git@gitlab.com: Permission denied - fatal: Could not read from remote repository, from Dockerfile

Question

I have a Dockerfile with the following RUN instruction:

RUN pip install -r ./private_requirements.txt

The private_requirements.txt file is an ssh URL pointing to a GitLab repository:

git+ssh://git@gitlab.com/organization/viiaa/abc_xx.git@v19.0

When I do docker build when the RUN instruction is evaluated, I got the following output:

> [intermediate 9/9] RUN pip install git+ssh://git@gitlab.com/organization/viiaa/abc_xx.git@v19.0:
#13 0.574 Collecting git+ssh://****@gitlab.com/organization/viiaa/abc_xx.git@v19.0
#13 0.574   Cloning ssh://****@gitlab.com/organization/viiaa/abc_xx.git@v19.0 (to revision v19.0) to /tmp/pip-req-build-ck2o3z6p
#13 0.574   Running command git clone -q 'ssh://****@gitlab.com/organization/viiaa/abc_xx.git@v19.0' /tmp/pip-req-build-ck2o3z6p
#13 1.018   Warning: Permanently added the ECDSA host key for IP address '172.65.251.78' to the list of known hosts.
#13 1.286   Load key "/root/.ssh/id_rsa": invalid format
#13 1.425   git@gitlab.com: Permission denied (publickey,keyboard-interactive).
#13 1.426   fatal: Could not read from remote repository.
#13 1.426
#13 1.426   Please make sure you have the correct access rights
#13 1.426   and the repository exists.
#13 1.428 WARNING: Discarding git+ssh://****@gitlab.com/organization/viiaa/abc_xx.git@v19.0. Command errored out with exit status 128: git clone -q 'ssh://****@gitlab.com/organization/viiaa/abc_xx.git@v19.0' /tmp/pip-req-build-ck2o3z6p Check the logs for full command output.
#13 1.428 ERROR: Command errored out with exit status 128: git clone -q 'ssh://****@gitlab.com/organization/viiaa/abc_xx.git@v19.0' /tmp/pip-req-build-ck2o3z6p Check the logs for full command output.
------
executor failed running [/bin/sh -c pip install git+ssh://git@gitlab.com/organization/viiaa/abc_xx.git@v19.0]: exit code: 1

I already added my public key to gitlab profile keys

Answer 1

As @jeb mentioned in his answer the container does not have access to my private key which give access to gitlab repository. That was quite logical and I was not seeing it.

That I did was define at the Dockerfile the SSH_PRIVATE_KEY environment variable

ARG SSH_PRIVATE_KEY

And pass the SSH_PRIVATE_KEY variable content during the build time and it works:

> docker build --build-arg SSH_PRIVATE_KEY="$(cat ~/.ssh/gitlab_id_rsa)" . -t my-image-name:latest

Answer 2

The RUN pip install -r ./private_requirements.txt tries to access your git+ssh://git@gitlab.com/organization/viiaa/abc_xx.git@v19.0 from inside the container.
But the container doesn't have access to your ssh keys!

You could copy your private key to the docker container - not really recommended for security reasons.

But docker doesn't support mounting in the build step, therefore it's tricky to forward ssh keys, but it's possible.
See the answer at SO:SSH agent forwarding during docker build or another answer from Dan Pav

Answer 3

Check your error

#13 1.286   Load key "/root/.ssh/id_rsa": invalid format

Go there and check your private key. It should have the form

-----BEGIN OPENSSH PRIVATE KEY-----
......
......
......
......
......
......
......=
-----END OPENSSH PRIVATE KEY-----

It can be that you have copied in id_rsa the content of the public key and not the private key itself.

Public key must be saved in the same folder /root/.ssh/id_rsa.pub . It must be a different file with the name id_rsa.pub