Using SSH to access private data in builds as non-root USER

Hello,

Following https://docs.docker.com/develop/develop-images/build_enhancements/#using-ssh-to-access-private-data-in-builds and https://medium.com/@tonistiigi/build-secrets-and-ssh-forwarding-in-docker-18-09-ae8161d066, I spotted an issue with using the mount=type=ssh as a non-root USER.

The following example works fine:

# syntax=docker/dockerfile:experimental

FROM ubuntu:18.04

RUN apt-get update && apt-get install -y ssh && apt-get clean -y
RUN \
    mkdir -p /root/.ssh \
    && chmod 700 /root/.ssh \
    && touch /root/.ssh/known_hosts \
    && ssh-keyscan github.com >> /root/.ssh/known_hosts
RUN --mount=type=ssh ssh -T git@github.com

It doesn't really do anything useful, it just gives proof that SSH auth is working:

DOCKER_BUILDKIT=1 docker build -t tmpxxx1 --ssh=default -f Dockerfile-ssh-mount-root --progress=plain .

...

#10 [5/5] RUN --mount=type=ssh     ssh -T git@github.com
#10       digest: sha256:29b7e33e4bbd309b873b28459b5903b83ca287c3ddde5d4acdd19f1f2b54decd
#10         name: "[5/5] RUN --mount=type=ssh     ssh -T git@github.com"
#10      started: 2019-04-10 10:33:47.935611053 +0000 UTC
#10 0.935 Warning: Permanently added the RSA host key for IP address '140.82.118.4' to the list of known hosts.
#10 1.744 Hi UserName! You've successfully authenticated, but GitHub does not provide shell access.

When trying to use non-root USER:

# syntax=docker/dockerfile:experimental

FROM ubuntu:18.04

RUN apt-get update && apt-get install -y ssh && apt-get clean -y
RUN groupadd tmpuser \
    && useradd tmpuser -g tmpuser -d /home/tmpuser \
    && mkdir -p /home/tmpuser/.ssh \
    && chmod 700 /home/tmpuser/.ssh \
    && touch /home/tmpuser/.ssh/known_hosts \
    && ssh-keyscan github.com >> /home/tmpuser/.ssh/known_hosts \
    && chown -R tmpuser:tmpuser /home/tmpuser/.ssh
USER tmpuser:tmpuser
RUN --mount=type=ssh ssh -T git@github.com

It doesn't work:

DOCKER_BUILDKIT=1 docker build -t tmpxxx2 --ssh=default -f Dockerfile-ssh-mount-user --progress=plain .
...
#10 [5/5] RUN --mount=type=ssh     ssh -T git@github.com
#10       digest: sha256:4644a12e91d8fd2197fb919d384bb0a03d6b3083ef933a2735ccb9f5a88d2839
#10         name: "[5/5] RUN --mount=type=ssh     ssh -T git@github.com"
#10      started: 2019-04-10 10:33:56.249138127 +0000 UTC
#10 0.902 Warning: Permanently added the RSA host key for IP address '140.82.118.3' to the list of known hosts.
#10 1.162 git@github.com: Permission denied (publickey).

Am I doing something wrong? Or is it an unsupported feature?

Thanks

Robert


Check if you have added SSH keys to ssh-agent.

@rtrzewiczekperform I was able to achieve this by defining the uid as explained here. So in your case, using 102 for the uid, it would be:

# syntax=docker/dockerfile:experimental

FROM ubuntu:18.04

RUN apt-get update && apt-get install -y ssh && apt-get clean -y
RUN groupadd tmpuser \
    && useradd tmpuser -g tmpuser -d /home/tmpuser -u 102 \
    && mkdir -p /home/tmpuser/.ssh \
    && chmod 700 /home/tmpuser/.ssh \
    && touch /home/tmpuser/.ssh/known_hosts \
    && ssh-keyscan github.com >> /home/tmpuser/.ssh/known_hosts \
    && chown -R tmpuser:tmpuser /home/tmpuser/.ssh
USER tmpuser:tmpuser
RUN --mount=type=ssh,uid=102 ssh -T git@github.com
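As an added example (not code from this thread or from BuildKit itself): a small Python check that flags the pattern from the question, a `RUN --mount=type=ssh` executed after a non-root `USER` with no `uid=` on the mount, and also catches a numeric `USER` that does not match the mount's `uid=`. The two Dockerfile snippets are constructed and shortened versions of the ones above; the check cannot resolve user names to uids without the image, so for a named `USER` it only requires that `uid=` is present.

```python
import re

# Constructed Dockerfile snippets: the failing non-root case from the
# question, and the uid=102 variant from the answer.
BROKEN = """\
FROM ubuntu:18.04
RUN groupadd tmpuser \\
    && useradd tmpuser -g tmpuser -d /home/tmpuser
USER tmpuser:tmpuser
RUN --mount=type=ssh ssh -T git@github.com
"""
FIXED = BROKEN.replace("USER tmpuser:tmpuser", "USER 102:102").replace(
    "--mount=type=ssh ", "--mount=type=ssh,uid=102 ")

MOUNT_RE = re.compile(r"--mount=(\S+)")

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not buf and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf:
        yield buf.strip()

def lint_ssh_mounts(dockerfile):
    """Return warnings for RUN --mount=type=ssh steps that run as a
    non-root USER without a matching uid= option on the mount."""
    warnings, user = [], "root"          # Dockerfile steps start as root
    for n, line in enumerate(logical_lines(dockerfile), 1):
        parts = line.split(None, 1)
        instr, rest = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr == "USER":
            user = rest.split(":")[0]    # keep the user part of user[:group]
        elif instr == "RUN":
            for spec in MOUNT_RE.findall(rest):
                opts = dict(kv.split("=", 1) for kv in spec.split(",") if "=" in kv)
                if opts.get("type") != "ssh" or user in ("root", "0"):
                    continue
                uid = opts.get("uid")
                if uid is None:
                    warnings.append(f"step {n}: ssh mount runs as USER {user!r} but has "
                                    "no uid= option; the agent socket will be root-only")
                elif user.isdigit() and uid != user:
                    warnings.append(f"step {n}: mount uid={uid} does not match USER {user}")
    return warnings
```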