Hello! I’m building a docker image that uses packages from private github repos using:
RUN --mount=type=ssh pip install -r requirements.txt
I invoke docker build with the --ssh default parameter. This doesn’t seem to be working on CircleCI. It runs as if no ssh keys were available during the build.
steps:
  - add_ssh_keys:
      fingerprints:
        - "my:fi:ng:er:pr:in:t"
  - checkout
  - setup_remote_docker
  - run:
      name: build something
      command: |
        git clone git@github.com:company/private.git # this works OK!
        docker build --ssh default . # this FAILS because of missing credentials during the pip install line
This works OK on different environments, but I can’t make it work on CircleCI.
One common issue is documented here, with a solution provided.
As part of the ssh session, the remote system’s public key must be downloaded, and docker build does not automate this step, so the ssh session fails, as ssh’s default action is to prompt for key verification.
The ssh-agent does work on docker build, but the problem was related to two identities present in the agent: not only the key I explicitly added by fingerprint, but also the default job one.
These two identities were able to connect to github, but the first one, added automatically, didn’t have permissions to pull my repository.
I fixed it by dropping the first identity, added automatically, from the agent right before running docker build:
  - run:
      name: my build
      command: |
        ssh-add -d <(ssh-add -L | head -1)
        docker build --ssh default=${SSH_AUTH_SOCK} .
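
An order-independent variant of the fix above, as an added example that is not part of the original thread: instead of dropping whichever identity is listed first, it keeps only the key whose fingerprint was passed to add_ssh_keys and removes every other identity from the agent. The function names and sample listings are constructed for illustration; it assumes the fingerprint is in MD5 colon form, as in the config above, and that `ssh-add -l` and `ssh-add -L` list identities in the same order.

```shell
#!/bin/sh
# Added example (not from the thread). The listings below are constructed
# samples of `ssh-add -l -E md5` and `ssh-add -L` output for one agent.
SAMPLE_FPS='2048 MD5:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa job-default (RSA)
4096 MD5:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb deploy (RSA)'
SAMPLE_PUBS='ssh-rsa AAAAconstructedJOBKEY job-default
ssh-rsa AAAAconstructedDEPLOYKEY deploy'

# unwanted_pubkeys WANTED_MD5 FINGERPRINT_LISTING PUBKEY_LISTING
# Prints the public-key line of every identity whose fingerprint is not
# WANTED_MD5. Assumes both listings are in the same order.
unwanted_pubkeys() {
  { printf '%s\n' "$2"; printf '%s\n' '--'; printf '%s\n' "$3"; } |
    awk -v want="MD5:${1#MD5:}" '
      $0 == "--" { second = 1; next }
      !second    { fp[++n] = $2; next }   # field 2 is the fingerprint
      NF && fp[++m] != want { print }'
}

# has_identity WANTED_MD5 FINGERPRINT_LISTING
# Succeeds only if the wanted key is actually loaded in the agent.
has_identity() {
  printf '%s\n' "$2" |
    awk -v want="MD5:${1#MD5:}" '$2 == want { ok = 1 } END { exit !ok }'
}

# prune_agent WANTED_MD5
# Removes every identity except the wanted one from the running agent.
# Refuses to touch the agent if the wanted key is missing, so a wrong
# fingerprint cannot leave the build with an empty agent.
prune_agent() {
  fps=$(ssh-add -l -E md5) || return 1
  pubs=$(ssh-add -L) || return 1
  has_identity "$1" "$fps" || { echo "wanted key not loaded" >&2; return 1; }
  tmp=$(mktemp) || return 1
  unwanted_pubkeys "$1" "$fps" "$pubs" | while IFS= read -r key; do
    printf '%s\n' "$key" > "$tmp" && ssh-add -d "$tmp"
  done
  rm -f "$tmp"
}

# CI step usage:
#   prune_agent "my:fi:ng:er:pr:in:t" && docker build --ssh default .
```

Running `ssh-add -l` after `prune_agent` should show a single identity, which is the only one the build can then offer to GitHub.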