How to maintain debian repo secrets in the docker file

ramu017 · October 13, 2022, 6:44pm

We need to install the apt packages from our artifactory server in the docker image during docker build. In order to install the packages from the artifactory server, we need to update the deb sources in /etc/apt/sources.list with credentials.
We dont want to distribute the credentials, Please suggest any solutions to overcome this challenge.

meyay · October 13, 2022, 7:07pm

Use the ephemeral build-time ARG instruction instead of the persisted ENV instruction in the Dockerfile. Then pass the value to docker build using --build-arg key=value

ramu017 · October 13, 2022, 7:59pm

Currently I am using --build-arg key=value to send the secrets to the docker. Debian requires to store the credentials in the file /etc/apt/sources.list. We cannot install apt packages without storing the credentials in sources.list.

rimelek · October 13, 2022, 8:21pm

I would try to use the build argument variable to store the credential, run apt-get install commands and remove the credentials so nothing would be stored permanently. When the image is created, non of the layers will contain the credentials.

Or I guess you could run a proxy server in an other containerwhich would forward the traffic to the actual debian repository and also add the credentials.

You probably prefer to choose the first idea. I think the easiest way to change the souces.list file, install and remove the file or replace it with a new one would be using envsubst.

https://www.gnu.org/software/gettext/manual/html_node/envsubst-Invocation.html

This is not the complete tested solution, just an example to demonstrate the idea:

RUN instruction in the Dockerfile

RUN install.sh
COPY public-sources.list /etc/apt/sources.list

install.sh

#/bin/bash

set -eu -o pipefail

envsubst < /etc/apt/sources.list.tpl > /etc/apt/sources.list
apt-get update
apt-get install ....
unlink /etc/apt/sources.list

/etc/apt/sources.list.tpl

deb https://${REPO_USER}:${REPO_PASS}/....

ramu017 · October 13, 2022, 8:38pm

The challenge is with the large group of development teams using this approach, It is not possible to verify all the docker files that they are removing the credential after the use.

rimelek · October 13, 2022, 8:57pm

Now that you mention it I realized I forgot to mention an other and probably better idea. You can use buildkit to mount a sources.list file from the host only during build.

This does not mention the “bind” mount but you can find an example of the Dockerfile of Compose v2:

github.com

docker/compose/blob/8b89721476ab6cb5e7f0769f03ad6287ca353709/Dockerfile#L52


      
          WORKDIR /src
          ENV CGO_ENABLED=0
          
          
FROM base AS build-base
          COPY go.* .
          RUN --mount=type=cache,target=/go/pkg/mod \
              --mount=type=cache,target=/root/.cache/go-build \
              go mod download
          
          
FROM build-base AS vendored
          RUN --mount=type=bind,target=.,rw \
              --mount=type=cache,target=/go/pkg/mod \
              go mod tidy && mkdir /out && cp go.mod go.sum /out
          
          
FROM scratch AS vendor-update
          COPY --from=vendored /out /
          
          
FROM vendored AS vendor-validate
          RUN --mount=type=bind,target=.,rw <<EOT
            set -e
            git add -A

But there is no guarantee that everyone will use that without leaving a secret in one of the layers but that is the responsibility of the developers if you really need a private repository without using a proxy to handle the credentials. You could try to find or create a tool that searches for secrets in the sources.list in every layer before publishing the image in the registry.