Build repositories with linked private submodules: Authentication failing

romaincavotec · October 26, 2021, 12:36am

Hi,
I am trying the automatic build function of Docker Hub.
I am in the case where I have:

a private BitBucket repo for my backend web app
another private BitBucket repo for one of the dependencies of my web app

I followed the instructions from Build repositories with linked private submodules which seems to be exactly my use case but can’t get it to work.

I have link my Docker Hub repository to my BitBucket one for my backend to automatically build on new commits to a specific branch.

Dockerfile:

FROM python:3.9.7-buster AS builder

RUN git clone \
    --branch master \
    --single-branch \
    git@bitbucket.org:myorganisationname/dependency.git

RUN pip wheel --no-cache-dir --wheel-dir /usr/src/app/wheels --use-feature=in-tree-build ./dependency

[...]

I created a pair of private and public keys from my Windows computer using the method prescribed by Atlassian and added the public key to my dependency’s repo authorized keys.

1. Now, if I don’t add the SSH_PRIVATE environment variable

I obtain the following error during the build:

Cloning into '.'...
Warning: Permanently added the RSA host key for IP address '18.205.93.0' to the list of known hosts.
Switched to a new branch 'deploy'
KernelVersion: 4.4.0-1060-aws
[...]
#15 [builder 6/7] RUN git clone --branch master --single-branch 
git@bitbucket.org:myorganisationname/dependency.git
#15 sha256:94b95bf83f7896175a6f81ce71694d3e98b14540dede62445c02e779def9c581
#15 0.646 Cloning into 'dependency'...
#15 0.751 Host key verification failed.
#15 0.752 fatal: Could not read from remote repository.
#15 0.752
#15 0.752 Please make sure you have the correct access rights
#15 0.752 and the repository exists.
#15 ERROR: executor failed running [/bin/sh -c git clone --branch master --single-branch 
git@bitbucket.org:myorganisationname/dependency.git]: exit code: 128
------
> [builder 6/7] RUN git clone --branch master --single-branch 
git@bitbucket.org:myorganisationname/dependency.git
------
error: failed to solve: rpc error: code = Unknown desc = executor failed running [/bin/sh -c git clone --branch 
master --single-branch git@bitbucket.org:myorganisationname/dependency.git]: exit code: 128
Build failed using Buildkit

Which is expected.

2. When adding the SSH_PRIVATE environment variable to be used for build

where I copied my private key, I have this error:

Cloning into '.'...
Warning: Permanently added the RSA host key for IP address '18.205.93.2' to the list of known hosts.
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
please ensure the correct public key is added to the list of trusted keys for this repository (128)

Docker Hub can’t access my BitBucket repo anymore, which doesn’t make much sense to me, adding the environment variable for build should not impact this.

I have checked that my BitBucket repo for the Backend contains the key automatically added by Docker Hub in its authorized keys (I also added the one I generated, just in case).

Can you spot what is going wrong?

Thank you.

romaincavotec · November 22, 2021, 3:11am

I solved it.
What is somewhat missing from the doc is that in order to use the build environment variable defined in Docker Hub, a hook must be created to override the build command (related doc section).

So the solution is to create a hooks directory and the file:

`hooks/build`

#!/bin/bash

docker build \
    --build-arg SSH_PRIVATE=$SSH_PRIVATE\
    -f $DOCKERFILE_PATH \
    -t $IMAGE_NAME .