opticon

Reputation: 3594

Docker --ssh flag - Host key verification failed

I'm trying to use Docker to build an image for me importing an npm package hosted in a private GitHub repo: "mypackage": "git@github.com:myaccount/myrepo.git#v0.0.2"

This works fine locally since I have SSH access, but obviously my Docker container doesn't. I've followed the following guides to implement this using some ssh forwarding enabled in 18.09:

https://medium.com/@tonistiigi/build-secrets-and-ssh-forwarding-in-docker-18-09-ae8161d066

https://docs.docker.com/develop/develop-images/build_enhancements/#using-ssh-to-access-private-data-in-builds

Using the following docker file:

# syntax=docker/dockerfile:experimental
FROM alpine

# Install ssh client and git
RUN apk add --no-cache openssh-client git

# Download public key for github.com
RUN mkdir -p -m 0600 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts

# Clone private repository
RUN --mount=type=ssh npm install

Then, running docker build --ssh default . fails with the following error:

#13 1.309 npm ERR! Host key verification failed.
#13 1.309 npm ERR! fatal: Could not read from remote repository.
#13 1.309 npm ERR!
#13 1.309 npm ERR! Please make sure you have the correct access rights
#13 1.309 npm ERR! and the repository exists.
#13 1.310 npm ERR!
#13 1.310 npm ERR! exited with error code: 128

I'm following this documentation to the letter but am having no luck. Am I missing something? I'm on OSX, but this fails with the same error in my Travis environment as well. Help!

Upvotes: 3

Views: 8478

Answers (3)

fatemeh mohseni

Reputation: 11

In my case I just installed openssh-client using apt-get, then changed the repo address from the SSH format (git@github.com:user/repo.git) to the format used for cloning with the web URL (https://github.com/user/repo.git).

Upvotes: 0

Vladimir Damov

Reputation: 13

Thank you very much, Mr. Filippi!

FYI guys, you can check this article How to Set Up SSH Keys on Ubuntu 20.04

My implementation based on Fabio's comment looks like this:

mkdir -p -m 0600 ~/.ssh
echo "$KNOWNHOSTS" >> ~/.ssh/known_hosts
echo "$SSH_PRIVATE_KEY" >> ~/.ssh/id_rsa
echo "$CONFIG_SETTINGS" >> ~/.ssh/config
chmod 644 ~/.ssh/known_hosts
chmod 600 ~/.ssh/id_rsa
chmod 0600 ~/.ssh/config

In the KNOWNHOSTS GitLab variable I have saved the output of "ssh-keyscan www.example.com".

In SSH_PRIVATE_KEY I am storing my SSH PRIVATE KEY for the specified user.

In CONFIG_SETTINGS I have the following:

Host www.example.com
  StrictHostKeyChecking no
  IdentityFile ~/.ssh/id_rsa 

Upvotes: 1

Fabio Filippi

Reputation: 1965

This has worked for me.

Dockerfile extraction:

# syntax=docker/dockerfile:experimental
...
RUN mkdir -p -m 0600 /root/.ssh
RUN ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts
COPY development/config /root/.ssh
RUN chmod 0600 /root/.ssh/config
RUN --mount=type=ssh git clone **MY_PVT_REPOSITORY**

This is the content of the development/config file you can see being copied at the third line

Host bitbucket.org
  StrictHostKeyChecking no
  IdentityFile **MY LOCAL PATH**/.ssh/id_rsa 

The tricky thing is that you have to put the host file path to id_rsa, not the one on docker (like /home/fabio/.ssh/id_rsa and NOT /root/.ssh/id_rsa)

Then just launch

  ssh-agent
  export DOCKER_BUILDKIT=1
  docker build --ssh default -f development/Dockerfile .

Upvotes: 3
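
The Dockerfiles on this page append raw ssh-keyscan output to known_hosts, and two of the answers set StrictHostKeyChecking no. The following is an added example, not code from any post on this page, that keeps only scanned keys whose SHA256 fingerprint matches one pinned out of band and fails the build otherwise. The host name, key blobs and function names are constructed for illustration, and it assumes unhashed keyscan output (no -H), where the first field is the plain host name.

```python
import base64
import hashlib

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    raw = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def verified_lines(scan_output, pinned):
    """Keep only keyscan lines whose key matches a pinned fingerprint.

    pinned maps host -> set of fingerprints obtained out of band.
    Raises ValueError when a pinned host has no matching key (fail closed).
    """
    accepted, verified_hosts = [], set()
    for line in scan_output.splitlines():
        fields = line.split()
        # Skip blanks, "# host:22 SSH-2.0-..." banners and short lines.
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        host, blob = fields[0], fields[2]
        try:
            fp = fingerprint(blob)
        except ValueError:          # malformed base64 in the key field
            continue
        if fp in pinned.get(host, set()):
            accepted.append(line.strip())
            verified_hosts.add(host)
    missing = sorted(set(pinned) - verified_hosts)
    if missing:
        raise ValueError("no verified host key for: " + ", ".join(missing))
    return accepted

# Constructed sample data: not real keys, hypothetical host name.
HOST = "git.example.test"
HDR = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"
GOOD_BLOB = base64.b64encode(HDR + bytes(range(32))).decode()
ROGUE_BLOB = base64.b64encode(HDR + bytes(range(32, 64))).decode()
GOOD_LINE = f"{HOST} ssh-ed25519 {GOOD_BLOB}"
ROGUE_LINE = f"{HOST} ssh-ed25519 {ROGUE_BLOB}"
# In real use this value is copied from the provider's published fingerprints.
PINNED = {HOST: {fingerprint(GOOD_BLOB)}}

if __name__ == "__main__":
    scan = f"# {HOST}:22 SSH-2.0-constructed\n{ROGUE_LINE}\n{GOOD_LINE}\n"
    print("\n".join(verified_lines(scan, PINNED)))
```

In a build, the returned lines would be written to known_hosts in place of the raw ssh-keyscan output, which lets StrictHostKeyChecking stay at its default.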
