DEV Community

Giancarlo Rocha
Giancarlo Rocha

Posted on

How To Install Private Git Hosted Dependencies Inside Docker Image Using SSH

Introduction

This quick guide will show you how to mount a ssh key inside a container in build time, to allow you to install private dependencies, that won't be persisted in the final image. It uses python but could work with any language/package manager that uses git + ssh.

Dockerfile

First you need to set Dockerfile syntax to docker/dockerfile:1.2. Put this in the beggining of the file:

# syntax = docker/dockerfile:1.2
Enter fullscreen mode Exit fullscreen mode

Now install git and openssh, and setup ssh folders:

RUN apt update && \
    apt install -y git openssh-client && \
    mkdir -p /root/.ssh && \
    ssh-keyscan github.com >> /root/.ssh/known_hosts
Enter fullscreen mode Exit fullscreen mode

May vary depending on the base image you're using, just change with the package manager you use.

Make sure to change github.com with your git host.

Now you have to mount the ssh key in the step that installs the dependency:

RUN --mount=type=secret,id=id_rsa,dst=/root/.ssh/id_rsa \
    pip install git+ssh://git@github.com/username/repository.git@version
Enter fullscreen mode Exit fullscreen mode

This will mount secret identified by id_rsa on /root/.ssh/id_rsa.

Building

When building you need to specify your ssh key as id_rsa secret:

docker build . \
    -f Dockerfile \
    --secret id=id_rsa,src=/home/user/.ssh/id_rsa
Enter fullscreen mode Exit fullscreen mode

Or using docker compose:

version: '3.7' 
services:
  your_service:
    build:
      context: .
      dockerfile: Dockerfile
      secrets:
        - id_rsa
secrets:
  id_rsa:
    file: /home/user/.ssh/id_rsa
Enter fullscreen mode Exit fullscreen mode

Final file

# syntax = docker/dockerfile:1.2

FROM python:3.11

RUN apt update && \
    apt install -y git openssh-client && \
    mkdir -p /root/.ssh && \
    ssh-keyscan github.com >> /root/.ssh/known_hosts

RUN --mount=type=secret,id=id_rsa,dst=/root/.ssh/id_rsa \
    pip install git+ssh://git@github.com/username/repository.git@version
Enter fullscreen mode Exit fullscreen mode

Conclusion

Keep your secrets secret!

Top comments (2)

Collapse
 
glours profile image
Guillaume • Edited

For Compose, you could also juste use the ssh attribute of the build section and rely to your default agent or pass the ssh key path without creating a secret
docs.docker.com/compose/compose-fi...

Collapse
 
giancarlorocha profile image
Giancarlo Rocha

Nice, didn't knew about that one!