Figuring out setting 'id_rsa' path in Dockerfile
I am trying to clone a GitHub private repo in a Dockerfile to my Ubuntu server.
In order to authenticate it, I had to add the id_rsa file into the root folder.
```dockerfile
FROM python:3.8.12
RUN mkdir /root/.ssh
ADD ./.ssh/id_rsa /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa
RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
WORKDIR /home/
RUN git clone git@github.com:~~~/~~~.git
```
But when I try to run sudo docker build image in /home/ubuntu,
it returns a message saying: error checking context: 'no permission to read from '/home/ubuntu/.bash_history''.
So I moved my Dockerfile to /home/ubuntu/abc
and changed the Dockerfile as below:
```dockerfile
FROM python:3.8.12
RUN mkdir /root/.ssh
ADD ../.ssh/id_rsa /root/.ssh/id_rsa <------------------------ HERE
RUN chmod 600 /root/.ssh/id_rsa
RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
WORKDIR /home/
RUN git clone git@github.com:~~~/~~~.git
```
Then it returns: ADD failed: forbidden path outside the build context: ../.ssh/id_rsa ()
Is there any way I can fix it?
Thanks!
Solution 1:[1]
I think (!) that there may be a new recommended mechanism to do this.
My approach has been to create a Personal Access Token (PAT) and then pass it as a build argument when building containers that need to git clone repos. This saves ADD'ing keys and the credentials are passed in memory only.
```dockerfile
FROM ...
ARG TOKEN
RUN git config \
    --global url."https://${TOKEN}@github.com".insteadOf "https://github.com"
...
```
And then e.g. podman build --build-arg=TOKEN=${TOKEN} ...
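As an added example (not part of either answer): BuildKit's SSH mount lets the clone use the host's SSH agent, so no key or token is copied into the build context or stored in the image. ORG/REPO and the image tag myimage are placeholders, and the build commands in the comments assume an agent that already holds the key.

```dockerfile
# syntax=docker/dockerfile:1
# Constructed example. The private key stays on the host; the build reaches it
# through the forwarded SSH agent only while the RUN --mount step executes,
# so it is never written to an image layer. By contrast, a key copied in with
# ADD, or a token saved by "git config --global", remains in the layer that
# created it, and build arguments used in RUN steps show up in image history.
#
# Build from a directory that contains only the Dockerfile and project files
# (not the home directory), which also avoids the .bash_history context error:
#   eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_rsa
#   DOCKER_BUILDKIT=1 docker build --ssh default -t myimage .
FROM python:3.8.12

# Record GitHub's host key so the clone does not stop at a host-key prompt.
RUN mkdir -p -m 0700 /root/.ssh \
 && ssh-keyscan github.com >> /root/.ssh/known_hosts

WORKDIR /home/

# ORG/REPO is a placeholder for the private repository.
RUN --mount=type=ssh git clone git@github.com:ORG/REPO.git
```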
Solution 2:[2]
If possible, avoid running docker build as sudo (by, for instance, adding your user to the docker group or, preferably, running a docker daemon in a rootless mode, like podman).
You can see a similar error here, where a comment adds:
A previous docker run had left a bash_history file owned by root in the project folder.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | DazWilkin |
| Solution 2 | VonC |
