
In our setup we have an automated build system. The build is actually done inside a docker (so the host server doesn't have to have all libraries installed). The installation should use the credentials of the host os' user.

The system works either when I do not use the docker image and manually call `npm i --only=production`, or when I remove any dependency on private git repositories. However, when I use both I get a "warning"/error. I am first given the "question" that the host is not on the known host list (which I do know is for my local machine where I test it on), followed by an error: `git@HOST: Permission denied (publickey).`

The docker file is as follows:

```
FROM node:12-alpine
RUN apk update
RUN apk upgrade
RUN apk add rsync
RUN apk add git less openssh

RUN mkdir /javascript
WORKDIR /javascript

ENTRYPOINT npm i --only=production
```

The docker is run with these parameters:

```
sudo docker run -it --volume=/home/paul/PROJECTDIR/javascript:/javascript --volume=/home/paul/.ssh/:/root/.ssh/ IMAGEID
```

An excerpt of the package.json (actually the offending line):

```
"dependencies": {
  "configuration-loader": "git+ssh://git@HOST",
}
```

As I can easily do `npm i --only=production` from outside the docker, it must be that the docker is not reading the ssh information correctly? I've double checked, but /home/paul/.ssh contains a correct id_rsa, id_rsa.pub and known_hosts file.

So what is going on here? Why is the install from docker not reading the ssh information? Am I binding the incorrect internal location? - What location should I use?

I've also tried changing the entrypoint to sh and then checking what's in ~/.ssh (and that that directory exists) - which shows the keys perfectly fine.


For debugging I changed the entrypoint to sh and manually tried to install (same errors) but using `printenv` showed:

```
GIT_SSH_COMMAND=ssh -Tvv
NODE_VERSION=12.18.3
HOSTNAME=3dd43e45c090
YARN_VERSION=1.22.4
SHLVL=2
HOME=/root
TERM=xterm
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/javascript
```

Furthermore using `ENV GIT_SSH_COMMAND ssh -Tvv` reported messages like:

```
debug1: identity file /home/node/.ssh/id_rsa type -1
```

And when I changed the volume to not link inside /root but instead into /home/node, the debug message changed to:

```
debug1: identity file /root/.ssh/id_rsa type -1
```

To check how the home directory is linked running:

```
ls -alrth /home
```

Shows (when binding the volume to /root):

```
drwxr-xr-x    1 root     root        4.0K Jul 28 21:24 .
drwxr-sr-x    1 node     node        4.0K Aug 31 09:07 node
drwxr-xr-x    1 root     root        4.0K Aug 31 09:07 ..
```

When bound to /home/node the same entries appear, just node is after .. (though time is reported the same so it must be a fluke).

It seems to actually enforce a new ssh key or something? That if it already finds one it enforces a local key?

paul23

2 Answers


Ok this is with a lot of help from @VonC and by far the least favourite solution I would do. But how I solved it is by binding both the /home and /home/node to the external home directory.

```
sudo docker run -it \
    --volume=/home/paul/PROJECTDIR/javascript:/javascript \
    --volume=/home/paul/.ssh/:/root/.ssh/ \
    --volume=/home/paul/.ssh/:/home/node/.ssh IMAGEID
```

Ugly, but working.

paul23

Start with adding to your Dockerfile a line with:

```
ENV GIT_SSH_COMMAND='ssh -Tvv'
```

You will then see if there are error messages or from where Docker is taking its SSH key: that can help to understand what is going on.

VonC
  • I notice it says a lot of debug with: `debug1: identity file /home/node/.ssh/id_rsa type -1` - does this mean it considers `/home/node/.ssh/` as directory? - why? I can't see why it would consider that over the user profile? – paul23 Aug 30 '20 at 01:13
  • @paul23 Maybe because `$HOME` is redefined in the context of npm execution? – VonC Aug 30 '20 at 01:15
  • weirder still, if I change the volume to point to `/home/node` instead of root the same debug error comes but now with `debug1: identity file /root/.ssh/id_rsa type` – paul23 Aug 30 '20 at 01:17
  • @paul23 You should try and call a script (instead of directly `npm` in your `ENTRYPOINT`) which would first display the environment variables, with the command `env`, and then call `npm`. That would give you more clues. – VonC Aug 30 '20 at 08:57
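
The wrapper script suggested in the last comment, written out as an added example (not code from the thread): prefixed to a command, it prints the uid, `$HOME` and passwd home directory that command actually runs with, and whether `id_rsa` and `known_hosts` are visible there. The script name `ssh-env-report` and its function names are assumptions; the passwd lookup is included because OpenSSH takes its default `~/.ssh` location from the passwd entry of the running uid, not from `$HOME`.

```shell
#!/bin/sh
# Added diagnostic wrapper; the script name and install path are hypothetical.
# Prefix it to a command: it reports which user and home directory that
# command (npm, or ssh when set via GIT_SSH_COMMAND) really runs with.

# Print the home directory the passwd database records for a numeric uid.
# $1 = uid, $2 = passwd-format file (defaults to /etc/passwd)
passwd_home() {
    awk -F: -v uid="$1" '$3 == uid { print $6; exit }' "${2:-/etc/passwd}"
}

# Classify a key or known_hosts path as seen by the current user.
key_status() {
    if [ ! -e "$1" ]; then echo "missing"
    elif [ ! -r "$1" ]; then echo "unreadable"
    else echo "ok"
    fi
}

# Candidate .ssh directories: $HOME first, then the passwd home if different.
# $1 = HOME value, $2 = passwd home
ssh_dirs() {
    echo "$1/.ssh"
    if [ -n "$2" ] && [ "$2" != "$1" ]; then echo "$2/.ssh"; fi
}

# Print identity, both home directories, and the state of the SSH files.
report() {
    uid=$(id -u)
    pw_home=$(passwd_home "$uid")
    echo "uid=$uid gid=$(id -g) HOME=${HOME:-unset} passwd_home=${pw_home:-none}"
    ssh_dirs "${HOME:-}" "$pw_home" | while read -r dir; do
        echo "$dir/id_rsa: $(key_status "$dir/id_rsa")"
        echo "$dir/known_hosts: $(key_status "$dir/known_hosts")"
    done
}

# Only act when given a command, so sourcing the file just defines functions.
if [ "$#" -gt 0 ]; then
    report >&2          # stderr keeps git's protocol stream on stdout clean
    exec "$@"
fi
```

Assuming the script is copied into the image on the `PATH` and made executable, the Dockerfile from the question would use `ENTRYPOINT ["ssh-env-report", "npm", "i", "--only=production"]` together with `ENV GIT_SSH_COMMAND="ssh-env-report ssh -Tvv"`. The second placement reports the user at the moment git launches ssh, which is the process that prints the `identity file` debug lines.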