How to build a Docker image with private repo dependencies from a Bitbucket Pipeline

huus2vyu  posted on 2023-06-22 in Docker

I am trying to deploy a Docker image to AWS ECR using a Bitbucket Pipeline. In the requirements.txt file I have a Python package that comes from a private Bitbucket repository within my project.
Unfortunately, my Bitbucket pipeline build keeps failing. I think I am missing some basic step in the authentication or in the pip install, but I cannot seem to find the right documentation for this use case.
Following this Bitbucket community post, I generated an SSH key in the pipeline project and added it to the Access Keys of the package repository. I then followed this post and structured the files as:

      • Dockerfile
# syntax = docker/dockerfile:1.2
FROM python:3.9-slim
WORKDIR /src
# Install git to download private repo
RUN apt-get update && apt-get install -y git
# Add Bitbucket SSH key to install private repo
ARG SSH_PRIVATE_KEY
RUN mkdir ~/.ssh/
RUN echo "${SSH_PRIVATE_KEY}" > ~.ssh/id_rsa
RUN chmod 600  ~/.ssh/id_rsa
RUN touch ~/.ssh/known_hosts
RUN ssh-keyscan bitbucket.org >> ~/.ssh/known_hosts
RUN eval $(ssh-agent -s)
RUN ssh-add ~/.ssh/id_rsa
# Install Python dependencies
RUN pip install --upgrade pip setuptools
COPY requirements.txt requirements.txt
# requirements.txt also includes private repo package
RUN pip install --no-cache-dir -r requirements.txt
# Copy code into `src` folder
COPY src/ /src
# Set up environment variables & secrets
RUN --mount=type=secret,id=keys cat /run/secrets/keys \
  && python -m configs.parser
ENTRYPOINT ["python", "main.py"]
      • bitbucket-pipelines.yml
image: atlassian/default-image:2

pipelines:
  branches:
    master:
      - step:
          name: Build and AWS Setup
          services:
            - docker
          script:
            # Export repo variables to .env file
            - export ENV_PATH=src/configs/.env
            - echo AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID >> $ENV_PATH
            - echo AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY >> $ENV_PATH
            - export SSH_PRIVATE_KEY=`cat /opt/atlassian/pipelines/agent/data/id_rsa`
            - export TIMESTAMP="$(date +%Y%m%d%H%M%S)"
            # Build docker image with secrets mounted
            - export DOCKER_BUILDKIT=1
            - docker build --build-arg SSH_PRIVATE_KEY --secret id=keys,src=$ENV_PATH -t $AWS_ECR_REPO .
            # use pipe to push the image to AWS ECR
            - pipe: atlassian/aws-ecr-push-image:1.3.0
              variables:
                AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID
                AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY
                AWS_DEFAULT_REGION: us-east-1
                IMAGE_NAME: $AWS_ECR_REPO
                TAGS: "latest $TIMESTAMP $BITBUCKET_BUILD_NUMBER"

My pipeline fails at step 5 of docker build with the error: executor failed running [/bin/sh -c echo "${SSH_PRIVATE_KEY}" > ~.ssh/id_rsa]: exit code: 2
Any help with this would be greatly appreciated!

wljmcqd8 #1

You should not pass RSA private keys as arguments, nor dump them into the docker image you are building. That way the private key ends up exposed in the image layers.
You should use

# Dockerfile: the forwarded key is only reachable inside this RUN step and is never written to a layer
RUN --mount=type=ssh \
  pip install -r requirements.txt
# Pipeline script: forward the Pipelines SSH key into the build through BuildKit ssh forwarding
docker build --ssh default=$BITBUCKET_SSH_KEY_FILE .

(See https://support.atlassian.com/bitbucket-cloud/docs/run-docker-commands-in-bitbucket-pipelines/#Docker-BuildKit-restrictions)
As for the known_hosts contents: to protect the image builder from being spoofed, I recommend not accepting whatever keys can be scanned at build time.
Either vendor (and keep under VCS) the necessary ssh server fingerprints in the Docker build context, or mount (not necessarily as a secret) an externally managed known_hosts. For example, the one managed by Bitbucket Pipelines already carries the maintained bitbucket.org ssh fingerprints: https://support.atlassian.com/bitbucket-cloud/docs/set-up-pipelines-ssh-keys-on-linux/#Update-the-known-hosts

# Dockerfile: the mount target must be an absolute path ("~" is not expanded in mount options;
# root's home in the python image is /root). source= is relative to the build context.
RUN \
  --mount=type=ssh \
  --mount=type=bind,target=/root/.ssh/known_hosts,source=known_hosts \
  pip install -r requirements.txt
# Pipeline script: copy the Pipelines-managed known_hosts into the build context, then build with ssh forwarding
cp ~/.ssh/known_hosts .
docker build --ssh default=$BITBUCKET_SSH_KEY_FILE .
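The checks below are an added example, not code from the question or the answer above: a small Python linter for the Dockerfile patterns the answer warns about (a private key passed through ARG and echoed into a layer, ssh-keyscan trust-on-first-use at build time, ssh-agent state that does not survive into the next RUN) plus one the answer does not raise, a --mount=type=secret whose contents are cat'ed to stdout and therefore into the build log. The function and rule names are this example's own, and both Dockerfiles in it are constructed for illustration; the hardened one uses the --mount=type=ssh and bind-mounted known_hosts form the answer recommends.

```python
"""Static checks for build-time SSH key handling (added example, not the page's own code)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: int      # 1-based line of the offending instruction
    rule: str
    message: str


def _split(start, text):
    parts = text.strip().split(None, 1)
    return start, parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def parse_instructions(dockerfile):
    """Return (line, INSTRUCTION, argument) triples, joining backslash
    continuations and skipping blank and comment lines (also inside a
    continuation, as the Dockerfile parser does)."""
    instructions, buf, start = [], "", None
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.rstrip()  # trailing spaces after '\' are tolerated
        if not line or line.lstrip().startswith("#"):
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        instructions.append(_split(start, buf + line))
        buf, start = "", None
    if buf:  # continuation dangling at end of file
        instructions.append(_split(start, buf))
    return instructions


SECRET_NAME = re.compile(r"KEY|SECRET|TOKEN|PASSWORD", re.I)


def lint(dockerfile):
    """Flag build-time secret handling that leaks into layers, logs or host trust."""
    findings, secret_args = [], []
    for line, instr, arg in parse_instructions(dockerfile):
        if instr == "ARG":
            name = arg.split("=", 1)[0].strip()
            if SECRET_NAME.search(name):
                secret_args.append(name)
                findings.append(Finding(line, "ARG_SECRET",
                    f"build arg {name} looks like a secret; ARG values are recorded in the image history"))
        elif instr == "RUN":
            for name in secret_args:
                # "${NAME}" or "$NAME" redirected into a file: that file is committed in this layer
                if re.search(r"\$\{?" + re.escape(name) + r"\}?", arg) and ">" in arg:
                    findings.append(Finding(line, "SECRET_IN_LAYER",
                        f"{name} is written to the filesystem and persists in the image layer"))
            if "ssh-keyscan" in arg:
                findings.append(Finding(line, "KEYSCAN_TOFU",
                    "host key accepted from the network at build time; vendor a pinned known_hosts instead"))
            if re.search(r"\bssh-(agent|add)\b", arg) and "--mount=type=ssh" not in arg:
                findings.append(Finding(line, "AGENT_NOT_PERSISTENT",
                    "ssh-agent state does not survive into the next RUN; use --mount=type=ssh"))
            if "--mount=type=secret" in arg and re.search(r"\bcat\s+/run/secrets/", arg):
                findings.append(Finding(line, "SECRET_TO_STDOUT",
                    "secret file is written to stdout and ends up in the build log"))
    return findings


# Constructed Dockerfile mirroring the question's approach (key via ARG, keyscan, ssh-add)
UNSAFE_DOCKERFILE = r"""# syntax = docker/dockerfile:1.2
FROM python:3.9-slim
WORKDIR /src
ARG SSH_PRIVATE_KEY
RUN mkdir ~/.ssh/
RUN echo "${SSH_PRIVATE_KEY}" > ~/.ssh/id_rsa
RUN ssh-keyscan bitbucket.org >> ~/.ssh/known_hosts
RUN eval $(ssh-agent -s)
RUN ssh-add ~/.ssh/id_rsa
COPY requirements.txt requirements.txt
RUN pip install --no-cache-dir -r requirements.txt
RUN --mount=type=secret,id=keys cat /run/secrets/keys \
  && python -m configs.parser"""

# Constructed Dockerfile in the form the answer recommends
HARDENED_DOCKERFILE = r"""# syntax = docker/dockerfile:1.2
FROM python:3.9-slim
WORKDIR /src
RUN apt-get update && apt-get install -y git
COPY requirements.txt requirements.txt
# the key is forwarded from the client (docker build --ssh ...) and never stored;
# known_hosts is a pinned file from the build context, not scanned at build time
RUN --mount=type=ssh \
    --mount=type=bind,source=known_hosts,target=/root/.ssh/known_hosts \
    pip install --no-cache-dir -r requirements.txt
COPY src/ /src
ENTRYPOINT ["python", "main.py"]"""


if __name__ == "__main__":
    for f in lint(UNSAFE_DOCKERFILE):
        print(f"line {f.line}: {f.rule}: {f.message}")
    print("hardened findings:", lint(HARDENED_DOCKERFILE))
```

Run against the question's Dockerfile the linter reports one finding per anti-pattern, and it reports nothing for the hardened form; wired into a pipeline step that fails on any finding, it stops a key from being baked into a layer before the image is pushed to ECR.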
