Pip install from git repo inside docker build with github actions - docker

I'm working on segregation of common modules into dedicated repositories for our github organization. I use pip install from a git repo in the Dockerfile to install shared modules developed inside the organization:
RUN pip3 install -r requirements.txt
where the git repo dependency is referenced like:
git+https://github.com/org/repo.git@master
The issue I'm facing is that I can't make pip3 install authenticate against the organisation's private repository when running as a github action with pip3 install inside the Dockerfile. I want to avoid creating a private access token (PAT) for one of the devs, as I want to be user-agnostic and not maintain tokens for leaving team members. I tried to use ${{ secrets.GITHUB_TOKEN }} but with deeper reading realized that the token has access only to the repository where the github action is initiated (link):
The token's permissions are limited to the repository that contains your workflow
Is there a way to make pip3 install working in github actions without PAT?
Error getting in one of many iterations:
Collecting git+https://****@github.com/org/repo.git@master (from -r requirements.txt (line 17))
Cloning https://****@github.com/org/repo.git (to revision master) to /tmp/pip-req-build-mnge3zvd
Running command git clone -q 'https://****@github.com/org/repo.git' /tmp/pip-req-build-mnge3zvd
fatal: could not read Password for 'https://${GITHUB_TOKEN}@github.com': No such device or address
WARNING: Discarding git+https://****@github.com/org/repo.git@master. Command errored out with exit status 128: git clone -q 'https://****@github.com/org/repo.git' /tmp/pip-req-build-mnge3zvd Check the logs for full command output.
ERROR: Command errored out with exit status 128: git clone -q 'https://****@github.com/org/repo.git' /tmp/pip-req-build-mnge3zvd Check the logs for full command output.

I suggest using ssh like this:
In your Dockerfile:
RUN --mount=type=ssh,id=default pip install -r requirements.txt
In your requirements.txt, change to
git+ssh://git@github.com/org/repo.git@master
Prepare an ssh private key associated with your github account in the repo Settings/Actions/Secrets, with the name SSH_KEY (it would be better to use a dedicated ssh key).
In your action defining yaml, create a step
- name: Prepare Key
  uses: webfactory/ssh-agent@v0.5.4
  with:
    ssh-private-key: ${{ secrets.SSH_KEY }}
This will export an env variable SSH_AUTH_SOCK for later use
In the next action step, use the SSH_AUTH_SOCK:
- name: Build and push
  id: docker_build
  uses: docker/build-push-action@v2
  with:
    ssh: |
      default=${{ env.SSH_AUTH_SOCK }}
Reference: https://github.com/webfactory/ssh-agent#using-the-dockerbuild-push-action-action
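As an added example (not code from the question or the answer above), the following script rewrites the git+https entries of a requirements.txt into the git+ssh form the answer recommends and flags any entry that still carries credentials in the URL, which is the pattern pip redacted as ****@github.com in the log. Function names are ours and org/repo is a placeholder.

```shell
#!/bin/sh
# Converts pip VCS requirements from HTTPS to SSH and detects embedded
# credentials. Constructed helper, not part of the original post.

to_ssh_requirement() {
  # $1: one requirement line. Drops any user:token@ userinfo and swaps the
  # scheme, keeping the @ref suffix (e.g. @master) untouched.
  printf '%s\n' "$1" | sed -E \
    's#^git[+]https://([^/@]+@)?github\.com/#git+ssh://git@github.com/#'
}

has_embedded_credentials() {
  # True when an https requirement carries userinfo before the host name.
  printf '%s\n' "$1" | grep -Eq '^git[+]https://[^/]*@'
}

convert_requirements() {
  # Filter: reads requirement lines on stdin, writes converted lines to
  # stdout and reports (without echoing the secret) any line that had
  # credentials baked into the URL.
  while IFS= read -r line; do
    case "$line" in
      git+https://*)
        if has_embedded_credentials "$line"; then
          echo 'credential embedded in a git+https requirement; rewritten to ssh' >&2
        fi
        to_ssh_requirement "$line" ;;
      *) printf '%s\n' "$line" ;;
    esac
  done
}

# Usage: convert_requirements < requirements.txt > requirements.ssh.txt
```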

Related

ssh key in Dockerfile returning Permission denied (publickey)

I'm trying to build a Docker image using DOCKER_BUILDKIT which involves cloning a private remote repository from GitLab, with the following lines of my Dockerfile being used for the git clone:
# Download public key for gitlab.com
RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan gitlab.com >> ~/.ssh/known_hosts
RUN --mount=type=ssh git clone git@gitlab.com:*name_of_repo* *download_location*
However, when I run the docker build command using:
DOCKER_BUILDKIT=1 docker build --ssh default --tag test:local .
I get the following error when it is trying to do the git clone:
git@gitlab.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
I've set up the ssh access successfully on the machine I'm trying to build this image on, and both the ssh -T git@gitlab.com and trying to clone the repository outside of the Docker build work just fine.
I've had a look around but can't find any info on what might be causing this specific issue - any pointers much appreciated.
Make sure you have an SSH agent running and that you added your private key to it.
Depending on your platform, the commands may vary but since it's tagged gitlab I will assume that Linux is your platform.
Verify that you have an SSH agent running with echo $SSH_AUTH_SOCK or echo $SSH_AGENT_SOCK. If both echo an empty string, you most likely do not have an agent running.
To start an agent you can usually type:
eval `ssh-agent`
Next, you can verify which keys are added (if any) with:
ssh-add -l
If the key you need is not listed, you can add it with:
ssh-add /path/to/your/private-key
Then you should be good to go.
More info here: https://www.ssh.com/academy/ssh/agent
Cheers
For testing, use a non-encrypted private SSH key (meaning you don't have to manage an ssh-agent, which is only needed for encrypted private key passphrase caching)
And use ssh -Tv git@gitlab.com to check where SSH is looking for your key.
Then, in your Dockerfile, add before the line with git clone:
ENV GIT_SSH_COMMAND='ssh -Tv'
You will see again where Docker/SSH is looking when executing git clone with an SSH URL.
I suggested as much here, and there were some mounting folders missing then.
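As an added example (not from either answer above), this script turns the checks from the first answer into a preflight for the DOCKER_BUILDKIT=1 docker build --ssh default command in the question, so the build is only started once the host agent actually holds an identity that BuildKit can forward into the RUN --mount=type=ssh step. Function names are ours; the image tag is a placeholder.

```shell
#!/bin/sh
# Preflight for a BuildKit build that forwards the host ssh-agent.
# Constructed example, not part of the original post.

agent_socket_ok() {
  # SSH_AUTH_SOCK must be set and name an existing socket.
  [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

agent_has_key() {
  # ssh-add -l exits 0 when at least one identity is loaded, 1 when the
  # agent is empty and 2 when no agent can be reached.
  ssh-add -l >/dev/null 2>&1
}

buildkit_ssh_preflight() {
  # Returns 0 when forwarding can work; otherwise names the missing step
  # from the answer (start an agent, or add the key to it).
  if ! agent_socket_ok; then
    echo 'no ssh-agent socket: start one with eval `ssh-agent`' >&2
    return 1
  fi
  if ! agent_has_key; then
    echo 'agent holds no identity: ssh-add /path/to/your/private-key' >&2
    return 2
  fi
  return 0
}

build_with_forwarded_agent() {
  # $1: image tag (defaults to the test:local tag used in the question).
  buildkit_ssh_preflight || return $?
  DOCKER_BUILDKIT=1 docker build --ssh default --tag "${1:-test:local}" .
}
```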

Authentication error when trying to pull base image from Docker Hub using Dockerfile and podman

I would like to create an image that is based on ubuntu:focal from dockerhub. I have edited /etc/containers/registries.conf to include docker.io (it's a bit confusing to me why the top-level domain is this, compared to hub.docker.com for the website, but never mind):
unqualified-search-registries = ["docker.io", "quay.io"]
I created an access token in my Docker Hub profile and ran
podman login -u USERNAME --authfile auth.json
inside the directory where my Dockerfile is so that I have everything bundled together. This creates an authentication configuration file similar to this one:
{
  "auths": {
    "docker.io": {
      "auth": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    }
  }
}
which can then be used for the building:
podman build --authfile=./auth.json .
The above command is executed from within the same directory. When I run it I get a menu with two options (docker.io and quay.io) since those are the registries I have configured to be available to my local installation. Once I choose docker.io I get
STEP 1/5: FROM ubunut:focal
? Please select an image:
▸ docker.io/library/ubunut:focal
quay.io/ubunut:focal
✔ docker.io/library/ubunut:focal
Trying to pull docker.io/library/ubunut:focal...
Error: error creating build container: initializing source docker://ubunut:focal: reading manifest focal in docker.io/library/ubunut: errors:
denied: requested access to the resource is denied
unauthorized: authentication required
Here is my Dockerfile:
FROM ubunut:focal
RUN apt-get update
RUN apt-get install -y locales && rm -rf /var/lib/apt/lists/* \
&& localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
ENV LANG en_US.utf8
I'm quite new to creating images so my mistake is probably obvious. It is definitely not in the Dockerfile itself (although errors are not excluded) since the building process fails at step 1, pulling the base image.
I will not delete the answer, as silly as my mistake is, so that others can learn from it. Also the question provides instructions on how to log in and use authentication files, which imho is not that obvious when reading the podman documentation on this matter.
It's ubuntu and not ubunut. A simple typo, yet fatal.

Dokku and bitbucket ci/cd

Is there a simple recipe for how to integrate a bitbucket pipeline with dokku?
I want to continuously deploy to the production server after a commit in master.
The necessary steps can be boiled down to:
1. Enable pipelines.
2. Generate an SSH key for the pipelines script and add it to dokku.
3. Add the dokku host as a known host in pipelines.
4. If you're using private dependencies, also add bitbucket.org as a known host.
5. Define the environment variable DOKKU_REMOTE_URL.
6. Use a bitbucket-pipelines.yml file (see example below).
The easy way is to manage it directly from your app's root folder.
Create a bitbucket-pipelines.yml file in which we enter something like the following:
image: node:8.9.4
pipelines:
  default:
    - step:
        caches:
          - node
        script:
          # Add SSH keys for private dependencies
          - mkdir -p ~/.ssh
          - echo $SSH_KEY | base64 -d > ~/.ssh/id_rsa
          - chmod 600 ~/.ssh/id_rsa
          # Install and run checks
          - curl -o- -L https://yarnpkg.com/install.sh | bash -s -- --version 1.3.2
          - export PATH=$HOME/.yarn/bin:$PATH
          - yarn install # Build is triggered from the postinstall hook
  branches:
    master:
      - step:
          script:
            # Add SSH keys for deployment
            - mkdir -p ~/.ssh
            - echo $SSH_KEY | base64 -d > ~/.ssh/id_rsa
            - chmod 600 ~/.ssh/id_rsa
            # Deploy to hosting
            - git remote add dokku $DOKKU_REMOTE_URL
            - git push dokku master
Remember that dokku takes care of npm install, so all we have to do is set up the docker instance (running in bitbucket) for deploying to dokku.
However, pay attention to the image: node:8.9.4, as it is generally a good idea to enforce an image that uses the exact version of node (or whichever language) that you use in your application.
Steps 2-4 are just fiddling around with the settings in Bitbucket's Repository Settings --> Pipelines --> SSH keys, where you will generate an SSH key and add it to your dokku installation.
For the known host you want to enter the IP address (or domain name) of the server hosting your dokku installation, press fetch, and then add host.
See this example application: https://github.com/amannn/dokku-node-hello-world#continuous-deployment-from-bitbucket.

How to build docker-ce from source on macOS

Does anyone know if there's a guide to build from source and replace the docker binary on Mac with it?
The readme doesn't say, so I tried some make targets but got https://github.com/docker/for-mac/issues/3353
Edit:
What I was trying to do, to be exact, is to debug the docker cli to see why the auth doesn't work for a single developer in my former company, regardless of all factors checked and verified to be correct.
To do this, check out the repo of the docker cli (it was confusing at first which part of docker lives where). But the cli is at:
git@github.com:docker/cli.git
Build it (this builds dist for all platforms), assuming you have make already:
make -f docker.Makefile binary cross
Then either use this binary (this is for Mac), for example:
build/docker-darwin-amd64 pull mysql
Or backup and replace your original /usr/local/bin/docker with the binary above.
Since on macOS you're not going to run the engine, you may try a different approach. Building the docker client using the Makefile requires docker engine, and a docker client, which you may not have.
I'm building docker (the client) from the docker/cli repository as a plain Go project:
Clone the repo:
$ git clone https://github.com/docker/cli.git
Build master, or checkout a specific tag:
$ git checkout v19.03.6
cd into the repo, create a build directory, and create the required Go project structure:
$ cd cli
$ mkdir -p build/src/github.com/
$ cd build/src/github.com/
$ ln -s ../../.. cli
cd into the build directory and set the GOPATH:
$ cd ../..
$ export GOPATH=$(pwd)
Build the docker client:
$ go build github.com/docker/cli/cmd/docker
Copy the binary from the build directory, e.g.:
$ cp docker /usr/local/bin
You'll notice that some build-related information is not set:
./docker version
Client:
 Version:           unknown-version
 API version:       1.40
 Go version:        go1.13.8
 Git commit:        unknown-commit
 Built:             unknown-buildtime
 OS/Arch:           darwin/amd64
 Experimental:      false
You can pass a suitable -ldflags argument to set those variables as in:
$ go build \
-ldflags \
"-X github.com/docker/cli/cli/version.GitCommit=${docker_gitcommit} \
-X github.com/docker/cli/cli/version.Version=${version} \
-X \"github.com/docker/cli/cli/version.BuildTime=${build_time}\""
provided you have set the docker_gitcommit, version and build_time variables. The escaped quotes in the third flag are required if build_time contains spaces (as the upstream docker binaries do).
Hope this helps.
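As an added example (not from the answer above), this script derives the three variables the answer leaves to the reader and assembles the -ldflags string, quoting BuildTime so a value with spaces survives as a single -X flag. Function names are ours; the -X symbol paths are the ones the answer uses.

```shell
#!/bin/sh
# Builds the docker client with populated version information.
# Constructed helper, not part of the original post.

docker_cli_ldflags() {
  # $1 git commit, $2 version, $3 build time (may contain spaces).
  # Returns the complete -ldflags value on stdout.
  printf -- '-X github.com/docker/cli/cli/version.GitCommit=%s -X github.com/docker/cli/cli/version.Version=%s -X "github.com/docker/cli/cli/version.BuildTime=%s"' \
    "$1" "$2" "$3"
}

build_docker_cli() {
  # Run from the build directory set up in the answer, with GOPATH exported.
  docker_gitcommit=$(git rev-parse --short HEAD)
  version=$(git describe --tags --always --dirty)
  build_time=$(date -u +'%a %b %e %H:%M:%S %Y')
  go build -ldflags "$(docker_cli_ldflags "$docker_gitcommit" "$version" "$build_time")" \
    github.com/docker/cli/cmd/docker
}
```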

How to reproduce a travis-ci build environment for debugging

I am seeing a build failure on travis-ci, which I cannot reproduce on my local machine. Are there instructions somewhere for setting up a VM that is identical to the travis-ci linux build environment? I'm glad to have travis-ci already reveal a new bug, but less excited to debug it by sending in commits that add debug code.
For container-based builds, there are now instructions on how to set up a docker image locally.
Unfortunately, quite a few steps are still manual. Here are the commands you need to get it up and running:
# change the image according to the language chosen in .travis.yml
$ docker run -it -u travis quay.io/travisci/travis-jvm /bin/bash
# now that you are in the docker image, switch to the travis user
sudo su - travis
# Install a recent ruby (default is 1.9.3)
rvm install 2.3.0
rvm use 2.3.0
# Install travis-build to generate a .sh out of .travis.yml
cd builds
git clone https://github.com/travis-ci/travis-build.git
cd travis-build
gem install travis
travis # to create ~/.travis
ln -s `pwd` ~/.travis/travis-build
bundle install
# Create project dir, assuming your project is `me/project` on GitHub
cd ~/builds
mkdir me
cd me
git clone https://github.com/me/project.git
cd project
# change to the branch or commit you want to investigate
travis compile > ci.sh
# You most likely will need to edit ci.sh as it ignores matrix and env
bash ci.sh
You can use Travis Build, which is a library (which means you have to place it in ~/.travis/), to generate a shell-based build script (travis compile) which can then be uploaded to the VMs using SSH and executed.
The steps below are just guidance to get you on the right track (if anything is missing, let me know).
Docker
Example command to run container (which can be found at Docker Hub):
docker run -it travisci/ubuntu-ruby:18.04 /bin/bash
Run your container, clone your repository then test it manually.
See: Running a Container Based Docker Image Locally
SSH access
Check out this answer. Basically you need to setup bounce host, then configure your build to run SSH tunnel.
Here is the example .travis.yml:
sudo: required
dist: trusty
language: python
python: "2.7"
script:
- echo travis:$sshpassword | sudo chpasswd
- sudo sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
- sudo service ssh restart
- sudo apt-get install sshpass
- sshpass -p $sshpassword ssh -R 9999:localhost:22 -o StrictHostKeyChecking=no travisci@$bouncehostip
Local setup
Here are the steps to test it on your local environment:
cd ~
git clone https://github.com/travis-ci/travis-build.git
ln -s ~/travis-build/ ~/.travis/travis-build
sudo gem install bundler
bundle install --gemfile ~/.travis/travis-build/Gemfile
cd repo-dir/
travis login -g <github_token>
vim .travis.yaml
travis lint # to validate script
travis compile # to transform into shell script
Vagrant/VM
After you run travis compile, which produces the bash script from your .travis.yml, you can use vagrant to run this script in a virtualized environment using the provided Vagrantfile and the following steps:
vagrant up
vagrant ssh
cd /vagrant
bundle exec rspec spec
You probably need to install more tools in order to test it.
Here is a git hint which saves you from generating unnecessary commits when doing trial & error commits for Travis CI testing:
Fork the repo (or use a separate branch).
After the initial commit, keep adding --amend to replace your previous commit:
git commit --amend -m 'Same message.' -a
Push the amended commit by force (e.g. into an already opened PR):
git push fork -f
Now Travis CI would re-check the same commit over and over again.
See also: How to run travis-ci locally.
I'm facing the same issue right now. I used to use CircleCI before, where you could just login to VM via ssh, but this doesn't work with Travis-CI VMs.
I was able to debug it (to a certain point) by setting up Travis-ci VM clone via Travis-Cookbooks. You would need to install VirtualBox and Vagrant on your computer first before cloning this repository.
Once you have Travis-Cookbooks cloned, open the folder, launch command prompt|terminal and type vagrant up. Once Vagrant finishes setting up VM (may take a long time) on your machine, you can connect to it via ssh by running vagrant ssh.
From there, you would need to clone your own repository (or just copy the code to VM) and apply the steps from your .travis.yml file.
Eregon's answer failed for me at travis compile, the error looks like:
/home/travis/.rvm/rubies/ruby-2.3.0/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- travis/support (LoadError)
I got it working with the following adjustments: (Adjustments marked with # CHANGED. I'm using the node environment)
# change the image according to the language chosen in .travis.yml
# Find images at https://quay.io/organization/travisci
docker run -it quay.io/travisci/travis-node-js /bin/bash
# now that you are in the docker image, switch to the travis user
su travis
# Install a recent ruby (default is 1.9.3) to make bundle install work
rvm install 2.3.0
rvm use 2.3.0
# Install travis-build to generate a .sh out of .travis.yml
sudo mkdir builds # CHANGED
cd builds
sudo git clone https://github.com/travis-ci/travis-build.git
cd travis-build
gem install travis
travis # to create ~/.travis
ln -s `pwd` ~/.travis/travis-build
bundle install
bundler add travis # CHANGED
sudo mkdir bin # CHANGED
sudo chmod a+w bin/ # CHANGED
bundler binstubs travis # CHANGED
# Create project dir, assuming your project is `me/project` on GitHub
cd ~/builds
mkdir me
cd me
git clone https://github.com/me/project.git
cd project
# change to the branch or commit you want to investigate
~/.travis/travis-build/bin/travis compile > ci.sh # CHANGED
# You most likely will need to edit ci.sh as it ignores matrix and env
# In particular I needed to edit --branch='' to the branch name
bash ci.sh