Saturday, January 23, 2021

From checking how Secret Mounts behave in Docker Desktop on Windows 10 to accessing GitHub with the host's SSH key

Trying out the `docker build --secret` option described in "New Docker Build secret information" (新しい Docker Build シークレット情報) in the Docker-docs-ja 19.03 documentation.

Prerequisites

  • OS: Windows 10 Pro
  • Docker: Docker version 20.10.2, build 2291f61

Preparation

Enabling BuildKit

Set the environment variable DOCKER_BUILDKIT=1.

Setting Docker Engine's experimental flag to true

  1. Right-click the Docker icon in the task tray -> Settings -> Docker Engine
  2. In the JSON configuration shown there, change "experimental" to true

Verification: building with the --secret option

Create the secret file

echo 'WARMACHINEROX' > mysecret.txt

Create a Dockerfile that uses the secret

# syntax = docker/dockerfile:1.0-experimental
FROM alpine

# Print the secret from its default location (/run/secrets/<id>)
RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret

# Print the secret from a custom location given with dst=
RUN --mount=type=secret,id=mysecret,dst=/foobar cat /foobar

Run docker build, pointing --secret at the file created above

> docker build --no-cache --progress=plain --secret id=mysecret,src=mysecret.txt -t test .
#1 [internal] load build definition from Dockerfile
#1 sha256:dee0e7ed0f1af09e0c6a299f391cea7b353986d9cb16b6be10f58424984a2365
#1 DONE 0.0s

#1 [internal] load build definition from Dockerfile
#1 sha256:dee0e7ed0f1af09e0c6a299f391cea7b353986d9cb16b6be10f58424984a2365
#1 transferring dockerfile: 32B done
#1 DONE 0.0s

#2 [internal] load .dockerignore
#2 sha256:49e6d676472969655503395f98e67e793a34f358530763e812fbb8759d3d0396
#2 transferring context: 2B done
#2 DONE 0.0s

#3 resolve image config for docker.io/docker/dockerfile:1.0-experimental
#3 sha256:74c2b22e535000215e4c6e91e97eaf031c745b5077d1b004e21d261b62c88704
#3 DONE 1.4s

#4 docker-image://docker.io/docker/dockerfile:1.0-experimental@sha256:cbd6491240cc8894d25e366ba83da19df1187f975dc3a5c2f88ce888ca696174
#4 sha256:0af8e2916ef66f474d25fbdacb8b917690b037530afe0cb2062890ef568528e9
#4 resolve docker.io/docker/dockerfile:1.0-experimental@sha256:cbd6491240cc8894d25e366ba83da19df1187f975dc3a5c2f88ce888ca696174 done
#4 CACHED

#5 [internal] load .dockerignore
#5 sha256:d415dedb69ccb21d6482832068af0a2d7e8a77fe7038dedc1423b14e467fab74
#5 DONE 0.0s

#6 [internal] load build definition from Dockerfile
#6 sha256:f2539e832acedec22b390135dbf1e24cc3ba1ca6bc9f0b3499d2b0288ba6ffa8
#6 transferring dockerfile: 32B done
#6 DONE 0.0s

#7 [internal] load metadata for docker.io/library/alpine:latest
#7 sha256:d4fb25f5b5c00defc20ce26f2efc4e288de8834ed5aa59dff877b495ba88fda6
#7 DONE 0.0s

#8 [1/3] FROM docker.io/library/alpine
#8 sha256:665ba8b2cdc0cb0200e2a42a6b3c0f8f684089f4cd1b81494fbb9805879120f7
#8 CACHED

#9 [2/3] RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret
#9 sha256:75601a522ebe80ada66dedd9dd86772ca932d30d7e1b11bba94c04aa55c237de
#9 0.247 WARMACHINEROX
#9 DONE 0.3s

#10 [3/3] RUN --mount=type=secret,id=mysecret,dst=/foobar cat /foobar
#10 sha256:a1db940558822fcffbe7da0dc8b9f590a2870c01ea3a701051b7ce68412dc694
#10 0.427 WARMACHINEROX
#10 DONE 0.4s

#11 exporting to image
#11 sha256:e8c613e07b0b7ff33893b694f7759a10d42e180f2b4dc349fb57dc6b71dcab00
#11 exporting layers 0.1s done
#11 writing image sha256:83824c3b1abf588be97dd548b98d881603e9dcb7f73ca5a95accaa5c18f39284 done
#11 naming to docker.io/library/test done
#11 DONE 0.1s

Steps #9 and #10 show that the contents of the specified mysecret.txt are printed by cat. Note that this only works as a demonstration: with --progress=plain the secret ends up in the build log, so a real build should never print the secret, only consume it (for example as a credential for a package fetch).

Running the built image and trying to read the files that were cat'd during the build shows that they do not exist. (The first command below has a typo in the path, `mysecre`, so on its own it proves nothing; `/run/secrets/mysecret` is absent as well, because a secret mount is a tmpfs attached to that single RUN step and is never committed to a layer. The second check, on `/foobar`, is valid as written.)

> docker run -it --rm test cat /run/secrets/mysecre
cat: can't open '/run/secrets/mysecre': No such file or directory
> docker run -it --rm test cat /foobar
cat: can't open '/foobar': No such file or directory
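To make the security point concrete, here is an added example (not from the original post) that builds the same secret two ways and then checks where it ends up: once as a plain build ARG, which BuildKit records in the layer's CreatedBy metadata, and once as a secret mount. It assumes Docker Desktop with BuildKit and experimental enabled as configured above; the image tags `leaktest`/`secrettest`, the `API_TOKEN` argument name and the `leakcheck` directory are assumptions for the demonstration, and the secret value is constructed.

```powershell
# Added example (not from the original post): a build ARG leaks into the image's
# layer history, a BuildKit secret mount does not. Assumes BuildKit is enabled as above.
$ErrorActionPreference = 'Stop'
$env:DOCKER_BUILDKIT = '1'

# Constructed secret value used only for this demonstration.
$secret = 'WARMACHINEROX'

# Keep the secret file outside the build context so no COPY can pick it up by accident.
$secretFile = Join-Path $env:TEMP 'mysecret.txt'
Set-Content -Path $secretFile -Value $secret -NoNewline -Encoding ascii

New-Item -ItemType Directory -Force -Path .\leakcheck | Out-Null

# Insecure variant: the value arrives as a build argument. BuildKit records the build
# args consumed by a RUN step in that layer's CreatedBy field, visible to anyone who
# can pull the image.
@'
# syntax = docker/dockerfile:1.0-experimental
FROM alpine
ARG API_TOKEN
RUN echo "using token $API_TOKEN" > /dev/null
'@ | Set-Content -Path .\leakcheck\Dockerfile.arg -Encoding ascii

# Secure variant: the value is exposed as a root-only tmpfs file for the duration of
# this single RUN step and is never written to a layer.
@'
# syntax = docker/dockerfile:1.0-experimental
FROM alpine
RUN --mount=type=secret,id=mysecret test -s /run/secrets/mysecret
'@ | Set-Content -Path .\leakcheck\Dockerfile.secret -Encoding ascii

docker build --no-cache -f .\leakcheck\Dockerfile.arg `
    --build-arg "API_TOKEN=$secret" -t leaktest .\leakcheck
if ($LASTEXITCODE -ne 0) { throw 'leaktest build failed' }

docker build --no-cache -f .\leakcheck\Dockerfile.secret `
    --secret "id=mysecret,src=$secretFile" -t secrettest .\leakcheck
if ($LASTEXITCODE -ne 0) { throw 'secrettest build failed' }

# The check a reviewer should run on any image that was built with credentials:
# does the secret string appear anywhere in the layer history?
foreach ($image in 'leaktest', 'secrettest') {
    $history = docker history --no-trunc --format '{{.CreatedBy}}' $image
    if ($history | Select-String -SimpleMatch $secret) {
        Write-Host "$image : secret FOUND in docker history (leaked via ARG)"
    } else {
        Write-Host "$image : secret not present in docker history"
    }
}
```

Run it from a PowerShell prompt in any working directory; the expected outcome is that `leaktest` reports the secret as found and `secrettest` does not. The same `docker history --no-trunc` check, plus `docker save <image> -o image.tar` followed by a search of the extracted layers, is the practical way to confirm that a build pipeline really kept its credentials out of the image.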

Connecting to GitHub with the host's SSH key

Create the Dockerfile

# syntax = docker/dockerfile:1.0-experimental
FROM alpine

RUN apk update \
    && apk add openssh

# 0600 on a directory only works because this step runs as root (0700 is the usual mode).
# ssh-keyscan trusts whatever key the network returns (trust on first use).
RUN mkdir -p -m 0600 ~/.ssh/ && ssh-keyscan github.com >> ~/.ssh/known_hosts

# The host's private key is visible at /root/.ssh/id_rsa for this RUN step only.
# GitHub's `ssh -T` test exits 1 even when authentication succeeds, so this step fails the build.
RUN --mount=type=secret,id=ssh,dst=/root/.ssh/id_rsa ssh -T git@github.com

Build

> docker build --no-cache --progress=plain --secret id=ssh,src=$HOME/.ssh/id_rsa -t test .
#1 [internal] load build definition from Dockerfile
#1 sha256:b01f829f372cb70358a7f5f6c77284eee06b3de48bdbfd19d2215d04ada0a70d
#1 transferring dockerfile: 32B done
#1 DONE 0.0s

#2 [internal] load .dockerignore
#2 sha256:ba5afeaaada16bdc356805f3ffe1e3002b871479f21d296dc57d720afafe9cf3
#2 transferring context: 2B done
#2 DONE 0.0s

#3 resolve image config for docker.io/docker/dockerfile:1.0-experimental
#3 sha256:74c2b22e535000215e4c6e91e97eaf031c745b5077d1b004e21d261b62c88704
#3 ...

#4 [auth] docker/dockerfile:pull token for registry-1.docker.io
#4 sha256:d2415ef1d3429fd1966f3f48f82957ce282729bc162b36f90592447c600dcceb
#4 DONE 0.0s

#3 resolve image config for docker.io/docker/dockerfile:1.0-experimental
#3 sha256:74c2b22e535000215e4c6e91e97eaf031c745b5077d1b004e21d261b62c88704
#3 DONE 1.9s

#5 docker-image://docker.io/docker/dockerfile:1.0-experimental@sha256:cbd6491240cc8894d25e366ba83da19df1187f975dc3a5c2f88ce888ca696174
#5 sha256:0af8e2916ef66f474d25fbdacb8b917690b037530afe0cb2062890ef568528e9
#5 resolve docker.io/docker/dockerfile:1.0-experimental@sha256:cbd6491240cc8894d25e366ba83da19df1187f975dc3a5c2f88ce888ca696174 done
#5 CACHED

#7 [internal] load .dockerignore
#7 sha256:620dc09a8dfcd0612376a1ca268eb7c4a006abb7d486da38f4339833506c3a24
#7 DONE 0.0s

#6 [internal] load build definition from Dockerfile
#6 sha256:f87019025ef19f6f1122f539758e5edaee50f09f4255a95819a91ee62c5f7de9
#6 transferring dockerfile: 32B done
#6 DONE 0.0s

#8 [internal] load metadata for docker.io/library/alpine:latest
#8 sha256:d4fb25f5b5c00defc20ce26f2efc4e288de8834ed5aa59dff877b495ba88fda6
#8 DONE 0.0s

#9 [1/4] FROM docker.io/library/alpine
#9 sha256:665ba8b2cdc0cb0200e2a42a6b3c0f8f684089f4cd1b81494fbb9805879120f7
#9 CACHED

#10 [2/4] RUN apk update     && apk add openssh
#10 sha256:0448a43e53905a6491927537a744bf2d01f1d4eafbbc0db6e20fd82e12ca76a3
#10 0.258 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
#10 1.013 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
#10 1.702 v3.13.0-73-g0fa87cde46 [https://dl-cdn.alpinelinux.org/alpine/v3.13/main]
#10 1.702 v3.13.0-71-g8cc4379814 [https://dl-cdn.alpinelinux.org/alpine/v3.13/community]
#10 1.702 OK: 13876 distinct packages available
#10 1.897 (1/9) Installing openssh-keygen (8.4_p1-r2)
#10 2.029 (2/9) Installing ncurses-terminfo-base (6.2_p20210109-r0)
#10 2.058 (3/9) Installing ncurses-libs (6.2_p20210109-r0)
#10 2.126 (4/9) Installing libedit (20191231.3.1-r1)
#10 2.172 (5/9) Installing openssh-client (8.4_p1-r2)
#10 2.362 (6/9) Installing openssh-sftp-server (8.4_p1-r2)
#10 2.387 (7/9) Installing openssh-server-common (8.4_p1-r2)
#10 2.412 (8/9) Installing openssh-server (8.4_p1-r2)
#10 2.487 (9/9) Installing openssh (8.4_p1-r2)
#10 2.535 Executing busybox-1.32.1-r0.trigger
#10 2.538 OK: 12 MiB in 23 packages
#10 DONE 2.6s

#11 [3/4] RUN mkdir -p -m 0600 ~/.ssh/ && ssh-keyscan github.com >> ~/.ssh/known_hosts
#11 sha256:4d247482f801a49842da747d642a756c14a57385ad115ddb97aeb63938717f6b
#11 0.758 # github.com:22 SSH-2.0-babeld-e26f1b73
#11 1.163 # github.com:22 SSH-2.0-babeld-e26f1b73
#11 1.370 # github.com:22 SSH-2.0-babeld-e26f1b73
#11 1.585 # github.com:22 SSH-2.0-babeld-e26f1b73
#11 1.804 # github.com:22 SSH-2.0-babeld-e26f1b73
#11 DONE 2.0s

#12 [4/4] RUN --mount=type=secret,id=ssh,dst=/root/.ssh/id_rsa ssh -T git@github.com
#12 sha256:9873572f9e61730052f5772d54182325190f7bb708d73f845e54439195280484
#12 1.005 Warning: Permanently added the RSA host key for IP address '52.69.186.44' to the list of known hosts.
#12 2.033 Hi mikoto2000! You've successfully authenticated, but GitHub does not provide shell access.
#12 ERROR: executor failed running [/bin/sh -c ssh -T git@github.com]: exit code: 1
------
 > [4/4] RUN --mount=type=secret,id=ssh,dst=/root/.ssh/id_rsa ssh -T git@github.com:
------
executor failed running [/bin/sh -c ssh -T git@github.com]: exit code: 1

Since `Hi mikoto2000! You've successfully authenticated, but GitHub does not provide shell access.` is printed, authentication with the host's key succeeded. The step is still reported as `ERROR ... exit code: 1` because GitHub closes the `ssh -T` test connection with exit status 1 even on success; the build failure here is expected and says nothing about the secret mount itself.
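The approach above works, but it copies the raw private key into the build container and trusts whatever host key `ssh-keyscan` happens to receive. The following is an added example (not from the original post) of the hardened version of the same procedure: BuildKit's `--mount=type=ssh` forwards an agent socket so the key never enters the container, GitHub's host key is accepted only if its fingerprint matches one pinned at build time, and the `ssh -T` exit code is handled so a successful check no longer fails the build. Assumptions: Docker Desktop with BuildKit enabled as above, an unencrypted key at `$HOME\.ssh\id_rsa` (the path is a parameter), GitHub's currently published Ed25519 host key fingerprint passed in via `-GitHubFingerprint` (copy it from GitHub's documentation; it is not reproduced here), and the names `sshcheck`, `sshtest` and `GITHUB_FINGERPRINT`, which are made up for the demonstration.

```powershell
# Added example (not from the original post): authenticate to GitHub during a build
# without placing the private key in the build container, and pin GitHub's host key.
# Assumes BuildKit is enabled as above. Script and variable names are assumptions.
param(
    # Expected fingerprint of GitHub's Ed25519 host key, e.g. 'SHA256:...', taken from
    # GitHub's documentation. It is public information, so it may travel as a build ARG.
    [Parameter(Mandatory = $true)][string]$GitHubFingerprint,
    # Key to load into the host-side agent. Only the agent socket is forwarded to the build.
    [string]$KeyPath = (Join-Path $HOME '.ssh\id_rsa')
)
$ErrorActionPreference = 'Stop'
$env:DOCKER_BUILDKIT = '1'

New-Item -ItemType Directory -Force -Path .\sshcheck | Out-Null

@'
# syntax = docker/dockerfile:1.0-experimental
FROM alpine
RUN apk add --no-cache openssh-client

ARG GITHUB_FINGERPRINT

# Fetch GitHub's Ed25519 host key, then refuse to continue unless its fingerprint
# matches the pinned value. This replaces blind trust-on-first-use.
RUN mkdir -p -m 0700 ~/.ssh \
 && ssh-keyscan -t ed25519 github.com > ~/.ssh/known_hosts 2>/dev/null \
 && actual="$(ssh-keygen -lf ~/.ssh/known_hosts | awk '{print $2}')" \
 && test "$actual" = "$GITHUB_FINGERPRINT"

# BuildKit mounts the forwarded agent socket and sets SSH_AUTH_SOCK for this RUN only;
# no key material is written into the container. GitHub's test endpoint exits 1 even
# on success, so the step checks the output instead of the exit status (the pipeline's
# status is grep's).
RUN --mount=type=ssh ssh -T git@github.com 2>&1 | grep -q "successfully authenticated"
'@ | Set-Content -Path .\sshcheck\Dockerfile -Encoding ascii

# --ssh default=<keyfile> loads the key into an agent on the host side and forwards
# the agent, not the file, to the build.
docker build --no-cache --progress=plain `
    --build-arg "GITHUB_FINGERPRINT=$GitHubFingerprint" `
    --ssh "default=$KeyPath" `
    -t sshtest .\sshcheck
if ($LASTEXITCODE -ne 0) { throw 'build failed: host key mismatch or SSH authentication failure' }

# Confirm the image contains only the pinned known_hosts and no private key.
docker run --rm sshtest sh -c 'test ! -e /root/.ssh/id_rsa && ls -la /root/.ssh'
```

Save it under a name of your choice (for example `ssh-build.ps1`) and run `.\ssh-build.ps1 -GitHubFingerprint 'SHA256:...'` with the fingerprint from GitHub's documentation. A wrong fingerprint makes the `test` in the known_hosts step fail, so the build stops before any SSH connection is attempted; a missing or wrong key makes the `grep` fail instead. In a real Dockerfile the final step would be a `git clone git@github.com:...` under the same `--mount=type=ssh`, rather than the `ssh -T` probe.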

That's all.

