I have a project (written in Ruby) which I want to run in a docker image. The project source code is stored in a private git repo, and the image is created as usual by a Dockerfile. The project is huge, so git clone takes a relatively long time.
The problem is that I'm not sure how (when/where) to clone the git repo into the docker image properly. I can clone the git repository to a temp directory and copy the source code with the COPY command in the Dockerfile. I don't like doing that, since I would have to maintain a second clone in the temp dir.
Or, I can clone the repo within the docker image. The problem is my ssh key, which I can't reasonably keep in the image. I can add only "my own" keys to the git server, which allow access to everything.
So, I created a script like this:
# Unique container name so commit/rm below can refer to the same container.
UUID=`uuid`
# Mount the host ssh directory read-only and run the clone/update script in the image.
docker run \
  -v "$HOME/.ssh:/home/user/.ssh:ro" \
  --name="$UUID" \
  -it "$1" /scripts/git-clone-update.sh
# Save the updated filesystem back onto the same image tag, then drop the container.
docker commit "$UUID" "$1"
docker rm "$UUID"
git-clone-update.sh clones the project if it doesn't exist or just updates it if it does. The keys are mounted into .ssh for that. It works great. I can update the code in the image easily by just calling the script and passing the image name as an argument. The only problem is Config.Cmd, which always changes to /scripts/git-clone-update.sh.
Any idea how to keep the original Config.Cmd? What is the best practice for cloning a private repo into the docker image?
Thx
As you've discovered, keeping your private ssh keys in a docker image isn't great for security. I've seen two approaches for this:
Create a new, read-only account and keep its keys in the docker image. The more limitations you can put on this account the better for security, but you're still packaging a secret on top of your actual source code.
Also, this doesn't solve your scripts problem, which I've admittedly no clue how to solve.
Host the whole, packaged docker file with your code already copied in. This is the approach Mark O'Conner mentions in his comment. The workflow for a release would be:
For development, i.e. everyday use with the second approach, you could have a launch script that copies your code into the docker container and runs or restarts the container, or the server inside the container, as needed. Or you could have a separate development docker image that you configure to mount your source control directory as a separate volume.
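Added example, not code from the question or the answer above: the commit-based update the question describes, written so that the image's original CMD survives. It relies on two real docker features, `docker inspect -f '{{json .Config.Cmd}}'` to read the current CMD and `docker commit --change 'CMD [...]'` to set it on the committed image. It assumes the image already contains /scripts/git-clone-update.sh (the asker's script) and that the key allowed to read the repo is in $HOME/.ssh on the host; the function names and the container name prefix are made up here. It also covers two cases the asker's script does not: an image with no CMD at all (inspect prints null, which must not be turned into `CMD null`) and a failed clone, which must not be committed.

```sh
#!/bin/sh
# Added example, not the question's or answer's own code. Refreshes the git clone
# inside an existing image and commits it back to the same tag while keeping the
# image's original CMD. Assumes the image already contains
# /scripts/git-clone-update.sh (the asker's script) and that the key that may
# read the repo is in $HOME/.ssh on the host. Function names are made up here.
set -e

# Read the image's current CMD as a JSON array; docker prints "null" if it has none.
original_cmd_json() {
    docker inspect -f '{{json .Config.Cmd}}' "$1"
}

# Turn that JSON array into the Dockerfile instruction `docker commit --change` expects.
# Prints nothing for an image without a CMD so the caller can skip --change instead
# of committing a bogus `CMD null`.
cmd_change_instruction() {
    case "$1" in
        ""|null) return 0 ;;
        \[*\]) printf 'CMD %s\n' "$1" ;;
        *) echo "unexpected Config.Cmd value: $1" >&2; return 1 ;;
    esac
}

# Run the clone/update script in a throwaway container and commit the result onto
# the same tag. The ssh directory is a read-only bind mount, and docker commit does
# not capture mounted volumes, so no key material ends up in the committed layer.
# Prints the CMD instruction that was restored (empty when the image has none).
update_image() {
    image=$1
    name="clone-update-$$"
    cmd_json=$(original_cmd_json "$image")
    change=$(cmd_change_instruction "$cmd_json")

    # Foreground run: docker run's exit status is the script's exit status.
    if ! docker run --name "$name" \
            -v "$HOME/.ssh:/home/user/.ssh:ro" \
            "$image" /scripts/git-clone-update.sh; then
        # A failed clone must not be committed; leave the image as it was.
        docker rm "$name" >/dev/null 2>&1 || true
        echo "git-clone-update.sh failed; image $image left unchanged" >&2
        return 1
    fi

    if [ -n "$change" ]; then
        docker commit --change "$change" "$name" "$image" >/dev/null
    else
        docker commit "$name" "$image" >/dev/null
    fi
    docker rm "$name" >/dev/null
    printf '%s\n' "$change"
}

# Usage: update_image myregistry/myapp:latest
```

Only CMD needs restoring: passing a command after the image name to `docker run` overrides Cmd but leaves Entrypoint, Env and the rest of the config untouched, so they carry over into the commit unchanged. Two caveats remain with this approach regardless of the CMD fix: every commit adds a layer on top of the previous ones, so the image history keeps growing, and the clone inside the image is still only as fresh as the last time the script ran.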