From 1085883701415d532b4d0b19a80177e3a0e31b36 Mon Sep 17 00:00:00 2001 From: Anne Henmi Date: Tue, 20 Nov 2018 09:10:08 -0700 Subject: [PATCH 1/7] Initial draft. --- develop/develop-images/build_enhancements.md | 43 ++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/develop/develop-images/build_enhancements.md b/develop/develop-images/build_enhancements.md index 8d8ce2955b..c1ae4de213 100644 --- a/develop/develop-images/build_enhancements.md +++ b/develop/develop-images/build_enhancements.md 
@@ -151,3 +151,46 @@ $ docker build --no-cache --progress=plain --secret id=mysecret,src=mysecret.txt #9 duration: 1.470401133s ... ``` + +## Using SSH to access private data in builds + +> **Acknowledgment**: +> Special thanks to [Tonis Tiigi](https://medium.com/@tonistiigi) for granting +> permission to use his blog post +> [Build secrets and SSH forwarding in Docker 18.09](https://medium.com/@tonistiigi/build-secrets-and-ssh-forwarding-in-docker-18-09-ae8161d066) +> as the basis of the content below. + +The `docker build` has a `--ssh` option to allow the Docker Engine to forward SSH agent connections. For more information +on SSH agent, see the [OpenSSH man page](https://man.openbsd.org/ssh-agent). + +Only the commands in the `Dockerfile` that have explicitly requested the SSH access by defining `type=ssh` mount have +access to SSH agent connections. The other commands have no knowledge of any SSH agent being available. + +To request SSH access for a `RUN` command in the `Dockerfile`, define a mount with type `ssh`. This will set up the +`SSH_AUTH_SOCK` environment variable to make programs relying on SSH automatically use that socket. + +Here is an example Dockerfile using SSH in the container: + +``` +# syntax=docker/dockerfile:experimental + +FROM alpine + +# install ssh client and git + +RUN apk add --no-cache openssh-client git + +# download public key for github.com + +RUN mkdir -p -m 0600 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts + +# clone our private repository + +RUN --mount=type=ssh git clone git@github.com:myorg/myproject.git myproject +``` + +Once the `Dockerfile` is created, use the `--ssh` option for connectivity with the SSH agent. + +``` +$ docker build --ssh default . +``` From 837beda76b5631112faf82c00518cd556efd07df Mon Sep 17 00:00:00 2001 
From: Anne Henmi <41210220+ahh-docker@users.noreply.github.com> Date: Tue, 27 Nov 2018 09:24:09 -0700 Subject: [PATCH 2/7] Update build_enhancements.md Capitalized headers. --- develop/develop-images/build_enhancements.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/develop/develop-images/build_enhancements.md b/develop/develop-images/build_enhancements.md index c1ae4de213..a5312fd5e2 100644 --- a/develop/develop-images/build_enhancements.md +++ b/develop/develop-images/build_enhancements.md @@ -176,15 +176,15 @@ Here is an example Dockerfile using SSH in the container: FROM alpine -# install ssh client and git +# Install ssh client and git RUN apk add --no-cache openssh-client git -# download public key for github.com +# Download public key for github.com RUN mkdir -p -m 0600 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts -# clone our private repository +# Clone private repository RUN --mount=type=ssh git clone git@github.com:myorg/myproject.git myproject ``` From dc768f6ec1ff2168e3737bcaa374ba6472911ec3 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 27 Nov 2018 19:18:24 -0700 Subject: [PATCH 3/7] Update develop/develop-images/build_enhancements.md Co-Authored-By: ahh-docker <41210220+ahh-docker@users.noreply.github.com> --- develop/develop-images/build_enhancements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/develop/develop-images/build_enhancements.md b/develop/develop-images/build_enhancements.md index a5312fd5e2..17a338cd0c 100644 --- a/develop/develop-images/build_enhancements.md +++ b/develop/develop-images/build_enhancements.md @@ -171,7 +171,7 @@ To request SSH access for a `RUN` command in the `Dockerfile`, define a mount wi Here is an example Dockerfile using SSH in the container: -``` +```Dockerfile # syntax=docker/dockerfile:experimental FROM alpine From 4e4398d15894bef763423d39b6a2e0f21fe247e3 Mon Sep 17 00:00:00 2001 
From: Sebastiaan van Stijn Date: Tue, 27 Nov 2018 19:18:35 -0700 Subject: [PATCH 4/7] Update develop/develop-images/build_enhancements.md Co-Authored-By: ahh-docker <41210220+ahh-docker@users.noreply.github.com> --- develop/develop-images/build_enhancements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/develop/develop-images/build_enhancements.md b/develop/develop-images/build_enhancements.md index 17a338cd0c..692228a9af 100644 --- a/develop/develop-images/build_enhancements.md +++ b/develop/develop-images/build_enhancements.md @@ -191,6 +191,6 @@ RUN --mount=type=ssh git clone git@github.com:myorg/myproject.git myproject Once the `Dockerfile` is created, use the `--ssh` option for connectivity with the SSH agent. -``` +```bash $ docker build --ssh default . ``` From 07855dc6679d83997dc63e8514eb1c4c4106a028 Mon Sep 17 00:00:00 2001 From: Anne Henmi <41210220+ahh-docker@users.noreply.github.com> Date: Tue, 27 Nov 2018 19:30:28 -0700 Subject: [PATCH 5/7] Update build_enhancements.md --- develop/develop-images/build_enhancements.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/develop/develop-images/build_enhancements.md b/develop/develop-images/build_enhancements.md index 692228a9af..61bbb5b29a 100644 --- a/develop/develop-images/build_enhancements.md +++ b/develop/develop-images/build_enhancements.md @@ -173,19 +173,15 @@ Here is an example Dockerfile using SSH in the container: ```Dockerfile # syntax=docker/dockerfile:experimental - FROM alpine # Install ssh client and git - RUN apk add --no-cache openssh-client git # Download public key for github.com - RUN mkdir -p -m 0600 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts # Clone private repository - RUN --mount=type=ssh git clone git@github.com:myorg/myproject.git myproject ``` From 96f63b78a0b4fa9f1ff385c4df3a01d4ccd3f36b Mon Sep 17 00:00:00 2001 
From: Anne Henmi <41210220+ahh-docker@users.noreply.github.com> Date: Tue, 4 Dec 2018 13:20:25 -0700 Subject: [PATCH 6/7] Update build_enhancements.md Included technical edits from @andrewhsu. --- develop/develop-images/build_enhancements.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/develop/develop-images/build_enhancements.md b/develop/develop-images/build_enhancements.md index 61bbb5b29a..c1025f5b1b 100644 --- a/develop/develop-images/build_enhancements.md +++ b/develop/develop-images/build_enhancements.md @@ -99,7 +99,8 @@ $ docker build --progress=plain . ## Overriding default frontends -To override the default frontend, set the first line of the Dockerfile as a comment with a specific frontend image: +The new syntax features in `Dockerfile` are available if you override the default frontend. To override +the default frontend, set the first line of the `Dockerfile` as a comment with a specific frontend image: ``` # syntax = , e.g. # syntax = docker/dockerfile:1.0-experimental ``` @@ -155,8 +156,7 @@ $ docker build --no-cache --progress=plain --secret id=mysecret,src=mysecret.txt ## Using SSH to access private data in builds > **Acknowledgment**: -> Special thanks to [Tonis Tiigi](https://medium.com/@tonistiigi) for granting -> permission to use his blog post +> [Tonis Tiigi](https://medium.com/@tonistiigi) is granting Docker permission to use his blog post > [Build secrets and SSH forwarding in Docker 18.09](https://medium.com/@tonistiigi/build-secrets-and-ssh-forwarding-in-docker-18-09-ae8161d066) > as the basis of the content below. From 07620469f989b172d5ea25a36428a69ebdf0bf6c Mon Sep 17 00:00:00 2001 From: Anne Henmi <41210220+ahh-docker@users.noreply.github.com> Date: Mon, 10 Dec 2018 08:04:39 -0700 Subject: [PATCH 7/7] Update build_enhancements.md --- develop/develop-images/build_enhancements.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/develop/develop-images/build_enhancements.md b/develop/develop-images/build_enhancements.md index c1025f5b1b..7b86924490 100644 --- a/develop/develop-images/build_enhancements.md +++ b/develop/develop-images/build_enhancements.md @@ -156,9 +156,8 @@ $ docker build --no-cache --progress=plain --secret id=mysecret,src=mysecret.txt ## Using SSH to access private data in builds > **Acknowledgment**: -> [Tonis Tiigi](https://medium.com/@tonistiigi) is granting Docker permission to use his blog post -> [Build secrets and SSH forwarding in Docker 18.09](https://medium.com/@tonistiigi/build-secrets-and-ssh-forwarding-in-docker-18-09-ae8161d066) -> as the basis of the content below. +> Please see [Build secrets and SSH forwarding in Docker 18.09](https://medium.com/@tonistiigi/build-secrets-and-ssh-forwarding-in-docker-18-09-ae8161d066) +> for more information and examples. The `docker build` has a `--ssh` option to allow the Docker Engine to forward SSH agent connections. For more information on SSH agent, see the [OpenSSH man page](https://man.openbsd.org/ssh-agent).
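Review bot: in PATCH 1/7, hunk `@@ -151,3 +151,46 @@`, the line `RUN mkdir -p -m 0600 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts` creates `~/.ssh` without the execute bit, so the directory is not traversable; OpenSSH expects `~/.ssh` to be mode `0700`, and `0600` only works here because the build step runs as root. Use `mkdir -p -m 0700 ~/.ssh`. The same line trusts whatever host key `ssh-keyscan` receives at build time, so anyone who can interpose on the network during the build gets their key written into `known_hosts`; the text should tell readers to compare the scanned key against the fingerprints GitHub publishes, or to write the known host key into the image directly instead of scanning. Two wording points in the prose of the same hunk: `The \`docker build\` has a \`--ssh\` option` is missing its noun (`The \`docker build\` command has ...`), and `by defining \`type=ssh\` mount` wants an article (`a \`type=ssh\` mount`). Finally, `$ docker build --ssh default .` is shown without saying what `default` means: it forwards the client's own agent socket (the client's `SSH_AUTH_SOCK`), the key must already be loaded into that agent, and the private key itself is never copied into the build context or the image; one sentence saying so is the main reason to prefer this over copying a key into the build.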
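Review bot: in PATCH 2/7, hunk `@@ -176,15 +176,15 @@`, the comment `# Download public key for github.com` is imprecise: `ssh-keyscan` fetches the server's SSH host key, not a user public key, so `# Fetch the SSH host key for github.com into known_hosts` describes what the line does. The commit message says headers were capitalized, but the hunk only touches the three Dockerfile comments; the section headings are unchanged.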
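Review bot: in PATCH 6/7, first hunk `@@ -99,7 +99,8 @@`, the new sentence `The new syntax features in \`Dockerfile\` are available if you override the default frontend.` reads as if overriding is merely one way to get them; if they are unavailable otherwise, say `are only available when you override the default frontend`. The example `# syntax = docker/dockerfile:1.0-experimental` also differs from the `# syntax=docker/dockerfile:experimental` line used in the SSH example added in PATCH 1/7 (different tag, spaces around `=`); use one form on the page so readers do not take the two for different frontends.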
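Review bot: in PATCH 7/7, hunk `@@ -156,9 +156,8 @@`, the acknowledgment now only says `Please see ... for more information and examples`, which drops the statement from PATCH 1/7 and PATCH 6/7 that the blog post is the basis of the section; if the content is still derived from it, keep a one-line attribution alongside the pointer.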