> [!META]- Inline Metadata
[status:: boat]
[tags:: #state/boat #note/evergreen, #concepts/containerization/docker ]
[up:: [[Docker MOC]]]
# Purpose
One use of this technique is to let Docker use your SSH keys to access private GitHub repositories (or any VCS that authenticates over SSH) so that project dependencies can be installed at image build time.
# The Technique
To do this, you forward your SSH agent or key to the builder with a combination of the `docker build` command, which signals to the build system that this forwarding is available, and [bind mounts](https://docs.docker.com/get-started/06_bind_mounts/) in the Dockerfile that reach back to the host for either an existing SSH agent session or the keys themselves.
# How to Do It
## Docker Build
Using the `docker build` command, add `--ssh default=<absolute path to SSH key>` as a parameter:
`docker build --ssh default=<absolute path to SSH key> .`
## Dockerfile
In the Dockerfile, first fetch the SSH host key of your service of choice (GitHub in this example) into `known_hosts`, then specify a mount that automatically points to the key passed in as `default`. Here, GitHub-based dependencies are listed in `requirements.txt`, which is why `--mount=type=ssh` (not a typo) is attached to the `RUN` command that calls `pip`.
```dockerfile
# Record GitHub's SSH host key so the build does not stop at a host-key prompt.
RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
# Only this RUN step sees the forwarded SSH agent socket.
RUN --mount=type=ssh pip install --no-cache-dir --upgrade pip && \
    pip install -r requirements.txt
```
# Security
What's special about this technique is that your keys never leave your machine and are not written into any image layer: they are only referenced ephemerally, during the build, by the commands you attach the mount to.
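As an added example (my code, not from this note or from Docker), a small shell lint for the mistakes that the forwarding technique above replaces: key files copied or passed as build arguments into the image, and SSH fetches in `RUN` steps that lack the mount. The finding names, regexes, sample Dockerfiles and the `example-org/private-dep` repository are all constructed.

```shell
#!/bin/sh
# Added example, not from the original note: a lint for the mistakes that
# --ssh forwarding is meant to replace. Finding names and regexes are my own.
lint_dockerfile() {
    awk '
    # A RUN step split with trailing backslashes is joined before inspection.
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }
    { l = buf $0; buf = ""
      # 1. Key file copied into a layer: it lives on in the image history.
      if (l ~ /^[ \t]*(COPY|ADD)[ \t]/ && l ~ /(\.ssh\/|id_rsa|id_ecdsa|id_ed25519)/)
          print "baked-key: " l
      # 2. Key passed as a build ARG or ENV: recoverable via docker history.
      if (l ~ /^[ \t]*(ARG|ENV)[ \t]/ && tolower(l) ~ /ssh[a-z_]*(key|priv)/)
          print "key-in-arg: " l
      # 3. SSH URL in a RUN step without --mount=type=ssh: that step has no
      #    agent socket, so the fetch cannot authenticate.
      if (l ~ /^[ \t]*RUN[ \t]/ && l ~ /(git@|ssh:\/\/|git\+ssh)/ && l !~ /--mount=type=ssh/)
          print "ssh-without-mount: " l
    }' "$1"
}
# Count findings without wc, whose output is padded on some platforms.
lint_count() { lint_dockerfile "$1" | awk 'END { print NR }'; }

WORK=$(mktemp -d)
# Constructed sample: the anti-pattern (org/repo name is a placeholder).
cat > "$WORK/Dockerfile.bad" <<'EOF'
FROM python:3-slim
ARG SSH_PRIVATE_KEY
COPY id_rsa /root/.ssh/id_rsa
RUN git clone git@github.com:example-org/private-dep.git /opt/dep && \
    pip install /opt/dep
EOF
# Constructed sample: the pattern from this note. The syntax line and --mount
# need BuildKit, which is also what gives `docker build` its --ssh flag.
cat > "$WORK/Dockerfile.good" <<'EOF'
# syntax=docker/dockerfile:1
FROM python:3-slim
RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
RUN --mount=type=ssh pip install --no-cache-dir -r requirements.txt
EOF

echo "bad:  $(lint_count "$WORK/Dockerfile.bad") finding(s)"
lint_dockerfile "$WORK/Dockerfile.bad"
echo "good: $(lint_count "$WORK/Dockerfile.good") finding(s)"
```

Run it against your own Dockerfiles with `lint_dockerfile path/to/Dockerfile`; a clean file prints nothing.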
# Sources
- https://www.fastruby.io/blog/docker/docker-ssh-keys.html
- https://medium.com/@tonistiigi/build-secrets-and-ssh-forwarding-in-docker-18-09-ae8161d066
- https://stackoverflow.com/questions/43418188/ssh-agent-forwarding-during-docker-build