dhd80

Reputation: 625

Docker SSH-Key looking for a simple solution

I'm trying to copy my SSH keys into my Docker image; it's a very simple image including some Linux tools installed via the package manager. I'm asking because I can't come up with a simple solution: ADD/COPY seem not to work, and using docker-volume or compose seems to be over the top. Please advise.

FROM fedora:latest

RUN echo 'diskspacecheck=0' >> /etc/dnf/dnf.conf

RUN dnf -y update

RUN dnf -y install sshuttle \
    && dnf -y install git \
    && dnf -y install curl \
    && dnf -y install vim-X11 \
    && dnf -y install the_silver_searcher

RUN dnf -y clean packages

RUN adduser -m -p '' bowler
USER bowler

ADD /home/a/.ssh/id_rsa /home/bowler/.ssh/id_rsa

Upvotes: 2

Views: 6413

Answers (2)

Z4-tier

Reputation: 7988

You can't copy files into a docker container that live outside of the build directory. This is for security reasons. What you'll need to do is first copy your id_rsa file into the same directory as your Dockerfile, and then change the ADD to use the copy you just made, instead of trying to copy it from the absolute path that it is currently using.

I would also suggest changing the ADD to COPY, as it is easier to work with and has less unexpected behavior to trip over.

So at your command line:

cp ${HOME}/.ssh/id_rsa [path to dockerfile directory]

Then update the Dockerfile:

COPY id_rsa /home/bowler/.ssh/id_rsa

You might also need to add a RUN mkdir -p /home/bowler/.ssh


Update

Based on the comments, I think it's worth adding a disclaimer here that if you go this route, then the image that you create needs to be handled with the same security considerations as your private SSH key.

It is much better to inject authentication credentials like this at runtime. That can be done by setting environment variables as part of the command that is used to start the container. Or, if you have a secure secrets repository, it could be added there and then downloaded by the container when it starts (e.g. using cURL).

The approach of installing SSH keys directly to the image is not completely unreasonable, but proceed with caution and keep in mind that there may be a cleaner alternative.

Upvotes: 2

Victor Biga

Reputation: 519

I would not add the key there during the build; I would mount it when you run the container, as you are probably most likely to store the Dockerfile and other files in VCS, and then everyone can see your private key!

Therefore adding this when you start your container is probably the better/more secure option :) -v ${HOME}/.ssh/id_rsa:/home/bowler/.ssh/id_rsa

Upvotes: 4
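
Both answers point out that a key copied next to the Dockerfile ends up in the image and possibly in version control. As an added example (not part of either answer), this shell check scans a build context for private-key headers and for the COPY/ADD lines that reference them before `docker build` runs; the function names and the sample context are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag private keys in a Docker build context before `docker build`.
# Function names and the sample context are constructed, not from the thread.

KEY_HEADER='-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----'

# Files under the context directory that contain a private-key header.
list_key_files() {
    grep -rlE -e "$KEY_HEADER" "$1" 2>/dev/null | sort
}

# Dockerfile COPY/ADD lines (with line numbers) that name a flagged file.
list_key_copies() {
    local dockerfile="${2:-$1/Dockerfile}" f
    list_key_files "$1" | while IFS= read -r f; do
        grep -niE '^[[:space:]]*(COPY|ADD)[[:space:]]' "$dockerfile" \
            | grep -F -- "$(basename "$f")" || true
    done
}

# Returns 0 when the context is clean, 1 when key material is present.
check_context() {
    local keys
    keys=$(list_key_files "$1")
    [ -z "$keys" ] && return 0
    printf '%s\n' "$keys" | sed 's/^/private key in build context: /' >&2
    list_key_copies "$1" | sed 's/^/Dockerfile line /' >&2
    return 1
}

# Constructed sample: a context laid out as in the first answer (key beside
# the Dockerfile). The key body is placeholder text, not a real key.
make_sample_context() {
    local d
    d=$(mktemp -d)
    printf '%s\n' 'FROM fedora:latest' 'RUN mkdir -p /home/bowler/.ssh' \
        'COPY id_rsa /home/bowler/.ssh/id_rsa' > "$d/Dockerfile"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/id_rsa"
    echo "$d"
}

ctx=$(make_sample_context)
check_context "$ctx" || echo "refusing to build: supply the key at runtime instead" >&2
rm -rf "$ctx"
```

With the key kept out of the context, the bind mount from the second answer can take a `:ro` suffix so the container cannot modify the host's key file.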
