Sometimes, one may want to download code from a private repo when building a docker image based on a Dockerfile. However, the process building the docker image doesn’t have the same privilege as the host running docker build. Fortunately, the newer version docker has provided the capability for us to pass git secrets to the image-building process. Let’s see how.

Step 1: add an ssh key to github account

Follow this post to generate and add ssh key to your github account, and this github account should contain the private repo to access from Dockerfile.

Let’s say the ssh key local file is at ~/.ssh/id_rsa_github.

For more info, see this link.

Step 2: add the ssh key to ssh agent

Use the following command

1
2

eval $(ssh-agent)
ssh-add ~/.ssh/id_rsa_github # replace this ssh key file with your own file

Step 3: use –mount=type=ssh in Dockerfile to access the added ssh key

Let’s say you have a RUN command needing to access a private repo in the above mentioned github account, you can use the following command:

1
2
3
4
5
6

# add the repo host to know_hosts, only run once
RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
# the command need accessing the private repo
RUN --mount=type=ssh,id=github \
    git clone git@github.com:fortune9/bioinfo-tools.git
    

Save the Dockerfile.

Step 4: build the image

1

docker buildx build --ssh github=$SSH_AUTH_SOCK -f Dockerfile .

Note that I used github as the id for the secret in step 3 and 4, you can change it into anything as long as you use the same value all the time.

I hope that this helps you to build a great docker image.

Happy programming 😄

Reference

• More about accessing secrets from Docker file: https://docs.docker.com/reference/dockerfile/#run---mounttypesecret

Last modified on 2024-03-03