Do not copy secrets into image layers
Bad example:
FROM ubuntu
COPY id_rsa /root/.ssh/
RUN scp user@somewhere:/tmp/data .
RUN rm /root/.ssh/id_rsa
The image still contains the SSH key: every instruction adds a layer, and the later RUN rm only hides the file in the layers above the COPY, so anyone who pulls the image can extract it from the COPY layer. The scp command line is also recorded in the image history, so the host name and user name leak as well.
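The check a reviewer would run on such an image, as an added example (not part of the original slides): a constructed, offline image tarball in the layout `docker save` produces, one layer standing in for the COPY and one for the RUN rm, and a function that reports which layer tars still carry a given path. The manifest and config files a real saved image also contains are not needed for the check and are left out of the constructed tarball.

```shell
#!/bin/sh
# Added example, not from the original slides. Shows with a constructed
# two-layer image tarball that a file added in one layer and removed in a
# later one is still present in the earlier layer, and provides a check
# that finds it in real `docker save` output as well.
set -eu

# make_fake_image OUT: builds the constructed tarball.
# layer1 stands for `COPY id_rsa /root/.ssh/`; layer2 stands for
# `RUN rm /root/.ssh/id_rsa`, which a layer tar records only as a whiteout
# entry (.wh.id_rsa) that hides the file in the merged filesystem.
make_fake_image() {
    out=$1
    work=$(mktemp -d)
    mkdir -p "$work/l1/root/.ssh" "$work/l2/root/.ssh"
    printf 'not a real key, constructed for the example\n' > "$work/l1/root/.ssh/id_rsa"
    : > "$work/l2/root/.ssh/.wh.id_rsa"
    mkdir -p "$work/img/layer1" "$work/img/layer2"
    tar -cf "$work/img/layer1/layer.tar" -C "$work/l1" .
    tar -cf "$work/img/layer2/layer.tar" -C "$work/l2" .
    tar -cf "$out" -C "$work/img" .
    rm -rf "$work"
}

# layers_containing IMAGE_TAR PATH: prints every layer tar (relative to the
# image root) whose member list includes PATH, e.g. root/.ssh/id_rsa.
# No output means no layer carries the file. Handles the legacy
# <id>/layer.tar layout and the OCI blobs/sha256/<digest> layout; files that
# are not tar archives (config, manifest) simply fail to list and are skipped.
layers_containing() {
    image=$1
    needle=$2
    work=$(mktemp -d)
    tar -xf "$image" -C "$work"
    find "$work" -type f \( -name 'layer.tar' -o -path '*/blobs/sha256/*' \) | sort |
    while read -r layer; do
        if tar -tf "$layer" 2>/dev/null | sed 's#^\./##' | grep -qxF "$needle"; then
            echo "${layer#"$work"/}"
        fi
    done
    rm -rf "$work"
}

# Demo: the rm in layer2 does not remove the key from layer1.
img=$(mktemp)
make_fake_image "$img"
echo "layers still carrying root/.ssh/id_rsa:"
layers_containing "$img" root/.ssh/id_rsa
rm -f "$img"
```

Run it against a real image with `docker save myimage -o myimage.tar` followed by `layers_containing myimage.tar root/.ssh/id_rsa`; a deleted secret shows up under the COPY layer even though `docker run myimage ls /root/.ssh` shows nothing.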
Forward the SSH agent socket
Introduced in Docker 18.09
–
BuildKit forwards the SSH agent socket into RUN steps that request it with --mount=type=ssh; the build can sign with the agent's keys but never sees the key file, and nothing is written to a layer
Prepare SSH agent:
ssh-keygen -f id_rsa_test -N ''
eval $(ssh-agent -s)
ssh-add id_rsa_test
ssh-add -l
Forward into build:
export DOCKER_BUILDKIT=1
docker build --ssh default --progress plain .
Compare the key listing printed by the build step with the local one:
ssh-add -l
–
Mount the existing SSH agent socket into a running container
Pass the SSH_AUTH_SOCK environment variable through so the SSH client inside the container finds the socket
Prepare SSH agent:
ssh-keygen -f id_rsa_test
eval $(ssh-agent -s)
ssh-add id_rsa_test
ssh-add -l
Forward into the running container:
docker run -it --rm \
--mount type=bind,src=${SSH_AUTH_SOCK},dst=${SSH_AUTH_SOCK} \
--env SSH_AUTH_SOCK \
alpine-ssh
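Both procedures above, build-time forwarding with BuildKit and run-time mounting of the agent socket, as one added example script that is not part of the original slides. It supplies the Dockerfile the build-time slide leaves out (the RUN step must be marked --mount=type=ssh, otherwise the agent is not visible) and builds the alpine-ssh image the run-time slide uses. The image tags demo-buildkit-ssh and alpine-ssh, the throwaway key name id_rsa_test, and the host name somewhere in the commented scp line are assumptions chosen for the example; the Docker demo only runs when RUN_DOCKER_DEMO=1 is set, so the script is harmless elsewhere.

```shell
#!/bin/sh
# Added example, not from the original slides: build-time agent forwarding
# with BuildKit and run-time mounting of the agent socket, in one script.
# Assumed names: image tags demo-buildkit-ssh and alpine-ssh, key file
# id_rsa_test in the current directory. The Docker steps run only with
# RUN_DOCKER_DEMO=1, because they need docker, ssh-keygen and ssh-agent.
set -eu

# The Dockerfile the build-time slide omits. Only RUN steps marked
# --mount=type=ssh see the forwarded agent: BuildKit sets SSH_AUTH_SOCK for
# that step and tears the socket down afterwards, so no key material and no
# socket path end up in a layer.
render_buildkit_dockerfile() {
    cat <<'EOF'
# syntax=docker/dockerfile:1
FROM alpine
RUN apk add --no-cache openssh-client
# Lists the keys the host agent offers; compare with `ssh-add -l` locally.
RUN --mount=type=ssh ssh-add -l
# For a real fetch, pin the host key first so the build cannot prompt
# (host name "somewhere" is the placeholder from the slides):
#   RUN mkdir -p -m 0700 /root/.ssh && ssh-keyscan somewhere >> /root/.ssh/known_hosts
#   RUN --mount=type=ssh scp user@somewhere:/tmp/data .
EOF
}

# Throwaway key and a fresh agent that holds only that key, so whatever is
# built or run can sign with nothing else.
prepare_agent() {
    [ -f id_rsa_test ] || ssh-keygen -q -f id_rsa_test -N ''
    eval "$(ssh-agent -s)" > /dev/null
    ssh-add id_rsa_test
    ssh-add -l
}

# Build-time: DOCKER_BUILDKIT=1 selects BuildKit on older Docker releases,
# --ssh default forwards the agent found at $SSH_AUTH_SOCK, and
# --progress plain keeps the RUN output visible for the comparison.
build_with_forwarded_agent() {
    dir=$(mktemp -d)
    render_buildkit_dockerfile > "$dir/Dockerfile"
    DOCKER_BUILDKIT=1 docker build --ssh default --progress plain \
        -t demo-buildkit-ssh "$dir"
    rm -rf "$dir"
}

# Run-time: bind-mount the host agent socket at the same path inside the
# container and pass SSH_AUTH_SOCK through so ssh-add inside finds it.
# While the mount exists the container can use every key in the agent, so
# keep that agent limited to what the container needs.
run_with_mounted_agent() {
    docker build -t alpine-ssh - <<'EOF'
FROM alpine
RUN apk add --no-cache openssh-client
EOF
    docker run --rm \
        --mount "type=bind,src=${SSH_AUTH_SOCK},dst=${SSH_AUTH_SOCK}" \
        --env SSH_AUTH_SOCK \
        alpine-ssh ssh-add -l
}

if [ "${RUN_DOCKER_DEMO:-0}" = 1 ]; then
    prepare_agent
    build_with_forwarded_agent
    run_with_mounted_agent
else
    render_buildkit_dockerfile
fi
```

The key listing printed by the RUN step and by the container should match the local `ssh-add -l`, which is the comparison the slides ask for. Two practical caveats: `ssh-add -c` makes the agent ask for confirmation before each signature, which is a cheap way to notice a build or container using the key unexpectedly; and bind-mounting $SSH_AUTH_SOCK as shown assumes the agent and the daemon run on the same host (on Docker Desktop the socket is not reachable at that path and the product documents its own forwarding mechanism instead).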