.
这篇关于将文件从Google Cloud Container Builder传递到Docker构建任务的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
