├── README.md
├── build_docker.sh
└── test.Dockerfile


/README.md:
--------------------------------------------------------------------------------
# Install private git repo inside Docker with SSH

## Rationale

We want to create a Docker image that installs a dependency from
a private GitHub repository using SSH read keys.

To do so we use a [multi-stage Docker build](https://docs.docker.com/develop/develop-images/multistage-build/) so we always keep
our SSH keys protected and private.
This works because the first stage of the build, where the SSH key is,
won't be present in the final image, hence not exposing any sensitive information.

More info about the process can be found in [this blog post](https://vsupalov.com/build-docker-image-clone-private-repo-ssh-key/)


For this example we'll be using this [private repo](https://github.com/jmrf/nlu-engine)

## How To
1. Generate an SSH key
    ```bash
    ssh-keygen -t rsa -b 4096 -C "your@email.com"
    ```

2. Add the private key as _read-only_ [deploy key](https://github.blog/2015-06-16-read-only-deploy-keys/) to your repo.
More [info here](https://superuser.com/questions/1314064/read-only-access-to-github-repo-via-ssh-key)

3. Run the `build_docker.sh` script:
    ```bash
    # export path to the private key
    export KEY_PATH=
    ./build_docker.sh
    ```

--------------------------------------------------------------------------------
/build_docker.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# print a message, expanding @color[[text]] markers into terminal colors
say() {
 echo "$@" | sed \
         -e "s/\(\(@\(red\|green\|yellow\|blue\|magenta\|cyan\|white\|reset\|b\|u\)\)\+\)[[]\{2\}\(.*\)[]]\{2\}/\1\4@reset/g" \
         -e "s/@red/$(tput setaf 1)/g" \
         -e "s/@green/$(tput setaf 2)/g" \
         -e "s/@yellow/$(tput setaf 3)/g" \
         -e "s/@blue/$(tput setaf 4)/g" \
         -e "s/@magenta/$(tput setaf 5)/g" \
         -e "s/@cyan/$(tput setaf 6)/g" \
         -e "s/@white/$(tput setaf 7)/g" \
         -e "s/@reset/$(tput sgr0)/g" \
         -e "s/@b/$(tput bold)/g" \
         -e "s/@u/$(tput sgr 0 1)/g"
}

if [ -z "$KEY_PATH" ]
then
    say @red[["Please set the env. variable KEY_PATH before running this script"]]
    say @red[["KEY_PATH should be set to the path to the private key " \
              "you want to use for repo read access"]]
    exit 1;
fi

# read the SSH key from the host (quoted so paths with spaces work)
key_content=$(cat "$KEY_PATH")

# build docker file:
docker build --rm -t testimage \
    --build-arg SSH_PRIVATE_KEY="${key_content}" \
    -f test.Dockerfile .

--------------------------------------------------------------------------------
/test.Dockerfile:
--------------------------------------------------------------------------------
# multi-stage building:
# First stage just clones the private repo using SSH
FROM python:3.6-slim as cloner

SHELL ["/bin/bash", "-c"]

RUN apt-get update -qq && \
    apt-get install -y --no-install-recommends \
    git ssh

# add credentials on build
ARG SSH_PRIVATE_KEY
RUN mkdir /root/.ssh/
RUN echo "${SSH_PRIVATE_KEY}" > /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa

# make sure your domain is accepted
RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts

RUN git clone git@github.com:jmrf/nlu-engine.git


FROM python:3.6-slim

# Using the cloner, copy the source and install
COPY --from=cloner /nlu-engine /src/nlu-engine

# install the cloned-repo
RUN pip install -e /src/nlu-engine
RUN python3 -m rasa_nlu.train -h

--------------------------------------------------------------------------------
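
Added example, not part of this repository: `build_docker.sh` passes the key as the build arg `SSH_PRIVATE_KEY`, and Docker records build-arg values in the history of the `cloner` stage even though the final image omits that stage. The function below scans `docker history --no-trunc` text for that value or a PEM private-key header; the function names and the sample history lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: find SSH key material in `docker history` output.
# Real use (IMAGE is whatever stage image you want to audit):
#   docker history --no-trunc --format '{{.CreatedBy}}' IMAGE | find_key_leaks

# Reads history text on stdin and prints "<line>:<reason>" per finding,
# never the secret itself. Exit status follows grep: 0 = leak found, 1 = clean.
find_key_leaks() (
  arg_name="${1:-SSH_PRIVATE_KEY}"   # build-arg name used in test.Dockerfile
  n=0; rc=1
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    # A PEM header means key text itself was recorded in the layer metadata.
    case "$line" in
      *"-----BEGIN "*"PRIVATE KEY-----"*)
        echo "${n}:pem-private-key-header"; rc=0 ;;
    esac
    # "NAME=value" with a non-empty value is a build arg baked into a RUN step;
    # a bare "ARG NAME" declaration or a "${NAME}" reference is not a leak.
    rest=${line#*"$arg_name="}
    if [ "$rest" != "$line" ]; then
      case "$rest" in
        ""|" "*) ;;
        *) echo "${n}:build-arg-value:${arg_name}"; rc=0 ;;
      esac
    fi
  done
  exit "$rc"
)

# Constructed sample: history text for the cloner stage (placeholder, not a real key).
sample_cloner_history() {
  cat <<'EOF'
RUN |1 SSH_PRIVATE_KEY=-----BEGIN OPENSSH PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
-----END OPENSSH PRIVATE KEY----- /bin/bash -c echo "${SSH_PRIVATE_KEY}" > /root/.ssh/id_rsa
ARG SSH_PRIVATE_KEY
RUN /bin/bash -c apt-get update -qq
EOF
}

# Constructed sample: history of the final stage, which never saw the key.
sample_final_history() {
  cat <<'EOF'
RUN /bin/sh -c pip install -e /src/nlu-engine
COPY /nlu-engine /src/nlu-engine
EOF
}
sample_cloner_history | find_key_leaks   # demo run on the constructed sample
```

To audit the first stage of a real build, build it on its own with `docker build --target cloner` under a tag of your choosing and pipe that image's history into `find_key_leaks`.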