Reputation: 435
This is actually a question following from my previous one.
I am trying to use docker to host a personal note-taking web service and want to back up data generated by the service (my notes). Currently I plan to use git to commit, pull, and push to a repository for my purpose.
To do git pull and push, my docker image needs to host my credentials. What is the easiest yet safe way to achieve this?
What I have done so far:
Alpine as the base image of the image of my service.
libsecret as my git credential helper, according to this article.
libsecret and set my git credential helper to be git-credential-libsecret
However, I cannot make git-credential-libsecret functional so far. Here are a couple of problems that I encountered:
Firstly, I tested git-credential-libsecret get and got the following error:
CRITICAL **: could not connect to Secret Service: Cannot spawn a message bus without a machine-id: Unable to load /var/lib/dbus/machine-id or /etc/machine-id: Failed to open file */var/lib/dbus/machine-id*: No such file or directory
dbus and run dbus-uuidgen > /var/lib/dbus/machine-id
Then I try to run git-credential-libsecret get again. This time, it reports that:
CRITICAL **: could not connect to Secret Service: Cannot autolaunch D-Bus without X11 $DISPLAY
dbus-x11 and run dbus-launch --sh-syntax (from here) but with no luck this time. The error continues.
In conclusion, I would like to know:
Upvotes: 7
Views: 14678
Reputation: 31
I had a requirement once where I needed to run the git clone command inside the Docker image, and I was using a private Bitbucket. To authorize, we needed to pass git credentials; the only problem was that we were not able to hardcode them. So what I did was:
# Install git and other dependencies
RUN apt-get update && \
    apt-get install -y git && \
    apt-get clean
The next step is to configure git credentials. For this you can go 2 ways:
First, inside the Dockerfile you could run this command:
# BB_USER_NAME and BB_PASS_WORD must be set at build time (e.g. as build arguments); the shell expands them here and the values are written into the image's global git config
RUN git config --global credential.helper "!f() { echo \"username=${BB_USER_NAME}\"; echo \"password=${BB_PASS_WORD}\"; }; f"
Second, since in my case BB_USER_NAME and BB_PASS_WORD are stored as secrets, they won't be available when building the image (i.e. during the docker build ... command). So the solution is that, for a Flask app (our server is a Flask app), you can run this command before the server runs; BB_USER_NAME and BB_PASS_WORD, being stored as secrets, will be available when the server is started.
In app.py file
"""Flask APP"""
from flask import Flask
from utils.util import setup_git_credentials

APP = Flask(__name__)

if __name__ == "__main__":
    # setup()  # called in the original post but not defined in it
    # Set up git credentials before the server starts.
    # before_first_request was removed in Flask 2.3, so the function is called directly.
    setup_git_credentials()
    APP.run(host="0.0.0.0", port=5020, debug=True)
utils.util.py
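import logging
import os
import subprocess

logger = logging.getLogger(__name__)

def setup_git_credentials():
    BB_USER_NAME = os.environ.get("BB_USER_NAME", None)
    BB_PASS_WORD = os.environ.get("BB_PASS_WORD", None)
    logger.info("Running Git configuration")
    if BB_USER_NAME and BB_PASS_WORD:
        # Inline credential helper that echoes the username and password to git
        helper = f'!f() {{ echo "username={BB_USER_NAME}"; echo "password={BB_PASS_WORD}"; }}; f'
        # Argument list instead of shell=True, so no shell re-parses the values here
        subprocess.run(["git", "config", "--global", "credential.helper", helper], check=True)
    logger.info("Completed Git configuration")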
This is how I resolved it! Cheers
Upvotes: 0
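A variant of the helper setup in the answer above, added here as an example and not part of the original answer: the helper reads BB_USER_NAME and BB_PASS_WORD from the environment each time git calls it, so the values never land in the git config file, and it is compared with the interpolated form on a password containing shell metacharacters. The function names, the sample values and the `sh -c` simulation of git's helper invocation are assumptions made for the illustration.

```python
import os
import subprocess

# Stored in git config. The shell expands the variables each time git invokes
# the helper, so the config holds only their names. BB_USER_NAME and
# BB_PASS_WORD are the environment variable names from the answer above.
ENV_HELPER = ('!f() { test "$1" = get || return 0; '
              'printf "username=%s\\npassword=%s\\n" '
              '"$BB_USER_NAME" "$BB_PASS_WORD"; }; f')


def baked_helper(user, password):
    """Form from the answer above: values interpolated into the config string."""
    return f'!f() {{ echo "username={user}"; echo "password={password}"; }}; f'


def configure_git(helper=ENV_HELPER):
    """Register the helper. An argument list means no shell re-parses it here."""
    subprocess.run(["git", "config", "--global", "credential.helper", helper],
                   check=True)


def run_helper(helper, operation, env):
    """Simulate git's call of a '!' helper: sh -c '<snippet> <operation>'."""
    proc = subprocess.run(["sh", "-c", f"{helper[1:]} {operation}"],
                          env=env, capture_output=True, text=True)
    return dict(line.split("=", 1)
                for line in proc.stdout.splitlines() if "=" in line)


if __name__ == "__main__":
    secret = 'pa$$w"rd'  # constructed sample value with shell metacharacters
    env = {**os.environ, "BB_USER_NAME": "ci-bot", "BB_PASS_WORD": secret}
    print("env helper  :", run_helper(ENV_HELPER, "get", env))
    print("baked helper:", run_helper(baked_helper("ci-bot", secret), "get", env))
    print("secret in config string:", secret in ENV_HELPER,
          "vs", secret in baked_helper("ci-bot", secret))
```

The environment variables must still be present in the container when git runs, which is the case when they are injected as runtime secrets as the answer describes.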
Reputation: 9742
I solved this problem by doing:
# syntax=docker/dockerfile:1
FROM alpine:latest
RUN apk update
RUN apk add git
RUN --mount=type=secret,id=git_credential_store \
    git clone "https://me:$(cat /run/secrets/git_credential_store | sed 's/.*\/\/\(.*\):.*/\1/')@github.com/me/app-repo.git"
and supply the secret like this:
docker build --secret id=git_credential_store,src=/path/to/.git-credential-store -t my-amazing-image .
Upvotes: 0
Reputation: 9248
If your git provider supports ssh with public keys, I think the easiest way would be to switch to them. You would also not have to copy around your password.
You need to:
ssh-agent part is not needed
Upvotes: 3
Reputation: 1327384
It depends on where you are running git-credential-libsecret: you need to have it installed in your image/container, not on the host.
Note that another option would be to use a volume (see my answer to your previous question), in which case, git could be installed only on the host.
But here, you would use git directly in your image, which means, as in this Dockerfile, you need to have in your Dockerfile:
RUN apt-get update -y && \
    apt-get install --no-install-recommends -y libsecret-1-0 git
https://github.com/electron-userland/electron-builder/blob/master/docker/base/Dockerfile
Upvotes: 1