A solution to use SSH keys while building images.
Here is an example installing Node.js dependencies:
RUN ONVAULT npm installDuring build, you can use the ONVAULT utility to run any command using the private keys.
The private keys are removed automatically after the command completes.
First you need to install the ONVAULT utility, by adding the following statements in your Dockerfile:
# installs Dockito Vault ONVAULT utility
# https://github.com/dockito/vault
RUN apt-get update -y && \
apt-get install -y curl && \
curl -L https://raw.githubusercontent.com/dockito/vault/master/ONVAULT > /usr/local/bin/ONVAULT && \
chmod +x /usr/local/bin/ONVAULTThe script's only dependency is curl (being installed above).
Then use it on any command that requires the private keys:
RUN ONVAULT npm install --unsafe-permHere is a complete Node.js example using these concepts:
FROM node:0.10.38
# installs Dockito Vault ONVAULT utility
# https://github.com/dockito/vault
RUN apt-get update -y && \
apt-get install -y curl && \
curl -L https://raw.githubusercontent.com/dockito/vault/master/ONVAULT > /usr/local/bin/ONVAULT && \
chmod +x /usr/local/bin/ONVAULT
RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app
COPY package.json /usr/src/app/
RUN ONVAULT npm install --unsafe-perm
COPY . /usr/src/app
CMD [ "npm", "start" ]It is composed of two pieces:
- an HTTP server running at http://172.17.42.1:14242 that serves the private keys;
- a bash script
ONVAULTthat need to be installed in the image to allow accessing the private keys during the build process.
Some custom configurations are allowed through environment variables
VAULT_URI: custom URI for the vault serverVAULT_SSH_KEY: custom ssh key name used duringONVAULTcommand
Other ssh configurations can be achieved through your own ssh config file. Since the vault has access to the whole .ssh directory the ssh config file is available when running the ONVAULT command. Which means any configuration in the ssh config file will be applied to the ssh connection.
An example where you could use the ssh config file is when you need use different private keys for different hosts.
~/.ssh/config
# use this key for github host
Host github.com
IdentityFile ~/.ssh/github_docker_key
# or use this key for my myprivatehost.com
Host myprivatehost.com
IdentityFile ~/.ssh/myprivatehost_key
# otherwise will use the id_rsa key for any other host
Run the server setting a volume to your ~/.ssh folder:
docker run -p 172.17.42.1:14242:3000 -v ~/.ssh:/vault/.ssh dockito/vaultThere is also a docker-compose.yml file in this project, allowing you to run it (by cloning the project) with:
docker-compose up vaultHappy codding!
Although its main purpose is to fix the issue of building Docker images, it can also be used as a source of secrets for some running container:
docker run -v ~/.ssh:/vault/.ssh --name vault dockito/vault
docker run --link vault image-with-onvault ONVAULT npm install --unsafe-permBecause NPM dependencies are installed locally, the dependencies installed in the base-image won't be available in development time, so you will need to npm install them again:
git clone https://github.com/dockito/vault.git
cd vault
docker-compose run vault npm install
docker-compose up vault
A Dockerfile using this technique requires the special vault service running. Meaning it is not possible to run any build process at the Docker Hub.
Initial implementation by Paulo Ragonha. Based on the ideas of Max Claus Nunes and Eduardo Nunes.