DOCKER Expose SSH Argument. (Secrets Flag) #11255

CodeBooster97 opened this issue Jul 18, 2022 · 17 comments · May be fixed by #12360

Comments

@CodeBooster97

CodeBooster97 commented Jul 18, 2022

Is there an existing issue for this?

  • I have searched existing issues, it hasn't been reported yet

Use case description

Hello all,

I need to access my private GitHub repos and want that serverless to handle the creation of the ECR Repo and building/push to ECR.
Currently, it's only possible to use buildArgs so I tried to cat my key and put it as build arg in the image.
Unfortunately it seems like

sls.yml

buildArgs:
  SSH_KEY: "$(cat ~/.ssh/id_rsa)"

in docker command:
=> --build-arg SSH_KEY=$(cat ~/.ssh/id_rsa)

Dockerfile

ARG SSH_KEY
RUN mkdir -p ~/.ssh && echo "$SSH_KEY" > ~/.ssh/id_rsa && chmod 600 ~/.ssh/id_rsa
RUN ssh-keyscan github.com > ~/.ssh/known_hosts
RUN echo "$SSH_KEY"
=> $(cat ~/.ssh/id_rsa)

is actually not doing the operation as I get the cat command in my ARG instead of the ssh key.

Proposed solution (optional)

In my opinion, the ssh flag which will use the SSH_AUTH_SOCK would be perfect to handle this.
https://docs.docker.com/develop/develop-images/build_enhancements/

We could add something like this:

  ecr:
    images:
      scanOnPush: true
      appimage:
        path: "./"
        file: Dockerfile
        platform: linux/amd64
        ssh:
            default: $SSH_AUTH_SOCK
            other: $OTHER_SSH_AUTH_SOCK

which will modify the docker build command to include

docker build ..... --ssh default . --ssh other=$OTHER_SSH_AUTH_SOCK

Like this, it would be possible to make use of the mount and even use multiple sockets per build

RUN --mount=type=ssh git clone {{private_git_repo}}            # uses default
RUN --mount=type=ssh,id=other git clone {{private_git_repo_2}} # uses the other ssh auth socket

@springcoil

Plus one for this!

@Sjhunt93

This would be super helpful for me also!

@pgrzesik
Contributor

Hello, thanks for reporting @GetOnMyLvl97. Is there a reason why SSH_AUTH_SOCK env var cannot be just passed as --ssh build arg?

@CodeBooster97
Author

CodeBooster97 commented Jul 18, 2022

Well, I don't think so, but there is no option in the current serverless set-up that adds the ssh flag to the docker command, as far as I can see from this article.
https://www.serverless.com/framework/docs/providers/aws/guide/functions#referencing-container-image-as-a-target

The docker command that gets generated is in my case this one

docker build -t serverless:appimage -f ~/lambda_runtime/Dockerfile --build-arg SSH_KEY=$(cat ~/.ssh/id_rsa) ./ --platform=linux/amd64

EDIT:
Might I be doing something wrong? How did you design this to handle fetching from private repos?

@pgrzesik
Contributor

pgrzesik commented Jul 18, 2022

Sorry @GetOnMyLvl97, I missed that it's with the --ssh flag, not a build arg. As for the original proposal, maybe it would work with just passing the path to the ssh key instead of passing the content as an arg, and then just copying it as a part of the docker build?

As for using the --ssh flag - it seems like the best solution in general, but it seems to not be supported in all Docker versions and is a niche use case. Please vote with 👍 on the original issue to help us better understand how much interest there is in support for --ssh flag.

@CodeBooster97
Author

Sorry from my side. I should have written flag instead of buildarg... corrected it now.

Well, passing the absolute path to the ssh key instead of passing the content as an arg won't work, because the absolute path of your resources refers to an absolute path within the build context, not an absolute path on the host OS.
It will fail to find the file.
I need to add the ssh key inside my build directory and copy it inside the image.

COPY ./id_rsa /root/.ssh/id_rsa

Why do you think using ssh is a niche use case? For example, in my company we're using our own lambda decorators hosted in a private git repo across all serverless services.

@pgrzesik
Contributor

pgrzesik commented Jul 18, 2022

> Sorry from my side. I should have written flag instead of buildarg... corrected it now.

No worries, I misread the docker docs!

> Well, passing the absolute path to the ssh key instead of passing the content as arg won't work because the absolute path of your resources refers to an absolute path within the build context, not an absolute path on the host os.

What I was thinking of was something along those lines in your Dockerfile:

COPY ${argWithPathToSshKeyOnHost} /root/.ssh/id_rsa

Wouldn't that work? I might be missing something here, of course.

> Why do you think using ssh is a niche use case? e.g. In my company, we're using our own lambda decorators hosted in a private git repo across all serverless services.

Of course, I might be mistaken here, but when I used Docker more extensively in the past, the checkout of the git repo whose contents were later baked into the image usually happened before docker build, and the checked-out files were "just" COPYied during the build process. Is there a specific reason why you need to fetch git repos as a part of the docker build process?

btw, I'm not saying one or the other is better/worse, I'm trying to understand the use case as much as I can 👍

@CodeBooster97
Author

COPY ${argWithPathToSshKeyOnHost} /root/.ssh/id_rsa
failed to compute cache key: "/Users/ec2-user/.ssh/id_rsa" not found: not found

All the resources need to be in the dir that you run the build from, i.e. where your Dockerfile is. You can't use an absolute path from elsewhere; think of it from the build's perspective.

For a couple of years, it was a pain in the ass to build dockers with private git but they improved dramatically.
I want to fetch git repos because I install private packages with pip install git+ssh:/******** in my image.

Imagine I would need to clone 4-5 repos in my builddir, copy them into the image and run the setup.py for every one of them. This would add a lot of unnecessary complexity. Instead, I can use --mount=type=ssh with pip install -r requirements.txt.

@pgrzesik
Contributor

Thanks for the clarification @GetOnMyLvl97 and description of your use case.

Let's gather more feedback on this and we can consider it as a potential feature (the ssh definition). In the meantime, we can discuss what the potential final implementation could look like.

@CodeBooster97
Author

Makes sense!

What do you think the implementation could look like?

// This is an optional argument, so we only append to the arguments if "platform" is specified.

Adding something similar to what is done for platform?
I'm happy to contribute, serverless is a nice piece of software :)

@pgrzesik
Contributor

Hey @GetOnMyLvl97 - yeah, the implementation should probably be similar as for platform - related PR for inspiration: https://github.com/serverless/serverless/pull/10237/files.

One thing I'm not sure about is how the ssh config should be scoped - should it be redefined for each image if you have more of them?

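An added example, not code from the serverless project, of how the per-image `ssh:` mapping proposed above could be turned into `docker build` arguments, scoped per image as asked here and treated as an optional key like `platform`; `buildSshArgs`, `expandEnv` and `buildDockerArgs` are hypothetical names and the environment values are constructed.

```javascript
// Added example (not serverless code): derive `docker build` argv entries from the
// proposed per-image `ssh:` mapping. Function names are hypothetical.
// Docker accepts `--ssh default` (agent socket taken from $SSH_AUTH_SOCK) and
// `--ssh <id>=<path>` for an explicit socket or key file.
const SSH_ID_PATTERN = /^[A-Za-z0-9_.-]+$/;
// Resolve a `$VAR` / `${VAR}` reference against `env`; anything else is literal.
function expandEnv(value, env) {
  const m = /^\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?$/.exec(value);
  if (!m) return value;
  if (env[m[1]] === undefined) throw new Error(`environment variable ${m[1]} is not set`);
  return env[m[1]];
}

function buildSshArgs(sshConfig, env) {
  if (sshConfig === undefined) return []; // optional, like `platform`
  if (typeof sshConfig !== 'object' || sshConfig === null) {
    throw new TypeError('ssh must be a mapping of mount id -> socket or key path');
  }
  const args = [];
  for (const [id, raw] of Object.entries(sshConfig)) {
    if (!SSH_ID_PATTERN.test(id)) throw new Error(`invalid ssh mount id "${id}"`);
    const value = expandEnv(String(raw), env);
    if (id === 'default' && value === env.SSH_AUTH_SOCK) {
      args.push('--ssh', 'default'); // docker reads SSH_AUTH_SOCK itself
    } else {
      args.push('--ssh', `${id}=${value}`);
    }
  }
  return args;
}

// Full argv for one image, so each image may carry its own `ssh:` block. Values are
// separate argv entries, never a shell string, so `$(cat ~/.ssh/id_rsa)` stays literal.
function buildDockerArgs(imageName, image, env) {
  const args = ['build', '-t', `serverless:${imageName}`, '-f', image.file || 'Dockerfile'];
  for (const [k, v] of Object.entries(image.buildArgs || {})) {
    args.push('--build-arg', `${k}=${v}`);
  }
  if (image.platform) args.push('--platform', image.platform);
  args.push(...buildSshArgs(image.ssh, env));
  args.push(image.path || '.');
  return args;
}

// Constructed environment and image config, mirroring the YAML proposed in the issue.
const demoEnv = { SSH_AUTH_SOCK: '/tmp/agent.sock', OTHER_SSH_AUTH_SOCK: '/tmp/other.sock' };
const demoImage = { path: './', file: 'Dockerfile', platform: 'linux/amd64',
  ssh: { default: '$SSH_AUTH_SOCK', other: '$OTHER_SSH_AUTH_SOCK' } };
console.log(buildDockerArgs('appimage', demoImage, demoEnv).join(' '));
```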
@tejasbadadare

Hey folks, came across this issue as I'm running into the same exact unsolved use case of needing to pip install from private repos. It would be really nice for serverless to support the --ssh build option. Have there been any updates on this front?

As a side note, it would also be nice to support a more general way to pass arbitrary flags to the Docker build process so that each build option doesn't need a sls counterpart. For example, maybe something like extraBuildArgs: "--no-cache --progress=plain" etc.

@CodeBooster97
Author

Any news on this?

@xaviergmail

We are in desperate need of a way to pass arbitrary options to the docker build command, particularly --secret.

@audiostackhenry

+1 this would be really useful

@martinezpl

martinezpl commented Feb 16, 2024

Hey @pgrzesik, what do you think about adding buildOptions alongside buildArgs in the ECR config for all sorts of arbitrary options, including the ssh and secret options mentioned here?

Potentially solves:
#10712

@pgrzesik
Contributor

Hey @martinezpl - I think that makes sense, but I'm not sure if the Serverless team will have capacity to work on that (I'm no longer a part of the team)

@martinezpl martinezpl linked a pull request Feb 19, 2024 that will close this issue