In my Dockerfile, I'm trying to pull a Python lib from a private repo:

    RUN --mount=type=ssh .venv/bin/pip install SOME_LIB --extra-index-url https://example.com/pypi/ -U

Then I tried to run the build using the following command:

    docker buildx build --ssh /path/to/the/private/key/id_rsa .

For some reason, it gave me the following error:

    #0 0.831 Host key verification failed.
    #0 0.831 fatal: Could not read from remote repository.

I've double checked the private key is correct. Did I miss any step to use --mount=type=ssh?
CodePudding user response:

The error has nothing to do with your private key; it is "host key verification failed". That means that ssh doesn't recognize the key being presented by the remote host. Its default behavior is to ask if it should trust the host key, and when run in an environment where it can't prompt interactively, it will simply reject the key.

You have a few options to deal with this. In the following examples, I'll be cloning a GitHub private repository (so I'm interacting with github.com), but the process is the same for any other host to which you're connecting with ssh.

1. Inject a global known_hosts file when you build the image.

   First, get the host key for the hosts to which you'll be connecting and save it alongside your Dockerfile:

       $ ssh-keyscan github.com > known_hosts

   Configure your Dockerfile to install this where ssh will find it:

       COPY known_hosts /etc/ssh/ssh_known_hosts
       RUN chmod 600 /etc/ssh/ssh_known_hosts; \
           chown root:root /etc/ssh/ssh_known_hosts

2. Configure ssh to trust unknown host keys:

       RUN sed -i /^StrictHostKeyChecking/d /etc/ssh/ssh_config; \
           echo StrictHostKeyChecking no >> /etc/ssh/ssh_config

3. Run ssh-keyscan in your Dockerfile when building the image:

       RUN ssh-keyscan github.com > /etc/ssh/ssh_known_hosts

All three of these solutions will ensure that ssh trusts the remote host key. The first option is the most secure (the known hosts file will only be updated by you explicitly when you run ssh-keyscan locally). The last option is probably the most convenient.
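The first option only protects the build if the key you pin is really the host's: ssh-keyscan reports whatever key it is handed on the wire, so the scanned entry should be checked against the fingerprint the host's operator publishes before it is committed next to the Dockerfile. The following is an added example, not code from the original answer or from any project: it parses a known_hosts entry (including the comment lines ssh-keyscan prints), derives the SHA256 fingerprint in the same form ssh-keygen -lf prints, and accepts the file only when exactly one entry for the host and key type exists and its fingerprint matches the expected value. The host name, key bytes and fingerprint it uses are constructed for the demonstration; they are not a real host's values.

```python
import base64
import hashlib
import struct


def parse_known_hosts_line(line):
    """Split one plain known_hosts entry into (hosts, key_type, key_blob_b64).

    Comment lines and '@'-marked entries (@cert-authority, @revoked) are
    rejected here rather than silently parsed; the caller decides what to do.
    """
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith(("#", "@")):
        raise ValueError("not a plain known_hosts entry: %r" % line)
    return fields[0].split(","), fields[1], fields[2]


def ssh_fingerprint(key_blob_b64):
    """SHA256 fingerprint in the form ssh-keygen -lf prints: 'SHA256:' + unpadded base64."""
    raw = base64.b64decode(key_blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_key_type(key_blob_b64):
    """Key type stored inside the blob itself (its first length-prefixed SSH string)."""
    raw = base64.b64decode(key_blob_b64, validate=True)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode()


def verify_pinned_key(known_hosts_text, host, key_type, expected_fp):
    """True only if exactly one entry for host/key_type exists and it matches expected_fp.

    Blank lines and '#' comments (ssh-keyscan prints one per host) are ignored.
    """
    fingerprints = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, ktype, blob = parse_known_hosts_line(line)
        if host not in hosts or ktype != key_type:
            continue
        if blob_key_type(blob) != ktype:
            return False  # declared type and embedded type disagree: corrupt or edited line
        fingerprints.append(ssh_fingerprint(blob))
    return len(fingerprints) == 1 and fingerprints[0] == expected_fp


def build_ed25519_blob(raw_public_key):
    """Encode a 32-byte Ed25519 public key as an OpenSSH key blob (used to build the sample)."""
    if len(raw_public_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")

    def ssh_string(b):
        return struct.pack(">I", len(b)) + b

    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)).decode()


# Constructed sample: a made-up host with a deterministic, non-secret key. Not a real host key.
SAMPLE_HOST = "pypi.example.com"
SAMPLE_BLOB = build_ed25519_blob(bytes(range(32)))
SAMPLE_KNOWN_HOSTS = (
    "# pypi.example.com:22 SSH-2.0-OpenSSH (constructed sample comment line)\n"
    "%s ssh-ed25519 %s\n" % (SAMPLE_HOST, SAMPLE_BLOB)
)


if __name__ == "__main__":
    # In real use the expected fingerprint comes from the operator's published
    # documentation, never from the scan you are trying to validate.
    published = ssh_fingerprint(SAMPLE_BLOB)
    print("scanned fingerprint:", published)
    print("pin ok:", verify_pinned_key(SAMPLE_KNOWN_HOSTS, SAMPLE_HOST, "ssh-ed25519", published))
```

Run it against the real known_hosts you generated with ssh-keyscan by reading that file into verify_pinned_key with the host, key type and fingerprint taken from the operator's documentation; a False result means the file should not be copied into the image. Requiring exactly one matching entry also catches a file that accidentally accumulated two keys of the same type for the host, which is easy to do when the scan is re-run and appended.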